
Useful security warnings have been added to the Go programming language

The open source Go programming language developed by Google has added support for Vulnerability Management, writes The Register.

The Go team recently launched the vuln.go.dev website to host a curated set of known vulnerabilities in packages that can be imported from public Go modules. These vulnerabilities were selected and reviewed by the Go security team based on CVEs, GitHub security advisories, and maintainer reports.

Presumably, the publication writes, this curation means the vulnerability database will be of high quality, since minor problems have been filtered out. But there is more to it than selectivity.

The team members described the Go approach, which is markedly different from, say, the way the GitHub NPM CLI handles vulnerabilities in the JavaScript ecosystem.

Back in 2018, before GitHub's acquisition of npm, npm introduced an audit command to search for and identify npm packages with known vulnerabilities in applications that use npm to manage packages.

But using npm auditing proved problematic, as it bombarded developers with false warnings. While there have been some improvements to npm since then, it seems that excessive vulnerability reports remain an unresolved issue.

Instead, Go has implemented a more focused approach with the govulncheck command, which works with vuln.go.dev and is "a low-noise and reliable way to learn about vulnerabilities that can affect projects."

There is also a related vulncheck package that exports govulncheck features as a Go API for integration with security tools.

"Govulncheck analyzes your codebase and identifies only those vulnerabilities that actually affect you, based on which functions in your code transitively call vulnerable functions," the Go team said.

The documentation explains that govulncheck "uses static analysis of the source code or binary symbol tables to narrow down reports only to those that may affect the application."
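The filtering described in the two paragraphs above is, at its core, a reachability query over the program's call graph: a vulnerable function is reported only if some chain of calls from an entry point reaches it. The following Go program is an added illustration of that idea written for this article; it is not govulncheck's own code. The call graph, the module paths (`example.com/...`) and the advisory IDs (`GO-EXAMPLE-0001`, `GO-EXAMPLE-0002`) are all constructed placeholders, whereas the real tool derives the graph from the source or binary symbol table and the advisories from vuln.go.dev.

```go
package main

import (
	"fmt"
	"strings"
)

// Symbol names a function by import path and identifier, e.g. example.com/lib.Parse.
type Symbol struct{ Pkg, Name string }

func (s Symbol) String() string { return s.Pkg + "." + s.Name }

// Vuln is a constructed stand-in for one vulnerability-database entry:
// an advisory ID and the symbols the advisory marks as affected.
type Vuln struct {
	ID       string
	Affected []Symbol
}

// Finding is one reachable vulnerable symbol together with the shortest call
// path from an entry point, which is what makes the report actionable.
type Finding struct {
	VulnID string
	Path   []Symbol
}

// Reachable walks the static call graph breadth-first from the entry points and
// reports only the vulnerable symbols that are actually called, transitively.
// Vulnerable symbols that exist in a dependency but are never reached are not
// reported: that is the filtering that keeps the output low-noise.
func Reachable(callGraph map[Symbol][]Symbol, entries []Symbol, db []Vuln) []Finding {
	vulnIDs := map[Symbol][]string{} // vulnerable symbol -> advisory IDs
	for _, v := range db {
		for _, s := range v.Affected {
			vulnIDs[s] = append(vulnIDs[s], v.ID)
		}
	}
	parent := map[Symbol]Symbol{} // callee -> caller on the shortest path
	seen := map[Symbol]bool{}
	queue := append([]Symbol(nil), entries...)
	for _, e := range entries {
		seen[e] = true
	}
	var findings []Finding
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, id := range vulnIDs[cur] {
			findings = append(findings, Finding{VulnID: id, Path: pathTo(cur, parent)})
		}
		for _, callee := range callGraph[cur] {
			if !seen[callee] {
				seen[callee] = true
				parent[callee] = cur
				queue = append(queue, callee)
			}
		}
	}
	return findings
}

// pathTo rebuilds the entry-point-to-symbol call chain from the BFS parent map.
func pathTo(s Symbol, parent map[Symbol]Symbol) []Symbol {
	rev := []Symbol{s}
	for {
		p, ok := parent[s]
		if !ok { // entry points have no parent
			break
		}
		rev = append(rev, p)
		s = p
	}
	path := make([]Symbol, len(rev))
	for i, sym := range rev {
		path[len(rev)-1-i] = sym
	}
	return path
}

// Demo runs the query over a constructed program: main calls app.Handle, which
// calls the vulnerable lib.Parse; lib.Decode is also vulnerable but is only
// called by a helper nobody uses, so it must not be reported.
func Demo() []Finding {
	mainFn := Symbol{"example.com/app/cmd", "main"}
	handle := Symbol{"example.com/app", "Handle"}
	logf := Symbol{"example.com/app", "Log"}
	parse := Symbol{"example.com/lib", "Parse"}
	tokenize := Symbol{"example.com/lib", "tokenize"}
	decode := Symbol{"example.com/lib", "Decode"}
	helper := Symbol{"example.com/lib", "legacyHelper"}

	callGraph := map[Symbol][]Symbol{ // constructed call graph
		mainFn: {handle, logf},
		handle: {parse},
		parse:  {tokenize},
		helper: {decode}, // unreachable: nothing calls legacyHelper
	}
	db := []Vuln{ // constructed advisories with placeholder IDs
		{ID: "GO-EXAMPLE-0001", Affected: []Symbol{parse}},
		{ID: "GO-EXAMPLE-0002", Affected: []Symbol{decode}},
	}
	return Reachable(callGraph, []Symbol{mainFn}, db)
}

func main() {
	for _, f := range Demo() {
		steps := make([]string, len(f.Path))
		for i, s := range f.Path {
			steps[i] = s.String()
		}
		fmt.Printf("%s reachable via %s\n", f.VulnID, strings.Join(steps, " -> "))
	}
}
```

Running the program reports only `GO-EXAMPLE-0001`, with the path `example.com/app/cmd.main -> example.com/app.Handle -> example.com/lib.Parse`; the `GO-EXAMPLE-0002` advisory against the imported but never-called `lib.Decode` is suppressed, which is exactly the distinction between "your module depends on a vulnerable package" and "your code actually reaches the vulnerable function". For a real module, the equivalent check is `govulncheck ./...` run from the module root.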

The key point is to warn developers only about relevant vulnerabilities. This means that there will be fewer false alarms, although it will not necessarily completely eliminate them.