Go Vulnerability Database

Official site: vuln.go.dev

Newly launched (under its new name) in September 2022.

https://www.baidu.com/s?tn=50000021_hao_pg&ie=utf-8&sc=UWd1pgw-pA7EnHc1FMfqnHTsnWRznj61n1mvnauW5y99U1Dznzu9m1YYrHD1njDvrHc&ssl_sample=normal&srcqid=8082043803732959369&H123Tmp=nunew7&word=govulncheck

https://www.bilibili.com/read/cv19506992/


vulnerability

n. vulnerability; weakness; susceptibility to harm; the state of being exposed to attack.
Example sentence: Scientists who study the birds believe it's time their particular vulnerability was formally recognised, and they want to see measures taken to ease other pressures faced by Emperors, such as the fishing activities that impinge on their food supply.

https://pkg.go.dev/vuln/ is updated regularly with the Go vulnerabilities that have been reported.

https://go.dev/doc/security/vuln/ Go Vulnerability Management


Using the govulncheck tool


govulncheck is a tool for the Go programming language that detects known vulnerabilities in Go projects. It scans the dependencies a project uses and compares them against the known-vulnerability database, helping developers identify and fix potential security problems.

The basic steps for using govulncheck are:

  1. Install: first, install govulncheck. If Go is already installed, the following command installs it:

     go install golang.org/x/vuln/cmd/govulncheck@latest

  2. Run: once installed, run govulncheck in your Go project directory. This checks every dependency listed in the project's go.mod as well as the other Go modules the project uses.

     govulncheck ./...

  3. Review the results: when the run finishes, govulncheck prints a report listing every known vulnerability it detected. The report normally includes a description of the vulnerability, the affected version range, and a suggested fix.

  4. Update dependencies: if a vulnerability is found, update the affected dependency to a version that is no longer vulnerable. This is usually done by updating go.mod.

  5. Re-run: after updating dependencies, run govulncheck again to confirm that the vulnerability has been fixed.

This tool is essential for keeping Go projects secure, especially when working with public dependencies. Running govulncheck regularly lets you manage and mitigate security risk more effectively.


govulncheck is a vulnerability scanner for Go: it detects known vulnerabilities in a Go project and can emit the findings in JSON format instead of the text report. Run it inside the module directory:

govulncheck -json ./...
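The following Go program is an added example for step 3 of the procedure above (reviewing results) and for the JSON output mode just shown; it is not part of the original post and not code from the golang/vuln project. It reads the stream that `govulncheck -json` writes and separates vulnerabilities that the program actually calls from ones that are merely imported, which is the same distinction the text report further down the page draws with its "Informational" section. The field names used (`osv`, `finding`, `fixed_version`, `trace`, `function`) are assumed to follow the govulncheck JSON schema; the sample stream is constructed for this example and is not real tool output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// govulncheck -json writes a stream of single-key objects:
// {"config":...}, {"progress":...}, {"osv":...}, {"finding":...}.
// Only the keys this example needs are modelled (assumed schema).
type message struct {
	OSV     *osvEntry `json:"osv"`
	Finding *finding  `json:"finding"`
}

type osvEntry struct {
	ID      string `json:"id"`
	Summary string `json:"summary"`
}

type finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version"`
	Trace        []*frame `json:"trace"`
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
	Receiver string `json:"receiver"`
}

// Summary separates vulnerabilities reached through the call graph
// from those that are only imported.
type Summary struct {
	Called   []string          // OSV IDs with at least one call-stack finding
	Imported []string          // OSV IDs seen only at package/module level
	Titles   map[string]string // OSV ID -> summary line
}

// Summarize consumes a govulncheck -json stream and classifies each OSV ID.
func Summarize(r io.Reader) (*Summary, error) {
	dec := json.NewDecoder(r)
	s := &Summary{Titles: map[string]string{}}
	called := map[string]bool{}
	seen := map[string]bool{}
	var order []string
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.OSV != nil {
			s.Titles[m.OSV.ID] = m.OSV.Summary
		}
		if m.Finding == nil {
			continue
		}
		id := m.Finding.OSV
		if !seen[id] {
			seen[id] = true
			order = append(order, id)
		}
		// trace[0] is the vulnerable symbol itself; a non-empty Function
		// means govulncheck found a call path from your code to it.
		if len(m.Finding.Trace) > 0 && m.Finding.Trace[0].Function != "" {
			called[id] = true
		}
	}
	for _, id := range order {
		if called[id] {
			s.Called = append(s.Called, id)
		} else {
			s.Imported = append(s.Imported, id)
		}
	}
	return s, nil
}

// ExitCode mirrors a CI gate: fail only on vulnerabilities that are actually called.
func ExitCode(s *Summary) int {
	if len(s.Called) > 0 {
		return 1
	}
	return 0
}

// sampleStream is a constructed stream modelled on the report on this page.
const sampleStream = `{"osv":{"id":"GO-2023-2382","summary":"Denial of service via chunk extensions in net/http"}}
{"osv":{"id":"GO-2023-2102","summary":"HTTP/2 rapid reset can cause excessive work in net/http"}}
{"finding":{"osv":"GO-2023-2382","fixed_version":"v1.21.5","trace":[{"module":"stdlib","version":"v1.21.0-rc.2","package":"net/http/internal","function":"Read","receiver":"*chunkedReader"},{"module":"golang.org/x/vuln","package":"golang.org/x/vuln/internal/gosym","function":"InlineTree","receiver":"*LineTable"}]}}
{"finding":{"osv":"GO-2023-2102","fixed_version":"v1.21.3","trace":[{"module":"stdlib","version":"v1.21.0-rc.2","package":"net/http"}]}}
`

func main() {
	s, err := Summarize(strings.NewReader(sampleStream))
	if err != nil {
		panic(err)
	}
	for _, id := range s.Called {
		fmt.Printf("CALLED   %s: %s\n", id, s.Titles[id])
	}
	for _, id := range s.Imported {
		fmt.Printf("IMPORTED %s: %s\n", id, s.Titles[id])
	}
	fmt.Println("exit code:", ExitCode(s))
}
```

In practice you would pipe real output into it (`govulncheck -json ./... | go run summarize.go` with `main` reading `os.Stdin`); gating CI on `Called` only, while still logging `Imported`, is what keeps the "Informational" findings from blocking builds without hiding them.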

https://go.dev/doc/security/

Source code and usage: https://github.com/golang/vuln

It can only scan projects that contain a go.mod; without one it reports an error, as shown above. A parent directory holding several subdirectories a, b, c, each an independent project with its own go.mod, does not work either: you have to cd into each one to scan it.
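The following Go program is an added example (not part of the original post and not code from golang/vuln) for the layout just described: it finds every directory under a root that contains a go.mod and runs `govulncheck ./...` inside each one, so the tool always sees a module. The rule of skipping vendor, testdata and dot-directories is an assumption modelled on how the go tool walks a tree; the command name `govulncheck` is assumed to be on PATH.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"os/exec"
	"path/filepath"
	"sort"
)

// FindModuleRoots returns every directory under root that contains a go.mod,
// which is what govulncheck needs as its working directory. Directories named
// vendor or testdata, or starting with ".", are skipped (assumed rule, modelled
// on the go tool's own tree walk).
func FindModuleRoots(root string) ([]string, error) {
	var roots []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			name := d.Name()
			if path != root && (name == "vendor" || name == "testdata" || name[0] == '.') {
				return fs.SkipDir
			}
			return nil
		}
		if d.Name() == "go.mod" {
			roots = append(roots, filepath.Dir(path))
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Strings(roots)
	return roots, nil
}

// ScanCommand builds the govulncheck invocation for one module directory.
// Setting Dir is what makes the a/b/c layout work: each run sees its own go.mod.
func ScanCommand(modDir string) *exec.Cmd {
	cmd := exec.Command("govulncheck", "./...")
	cmd.Dir = modDir
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	return cmd
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	roots, err := FindModuleRoots(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	failed := 0
	for _, dir := range roots {
		fmt.Printf("==> govulncheck in %s\n", dir)
		// govulncheck exits non-zero when it reports called vulnerabilities
		// or cannot load the module; record the failure and keep scanning.
		if err := ScanCommand(dir).Run(); err != nil {
			failed++
		}
	}
	if failed > 0 {
		fmt.Fprintf(os.Stderr, "%d of %d modules failed\n", failed, len(roots))
		os.Exit(1)
	}
}
```

Run it as `go run scanall.go /path/to/repo`; it keeps scanning after the first failing module so one report covers the whole tree, and only the final exit status tells CI whether anything needs attention.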


The error above was caused by merge conflicts in the code; it certainly would not have compiled.

That is, govulncheck can also scan code that does not compile.


After resolving the conflicts:


Running govulncheck on the project itself

Scanning your code and 203 packages across 4 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2382
Denial of service via chunk extensions in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2382
Standard library
Found in: net/http/internal@go1.21rc2
Fixed in: net/http/internal@go1.21.5
Example traces found:
#1: internal/gosym/additions.go:67:25: gosym.LineTable.InlineTree calls binary.Read, which eventually calls internal.chunkedReader.Read

Vulnerability #2: GO-2023-2185
Insecure parsing of Windows paths with a \??\ prefix in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-2185
Standard library
Found in: internal/safefilepath@go1.21rc2
Fixed in: internal/safefilepath@go1.21.4
Platforms: windows
Example traces found:
#1: internal/client/source.go:85:20: client.localSource.get calls fs.ReadFile, which eventually calls safefilepath.FromFS
#2: internal/client/source.go:85:20: client.localSource.get calls fs.ReadFile, which eventually calls safefilepath.FromFS
#3: internal/test/buildtest.go:51:26: test.GoBuild calls filepath.Abs
#4: internal/test/buildtest.go:55:50: test.GoBuild calls filepath.Base
#5: internal/scan/flags.go:14:2: scan.init calls buildutil.init, which eventually calls filepath.Clean
#6: internal/client/source.go:112:17: client.hybridSource.get calls filepath.Dir
#7: internal/test/buildtest.go:55:28: test.GoBuild calls filepath.Join
#8: internal/scan/filepath.go:24:24: scan.AbsRelShorter calls filepath.Rel
#9: internal/client/source.go:110:29: client.hybridSource.get calls filepath.Split
#10: internal/web/url.go:56:31: web.URLFromFilePath calls filepath.VolumeName
#11: internal/client/index.go:26:28: client.indexFromDir calls filepath.WalkDir
#12: internal/test/buildtest.go:51:26: test.GoBuild calls filepath.Abs
#13: internal/test/buildtest.go:55:50: test.GoBuild calls filepath.Base
#14: internal/scan/flags.go:14:2: scan.init calls buildutil.init, which eventually calls filepath.Clean
#15: internal/client/source.go:112:17: client.hybridSource.get calls filepath.Dir
#16: internal/test/buildtest.go:55:28: test.GoBuild calls filepath.Join
#17: internal/scan/filepath.go:24:24: scan.AbsRelShorter calls filepath.Rel
#18: internal/client/source.go:110:29: client.hybridSource.get calls filepath.Split
#19: internal/web/url.go:56:31: web.URLFromFilePath calls filepath.VolumeName
#20: internal/client/index.go:26:28: client.indexFromDir calls filepath.WalkDir

Vulnerability #3: GO-2023-1987
Large RSA keys can cause high CPU usage in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1987
Standard library
Found in: crypto/tls@go1.21rc2
Fixed in: crypto/tls@go1.21rc4
Example traces found:
#1: internal/client/source.go:54:22: client.httpSource.get calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext
#2: internal/gosym/additions.go:67:25: gosym.LineTable.InlineTree calls binary.Read, which eventually calls tls.Conn.Read
#3: internal/vulncheck/binary.go:62:13: vulncheck.binary calls fmt.Printf, which eventually calls tls.Conn.Write
#4: internal/client/source.go:54:22: client.httpSource.get calls http.Client.Do, which eventually calls tls.Dialer.DialContext

=== Informational ===

Found 4 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2186
Incorrect detection of reserved device names on Windows in path/filepath
More info: https://pkg.go.dev/vuln/GO-2023-2186
Standard library
Found in: path/filepath@go1.21rc2
Fixed in: path/filepath@go1.21.4

Vulnerability #2: GO-2023-2102
HTTP/2 rapid reset can cause excessive work in net/http
More info: https://pkg.go.dev/vuln/GO-2023-2102
Standard library
Found in: net/http@go1.21rc2
Fixed in: net/http@go1.21.3

Vulnerability #3: GO-2023-2045
Memory exhaustion in QUIC connection handling in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-2045
Standard library
Found in: crypto/tls@go1.21rc2
Fixed in: crypto/tls@go1.21.1

Vulnerability #4: GO-2023-2044
Panic when processing post-handshake message on QUIC connections in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-2044
Standard library
Found in: crypto/tls@go1.21rc2
Fixed in: crypto/tls@go1.21.1

Your code is affected by 3 vulnerabilities from the Go standard library.

Share feedback at https://go.dev/s/govulncheck-feedback.