Go security bugs database


Manlio Perillo

Jan 20, 2020, 2:34:41 PM
to golang-nuts
In https://research.swtch.com/vgo-why-versions, Russ Cox wrote about a hypothetical database of bugs in Go modules.
A tool can query the database, extracting the list of modules used in a binary built with Go.

Such a tool can probably be written today, using, as an example, https://www.cvedetails.com/ and GitHub Security Advisories.
For querying a CVE database, the tool can use the last segment of the module import path (not sure if there is more than one module in a repository).
For querying GitHub security advisories, the tool can find the actual repository associated with the import path, and then query GitHub (this information *could* be reported by go get).

The problem with the CVE database is that the query needs manual verification.
The problem with GitHub is that not every Go module is on GitHub and not every Go module uses the security advisory tool. As an example:

 - https://www.cvedetails.com/cve/CVE-2016-9123/ go-jose is on GitHub, but there is no security advisory issued
 - https://www.cvedetails.com/cve/CVE-2019-14255/ go-camo issued a GitHub security advisory

IMHO, it would be useful to have an official security bug database for the Go ecosystem, e.g. security.golang.org.


Thanks
Manlio Perillo
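The extraction step described above (read the module list out of a built Go binary, then derive a lookup key for each of the two sources) as an added example. This is my own code, not code from the thread or from the Go project; it assumes Go 1.18 or newer for the `debug/buildinfo` package, and the key-derivation rules (last path segment for a CVE product search, `owner/repo` for modules hosted on github.com, with `/vN` and gopkg.in-style `.vN` major-version suffixes stripped) are assumptions about how such a tool could work, not an existing API.

```go
// Added example (not from the thread): derive per-module lookup keys for a
// CVE product search and for GitHub security advisories from the build info
// embedded in a Go binary. Requires Go 1.18+ (debug/buildinfo).
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// LookupKeys is what a scanner would send to each database for one module.
type LookupKeys struct {
	ModulePath string
	Version    string
	CVEProduct string // last path segment, e.g. "go-jose" (assumed search key)
	GitHubRepo string // "owner/repo" when the module lives on github.com, else ""
}

// isMajorSuffix reports whether s looks like a major-version marker ("v2", "v10").
func isMajorSuffix(s string) bool {
	if len(s) < 2 || s[0] != 'v' {
		return false
	}
	for _, c := range s[1:] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// KeysForModule builds the lookup keys for one module path and version.
// "github.com/x/y/v3" yields product "y" and repo "x/y";
// "gopkg.in/square/go-jose.v2" yields product "go-jose" and no GitHub repo.
func KeysForModule(path, version string) LookupKeys {
	segs := strings.Split(path, "/")
	// Drop a trailing "/vN" major-version path element.
	if n := len(segs); n > 1 && isMajorSuffix(segs[n-1]) {
		segs = segs[:n-1]
	}
	product := segs[len(segs)-1]
	// Drop a gopkg.in-style ".vN" suffix on the last element.
	if i := strings.LastIndex(product, ".v"); i > 0 && isMajorSuffix(product[i+1:]) {
		product = product[:i]
	}
	k := LookupKeys{ModulePath: path, Version: version, CVEProduct: product}
	if len(segs) >= 3 && segs[0] == "github.com" {
		k.GitHubRepo = segs[1] + "/" + segs[2]
	}
	return k
}

// KeysForBinary reads the module list recorded in a Go binary and returns
// keys for every dependency. When a replace directive was in effect, the
// replacement is used, because that is the code actually linked in.
func KeysForBinary(binPath string) ([]LookupKeys, error) {
	bi, err := buildinfo.ReadFile(binPath)
	if err != nil {
		return nil, err
	}
	var out []LookupKeys
	for _, dep := range bi.Deps {
		m := dep
		if dep.Replace != nil {
			m = dep.Replace
		}
		out = append(out, KeysForModule(m.Path, m.Version))
	}
	return out, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: modkeys <go-binary>")
		os.Exit(2)
	}
	keys, err := KeysForBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, k := range keys {
		fmt.Printf("%s %s\tcve:%s\tgithub:%s\n", k.ModulePath, k.Version, k.CVEProduct, k.GitHubRepo)
	}
}
```

Run it as `modkeys ./some-binary`; the printed keys are the inputs to the manual CVE verification and the GitHub advisory lookup the post describes. Using the replacement module rather than the original path matters for a scanner: a `replace` directive pointing at a fork means the advisory record for the original module may not apply, and vice versa.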




David Riley

Jan 20, 2020, 8:26:55 PM
to Manlio Perillo, golang-nuts
I strongly agree this would be beneficial. I’ve discussed this exact concept with my employer before, because it’s an area we have scanners for with older languages, but not Go.

I do believe Snyk offers a commercial version of this service, but a public, official, well-vetted repository that is machine-readable would be EXTREMELY welcome.

And before we get into religious wars, no, package scanning is far from a panacea, but it does help catch the low-hanging fruit early, and the popularity of (generally non-Go) exploits out there taking advantage of years-old known-vulnerable libraries indicates that widespread availability of such scanning is a good thing.


- Dave

