Tool to check binaries for vulnerabilities


Michel Casabianca

Apr 14, 2022, 1:20:28 PM
to golang-nuts
Hello Gophers,

We, at Intercloud, have developed a tool to check dependencies embedded in Go binaries. It first lists dependencies by running "go version -m mybinary", then it looks for vulnerabilities in the NVD online database (at https://nvd.nist.gov/).

This tool is open source and available at https://github.com/intercloud/gobinsec.

Any comment and contribution welcome.

Enjoy!

Dan Kortschak

Apr 14, 2022, 5:55:27 PM
to golan...@googlegroups.com
On Thu, 2022-04-14 at 03:05 -0700, Michel Casabianca wrote:
> Any comment and contribution welcome.

Can I suggest that you use golang.org/x/sys/execabs rather than os/exec
in ExecCommand?


Zhaoxun Yan

Apr 15, 2022, 2:03:38 AM
to golang-nuts
That sounds great! Thanks.

Sean Liao

Apr 15, 2022, 5:11:09 AM
to golang-nuts
If you only need to target 1.18+, you can use `debug/buildinfo.ReadFile`, which doesn't require shelling out to go.
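
The suggestion above, as an added example that is not part of the original post and not gobinsec's own code: it reads the module list from a binary with `debug/buildinfo.ReadFile` and reports the replacement module wherever a `replace` directive applied, since that is the code a vulnerability lookup should be run against. `Dep`, `EffectiveDeps`, `sampleInfo` and the example.com module paths are hypothetical names chosen for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"runtime/debug"
)

// Dep is one module whose code is actually linked into the binary.
type Dep struct {
	Path, Version string
	Replaced      bool // true when a go.mod replace directive swapped the module
}

// EffectiveDeps lists what was compiled in: a replacement wins over the module it replaces.
func EffectiveDeps(info *debug.BuildInfo) []Dep {
	deps := make([]Dep, 0, len(info.Deps))
	for _, m := range info.Deps {
		d := Dep{Path: m.Path, Version: m.Version}
		if m.Replace != nil {
			d = Dep{Path: m.Replace.Path, Version: m.Replace.Version, Replaced: true}
		}
		deps = append(deps, d)
	}
	return deps
}

// sampleInfo returns constructed build info (not read from a real binary).
func sampleInfo() *debug.BuildInfo {
	return &debug.BuildInfo{Deps: []*debug.Module{
		{Path: "example.com/yaml", Version: "v1.2.0"},
		{Path: "example.com/old", Version: "v0.1.0", Replace: &debug.Module{Path: "example.com/fork", Version: "v0.1.1"}},
	}}
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: listdeps <go-binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // no "go" toolchain needed on the host
	if err != nil {                             // not a Go binary, or no embedded build info
		log.Fatal(err)
	}
	for _, d := range EffectiveDeps(info) {
		fmt.Println(d.Path, d.Version, d.Replaced)
	}
}
```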


Michel Casabianca

Apr 18, 2022, 8:45:47 AM
to golang-nuts
Thank you for your feedback. Nevertheless, I don't call go anymore; I now use debug/buildinfo.ReadFile, as suggested in another reply below.

Michel Casabianca

Apr 18, 2022, 8:48:55 AM
to golang-nuts
Thank you very much for this feedback. I have made a pull request to use debug/buildinfo.ReadFile as suggested: https://github.com/intercloud/gobinsec/pull/7

This is far better than calling go on the command line.

Best regards

Michel Casabianca

Apr 19, 2022, 10:11:25 AM
to golang-nuts
Thank you very much for your feedback. I have made a new 0.7.0 release including your suggestions: https://github.com/intercloud/gobinsec/releases/tag/0.7.0

Enjoy!