Find and fix vulnerable dependencies with govulncheck
Govulncheck is a low-noise tool that helps you find and fix vulnerable dependencies in your Go projects. It does this by scanning your project's dependencies for known vulnerabilities and then identifying any direct or indirect calls to those vulnerabilities in your code.
In this tutorial, you will learn how to use govulncheck to scan a simple program for vulnerabilities. You will also learn how to prioritize and evaluate vulnerabilities so that you can focus on fixing the most important ones first.
To learn more about govulncheck, see the govulncheck documentation, and this blog post on vulnerability management for Go. We'd also love to hear your feedback.
Prerequisites
- Go. We recommend using the latest version of Go to follow this tutorial. (For installation instructions, see Installing Go.)
- A code editor. Any editor you have will work fine.
- A command terminal. Go works well using any terminal on Linux and Mac, and on PowerShell or cmd in Windows.
The tutorial will take you through the following steps:
- Create a sample Go module with a vulnerable dependency
- Install and run govulncheck
- Evaluate vulnerabilities
- Upgrade vulnerable dependencies
Create a sample Go module with a vulnerable dependency
Step 1. To begin, create a new folder called vuln-tutorial and initialize a Go module.
(If you are new to Go modules, check out go.dev/doc/tutorial/create-module.
For example, from your home directory, run the following:
Step 2. Create a file called main.go within the vuln-tutorial folder, and copy
the following code into it:
This sample program takes a list of language tags as command line arguments and prints a message for each tag indicating if it was parsed successfully, the tag is undefined, or whether there was an error while parsing the tag.
Step 3. Run go mod tidy, which will populate the go.mod file with all the
dependencies required by the code you added to main.go in the previous step.
From the vuln-tutorial folder, run:
You should see this output:
Step 4. Open your go.mod file to verify that it looks like this:
Step 5. Downgrade the version of golang.org/x/text to v0.3.5, which contains known
vulnerabilities. Run:
You should see this output:
The go.mod file should now read:
Now, let’s see govulncheck in action.
Install and run govulncheck
Step 6. Install govulncheck with the go install command:
Step 7. From the folder you want to analyze (in this case, vuln-tutorial). Run:
You should see this output:
Interpreting the output
*Note: If you are not using the latest version of Go, you may see additional vulnerabilities from the standard library.Our code is affected by one vulnerability,
GO-2021-0113, because it directly calls
the Parse function of golang.org/x/text/language at a vulnerable version
(v0.3.5).
Another vulnerability, GO-2022-1059,
exists in the golang.org/x/text module at v0.3.5. However, it is reported as
"Informational" because our code never (directly or indirectly) calls any of
its vulnerable functions.
Now, let's evaluate the vulnerabilities and determine an action to take.
Evaluate vulnerabilities
a. Evaluate vulnerabilities.
First, read the description of the vulnerability and determine if it actually applies to your code and your use case. If you need more information, visit the "More info" link.
Based on the description, vulnerability GO-2021-0113 can cause a panic when
Parse is used to process untrusted user inputs. Let's suppose that we intend
our program to withstand untrusted inputs, and we are concerned about denial of
service, so the vulnerability likely applies.
GO-2022-1059 likely does not affect our code, because our code does not call any vulnerable functions from that report.
b. Decide on an action.
To mitigate GO-2021-0113, we have a few options:
- Option 1: Upgrade to a fixed version. If there is a fix available, we can remove a vulnerable dependency by upgrading to a fixed version of the module.
- Option 2: Stop using the vulnerable symbol(s). We could choose to remove all calls to the vulnerable function in our code. We would need to find an alternative or implement it ourselves.
In this case, a fix is available, and the Parse function is integral to our
program. Let's upgrade our dependency to the "fixed in" version, v0.3.7.
We decided to deprioritize fixing the informational vulnerability, GO-2022-1059, but because it is in the same module as GO-2021-0113, and because the fixed in version for it is v0.3.8, we can easily remove both at the same time by upgrading to v0.3.8.
Upgrade vulnerable dependencies
Luckily, upgrading vulnerable dependencies is quite simple.
Step 8. Upgrade golang.org/x/text to v0.3.8:
You should see this output:
(Note that we could have also chosen to upgrade to latest, or any other version after v0.3.8).
Step 9. Now run govulncheck again:
You will now see this output:
Finally, govulncheck confirms that there are no vulnerabilities found.
By regularly scanning your dependencies with command govulncheck, you can safeguard your codebase by identifying, prioritizing, and addressing vulnerabilities.