Go vulncheck results suggestion

Go now has beta support for vulnerability management and reporting. The current version (1.59.2) shows:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean
  shutdown that was preempted by a fatal error. This condition can
  be exploited by a malicious client to cause a denial of service.
  Found in: golang.org/x/net/http2@v0.0.0-20220805013720-a33c5aa5df48
  Fixed in: golang.org/x/net/http2@v0.0.0-20220906165146-f3363e06e74c
  More info: https://pkg.go.dev/vuln/GO-2022-0969

You can have your package report current vuln status on pkg.go.dev which would be nice.

This looks interesting.

How do you do that?

I'm not sure - have not tried it myself on any of my repos. The article I linked shows, as an example, the standard go text package reporting its own version history with vuln tags. text package versions - golang.org/x/text - Go Packages

.. digging around, I found this: Govulncheck Action · Actions · GitHub Marketplace · GitHub

Interesting suggestion!

I just had a quick look at that one myself, but it looks to me like it only runs the tool and reports the GitHub Action status as success/failed - i.e. some missing pieces? There was also a different action, https://github.com/marketplace/actions/golang-vulncheck, which is quite different, but I'm not sure if that is more complete.

The equivalent page for rclone doesn't have the vulnerability labels

https://pkg.go.dev/github.com/rclone/rclone?tab=versions

Having read the article carefully now, I don't see a way to report vulnerabilities other than opening a github issue.

And I don't see a way that the above page can show vulnerabilities.

Sorry, me neither. Maybe it will be better once the feature moves out of "experimental" stage.

I'll keep an eye on it :slight_smile:


vulncheck project is also soliciting feedback .. I filled in their form and linked to our discussion here. I would hope/expect that eventually it would play nicely with CI tooling like Github Actions etc. as well as the pkg.go.dev site and maybe let us put a badge on our repos :slight_smile:

In the meantime, we could run the check on the rclone code as part of the CI, to "red flag" the build should any vulnerabilities be found, e.g. in a PR. It should be as simple as adding the following steps (or using any of the ready-made actions), maybe to the existing lint job:

- name: Get govulncheck
  run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
  run: govulncheck ./...
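The two CI steps above fail the job on any finding, without distinguishing a vulnerable function that is actually called from a module that is merely imported, and without a way to accept a known finding while a fix is pending. The program below is an added example, not code from the thread or from rclone, of a small gate that reads the machine-readable output of `govulncheck -json` and makes that decision. It assumes the streaming JSON format of current govulncheck releases (objects with `config`, `progress`, `osv` and `finding` members, where a finding's `trace[0]` names the vulnerable module and, for symbol-level findings, its function), not the output of the 2022 beta quoted at the top of the thread; the sample stream, the `GO-EXAMPLE-0001` identifier, the `example.com` module names and the trace contents are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// message is one object of the `govulncheck -json` stream. Only "finding" is
// modelled; "config", "progress" and "osv" objects decode to a nil Finding.
// ASSUMPTION: govulncheck v1.x streaming format (not the 2022 beta).
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"` // trace[0]: vulnerable module/package/symbol
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Summary collapses the module-, package- and symbol-level findings that
// govulncheck emits for one OSV ID into a single row.
type Summary struct {
	ID, Module, Version, Fixed string
	Called                     bool // a symbol-level finding exists: the vulnerable function is reachable
}

// Parse decodes a govulncheck JSON stream and groups findings by OSV ID.
func Parse(r io.Reader) (map[string]*Summary, error) {
	dec := json.NewDecoder(r)
	out := map[string]*Summary{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f, top := m.Finding, m.Finding.Trace[0]
		s, ok := out[f.OSV]
		if !ok {
			s = &Summary{ID: f.OSV, Module: top.Module, Version: top.Version, Fixed: f.FixedVersion}
			out[f.OSV] = s
		}
		if top.Function != "" { // only symbol-level findings carry a function name
			s.Called = true
		}
	}
	return out, nil
}

// Gate returns the sorted IDs that should fail the build: reachable
// vulnerabilities not in allow, plus import-only ones when strict is set.
func Gate(sums map[string]*Summary, allow map[string]bool, strict bool) []string {
	var blocking []string
	for id, s := range sums {
		if !allow[id] && (s.Called || strict) {
			blocking = append(blocking, id)
		}
	}
	sort.Strings(blocking)
	return blocking
}

// sampleStream is CONSTRUCTED test input: the page's GO-2022-0969 reported at
// module level and then at symbol level, plus a fictitious import-only finding.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2022-0969","fixed_version":"v0.0.0-20220906165146-f3363e06e74c","trace":[{"module":"golang.org/x/net","version":"v0.0.0-20220805013720-a33c5aa5df48"}]}}
{"finding":{"osv":"GO-2022-0969","fixed_version":"v0.0.0-20220906165146-f3363e06e74c","trace":[{"module":"golang.org/x/net","version":"v0.0.0-20220805013720-a33c5aa5df48","package":"golang.org/x/net/http2","function":"serverConn.serve"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/unused","version":"v1.2.0"}]}}
`

func main() {
	// CI usage (hypothetical path): govulncheck -json ./... | go run ./tools/vulngate
	in := io.Reader(os.Stdin)
	if len(os.Args) > 1 && os.Args[1] == "-demo" {
		in = strings.NewReader(sampleStream)
	}
	sums, err := Parse(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, id := range Gate(sums, nil, true) { // strict=true just lists everything
		s, state := sums[id], "imported only"
		if s.Called {
			state = "CALLED"
		}
		fmt.Printf("%s %s@%s (fixed in %s): %s\n", id, s.Module, s.Version, s.Fixed, state)
	}
	if blocking := Gate(sums, nil, false); len(blocking) > 0 {
		fmt.Fprintf(os.Stderr, "failing build: %s\n", strings.Join(blocking, ", "))
		os.Exit(1)
	}
}
```

Running it with `-demo` prints GO-2022-0969 as CALLED and GO-EXAMPLE-0001 as imported only, and exits 1 because of the former; wiring an allowlist into `Gate` (for instance from a file checked into the repo with an expiry date per ID) is what lets a PR merge while an upstream fix is awaited, without silencing the check globally.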

Sounds like a great idea @albertony if you want to make a PR?

Created PR #6512.
