I strongly agree this would be beneficial. I’ve discussed this exact concept 
with my employer before, because it’s an area we have scanners for with older 
languages, but not Go.

I do believe Snyk offers a commercial version of this service, but a public, 
official, well-vetted repository that is machine-readable would be EXTREMELY 
welcome.

And before we get into religious wars, no, package scanning is far from a 
panacea, but it does help catch the low-hanging fruit early, and the popularity 
of (generally non-Go) exploits out there taking advantage of years-old 
known-vulnerable libraries indicates that widespread availability of such 
scanning is a good thing.


- Dave


> On Jan 20, 2020, at 14:34, Manlio Perillo <manlio.peri...@gmail.com> wrote:
> 
> 
> In https://research.swtch.com/vgo-why-versions, Russ Cox wrote about a 
> hypothetical database of bugs in Go modules.
> A tool can query the database, extracting the list of modules used in a 
> binary built with Go.
> 
> Such a tool can probably be written today, using, as an example, 
> https://www.cvedetails.com/ and GitHub Security Advisories.
> For querying a CVE database, the tool can use the last segment of the module 
> import path (not sure if there is more than one module in a repository).
> For querying github security advisories, the tool can find the actual 
> repository associated with the import path, and then query GitHub (this 
> information *could* be reported by go get).
> 
> The problem with the CVE database is that the query needs manual verification.
> The problem with GitHub is that not every Go module is on GitHub and not 
> every Go module uses the security advisory tool.  As an example:
> 
>  - https://www.cvedetails.com/cve/CVE-2016-9123/  go-jose is on GitHub, but 
> there is no security advisory issued
>  - https://www.cvedetails.com/cve/CVE-2019-14255/ go-camo issued a GitHub 
> security advisory
> 
> IMHO, it would be useful to have an official security bug database for the Go 
> ecosystem, e.g. security.golang.org.
> 
> 
> Thanks
> Manlio Perillo
> 
> 
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/golang-nuts/900e05da-303f-4bf0-99e2-e3a24773da82%40googlegroups.com.
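The scanner Manlio sketches above, written out as an added example (it is not code from this thread or from any Go project): it reads the module list the linker embeds in a Go binary via debug/buildinfo, matches it against a small machine-readable advisory list, and derives the two lookup keys the message describes (last path segment for a CVE search, owner/name for GitHub-hosted modules). The advisory records, module paths and version ranges are constructed placeholders, not real advisories; the semver comparison is a deliberately small hand-written one so the example has no dependencies outside the standard library.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Advisory is one record of the machine-readable database the thread asks for.
// The range is [Introduced, Fixed); "" means unbounded on that side.
type Advisory struct {
	ID         string // placeholder identifier (a real database would carry CVE/GHSA ids)
	Module     string // module path exactly as recorded in the binary
	Introduced string
	Fixed      string
}

// sampleAdvisories is constructed for illustration only.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2020-0001", Module: "example.com/vulnlib", Fixed: "v1.4.0"},
	{ID: "EXAMPLE-2020-0002", Module: "example.com/other", Introduced: "v2.0.0"},
}

// Finding pairs a linked module with the advisory it matches.
type Finding struct{ Path, Version, AdvisoryID string }

// parseVersion splits "v1.2.3-pre+meta" into numeric parts and the pre-release tag.
func parseVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata (e.g. +incompatible) is ignored
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 { // pseudo-versions land here too
		pre, v = v[i+1:], v[:i]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// compareVersions orders two versions (-1, 0, 1). A pre-release or pseudo-version
// sorts below the same release, so v1.4.0-0.2020... is still before the fix v1.4.0.
func compareVersions(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1
		} else if an[i] > bn[i] {
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// affected reports whether version v lies inside the advisory's range.
func (a Advisory) affected(v string) bool {
	if a.Introduced != "" && compareVersions(v, a.Introduced) < 0 {
		return false
	}
	return a.Fixed == "" || compareVersions(v, a.Fixed) < 0
}

// dep builds a module record the way the linker records it (for tests; real
// input comes from buildinfo.ReadFile).
func dep(path, version string) *debug.Module { return &debug.Module{Path: path, Version: version} }

// findVulnerable matches the binary's module list against the advisories. A
// replace directive is honoured, because the replacement is what actually got linked.
func findVulnerable(mods []*debug.Module, advs []Advisory) []Finding {
	var out []Finding
	for _, m := range mods {
		if m.Replace != nil {
			m = m.Replace
		}
		for _, a := range advs {
			if a.Module == m.Path && a.affected(m.Version) {
				out = append(out, Finding{m.Path, m.Version, a.ID})
			}
		}
	}
	return out
}

func isMajorSuffix(s string) bool { // "/v2"-style major version path element
	if len(s) < 2 || s[0] != 'v' {
		return false
	}
	_, err := strconv.Atoi(s[1:])
	return err == nil
}

// queryKeys derives the lookup keys described in the message: the last path
// segment (major-version suffix dropped) for a CVE-database search, and the
// owner/name repository when the module is hosted on GitHub. For other hosts
// the repository is not recoverable from the path alone.
func queryKeys(modulePath string) (cveName, githubRepo string) {
	parts := strings.Split(modulePath, "/")
	if len(parts) > 1 && isMajorSuffix(parts[len(parts)-1]) {
		parts = parts[:len(parts)-1]
	}
	cveName = parts[len(parts)-1]
	if strings.HasPrefix(modulePath, "github.com/") && len(parts) >= 3 {
		githubRepo = parts[1] + "/" + parts[2]
	}
	return cveName, githubRepo
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: modscan <go-binary>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // module list embedded by the linker
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findVulnerable(info.Deps, sampleAdvisories) {
		name, repo := queryKeys(f.Path)
		fmt.Printf("%s %s: %s (cve key %q, github %q)\n", f.Path, f.Version, f.AdvisoryID, name, repo)
	}
}
```

Run it as `modscan ./some-binary`; an empty result only means none of the embedded modules fall into a listed range, which is exactly why the thread wants the advisory list itself to be official and well maintained rather than a hand-curated table like the one above.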
