Go programming language arrives at security warnings that are useful

Low-noise tool hopes to highlight vulnerabilities imported into projects


The open source Go programming language, developed by Google, has added support for vulnerability management in a way designed to preserve programmers' patience.

The Go team recently set up a website at vuln.go.dev to host a selection of known vulnerabilities in packages that can be imported from public Go modules. These chosen vulnerabilities have been curated and reviewed by the Go security team, based on CVEs, GitHub Security Advisories, and reports from maintainers.

Presumably, this results in a high-quality database of flaws because the inconsequential issues have been filtered out. But there's more to it than selectivity.

On Tuesday, Julie Qiu, a member of that team, described Go's approach, which is notably different from, say, the way GitHub's npm CLI handles vulnerabilities in the JavaScript ecosystem.

Back in 2018, before its acquisition by GitHub, npm introduced an audit command to find npm packages with known vulnerabilities in apps that rely on npm for package management.

But using npm audit proved problematic because it flooded developers with false alarms, prompting Facebook software engineer Dan Abramov last year to declare, "npm audit is a stain on the entire npm ecosystem."

Though npm has seen some improvements since then, npm's overeager vulnerability reporting appears to remain unresolved.

Go, on the other hand, has implemented a more targeted approach with its govulncheck command, which in conjunction with vuln.go.dev serves as "a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects."

And there's also the related vulncheck package which exports govulncheck’s functionality as a Go API, for integration with security tools.

"Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions," said Qiu in a blog post.

The package documentation explains that govulncheck "uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."

That bit about low-noise and alerting developers only to relevant vulnerabilities is the key. It means fewer false alarms, though it won't necessarily eliminate them entirely. The documentation for the command states that the code's conservative approach to function pointer and interface calls "may result in false positives or inaccurate call stacks in some cases," among other limitations.
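To make the distinction between the two kinds of scanner concrete, here is an added Go example (not code from the Go team or from govulncheck itself) that models both approaches over a constructed call graph. A go.sum-style scanner matches on required modules alone, so it reports every advisory for every dependency; a call-graph scanner first computes which functions are transitively reachable from `main.main` and reports only advisories whose vulnerable symbols are in that set. The sample also records an interface call conservatively, listing every implementation as a possible callee, which is why one finding (`GO-EXAMPLE-0003`) survives even though only one implementation may ever run: that is the kind of false positive the documentation warns about. All module paths, function names and advisory IDs here are made up for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Vuln is a constructed advisory record: the module it applies to and the
// fully qualified functions it identifies as vulnerable. It is not an entry
// from vuln.go.dev.
type Vuln struct {
	ID      string
	Module  string
	Symbols []string
}

// CallGraph maps a function to the functions it may call. Interface and
// function-pointer calls are recorded conservatively, with every possible
// implementation listed as a callee.
type CallGraph map[string][]string

// Reachable returns every function transitively reachable from the entries.
func Reachable(g CallGraph, entries []string) map[string]bool {
	seen := map[string]bool{}
	stack := append([]string(nil), entries...)
	for len(stack) > 0 {
		fn := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[fn] {
			continue
		}
		seen[fn] = true
		stack = append(stack, g[fn]...)
	}
	return seen
}

// ModuleLevelFindings mimics a go.sum-based scanner: any advisory for a
// required module is reported, whether or not the code calls into it.
func ModuleLevelFindings(required []string, vulns []Vuln) []string {
	req := map[string]bool{}
	for _, m := range required {
		req[m] = true
	}
	var ids []string
	for _, v := range vulns {
		if req[v.Module] {
			ids = append(ids, v.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// CallLevelFindings reports only advisories whose vulnerable symbols are
// reachable from the program's entry points.
func CallLevelFindings(g CallGraph, entries []string, vulns []Vuln) []string {
	reach := Reachable(g, entries)
	var ids []string
	for _, v := range vulns {
		for _, s := range v.Symbols {
			if reach[s] {
				ids = append(ids, v.ID)
				break
			}
		}
	}
	sort.Strings(ids)
	return ids
}

// sampleGraph is a constructed call graph: parse.Decode is called directly,
// render.Escape is imported but never called, and Formatter.Format is an
// interface call whose two implementations are both recorded as callees.
func sampleGraph() CallGraph {
	return CallGraph{
		"main.main":                           {"main.handle", "example.com/parse.Decode"},
		"main.handle":                         {"example.com/fmtlib.Formatter.Format"},
		"example.com/fmtlib.Formatter.Format": {"example.com/fmtlib.Plain.Format", "example.com/fmtlib.HTML.Format"},
		"example.com/fmtlib.HTML.Format":      {"example.com/fmtlib.escape"},
		"example.com/parse.Decode":            {"example.com/parse.readHeader"},
	}
}

// sampleVulns holds three constructed advisories, one per dependency.
func sampleVulns() []Vuln {
	return []Vuln{
		{ID: "GO-EXAMPLE-0001", Module: "example.com/parse", Symbols: []string{"example.com/parse.Decode"}},
		{ID: "GO-EXAMPLE-0002", Module: "example.com/render", Symbols: []string{"example.com/render.Escape"}},
		{ID: "GO-EXAMPLE-0003", Module: "example.com/fmtlib", Symbols: []string{"example.com/fmtlib.escape"}},
	}
}

func main() {
	required := []string{"example.com/parse", "example.com/render", "example.com/fmtlib"}
	fmt.Println("module-level:", ModuleLevelFindings(required, sampleVulns()))
	fmt.Println("call-level:  ", CallLevelFindings(sampleGraph(), []string{"main.main"}, sampleVulns()))
}
```

Run as written, the module-level scan lists all three advisories while the call-level scan lists only `GO-EXAMPLE-0001` and `GO-EXAMPLE-0003`; `GO-EXAMPLE-0002` drops out because nothing reaches `render.Escape`. Whether `GO-EXAMPLE-0003` is a true positive depends on which `Formatter` is used at runtime, which static analysis cannot always decide, hence the conservative edge.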

Even so, this should be a significant improvement over the way current Go vulnerability scanners rely on go.sum files to check the cryptographic hashes of Go modules. ®
