Go 的漏洞管理

Vulnerability Management for Go - go 的漏洞管理

原文:https://go.dev/blog/vuln

Julie Qiu, for the Go security team 6 September 2022

We are excited to announce Go’s new support for vulnerability management, our first step towards helping Go developers learn about known vulnerabilities that may affect them.

我们很高兴地宣布Go对漏洞管理的新支持,这是我们为帮助Go开发者了解可能影响他们的已知漏洞而迈出的第一步。

This post provides an overview of what’s available today and next steps for this project.

这篇文章概述了目前可用的功能,以及这个项目的下一步计划。

Overview 概述

Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.

Go 提供了用于分析代码库和浮现已知漏洞的工具。该工具由 Go 安全团队策划的 Go 漏洞数据库提供支持。Go 的工具只浮现代码实际调用的函数中的漏洞,从而减少结果中的噪音。

Architecture diagram of Go’s vulnerability management system

Architecture diagram of Go’s vulnerability management system

Go 漏洞管理系统的架构图

Go vulnerability database Go 漏洞数据库

The Go vulnerability database (https://vuln.go.dev) is a comprehensive source of information about known vulnerabilities in importable packages in public Go modules.

Go 漏洞数据库(https://vuln.go.dev)是一个全面的信息来源,其中包括公共 Go 模块中可导入包的已知漏洞。

Vulnerability data comes from existing sources (such as CVEs and GHSAs) and direct reports from Go package maintainers. This information is then reviewed by the Go security team and added to the database.

漏洞数据来自于现有的资源(如CVEs和GHSAs)和Go软件包维护者的直接报告。这些信息会被Go安全团队审查并添加到数据库中。

We encourage package maintainers to contribute information about public vulnerabilities in their own projects and update existing information about vulnerabilities in their Go packages. We aim to make reporting a low friction process, so please send us your suggestions for any improvements.

我们鼓励软件包维护者贡献他们自己项目中的公共漏洞信息,并更新他们的Go软件包中的现有漏洞信息。我们的目标是使报告成为一个低摩擦的过程,所以请将您的改进建议发送给我们。

The Go vulnerability database can be viewed in your browser at pkg.go.dev/vuln. For more information about the database, see go.dev/security/vuln/database.

可以在浏览器中查看 Go 漏洞数据库,网址是 pkg.go.dev/vuln。关于数据库的更多信息,请参见go.dev/security/vuln/数据库。

Vulnerability detection using govulncheck 使用govulncheck进行漏洞检测

The new govulncheck command is a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. To start using govulncheck, you can run the following from your project:

新的 govulncheck 命令是一种低噪音、可靠的方法,让 Go 用户了解可能影响其项目的已知漏洞。Govulncheck会分析您的代码库,并根据您的代码中的哪些函数正在调用易受攻击的函数,只浮出对您有实际影响的漏洞。要开始使用govulncheck,您可以在您的项目中运行以下程序:

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...

Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.

Govulncheck是一个独立的工具,在我们收集用户反馈的同时,允许频繁更新和快速迭代。从长远来看,我们计划将govulncheck工具整合到主要的Go发行版中。

To directly integrate vulnerability checking into other tools and processes, the vulncheck package exports govulncheck’s functionality as a Go API.

为了将漏洞检查直接集成到其他工具和流程中,vulncheck包将govulncheck的功能作为Go API导出。

Integrations 集成

It’s always better to learn about vulnerabilities as early as possible in the development and deployment process. To that end, we have integrated vulnerability detection into existing Go tools and services, such as the Go package discovery site. For example, this page shows the known vulnerabilities in each version of golang.org/x/text. Vulnerability checking functionality through the VS Code Go extension is also coming soon.

在开发和部署过程中,尽早了解漏洞总是更好的。为此,我们将漏洞检测集成到现有的 Go 工具和服务中,例如 Go 包发现网站。例如,这个页面显示了golang.org/x/text每个版本中的已知漏洞。通过VS Code Go扩展的漏洞检查功能也即将推出。

Next Steps 接下来的步骤

We hope you’ll find Go’s support for vulnerability management useful and help us improve it!

我们希望您会发现 Go 对漏洞管理的支持是有用的,并帮助我们改进它!

Go’s support for vulnerability management is a new feature that is under active development. You should expect some bugs and limitations.

Go对漏洞管理的支持是一项新功能,目前正在积极开发中。您应该期待一些错误和限制。

We would love for you to contribute and help us make improvements in the following ways:

我们希望您能通过以下方式做出贡献并帮助我们进行改进:

  • Contribute new and update existing information about public vulnerabilities for Go packages that you maintain 为您所维护的Go软件包贡献新的和更新现有的公共漏洞信息。
  • Take this survey to share your experience using govulncheck 参加这个调查,分享您使用govulncheck的经验
  • Send us feedback about issues and feature requests 向我们发送关于问题和功能请求的反馈

We are excited to work with you to build a better and more secure Go ecosystem.

我们很高兴能与您合作,建立一个更好、更安全的Go生态系统。

最后修改 October 10, 2024: 更新 (a4b8f85)