Security: Vulnerability scanner for Google Go is launched

Google has released the Govulncheck tool and the associated API in version 1.0, so both are now considered stable. The command line tool, first presented in autumn 2022, examines the dependencies of Go projects for known vulnerabilities.

Its basis is the Go Vulnerability Database, which records vulnerabilities in public Go modules. The information comes from public sources such as the Common Vulnerabilities and Exposures (CVE) list and the GitHub Security Advisories (GHSA), from reports by the maintainers of Go packages, and from the security fixes of the Go project itself. The records are served from the vuln.go.dev database. The command line tool, the extension for Visual Studio Code and the Go Package page all use this information to warn about vulnerabilities. To avoid false positives, the Go security team curates the database.

For the JavaScript package manager npm, a vulnerability check command, npm audit, has existed since version 6.0. At least in its early days, however, it had a reputation for producing far too many false alarms.

Command Line, API and Extension

Govulncheck is a command line tool that can scan both source code and compiled binaries for dependencies with vulnerabilities. If one of the dependencies has a vulnerability, the tool additionally checks whether the project actually uses the affected function, which is intended to prevent false positives.

Alongside Govulncheck, the associated API for integration into external tools such as security scanners has also reached stable version 1.0. It provides the same functionality as the command. The extension for Visual Studio Code, which Google likewise announced in autumn 2022, now has a good 10 million installations; a tutorial is intended to help with getting started. The extension shows details of known vulnerabilities in project dependencies directly in the Visual Studio Code editor.

The database can also be queried directly via an HTTP GET API. In addition, the Go team is providing a GitHub action for Govulncheck, marked as experimental, that teams can use to integrate vulnerability scanning into their CI/CD (continuous integration, continuous delivery) pipelines. More details about Govulncheck, the vulnerability database and the APIs can be found on the Go blog. (rme)
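The two checks described above (is the dependency version inside an advisory's affected range, and does the project actually call one of the affected symbols) are the core of what distinguishes Govulncheck from a plain version-list match. The following Go program is an added example, not code from the Go project or from Govulncheck: it evaluates a constructed OSV-style advisory (placeholder ID, placeholder module path, assumed field layout modelled on the vuln.go.dev records) against a dependency version and a hand-written set of symbols the project uses. Govulncheck derives that symbol set from static call-graph analysis; here it is simply passed in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// OSV is a minimal subset of an advisory record. The field layout is an
// assumption modelled on the OSV format used by vuln.go.dev.
type OSV struct {
	ID       string     `json:"id"`
	Summary  string     `json:"summary"`
	Affected []Affected `json:"affected"`
}

type Affected struct {
	Package struct {
		Name string `json:"name"` // Go module path
	} `json:"package"`
	Ranges []struct {
		Type   string `json:"type"`
		Events []struct {
			Introduced string `json:"introduced,omitempty"`
			Fixed      string `json:"fixed,omitempty"`
		} `json:"events"`
	} `json:"ranges"`
	EcosystemSpecific struct {
		Imports []struct {
			Path    string   `json:"path"`
			Symbols []string `json:"symbols"`
		} `json:"imports"`
	} `json:"ecosystem_specific"`
}

// sampleRecord is a constructed advisory with placeholder ID and module path.
const sampleRecord = `{
  "id": "GO-0000-0000",
  "summary": "Constructed example: unbounded allocation in example.com/parse",
  "affected": [{
    "package": {"name": "example.com/parse"},
    "ranges": [{"type": "SEMVER", "events": [
      {"introduced": "0"}, {"fixed": "v1.2.3"},
      {"introduced": "v1.4.0"}, {"fixed": "v1.4.2"}
    ]}],
    "ecosystem_specific": {"imports": [
      {"path": "example.com/parse", "symbols": ["Decode", "decodeFrame"]}
    ]}
  }]
}`

// compareSemver orders vMAJOR.MINOR.PATCH strings; "0" sorts before everything.
// Pre-release suffixes are dropped for brevity; a real scanner must rank them.
func compareSemver(a, b string) int {
	parse := func(v string) [3]int {
		var out [3]int
		if v == "0" || v == "" {
			return out
		}
		v = strings.TrimPrefix(v, "v")
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			v = v[:i]
		}
		for i, p := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(p)
		}
		return out
	}
	pa, pb := parse(a), parse(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// versionAffected walks the sorted OSV events and reports whether version lies
// inside one of the [introduced, fixed) windows for the given module.
func versionAffected(rec OSV, module, version string) bool {
	for _, a := range rec.Affected {
		if a.Package.Name != module {
			continue
		}
		for _, r := range a.Ranges {
			if r.Type != "SEMVER" {
				continue
			}
			inWindow := false
			for _, e := range r.Events {
				if e.Introduced != "" && compareSemver(version, e.Introduced) >= 0 {
					inWindow = true
				}
				if e.Fixed != "" && compareSemver(version, e.Fixed) >= 0 {
					inWindow = false
				}
			}
			if inWindow {
				return true
			}
		}
	}
	return false
}

// symbolsReachable returns the affected symbols the project actually references,
// keyed by import path; an empty result turns a version hit into informational noise.
func symbolsReachable(rec OSV, used map[string][]string) []string {
	var hits []string
	for _, a := range rec.Affected {
		for _, imp := range a.EcosystemSpecific.Imports {
			for _, sym := range imp.Symbols {
				for _, u := range used[imp.Path] {
					if u == sym {
						hits = append(hits, imp.Path+"."+sym)
					}
				}
			}
		}
	}
	return hits
}

// Assess combines both checks and returns a finding, or "" if nothing applies.
func Assess(module, version string, used map[string][]string) (string, error) {
	var rec OSV
	if err := json.Unmarshal([]byte(sampleRecord), &rec); err != nil {
		return "", err
	}
	if !versionAffected(rec, module, version) {
		return "", nil
	}
	hits := symbolsReachable(rec, used)
	if len(hits) == 0 {
		return fmt.Sprintf("%s: %s@%s is in an affected range but no vulnerable symbol is used (informational)", rec.ID, module, version), nil
	}
	return fmt.Sprintf("%s: %s@%s calls vulnerable symbol(s) %s; upgrade to a fixed version", rec.ID, module, version, strings.Join(hits, ", ")), nil
}

func main() {
	used := map[string][]string{"example.com/parse": {"Decode"}} // constructed call set
	for _, v := range []string{"v1.1.0", "v1.3.0", "v1.4.1"} {
		msg, err := Assess("example.com/parse", v, used)
		if err != nil {
			panic(err)
		}
		if msg == "" {
			msg = v + ": not affected"
		}
		fmt.Println(msg)
	}
}
```

The sequential walk over events relies on OSV's rule that events are sorted, which lets two separate affected windows (here below v1.2.3 and again between v1.4.0 and v1.4.2) be expressed in one range. Splitting the decision into a version check and a symbol check mirrors why Govulncheck reports fewer false alarms than a pure manifest scan: a vulnerable dependency whose affected function is never called is surfaced as informational rather than as a blocking finding.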
