Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: cmd/go: add "go mod audit" subcommand #54443

Closed
ElijahPepe opened this issue Aug 13, 2022 · 13 comments
Closed

proposal: cmd/go: add "go mod audit" subcommand #54443

ElijahPepe opened this issue Aug 13, 2022 · 13 comments
Labels
Milestone

Comments

@ElijahPepe
Copy link

Related to #54438, this proposal regards the audit subcommand in go mod.

Arguably a simple subcommand, the implementation in #54438 uses the already existing vuln.go.dev database to list known vulnerabilities. One drawback of this implementation is that it doesn't account for non-golang.org modules, although this is something for the API itself, not the subcommand.

@gopherbot gopherbot added this to the Proposal milestone Aug 13, 2022
@seankhliao
Copy link
Member

The implementation looks like it will generate quite a few false positives, compared to x/vuln/cmd/govulncheck, as well as being less useful.

It would be better to focus efforts there, it can graduate to a go subcommand at a later date

@ElijahPepe
Copy link
Author

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

@seankhliao
Copy link
Member

call graph traversal vs everything in a module, suppport for multiple vulndb servers, reporting for the standard library

@robpike
Copy link
Contributor

robpike commented Aug 13, 2022

There is also the Open Source Insights service at https://deps.dev, which aims to be more comprehensive.

@seankhliao
Copy link
Member

cc @golang/vulndb

@ianlancetaylor ianlancetaylor changed the title proposal: go mod audit proposal: cmd/go: add "go mod audit" subcommand Aug 14, 2022
@gopherbot
Copy link

Change https://go.dev/cl/423615 mentions this issue: cmd/go: implement go mod audit

@zpavlinovic
Copy link
Contributor

zpavlinovic commented Aug 15, 2022

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

govulncheck can detect calls to vulnerable symbols (functions or methods). It constructs a call graph and tries to figure out what vulnerable functions and methods are transitively called from entry points (inits, main, exported functions/methods). It then communicates a description of a call stack witnessing the finding. Detection at this level of granularity is more precise, because a vulnerable symbol can be imported (or its module) but that does not mean it is actually used. govulncheck uses the vuln.go.dev db by default, but more dbs can be added.

govulncheck is built on top of vulncheck library, which also supports less expensive detection of vulnerable imports only. More information can also be found here.

If you want to add a sub-command like in https://go.dev/cl/423615, this will have to go through a proposal process.

Is there anything you'd like to have that govulncheck does not support?

@ElijahPepe
Copy link
Author

I was not aware of the existence of govulncheck prior to making this proposal/pull request, but natively supporting module auditing within Go is still an important feature. If go mod audit is missing features in comparison to govulncheck, then those features should be added (i.e. call graph traversal, which I see as a much better implementation of this rather than checking go.sum).

@rolandshoemaker
Copy link
Member

The goal of govulncheck is to develop a tool which can be eventually be rolled into the standard Go toolchain, it is being developed as a separate tool, for now, so that we can gain UX knowledge before directly integrating it.

@seankhliao
Copy link
Member

I think it's clear from the above that something like this will happen in the future, but the open PR and this proposal to support it isn't there yet.

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Aug 17, 2022
@rsc
Copy link
Contributor

rsc commented Mar 29, 2023

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@seankhliao
Copy link
Member

@rsc should this be active or retracted?

@rsc
Copy link
Contributor

rsc commented Apr 6, 2023

This proposal has been declined as infeasible.
— rsc for the proposal review group

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

7 participants