proposal: cmd/go: add "go mod audit" subcommand

[ElijahPepe]

Related to #54438, this proposal regards the audit subcommand in go mod.

Arguably a simple subcommand, the implementation in #54438 uses the already existing vuln.go.dev database to list known vulnerabilities. One drawback of this implementation is that it doesn't account for non-golang.org modules, although this is something for the API itself, not the subcommand.

[seankhliao]

The implementation looks like it will generate quite a few false positives, compared to x/vuln/cmd/govulncheck, as well as being less useful.

It would be better to focus efforts there, it can graduate to a go subcommand at a later date

[ElijahPepe]

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

[seankhliao]

call graph traversal vs everything in a module, suppport for multiple vulndb servers, reporting for the standard library

[robpike]

There is also the Open Source Insights service at https://deps.dev, which aims to be more comprehensive.

[seankhliao]

cc @golang/vulndb

[gopherbot]

Change https://go.dev/cl/423615 mentions this issue: cmd/go: implement go mod audit

[zpavlinovic]

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

govulncheck can detect calls to vulnerable symbols (functions or methods). It constructs a call graph and tries to figure out what vulnerable functions and methods are transitively called from entry points (inits, main, exported functions/methods). It then communicates a description of a call stack witnessing the finding. Detection at this level of granularity is more precise, because a vulnerable symbol can be imported (or its module) but that does not mean it is actually used. govulncheck uses the vuln.go.dev db by default, but more dbs can be added.

govulncheck is built on top of vulncheck library, which also supports less expensive detection of vulnerable imports only. More information can also be found here.

If you want to add a sub-command like in https://go.dev/cl/423615, this will have to go through a proposal process.

Is there anything you'd like to have that govulncheck does not support?

[ElijahPepe]

I was not aware of the existence of govulncheck prior to making this proposal/pull request, but natively supporting module auditing within Go is still an important feature. If go mod audit is missing features in comparison to govulncheck, then those features should be added (i.e. call graph traversal, which I see as a much better implementation of this rather than checking go.sum).

[rolandshoemaker]

The goal of govulncheck is to develop a tool which can be eventually be rolled into the standard Go toolchain, it is being developed as a separate tool, for now, so that we can gain UX knowledge before directly integrating it.