The Go security team has announced a new vulnerability management project, designed to help Go developers understand which known vulnerabilities may affect them.

The project consists of three parts:

  • Vulnerability Data Sources
  • Go Vulnerability Database
  • Tools & Integrations

The Go Vulnerability Database (https://vuln.go.dev) is a comprehensive source of information on known vulnerabilities in importable packages in public Go modules. Its data comes from upstream sources such as CVE and GHSA, as well as direct reports from Go package maintainers. Each entry is reviewed by the Go security team before it is added to the database.

Anyone can browse the Go Vulnerability Database directly at https://pkg.go.dev/vuln/. For more information on the database, see go.dev/security/vuln/database.

The new govulncheck command lets Go developers learn about known vulnerabilities that may affect their projects. Rather than flagging every dependency with a known issue, govulncheck analyzes the code base and reports only the vulnerabilities whose vulnerable functions are actually reachable from the project's code through its call graph. To start using govulncheck, install it with the first command below (it is placed in $GOBIN, which defaults to $GOPATH/bin) and then run it from the root of your module; the ./... pattern covers every package in the module:

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...
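The distinction govulncheck draws is between a vulnerable dependency that merely appears in your module graph and one whose vulnerable function your code can actually reach. The following is an added example, not code from the page or from the govulncheck project: a deliberately coarse call-graph reachability check written against the standard library's go/parser and go/ast. The module example.com/vulnpkg, its function Parse and both sample programs are constructed for illustration. govulncheck's real analysis works on type-checked SSA from golang.org/x/tools and resolves interface and dynamic calls, which this toy does not attempt.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// callGraph maps each top-level function declared in a file to the callees it
// invokes directly. Bare calls are keyed "Func"; package-qualified calls are
// keyed "pkg.Func", which is how the hypothetical "vulnpkg.Parse" appears.
type callGraph map[string][]string

// buildCallGraph parses Go source text and records direct call edges. It does
// not resolve types, method values, interface dispatch or function values
// (govulncheck's real analysis does); it only illustrates the reachability idea.
func buildCallGraph(src string) (callGraph, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "example.go", src, 0)
	if err != nil {
		return nil, err
	}
	g := callGraph{}
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		caller := fn.Name.Name
		g[caller] = nil // record leaf functions too
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			switch fun := call.Fun.(type) {
			case *ast.Ident:
				g[caller] = append(g[caller], fun.Name)
			case *ast.SelectorExpr:
				if pkg, ok := fun.X.(*ast.Ident); ok {
					g[caller] = append(g[caller], pkg.Name+"."+fun.Sel.Name)
				}
			}
			return true
		})
	}
	return g, nil
}

// reachable walks the graph breadth-first from root and returns the first call
// path ending at target (root first), or nil if target cannot be reached.
func reachable(g callGraph, root, target string) []string {
	type item struct {
		name string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, callee := range g[cur.name] {
			path := append(append([]string(nil), cur.path...), callee) // copy, no aliasing
			if callee == target {
				return path
			}
			if !seen[callee] {
				seen[callee] = true
				queue = append(queue, item{callee, path})
			}
		}
	}
	return nil
}

// analyze parses src and reports the call path from root to target, if any.
func analyze(src, root, target string) ([]string, error) {
	g, err := buildCallGraph(src)
	if err != nil {
		return nil, err
	}
	return reachable(g, root, target), nil
}

// Constructed sample (hypothetical module and function): main reaches
// vulnpkg.Parse through handler, so this program is affected.
const affectedSrc = `package main

import "example.com/vulnpkg"

func handler(s string) { vulnpkg.Parse(s) }

func main() { handler("input") }
`

// Constructed sample: vulnpkg is still a dependency and Parse is still called,
// but only from a function nothing reachable from main ever invokes. A plain
// dependency-list scanner flags this; a call-graph check does not.
const unaffectedSrc = `package main

import "example.com/vulnpkg"

func unused(s string) { vulnpkg.Parse(s) }

func main() { println("hello") }
`

func main() {
	for _, s := range []struct{ name, src string }{{"affected", affectedSrc}, {"unaffected", unaffectedSrc}} {
		path, err := analyze(s.src, "main", "vulnpkg.Parse")
		if err != nil {
			panic(err)
		}
		if path == nil {
			fmt.Printf("%s: vulnpkg.Parse is not reachable from main\n", s.name)
			continue
		}
		fmt.Printf("%s: reachable via %s\n", s.name, strings.Join(path, " -> "))
	}
}
```

Running the block reports a path main -> handler -> vulnpkg.Parse for the first sample and no path for the second, which is the difference between a finding govulncheck would surface and a dependency it would merely note. The real tool also handles the cases this toy ignores, such as calls through interfaces or function values, so an unreachable result here is not a substitute for running govulncheck itself.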

govulncheck is currently a standalone tool; the team plans to integrate it into the main Go distribution in the future. In the meantime, the Go security team has already integrated vulnerability detection into existing Go tools and services, such as the Go package discovery site: for example, the pkg.go.dev page for golang.org/x/text lists the known vulnerabilities affecting each version of that module.

Finally, the vulnerability detection feature of the VS Code Go extension is also coming soon.
