Vulnerability Management for Go

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

    This is really cool to see because this is the #1 problem with current tools (as you said). I call it "alert fatigue" in my head because it's meaningless when you have 100+ vulns to fix but they're 99% unexploitable.

    I have a bit of a bone to pick with this space: I've been working on this problem for a few months now (link to repo[0] and blog[1]).

    My background is Application Security and, as is often the case with devs, rage fuels me in my desire to fix this space. Log4Shell helped too.

    As another comment said, doing this in a language agnostic way is a big PITA and we haven't fully built it yet. We are using SemGrep to do very basic static analysis (see if vulnerable function is ever imported + called). But we're not doing fancy Inter-process taint analysis like CodeQL can.

    (We have a big Merkle tree that represents the dependency tree and that's how we are able to make the CI/CD check take only a few seconds because we can pre-compute.)

    Anyway, if you have a second to help, we have a GitHub App[1] that you can install to test this out + help us find bugs. It's best at NPM now but we have basic support for other languages (no dep tree analysis yet).

    There are so many edge cases with the ways that repos are set up, so just having more scans coming in helps a ton. (Well, it breaks stuff, but we already determined that rage sustains me.)

    Thank you. climbs off of soap box

    0: https://github.com/lunasec-io/lunasec

    1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...

    2: https://github.com/marketplace/lunatrace-by-lunasec

  • components-contrib

    Community driven, reusable components for distributed apps

    This is super helpful for me as a Dapr maintainer (we have a ton of third party integrations we compile into our binary). Found and upgraded a vulnerable dependency and then quickly added this check to our CI/CD workflow.

    https://github.com/dapr/components-contrib/pull/2054

  • go

    The Go programming language

    It's important to read the caveats: https://github.com/golang/go/blob/master/src/cmd/link/intern..., the most important of which is:

      // The third case is handled by looking to see if any of:

  • gosec

    Go security checker

    What's the difference between this and https://github.com/securego/gosec?

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.


Did you know that Go is the 4th most popular programming language based on number of mentions?