Vulnerability Management for Go

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Golang Security programming-language UI Components Kafka

InfluxDB
Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

    • This is really cool to see because this is the #1 problem with current tools (as you said). I call it "alert fatigue" in my head because it's meaningless when you have 100+ vulns to fix but they're 99% unexploitable.

    I have a bit of a bone to pick with this space: I've been working on this problem for a few months now (link to repo[0] and blog[1]).

    My background is Application Security and, as is often the case with devs, rage fuels me in my desire to fix this space. Log4Shell helped too.

    As another comment said, doing this in a language agnostic way is a big PITA and we haven't fully built it yet. We are using SemGrep to do very basic ststic analysis (see if vulnerable function is ever imported + called). But we're not doing fancy Inter-process taint analysis like CodeQL can.

    (We have a big Merkle tree that represents the dependency tree and that's how we are able to make the CI/CD check take only a few seconds because we can pre-compute.)

    Anyway, if you have a second to help, we have a GitHub App[1] that you can install to test this out + help us find bugs. It's best at NPM now but we have basic support for other languages (no dep te analysis yet).

    There are so many edge cases with the ways that repos are setup so just have more scans coming in helps a ton. (Well, it breaks stuff, but we already determined that rage sustains me.)

    Thank you. climbs off of soap box

    0: https://github.com/lunasec-io/lunasec

    1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...

    2: https://github.com/marketplace/lunatrace-by-lunasec

  • components-contrib

    Community driven, reusable components for distributed apps

    • This is super helpful for me as a Dapr maintainer (we have a ton of third party integrations we compile into our binary). Found and upgraded a vulnerable dependency and then quickly added this check to our CI/CD workflow.

    https://github.com/dapr/components-contrib/pull/2054

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • go

    The Go programming language

    • It's important to read the caveats: https://github.com/golang/go/blob/master/src/cmd/link/intern..., the most important of which is:

      // The third case is handled by looking to see if any of:

  • gosec

    Go security checker

    • What's the difference between this a https://github.com/securego/gosec?

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts