Scan for vulnerabilities in Go binaries caused by vulnerable versions of the std library
Proposal
Packages from the Go standard library can be susceptible to vulnerabilities just like any other dependency, and so they should be analyzed during a security scan. The Go project publishes advisories for these vulnerabilities, which makes such analysis possible; these advisories are stored in our advisory database (CVE-2023-39325 is one example). Trivy already covers this as part of container scanning and reports these vulnerabilities in the container-scanning report when a Go binary is present in the image.
This proposal covers the addition of Go std library package scanning as part of continuous vulnerability scanning.
Additional info
This could be done via existing solutions like Trivy, or via the Go toolchain, which also supports Go binary analysis, albeit with some caveats. Specifically, it supports analysis of binaries that include DWARF debugging symbols and a symbol table. This is the default for binaries built by go build, but both can be disabled by passing the appropriate linker flags:
$ go doc cmd/link
...
-s
Omit the symbol table and debug information.
...
-w
Omit the DWARF symbol table.
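As an added example (not part of the proposal, and not Trivy's or the Go toolchain's own code), the following Go program reads the Go version recorded in a binary's embedded build info, which the linker stores separately from the symbol table and DWARF data that -s and -w remove, and checks it against an advisory's fix releases. The fix releases for CVE-2023-39325 are supplied as an illustrative input; they are not taken from this page.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// GoVersionOf returns the toolchain version recorded in a Go binary's embedded
// build info (what `go version -m` prints); it is still present after -s -w.
func GoVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// verKey maps "go1.21.3" to the comparable integer 1*1e6 + 21*1e3 + 3.
func verKey(v string) int {
	key := 0
	for i, part := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		var n int
		fmt.Sscanf(part, "%d", &n) // stops at suffixes such as "rc1"; a missing patch stays 0
		key += n * []int{1000000, 1000, 1}[i]
	}
	return key
}

// VulnerableStd reports whether goVersion falls in an advisory's affected range,
// given the advisory's fix release for each minor line (e.g. go1.20.10, go1.21.3).
func VulnerableStd(goVersion string, fixed []string) bool {
	v, oldest := verKey(goVersion), int(^uint(0)>>1)
	for _, f := range fixed {
		fk := verKey(f)
		if fk/1000 == v/1000 { // same major.minor line: affected below the fix
			return v < fk
		}
		if fk < oldest {
			oldest = fk
		}
	}
	return v < oldest // older than every fixed line: unpatched; newer: clean
}

func main() {
	fixed := []string{"go1.20.10", "go1.21.3"} // illustrative input for CVE-2023-39325
	for _, p := range os.Args[1:] {
		v, err := GoVersionOf(p)
		fmt.Println(p, v, err, "vulnerable:", err == nil && VulnerableStd(v, fixed))
	}
}
```

This gives package-level detection that works on stripped binaries; the symbol table the text mentions is what finer-grained, function-level analysis needs.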