What is Govuln?
Govuln is the new Go vulnerability database.
How to install govulncheck
govulncheck is the command-line tool that queries the database and checks your code against it. Install it with:
go install golang.org/x/vuln/cmd/govulncheck@latest
Then run it inside your project:
govulncheck .
It searches your dependencies for vulnerable packages. Here is an example of the output:
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
=== Informational ===
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-1095
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
Found in: syscall@go1.19.1
Fixed in: syscall@go1.19.3
More info: https://pkg.go.dev/vuln/GO-2022-1095
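The advisory above describes how an environment entry such as "A=B\x00C=D" could set two variables on affected Go versions. The following is an added example, not code from the original page or from the Go project: a small defensive check that validates KEY=VALUE entries before they are handed to os/exec, rejecting any entry that contains a NUL byte (ValidateEnv and ErrNULInEnv are names chosen here).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNULInEnv is returned when an environment entry contains a NUL byte.
var ErrNULInEnv = errors.New("environment entry contains NUL byte")

// ValidateEnv checks a slice of KEY=VALUE entries, in the shape used by
// exec.Cmd.Env, and rejects any entry that contains a NUL byte or has no
// '='. The NUL check mirrors the condition in GO-2022-1095: on affected Go
// versions "A=B\x00C=D" was split into the two variables A and C.
func ValidateEnv(env []string) error {
	for i, kv := range env {
		if strings.IndexByte(kv, 0) >= 0 {
			return fmt.Errorf("entry %d: %w", i, ErrNULInEnv)
		}
		if strings.IndexByte(kv, '=') < 0 {
			return fmt.Errorf("entry %d: missing '=' in %q", i, kv)
		}
	}
	return nil
}

func main() {
	// Constructed samples: the second one is the shape the advisory describes.
	samples := [][]string{
		{"A=B", "PATH=/usr/bin"},
		{"A=B\x00C=D"},
		{"NOEQUALS"},
	}
	for _, env := range samples {
		if err := ValidateEnv(env); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("ok:", env)
		}
	}
}
```

Updating to a fixed Go release (syscall@go1.19.3 in the report above) is the real remedy; this check only makes the failure explicit in code that builds environments from untrusted input.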
For more details, see the official documentation at https://go.dev/security/vuln/ and the Go Day 2022 talk "Writing your Applications Faster and More Securely with Go", which also covers fuzzing, but that is another TIL.