A Golang vulnerability checking tool for finding out whether your project has any pitfalls

I recently noticed that Go has officially released a new tool for vulnerability management: it reports the vulnerabilities that have been disclosed and tells you which version to upgrade to.

Version requirement: Go >= 1.18

go install golang.org/x/vuln/cmd/govulncheck@latest

Enter the project directory

govulncheck ./...

The output looks like this:

Scanning your code and 470 packages across 91 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #3: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: pkg/gredis/redis.go:22:24: gredis.Setup calls redis.Dial, which calls tls.Conn.Handshake
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: pkg/util/util.go:140:19: util.CreateUuidStringNew calls rand.Read, which eventually calls tls.Conn.Read
      #4: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.Write
      #5: pkg/curl/curl.go:62:23: curl.HttpClientRequest calls http.Client.Do, which eventually calls tls.Dialer.DialContext
....
....

After the vulnerability ID (GO-2023-2043) come a description of the vulnerability and the suggested fix: the "Found in" line names the affected package version and the "Fixed in" line names the version to upgrade to, followed by the call traces through which your code reaches the vulnerable function.
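To make this report usable in a CI gate, it helps to turn the text output into structured records: one entry per vulnerability ID with the affected version, the fixed version and the number of reachable call traces. The following parser is an added example, not code from the page or from the govulncheck project; the sample report it parses is constructed in the format shown above, and its version strings are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one "Vulnerability #N" entry of govulncheck's text report.
type Finding struct {
	ID, Summary, FoundIn, FixedIn string
	Traces                        int // call paths from this module into the vulnerable symbol
}
// ParseReport splits the text report into findings, one per vulnerability ID.
func ParseReport(report string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "Vulnerability #"):
			out = append(out, Finding{ID: line[strings.LastIndex(line, " ")+1:]})
		case len(out) == 0:
			// preamble ("Scanning your code ...") before the first finding: ignore
		case strings.HasPrefix(line, "Found in: "):
			out[len(out)-1].FoundIn = strings.TrimPrefix(line, "Found in: ")
		case strings.HasPrefix(line, "Fixed in: "):
			out[len(out)-1].FixedIn = strings.TrimPrefix(line, "Fixed in: ")
		case strings.HasPrefix(line, "#"): // one "#N: a calls b, ..." line per trace
			out[len(out)-1].Traces++
		case out[len(out)-1].Summary == "" && line != "":
			out[len(out)-1].Summary = line // first line after the header is the description
		}
	}
	return out
}
// Constructed sample in the format shown above; the versions are placeholders, not from the page.
const sampleReport = `Scanning your code and 2 packages across 1 dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
    Found in: html/template@go1.21.0
    Fixed in: html/template@go1.21.1
    Example traces found:
      #1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate
`
func main() {
	for _, f := range ParseReport(sampleReport) {
		fmt.Printf("%s: upgrade %s to %s (%d reachable traces): %s\n", f.ID, f.FoundIn, f.FixedIn, f.Traces, f.Summary)
	}
}
```

A pipeline step can fail the build when any finding has Traces > 0, since govulncheck only lists vulnerabilities whose affected functions are actually reached from your code.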

For detailed instructions, see the document at https://mp.weixin.qq.com/s/xO_w3FvNN8OeiuEYFarwGQ.


Source: blog.csdn.net/raoxiaoya/article/details/133310423