Check that my program is free from known security vulnerabilities.
For example, if a package I'm using has a security vulnerability in it, I want to be notified to upgrade or warned.
Checked the https://nvd.nist.gov/vuln/search for Go related issues, but found that only core packages were listed. I noticed that some packages had vulnerabilities listed (e.g. https://nvd.nist.gov/vuln/detail/CVE-2018-1002207) but couldn't work out how to find them programatically. I wrote a program to scan the NIST database for Go language related vulnerabilities and to let me know anyway - https://github.com/a-h/nvdnotifier
Wrote a program to scan Github repositories for comments / keywords that might indicate that a library has a security vulnerability (https://github.com/a-h/watchman) and to let me know.
Created a Docker container to run a range of security tests against code and embedded it into my CI pipelines https://github.com/welldigital/gocheck
Considered writing a program to scan the code AST of each dependency in the tree to determine whether it carries out any IO (e.g. reading / writing from a file / network etc.). If a newer version of a library suddenly has IO capability, it could be being used to exfiltrate data or provide an entry point to attackers.
It was time consuming, not mainstream and not complete.
It would be much more useful to me if:
-
The Go tools kept track of known vulnerabilities and if a vulnerable dependency was found in the dependency graph, alerted me to it. The list could just contain package names and hashes, and be downloaded to the building computer rather than transferring the names of packages up to a server.
-
go vet
did more security-related tests out of the box.
These changes would make the checks more "batteries included", like NPM's npm audit
command and make it easier to demonstrate to security auditors that the language meets the organisation's security requirements.