GoGuard is a tool that helps you protect your Go projects from known CVE threats. It allows you to check if a given GitHub repository (e.g. `https://github.com/user/repo`) is vulnerable against a specific CVE.

GoGuard inspects the repository's `go.mod` file. It searches for the package related to the Go vulnerability and compares the version found in the `go.mod` file with the fixed version reported by the OSVDB. It checks the `go.sum` file as well: if there are any vulnerable versions coming from other packages, GoGuard will inform the user about these too. It uses `go mod graph` to get the dependency graph of the project and matches it against the vulnerable versions found in the `go.sum` file.

To fix a direct vulnerability, bump the version in your `go.mod` file to the fixed version and run `go mod tidy`.
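The core of the check described above is: walk the `go mod graph` output, find every requirement edge that pulls in the vulnerable module, and flag those whose version is older than the fixed one, distinguishing direct requirements (from the main module) from indirect ones (from another dependency). The following is an added illustration written for this page, not GoGuard's own code; the graph text, module names and versions are constructed sample data, and the version comparison is a minimal semver ordering that ignores pre-release and build suffixes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go mod graph` output (not from a real project).
// Each line is "parent child"; both are module@version, except the main
// module, which carries no version suffix.
const sampleGraph = `example.com/app github.com/foo/bar@v1.2.0
example.com/app gopkg.in/yaml.v2@v2.4.0
github.com/foo/bar@v1.2.0 gopkg.in/yaml.v2@v2.2.8
github.com/foo/bar@v1.2.0 golang.org/x/text@v0.3.0
`

// Finding describes one requirement edge that pulls in a vulnerable version.
type Finding struct {
	Module     string // vulnerable module path
	Version    string // version required on this edge
	RequiredBy string // module (with version) that requires it
	Direct     bool   // true when the main module requires it itself
}

// splitModule splits "path@version"; no "@" means the main module.
func splitModule(s string) (path, version string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// parseVersion turns "vMAJOR.MINOR.PATCH" into three integers, dropping any
// "-pre" or "+build" suffix.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("malformed version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// VersionLess reports whether version a sorts before version b.
func VersionLess(a, b string) (bool, error) {
	va, err := parseVersion(a)
	if err != nil {
		return false, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// FindVulnerable scans `go mod graph` output for every requirement of pkg
// at a version older than fixed.
func FindVulnerable(graph, pkg, fixed string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		_, parentVer := splitModule(fields[0])
		childPath, childVer := splitModule(fields[1])
		if childPath != pkg {
			continue
		}
		older, err := VersionLess(childVer, fixed)
		if err != nil {
			return nil, err
		}
		if older {
			findings = append(findings, Finding{
				Module: childPath, Version: childVer,
				RequiredBy: fields[0], Direct: parentVer == "",
			})
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindVulnerable(sampleGraph, "gopkg.in/yaml.v2", "v2.4.0")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		kind := "indirect"
		if f.Direct {
			kind = "direct"
		}
		fmt.Printf("%s: %s@%s required by %s\n", kind, f.Module, f.Version, f.RequiredBy)
	}
}
```

On the sample graph this reports one indirect hit: `github.com/foo/bar` still requires `gopkg.in/yaml.v2@v2.2.8`, even though the main module itself asks for `v2.4.0`. Note that `go mod graph` lists every requirement, not the single version Go's minimal version selection finally builds with, so a hit here says a vulnerable version is being requested somewhere in the graph; confirm the actually selected version with `go list -m all` before deciding whether a `replace` directive is needed.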
To fix all indirect vulnerabilities (e.g. if the vulnerable pkg is `gopkg.in/yaml.v2` and the patched version is `v2.4.0`), then do:

```shell
go mod edit -replace gopkg.in/yaml.v2=gopkg.in/yaml.v2@v2.4.0
go mod tidy
```
To install GoGuard:

```shell
# @latest is required when installing from outside a module directory
go install github.com/drpaneas/GoGuard@latest
```
GoGuard supports 3 scan modes. To use GoGuard, you can run the following command:

```
Usage: ./goguard <mode> <GitHub-Repo-URL> <CVE ID>
-- Modes: cve, go, pkg --
Example: goguard cve <GitHub-Repo-URL> <CVE ID>
Example: goguard go <GitHub-Repo-URL> <GOVULN ID>
Example: goguard pkg <GitHub-Repo-URL> <VULNPKG> <VULNVER>
```
For example:

```shell
goguard cve https://github.com/user/repo CVE-2021-4238
goguard go https://github.com/user/repo GO-2022-0411
goguard pkg https://github.com/user/repo 'goutils' '1.0'
```

The first command will check if the GitHub repository `https://github.com/user/repo` is vulnerable against the CVE `CVE-2021-4238`.
You can also use the `--debug` parameter to see more detailed information about the vulnerability check process.
GoGuard is provided "as is" without warranty of any kind. Use it at your own risk and always verify the information provided with the original sources.