sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

Q. has any thought been given to scanning for core library vulnerabilities? #258

Open dnwe opened 2 years ago

dnwe commented 2 years ago

Detect Go binaries built against a given toolchain version for known vulnerabilities

For core Go vulnerabilities such as CVE-2021-44716, which is fixed by rebuilding apps with Go 1.17.5 or 1.16.12, it would be useful if we could use nancy to scan pre-built Go binaries to determine what version of Go they were built against and then look up that version in the OSS index

Use something like rsc.io/goversion as a library to extract the Go version that was used from the debug info of the executable, and then look up that version in the OSS index for any known vulnerabilities.

Note: this would rely on the Go toolchain being correctly listed and tracked in the OSS index. Whilst it does partially appear to be indexed here, the versions and vulnerabilities listed there are not accurate.

Whilst I know currently nancy is more geared towards scanning go.mod pre-compilation to find vulnerabilities, I think it would also be useful if it could be used post-compilation to scan binaries. The obvious advantage is the one mentioned here (scanning for core Go vulns), but it is also worth pointing out that the module / dependency information is also available from the compiled binary and can be parsed (e.g., see mitchellh/golicense/module/module.go)

cc @bhamail / @DarthHater
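An added example (not nancy's code and not something posted in this issue) of the post-compilation scan described above: it reads the toolchain version and module list embedded in a compiled Go binary with the standard library's `debug/buildinfo` package (Go 1.18+, which exposes the same data rsc.io/goversion and golicense's module parser extract), turns them into package URLs of the `pkg:golang/<module>@<version>` form nancy submits to OSS Index, and compares the recorded Go version against the fix releases the issue names for CVE-2021-44716. The `pkg:golang/go` purl for the toolchain is an assumption for illustration (the issue notes the toolchain is not reliably indexed), and `SampleBuildInfo` is constructed data, not read from any real binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// ReadBinaryBuildInfo reads the build information the Go linker embeds in a
// compiled binary: toolchain version, main module and every dependency with
// its resolved version (and replacement, if any). Works on ELF/PE/Mach-O
// binaries built by Go 1.12+ and needs no debug symbols.
func ReadBinaryBuildInfo(path string) (*debug.BuildInfo, error) {
	return buildinfo.ReadFile(path)
}

// ToolchainPurl maps a recorded Go version ("go1.17.4") to a package URL.
// ASSUMPTION: the "pkg:golang/go" coordinate is illustrative; OSS Index does
// not reliably track the toolchain under a stable purl (see the issue text).
func ToolchainPurl(goVersion string) string {
	return "pkg:golang/go@" + strings.TrimPrefix(goVersion, "go")
}

// DependencyPurls emits one purl per linked dependency, using the replacement
// module when a replace directive was in effect, since that is the code that
// actually ended up in the binary.
func DependencyPurls(bi *debug.BuildInfo) []string {
	purls := make([]string, 0, len(bi.Deps))
	for _, dep := range bi.Deps {
		if dep.Replace != nil {
			dep = dep.Replace
		}
		purls = append(purls, "pkg:golang/"+dep.Path+"@"+dep.Version)
	}
	return purls
}

// parseGoVersion turns "go1.17.5" or "go1.17" into [major, minor, patch].
// Pre-release and "devel" strings are reported as unparsable.
func parseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// HasFix reports whether a binary built with goVersion already contains a fix
// that shipped in the given patch releases (one per supported minor branch,
// e.g. "go1.17.5", "go1.16.12"). A minor newer than every listed branch is
// treated as fixed; an unparsable version is conservatively treated as not.
func HasFix(goVersion string, fixedIn ...string) bool {
	got, ok := parseGoVersion(goVersion)
	if !ok {
		return false
	}
	maxMinor := -1
	for _, f := range fixedIn {
		fv, ok := parseGoVersion(f)
		if !ok {
			continue
		}
		if fv[1] > maxMinor {
			maxMinor = fv[1]
		}
		if got[0] == fv[0] && got[1] == fv[1] {
			return got[2] >= fv[2]
		}
	}
	return got[1] > maxMinor
}

// SampleBuildInfo is CONSTRUCTED data standing in for what ReadBinaryBuildInfo
// returns for a real binary (versions here are placeholders, not real releases).
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.17.4",
		Main:      debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/net", Version: "v0.1.0"},
			{Path: "github.com/old/lib", Version: "v1.0.0",
				Replace: &debug.Module{Path: "github.com/fork/lib", Version: "v1.0.1"}},
		},
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: goscan <go-binary>")
		os.Exit(2)
	}
	bi, err := ReadBinaryBuildInfo(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	fmt.Println("toolchain:", ToolchainPurl(bi.GoVersion))
	fmt.Println("CVE-2021-44716 fixed in toolchain:", HasFix(bi.GoVersion, "go1.17.5", "go1.16.12"))
	for _, p := range DependencyPurls(bi) {
		fmt.Println("dep:", p)
	}
}
```

The purl list is what would be posted to OSS Index in place of the go.mod-derived coordinates nancy uses today; for the CVE in question the `golang.org/x/net` purl is the one to watch, since (as the follow-up comment notes) the fix landed in `golang.org/x/net/http2` and a rebuilt binary records the newer module version.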

dnwe commented 2 years ago

Thinking about it, in this particular case (for the CVE mentioned) it is technically a fix on golang.org/x/net/http2 so should be detectable as a module issue, although I notice it's not tracked on https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/net/http2 atm

falco467 commented 2 years ago

Is there some way we can report the CVE to be included in the ossindex at sonatype and test if nancy correctly flags it?