The previous article covered in detail how to use govulncheck, the vulnerability scanner for Go programs. Behind govulncheck's capabilities stands the Go vulnerability database; this article explains what that database is, what its API looks like, and how govulncheck consumes it.
What is the Go vulnerability database?
Software security is critical in today's digital world. As Go gains popularity among developers, the security of Go projects matters more and more. The Go vulnerability database exists to help developers discover and fix security vulnerabilities affecting Go code in a timely manner.
The Go vulnerability database, reachable at https://vuln.go.dev or https://pkg.go.dev/vuln, stores information about security vulnerabilities in Go code and is maintained by the Go team. Its data comes from existing sources such as CVE and GHSA entries and from reports submitted directly by Go package maintainers; each report is reviewed by the Go security team before it is added to the database.
The database supports multiple data sources and provides both an interface for accessing vulnerability data sources and a default implementation. Entries are stored and transmitted in the OSV (Open Source Vulnerability) format. Developers can query the database by module path or by vulnerability ID to find out whether known vulnerabilities exist.
Go vulnerability database API
The Go vulnerability database exposes a set of HTTP endpoints, all requested with GET, each of which returns JSON.
- Database metadata: /index/db.json[.gz]
Example:
$ curl https://vuln.go.dev/index/db.json
{"modified":"2023-08-23T14:38:50Z"}
- Per-module metadata: /index/modules.json[.gz]
Example (the response has the following shape):
$ curl https://vuln.go.dev/index/modules.json
[ {
    // The module path.
    "path": string,
    // The vulnerabilities that affect this module.
    "vulns": [ {
        // The vulnerability ID.
        "id": string,
        // The latest time the vulnerability should be considered
        // to have been modified, as an RFC3339-formatted UTC
        // timestamp ending in "Z".
        "modified": string,
        // (Optional) The module version (in SemVer 2.0.0 format)
        // that contains the latest fix for the vulnerability.
        // If unknown or unavailable, this should be omitted.
        "fixed": string,
    } ]
} ]
- Per-vulnerability metadata: /index/vulns.json[.gz]
Example (the response has the following shape):
$ curl https://vuln.go.dev/index/vulns.json
[ {
    // The vulnerability ID.
    "id": string,
    // The latest time the vulnerability should be considered
    // to have been modified, as an RFC3339-formatted UTC
    // timestamp ending in "Z".
    "modified": string,
    // A list of IDs of the same vulnerability in other databases.
    "aliases": [ string ]
} ]
- A single vulnerability record: /ID/$id.json[.gz]
Example:
$ curl https://vuln.go.dev/ID/GO-2023-2003.json
{
  "schema_version": "1.3.1",
  "id": "GO-2023-2003",
  "modified": "2023-08-10T22:06:06Z",
  "published": "2023-08-10T22:06:06Z",
  "aliases": ["GHSA-8c37-7qx3-4c4p"],
  "summary": "Blst fails to perform group signature validation",
  "details": "When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.",
  "affected": [
    {
      "package": {"name": "github.com/supranational/blst", "ecosystem": "Go"},
      "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "0.3.0"}, {"fixed": "0.3.11"}]}
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/supranational/blst/bindings/go",
            "symbols": ["P1Affine.SigValidate", "P2Affine.SigValidate"]
          }
        ]
      }
    }
  ],
  "references": [
    {"type": "FIX", "url": "https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b"},
    {"type": "WEB", "url": "https://github.com/supranational/blst/releases/tag/v0.3.11"}
  ],
  "credits": [{"name": "Yunjong Jeong (@blukat29)"}],
  "database_specific": {"url": "https://pkg.go.dev/vuln/GO-2023-2003"}
}
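To show what a consumer of the /ID/$id.json endpoint does with an OSV record, here is an added example (not code from this page or from the Go team): it parses a constructed, trimmed copy of the GO-2023-2003 record above and decides whether a given module version falls inside its SEMVER affected range. The record subset, the function names and the zero-padded version key (which ignores pre-release and build suffixes) are this example's own simplifications.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// OSVEntry is the subset of a /ID/$id.json record that this check needs.
type OSVEntry struct {
	Affected []struct {
		Package struct{ Name string `json:"name"` }                     `json:"package"`
		Ranges  []struct{ Events []map[string]string `json:"events"` } `json:"ranges"` // SEMVER events
	} `json:"affected"`
}
// SampleOSV is a constructed, trimmed copy of the GO-2023-2003 record shown above.
const SampleOSV = `{"id":"GO-2023-2003","affected":[{"package":{"name":"github.com/supranational/blst"},
"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.0"},{"fixed":"0.3.11"}]}]}]}`
func ParseOSV(data []byte) (e OSVEntry, err error) {
	return e, json.Unmarshal(data, &e)
}

// key zero-pads MAJOR.MINOR.PATCH so that plain string comparison orders versions
// numerically (leading "v" ignored; assumption: no pre-release or build suffixes).
func key(v string) string {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c)
	return fmt.Sprintf("%06d.%06d.%06d", a, b, c)
}

// Affected applies OSV SEMVER range semantics: walking the events in ascending order,
// a version enters the affected set at "introduced" ("0" = every version) and leaves at "fixed".
func Affected(e OSVEntry, module, version string) bool {
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			in := false
			for _, ev := range r.Events {
				if v, ok := ev["introduced"]; ok {
					in = v == "0" || key(version) >= key(v)
				} else if v, ok := ev["fixed"]; ok && key(version) >= key(v) {
					in = false
				}
			}
			if in && a.Package.Name == module {
				return true
			}
		}
	}
	return false
}
```

The same walk over introduced/fixed events is what govulncheck performs for every module in your build list, so a locally mirrored database served over file:// must keep these fields intact.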
How govulncheck uses the vulnerability database
govulncheck reads vulnerability data from https://vuln.go.dev by default; the -db flag selects a different database and accepts http://, https:// and file:// URLs. The database you point it at must implement the API endpoints described above. When reading from an HTTP source govulncheck requests the ".json.gz" endpoints; when reading from a file source it uses the ".json" endpoints.