evanjrowley 5 hours ago

Go has govulncheck[0] for static analysis of vulnerabilities in both code and binaries. The govulncheck tool has first-class support in the Go ecosystem. No other language has this level of integration with a static analyzer and at best will only analyze for known vulnerable modules (PLEASE CORRECT ME IF I'M WRONG).

[0] https://go.dev/doc/tutorial/govulncheck

linolevan 5 hours ago

Not understanding the difference between this and something like cargo audit[0]. I suppose it has something to do with "static analysis of vulnerabilities" but I don't see any of that from a quick google search of govulncheck.

[0] https://crates.io/crates/cargo-audit

sa46 4 hours ago

govulncheck analyzes symbol usage and only warns if your code reaches the affected symbol(s).

I’m not sure about cargo audit specifically, but most other security advisories are package scoped and will warn if your code transitively references the package, regardless of which symbols your code uses.

jerf 2 hours ago

It sounds like you think govulncheck can analyze your code and detect vulnerabilities that you wrote in your code. That's not what it does. It analyzes the libraries that you use and determines if you are using them in a vulnerable way. For a free tool, govulncheck is somewhat nicer than average in its class because it does call flow analysis and won't claim you're vulnerable just because you used a module, you have to actually have a call that could go over the vulnerable code, but "somewhat nicer than average" is as far as I would take it. But many languages have similar tools, and when you say "static analyzer" this isn't what I have in mind. For that I'd cite golangci-lint, which is a collection of community-built analysis tools, and it's nice to be able to pick them all up in one fell swoop, but they're nothing like Coverity or any real static analysis tool.
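To make the symbol-level reachability that sa46 and jerf describe concrete, here is an added illustration in Go (not govulncheck's own code, which builds a type-checked call graph over real packages): a toy syntactic call-graph walk over a constructed program, where `example.com/vuln`, `vuln.Decode` and `vuln.Encode` are placeholder names. A package-scoped advisory would flag this program for referencing `vuln` at all; a symbol-scoped check flags it only because `main` reaches `vuln.Decode` through `helper`, while `vuln.Encode` never sits on a path from `main`.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
)
// Sample is a constructed program: main reaches vuln.Decode only through helper, while vuln.Encode is called solely from a function nothing invokes.
const Sample = `package app
import "example.com/vuln"
func main() { helper() }
func helper() { vuln.Decode(nil) }
func unused() { vuln.Encode(nil) }
`
// CallGraph maps each top-level function to the callees it invokes. Purely syntactic (no type checking): qualified calls are keyed as importName.Func.
func CallGraph(src string) (map[string][]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "app.go", src, 0)
	if err != nil { return nil, err }
	g := map[string][]string{}
	var cur string // enclosing top-level function during the walk (Inspect visits a FuncDecl before its body)
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.FuncDecl:
			cur = x.Name.Name
		case *ast.CallExpr:
			if id, ok := x.Fun.(*ast.Ident); ok { // local call such as helper()
				g[cur] = append(g[cur], id.Name)
			} else if sel, ok := x.Fun.(*ast.SelectorExpr); ok { // qualified call such as vuln.Decode()
				if pkg, ok := sel.X.(*ast.Ident); ok {
					g[cur] = append(g[cur], pkg.Name+"."+sel.Sel.Name)
				}
			}
		}
		return true
	})
	return g, nil
}

// Reachable reports whether symbol lies on any call path from entry (depth-first walk with a visited set).
func Reachable(g map[string][]string, entry, symbol string) bool {
	seen := map[string]bool{}
	for stack := []string{entry}; len(stack) > 0; {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if cur == symbol { return true }
		if !seen[cur] { seen[cur] = true; stack = append(stack, g[cur]...) }
	}
	return false
}

func main() { g, _ := CallGraph(Sample); println(Reachable(g, "main", "vuln.Decode"), Reachable(g, "main", "vuln.Encode")) } // true false
```

The real tool additionally resolves method calls, interfaces and function values through type information, which this syntactic walk deliberately ignores.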

hrmtst93837 2 hours ago

You're correct about govulncheck's integration; it significantly enhances Go's maintainability for large projects. Other languages often depend on external tools that lack the same level of usability and depth as Go's offerings.