快捷導(dǎo)航

Golang中漏洞數(shù)據(jù)庫(kù)的使用詳解

更新時(shí)間：2023年09月04日 08:31:20 作者：路多辛

govulncheck是Golang中的漏洞掃描工具,它強(qiáng)大功能的背后,離不開(kāi)?Go?漏洞數(shù)據(jù)庫(kù)（Go?vulnerability?database）的支持,所以本文就來(lái)為大家詳細(xì)講解下?Go?漏洞數(shù)據(jù)庫(kù)相關(guān)的知識(shí)

Go 漏洞數(shù)據(jù)庫(kù)（Go vulnerability database）是什么

在當(dāng)今數(shù)字化的世界中，軟件安全是至關(guān)重要的。隨著 Golang 在開(kāi)發(fā)領(lǐng)域的日益流行，Go 項(xiàng)目的安全性也越來(lái)越重要。為了幫助開(kāi)發(fā)者及時(shí)發(fā)現(xiàn)和解決與 Golang 相關(guān)的安全漏洞，Go 漏洞數(shù)據(jù)庫(kù)應(yīng)運(yùn)而生。

Go 漏洞數(shù)據(jù)庫(kù)（Go vulnerability database），訪問(wèn)地址是 https://vuln.go.dev 或者 https://pkg.go.dev/vuln，是一個(gè)存儲(chǔ) Golang 安全漏洞信息的數(shù)據(jù)庫(kù)，由 Golang 官方維護(hù)。漏洞信息數(shù)據(jù)來(lái)自現(xiàn)有的源，例如 cve、ghsa 和 Go 包維護(hù)者直接提交的漏洞報(bào)告等，這些信息隨后由 Go 安全團(tuán)隊(duì)審核并添加到數(shù)據(jù)庫(kù)中。

該數(shù)據(jù)庫(kù)支持多數(shù)據(jù)源訪問(wèn)，提供訪問(wèn)漏洞數(shù)據(jù)源的接口和默認(rèn)實(shí)現(xiàn)。漏洞項(xiàng)使用 OSV（Open Source Vulnerability format）格式存儲(chǔ)和傳輸。開(kāi)發(fā)人員可以基于 module 的路徑或者 ID 從漏洞數(shù)據(jù)庫(kù)中查找是否存在已知漏洞。

Go 漏洞數(shù)據(jù)庫(kù) API

Go 漏洞數(shù)據(jù)庫(kù)提供基于 HTTP 協(xié)議，請(qǐng)求方式為 GET 的一系列接口，每個(gè)接口都是返回 JSON 類型的數(shù)據(jù)。

1.獲取數(shù)據(jù)庫(kù)元數(shù)據(jù)接口 /index/db.json[.gz]

示例如下：

$ curl https://vuln.go.dev/index/db.json
{"modified":"2023-08-23T14:38:50Z"}

2.獲取每個(gè)模塊元數(shù)據(jù)接口 /index/modules.json[.gz]

示例如下：

$ curl https://vuln.go.dev/index/modules.json
[ {
  // The module path.
  "path": string,
  // The vulnerabilities that affect this module.
  "vulns":
    [ {
      // The vulnerability ID.
      "id": string,
      // The latest time the vulnerability should be considered
      // to have been modified, as an RFC3339-formatted UTC
      // timestamp ending in "Z".
      "modified": string,
      // (Optional) The module version (in SemVer 2.0.0 format)
      // that contains the latest fix for the vulnerability.
      // If unknown or unavailable, this should be omitted.
      "fixed": string,
    } ]
} ]

3.獲取每個(gè)漏洞元數(shù)據(jù)接口 /index/vulns.json[.gz]

示例如下：

$ curl https://vuln.go.dev/index/vulns.json
[ {
     // The vulnerability ID.
     "id": string,
     // The latest time the vulnerability should be considered
     // to have been modified, as an RFC3339-formatted UTC
     // timestamp ending in "Z".
     "modified": string,
     // A list of IDs of the same vulnerability in other databases.
     "aliases": [ string ]
 } ]

4.獲取某個(gè)漏洞信息接口 /ID/$id.json[.gz]

示例如下：

$ curl https://vuln.go.dev/ID/GO-2023-2003.json
{
    "schema_version": "1.3.1",
    "id": "GO-2023-2003",
    "modified": "2023-08-10T22:06:06Z",
    "published": "2023-08-10T22:06:06Z",
    "aliases": [
        "GHSA-8c37-7qx3-4c4p"
    ],
    "summary": "Blst fails to perform group signature validation",
    "details": "When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.",
    "affected": [
        {
            "package": {
                "name": "github.com/supranational/blst",
                "ecosystem": "Go"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0.3.0"
                        },
                        {
                            "fixed": "0.3.11"
                        }
                    ]
                }
            ],
            "ecosystem_specific": {
                "imports": [
                    {
                        "path": "github.com/supranational/blst/bindings/go",
                        "symbols": [
                            "P1Affine.SigValidate",
                            "P2Affine.SigValidate"
                        ]
                    }
                ]
            }
        }
    ],
    "references": [
        {
            "type": "FIX",
            "url": "https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b"
        },
        {
            "type": "WEB",
            "url": "https://github.com/supranational/blst/releases/tag/v0.3.11"
        }
    ],
    "credits": [
        {
            "name": "Yunjong Jeong (@blukat29)"
        }
    ],
    "database_specific": {
        "url": "https://pkg.go.dev/vuln/GO-2023-2003"
    }
}

govulncheck 使用漏洞數(shù)據(jù)庫(kù)方法

govulncheck 使用的漏洞數(shù)據(jù)地址是 https://vuln.go.dev，可以使用 -db 參數(shù)指定漏洞數(shù)據(jù)庫(kù)，支持 http://、https:// 和 file:// 協(xié)議。指定的漏洞數(shù)據(jù)庫(kù)必須實(shí)現(xiàn)上面講解的幾個(gè) API。govulncheck 命令在從 http 源讀取時(shí)使用 “.json.gz” 端點(diǎn)，而從文件源讀取時(shí)，使用 “json”端點(diǎn)。

到此這篇關(guān)于Golang中漏洞數(shù)據(jù)庫(kù)的使用詳解的文章就介紹到這了,更多相關(guān)Go漏洞數(shù)據(jù)庫(kù)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: