In https://research.swtch.com/vgo-why-versions, Russ Cox wrote about a hypothetical database of bugs in Go modules. A tool can query the database, extracting the list of modules used in a binary built with Go.
Such a tool can probably be written today, using, as an example, https://www.cvedetails.com/ and GitHub Security Advisories.

For querying a CVE database, the tool can use the last segment of the module import path (not sure if there is more than one module in a repository). For querying GitHub Security Advisories, the tool can find the actual repository associated with the import path, and then query GitHub (this information *could* be reported by go get).

The problem with the CVE database is that the query needs manual verification. The problem with GitHub is that not every Go module is on GitHub and not every Go module uses the security advisory tool.

As an example:

- https://www.cvedetails.com/cve/CVE-2016-9123/ go-jose is on GitHub, but there is no security advisory issued
- https://www.cvedetails.com/cve/CVE-2019-14255/ go-camo issued a GitHub security advisory

IMHO, it would be useful to have an official security bug database for the Go ecosystem, e.g. security.golang.org.

Thanks
Manlio Perillo
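The first half of the tool sketched above, extracting the module list from a built binary and turning each module path into the two lookup keys the post describes, as an added example (this is not code from the post, from Russ Cox's article, or from any existing tool). It uses the standard library's debug/buildinfo package (Go 1.18 or later) to read the module table embedded in a binary, takes the last path segment as the CVE-database search term, and derives a GitHub owner/repo for github.com paths and, via the documented gopkg.in redirection convention, for gopkg.in paths; any other host yields no repository, which is exactly the gap the post points out. Assumptions: the sample build info, its versions, and the module github.com/example/lib/v2 are constructed for the demonstration; only the two module paths taken from the post's CVE links are real. Replace directives are honoured because the replacement is the code that actually went into the binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"runtime/debug"
	"strings"
)

// QueryKey is what the hypothetical advisory tool would look up for one
// module: the module path and version as built (after any replace
// directive), the last path segment for a CVE database search, and the
// GitHub owner/repo (when derivable) for a Security Advisory query.
type QueryKey struct {
	ModulePath string
	Version    string
	CVEKey     string
	GitHubRepo string // "" when the host is neither github.com nor gopkg.in
}

// majorSuffix matches a Go major-version path suffix such as /v2.
var majorSuffix = regexp.MustCompile(`/v[2-9][0-9]*$`)

// gopkgVersion matches the .vN (or .vN-unstable) suffix gopkg.in uses.
var gopkgVersion = regexp.MustCompile(`\.v[0-9]+(-unstable)?$`)

// cveKey returns the last import path segment with version decoration
// removed, so github.com/example/lib/v2 yields "lib" (not "v2") and
// gopkg.in/square/go-jose.v2 yields "go-jose".
func cveKey(modPath string) string {
	p := majorSuffix.ReplaceAllString(modPath, "")
	p = p[strings.LastIndex(p, "/")+1:]
	return gopkgVersion.ReplaceAllString(p, "")
}

// githubRepo maps an import path to "owner/repo". github.com paths use
// their second and third segments; gopkg.in paths follow gopkg.in's own
// documented mapping (gopkg.in/user/pkg.vN -> user/pkg, gopkg.in/pkg.vN ->
// go-pkg/pkg). Other hosts return "" because the repository cannot be
// inferred from the path alone.
func githubRepo(modPath string) string {
	parts := strings.Split(modPath, "/")
	switch parts[0] {
	case "github.com":
		if len(parts) >= 3 {
			return parts[1] + "/" + parts[2]
		}
	case "gopkg.in":
		if len(parts) == 2 {
			name := gopkgVersion.ReplaceAllString(parts[1], "")
			return "go-" + name + "/" + name
		}
		if len(parts) >= 3 {
			return parts[1] + "/" + gopkgVersion.ReplaceAllString(parts[2], "")
		}
	}
	return ""
}

// ModuleQueryKeys produces one QueryKey per dependency recorded in the
// build info, substituting the replacement module where a replace
// directive applied.
func ModuleQueryKeys(bi *debug.BuildInfo) []QueryKey {
	var keys []QueryKey
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		keys = append(keys, QueryKey{
			ModulePath: m.Path,
			Version:    m.Version,
			CVEKey:     cveKey(m.Path),
			GitHubRepo: githubRepo(m.Path),
		})
	}
	return keys
}

// sampleBuildInfo is a constructed build info so the example runs offline;
// the versions and the example.com/github.com/example modules are made up.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		Path: "example.com/app",
		Main: debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "gopkg.in/square/go-jose.v2", Version: "v2.0.0"},
			{Path: "github.com/cactus/go-camo", Version: "v2.0.0+incompatible"},
			{Path: "github.com/example/lib/v2", Version: "v2.3.0"},
			{Path: "golang.org/x/crypto", Version: "v0.1.0"},
			{Path: "example.com/forked", Version: "v1.0.0",
				Replace: &debug.Module{Path: "github.com/acme/forked", Version: "v1.0.1"}},
		},
	}
}

func main() {
	bi := sampleBuildInfo()
	if len(os.Args) > 1 { // read the real module table from a Go binary
		real, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		bi = real
	}
	for _, k := range ModuleQueryKeys(bi) {
		fmt.Printf("%-40s %-22s cve=%-10s ghsa=%s\n", k.ModulePath, k.Version, k.CVEKey, k.GitHubRepo)
	}
}
```

Run it with no arguments to see the constructed sample, or with the path of any module-built Go binary to list its real dependencies. Note what this does not do: it only derives lookup keys, and the CVE-database hit still needs the manual verification mentioned above, since a last-segment match such as "crypto" is far from unique and advisory records have to be matched against the module's version range, not just its name.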