Gradle Dependency Check
The following build.gradle will perform the vulnerability check against our Go project.
build.gradle
apply plugin: 'org.owasp.dependencycheck' buildscript { repositories { mavenCentral() } ext { owaspPluginVersion = '7.0.3' } dependencies { classpath "org.owasp:dependency-check-gradle:${owaspPluginVersion}" } } dependencyCheck { failOnError = false format = 'ALL' outputDirectory = "${buildDir}/reports/owasp" suppressionFile = "${projectDir}/owasp-suppressions.xml" analyzers { experimentalEnabled = true golangModEnabled = true pathToGo = '/usr/local/go/bin/go' } } task build() { // empty } build.dependsOn (dependencyCheckAnalyze)
Addressing Vulnerabilities
Sample Vulnerability Report
> Task :dependencyCheckAnalyze Verifying dependencies for project kafka-azure-sink Checking for updates and analyzing dependencies for vulnerabilities Generating report for project kafka-azure-sink Found 31 vulnerabilities in project kafka-azure-sink One or more dependencies were identified with known vulnerabilities in kafka-azure-sink: go.mod (pkg:golang/cloud.google.com/go/storage@1.10.0, cpe:2.3:a:storage_project:storage:1.10.0:*:*:*:*:*:*:*) : CVE-2021-20291 go-units@v0.4.0 (pkg:golang/github.com/docker/go-units@0.4.0, cpe:2.3:a:docker:docker:0.4.0:*:*:*:*:*:*:*) : CVE-2014-0047, CVE-2014-0048, CVE-2014-5277, CVE-2014-5278, CVE-2014-5282, CVE-2014-6407, CVE-2014-8178, CVE-2014-8179, CVE-2014-9356, CVE-2014-9358, CVE-2015-3627, CVE-2015-3630, CVE-2015-3631, CVE-2016-3697, CVE-2017-14992, CVE-2019-13139, CVE-2019-13509, CVE-2019-15752, CVE-2019-16884, CVE-2019-5736, CVE-2020-27534, CVE-2021-21284, CVE-2021-21285, CVE-2021-3162, CVE-2022-25365 go.mod (pkg:golang/github.com/hashicorp/consul/api@1.12.0, cpe:2.3:a:hashicorp:consul:1.12.0:*:*:*:*:*:*:*) : CVE-2022-40716 golang_protobuf_extensions@v1.0.1 (pkg:golang/github.com/matttproud/golang_protobuf_extensions@1.0.1, cpe:2.3:a:golang:protobuf:1.0.1:*:*:*:*:*:*:*) : CVE-2021-3121 client_model@v0.2.0 (pkg:golang/github.com/prometheus/client_model@0.2.0, cpe:2.3:a:prometheus:prometheus:0.2.0:*:*:*:*:*:*:*) : CVE-2019-3826 go.mod (pkg:golang/github.com/prometheus/common@0.37.0, cpe:2.3:a:prometheus:prometheus:0.37.0:*:*:*:*:*:*:*) : CVE-2019-3826 go.mod (pkg:golang/github.com/prometheus/procfs@0.8.0, cpe:2.3:a:prometheus:prometheus:0.8.0:*:*:*:*:*:*:*) : CVE-2019-3826 See the dependency-check report for more details.
Dependency Check Report
open build/reports/owasp/dependency-check-report.html
When a vulnerability is found we will need to do the following things:
Update the library
module kafka-azure-sink go 1.18 require ( ... github.com/docker/go-units v0.5.0 )
Issue the following commands:
go mod vendor go mod tidy
Build the project to verify all is well
go build -o ./kafka-azure-sink ./src/cmd/svc