The Go team has released an innovative vulnerability checker called govulncheck, along with the results of a survey showing that error handling has moved to the top of the list of the “biggest” challenges when using the open source programming language.
The new vulnerability tooling is based on the Go vulnerability database, which draws on a variety of sources including CVE (Common Vulnerabilities and Exposures) entries and direct reports. The checks are made either using the standalone govulncheck tool, or via a vulncheck package that enables integration with IDEs such as VS Code or JetBrains GoLand.
A key feature is that “Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling,” according to the introductory post, addressing a common problem faced by developers. This problem is where a package or library is reported to be insecure, but it is not obvious whether the vulnerability is relevant in the context of the code in a specific application.
A list of limitations acknowledges that “Govulncheck is an experimental tool” and that there may be false positives or inaccurate results.
The tool is timely since a new survey by Go shows that developers find it challenging to evaluate the security of third-party libraries and also their own code. 42 percent of 5,752 developers said that they struggle to apply best practices to write secured, 45 percent find it hard to verity their code, and 57 percent find assessing library security challenging.
The context of the survey is the aftermath of the March release of Go 1.18, described as “a massive release” and “our biggest ever change to the language.” Perhaps the biggest change was the introduction of generics using parameterized types, along with built in fuzzing for finding potential security issues or other bugs, Workspaces to ease working with multiple modules, and a claimed 20 percent performance improvement on ARM64 architectures.
According to the survey, around 94 percent of developers intend to use generics in Go, though only 14 percent have production code so far. This is mainly a matter of time, but some respondents report blockers in the current implementation, such as needing parameterized methods.
VSCode is the favourite editor for Go code, increasing from 42 percent to 45 percent since last year, with GoLand holding steady in second place with 34 percent share. Go developers prefer Linux for development (59 percent) with Mac (52 percent) in second place. Windows is used by only 23 percent, and 13 percent use Windows Subsystem for Linux (note these figures sum to more than 100 percent because of users of multiple environments). 93 percent deploy to Linux and only 16 percent to Windows. Compiling Go to WebAssembly for deployment is only done by 3 percent of respondents.
While 93 percent of survey respondents declared themselves satisfied with Go, 11 percent cite error handing and working with stack traces as their top challenge. Unlike many other languages, Go does not support …catch exception, instead using its own system of panic and recover.