diff --git a/docs/docs/coverage/language/golang.md b/docs/docs/coverage/language/golang.md index 892746ecef54..3d57edade7ec 100644 --- a/docs/docs/coverage/language/golang.md +++ b/docs/docs/coverage/language/golang.md @@ -1,5 +1,9 @@ # Go +## Data Sources +The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1). +Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages. + ## Features Trivy supports two types of Go scanning, Go Modules and binaries built by Go. @@ -12,10 +16,10 @@ The following scanners are supported. The table below provides an outline of the features Trivy offers. -| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | -|----------|:-----------:|:-----------------|:----------------------------------:| -| Modules | ✅ | Include | ✅[^2] | -| Binaries | ✅ | Exclude | - | +| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | +|----------|:-----------:|:-----------------|:------------------------------------:|:------:| +| Modules | ✅ | Include | ✅[^2] | - | +| Binaries | ✅ | Exclude | - | ✅[^4] | !!! note Trivy scans only dependencies of the Go project. 
@@ -82,11 +86,12 @@ There are times when Go uses the `(devel)` version for modules/dependencies. - Dependencies replaced with local ones use the `(devel)` versions. In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version -empty if it cannot do so[^4]. For the second case, the version of such packages is empty. +empty if it cannot do so[^5]. For the second case, the version of such packages is empty. [^1]: It doesn't require the Internet access. [^2]: Need to download modules to local cache beforehand [^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477 -[^4]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604 +[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities +[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index e18fecfcbf30..ee76a8e6844c 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md @@ -91,6 +91,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported | | [GitHub Advisory Database (npm)][nodejs-ghsa] | ✅ | - | | Java | [GitHub Advisory Database (Maven)][java-ghsa] | ✅ | - | | Go | [GitHub Advisory Database (Go)][go-ghsa] | ✅ | - | +| | [Go Vulnerability Database][go-vulndb] | ✅ | - | | Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅ | - | | .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] | ✅ | - | | C/C++ | [GitLab Advisories Community][gitlab] | ✅ | 1 month | 
@@ -255,6 +256,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2) [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago [swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift +[go-vulndb]: https://pkg.go.dev/vuln/ [php]: https://github.com/FriendsOfPHP/security-advisories [ruby]: https://github.com/rubysec/ruby-advisory-db [nodejs]: https://github.com/nodejs/security-wg
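Review bot: In the `docs/docs/coverage/language/golang.md` hunk at `@@ -1,5 +1,9 @@`, the added sentence "Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages." repeats "uses", drops the articles, and says "standard packages" while the new table column is named "Stdlib"; suggest "Trivy uses the Go Vulnerability Database for standard library packages, such as `net/http`, and the GitHub Advisory Database for third-party modules." so the prose and the column use the same term. Also worth double-checking the `#data-sources-1` anchor in the new "Data Sources" link: the `-1` suffix is the auto-generated id of a second "Data Sources" heading on `vulnerability.md`, so the link will break silently if that page's headings are ever reordered or retitled.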
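Review bot: In the `@@ -82,11 +86,12 @@` hunk, the new footnote `[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities` reads as an instruction to the reader rather than an explanation of the ✅ it annotates in the Stdlib column; suggest "Trivy identifies the Go version used to compile the binary and reports vulnerabilities in the standard library for that version." The renumbering of the old `[^4]` to `[^5]` matches the updated reference in the `-ldflags` sentence, so the footnotes stay consistent. What is still unexplained is the `-` shown for Modules in the same column; a short clause in the footnote or a note under the table saying why stdlib detection applies only to binaries would save readers from guessing.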
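Review bot: In the `docs/docs/scanner/vulnerability.md` hunk at `@@ -91,6 +91,7 @@`, the added row `| | [Go Vulnerability Database][go-vulndb] | ✅ | - |` follows the table's existing convention of a blank first cell for a second source of the same language (as the npm GHSA row does), so the layout is fine. Since the `golang.md` change in this same patch states that the two Go sources cover different package sets (Go Vulnerability Database for the standard library, GitHub Advisory Database for third-party packages), consider adding a footnote or a one-line note under this table stating that split here too, so readers of the scanner page do not assume both databases are consulted for every Go dependency.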
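Review bot: In the `@@ -255,6 +256,7 @@` hunk, the new `[go-vulndb]: https://pkg.go.dev/vuln/` reference definition is inserted between `[swift-ghsa]` and `[php]`; the surrounding definitions appear grouped by source type (the `-ghsa` entries together, then the per-ecosystem advisory databases), so placing it next to `[go-ghsa]` or with the other per-ecosystem entries would keep that grouping intact. Minor style point, no functional impact on the rendered links.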