Hello everyone,
first of all, I think it's useful to note that I've read this thread:
nevertheless, I think maybe now it's time to add some vulnerability rules related to Go.
It's true that one can import external scanner results, and it's true that one can define custom rules, but I hope that a best-of-breed solution such as SonarQube could have its own Go vulnerability coverage.
All the best,
LC
Hi all,
there are several posts regarding this issue, but I see no news about it so far, so I am creating a new post.
I think maybe now it's time to add some vulnerability rules related to Go.
It's true that one can import external scanner results, and it's true that one can define custom rules, but I hope that a best-of-breed solution such as SonarQube could have its own Go vulnerability coverage.
All the best,
LC
Hi Colin,
I've already added my voice there, probably twice (by mistake). I am one of the 13 who expressed interest in the feature; unfortunately I see no progress and didn't get any update.
Best,
LC
There is a command line tool, govulncheck, available as part of the Go toolset. This seems like an ideal mechanism for reporting vulnerabilities to Sonar, perhaps in a similar way to how test reports and the lint reports are processed by Sonar. More info on this is available here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages
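The mechanism suggested above already has both halves available today: `govulncheck -json` emits a machine-readable stream, and SonarQube can ingest third-party findings through its generic issue import format, which the scanner reads from the file(s) named in `sonar.externalIssuesReportPaths`. The converter below is an added example, not code from this thread, from SonarSource or from the Go project. It reads the govulncheck JSON stream on stdin and writes a generic issue report on stdout. It models only the `osv` and `finding` message shapes it needs (a trace runs from the vulnerable symbol to the entry point in the scanned module, and only frames in scanned code carry a `position`), it assumes the file names in those positions are already relative to the Sonar project base directory, and the engine id `govulncheck` and the severities MAJOR (vulnerable function actually called) and MINOR (vulnerable module only imported) are this example's own choices, not anything prescribed by either tool. The OSV identifiers used in the test are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Subset of the govulncheck -json stream: every object carries one of "config",
// "progress", "osv" or "finding". encoding/json matches keys case-insensitively,
// so only fixed_version needs an explicit tag.
type vulnMessage struct {
	OSV     *struct{ ID, Summary string }
	Finding *finding
}
type finding struct {
	OSV          string
	FixedVersion string `json:"fixed_version"`
	Trace        []frame // vulnerable symbol first, entry point in scanned code last
}
type frame struct {
	Module, Function string
	Position         *struct{ Filename string; Line int } // set only for frames in scanned code
}

// SonarQube generic issue import format, read via sonar.externalIssuesReportPaths.
type SonarIssue struct {
	EngineID        string   `json:"engineId"`
	RuleID          string   `json:"ruleId"`
	Severity        string   `json:"severity"`
	Type            string   `json:"type"`
	PrimaryLocation Location `json:"primaryLocation"`
}
type Location struct {
	Message   string     `json:"message"`
	FilePath  string     `json:"filePath"` // assumed relative to the Sonar project base dir
	TextRange *TextRange `json:"textRange,omitempty"`
}
type TextRange struct{ StartLine int `json:"startLine"` }

// ConvertToSonar emits one issue per call site that reaches a vulnerable symbol
// and, for vulnerable modules that are imported but never called, a single
// file-level issue on go.mod, so that no finding is silently dropped.
func ConvertToSonar(r io.Reader) ([]SonarIssue, error) {
	dec := json.NewDecoder(r)
	summaries := map[string]string{} // OSV id -> summary, collected before findings are reported
	var findings []finding
	for {
		var m vulnMessage
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.OSV != nil {
			summaries[m.OSV.ID] = m.OSV.Summary
		} else if m.Finding != nil {
			findings = append(findings, *m.Finding)
		}
	}
	issues, seen := []SonarIssue{}, map[string]bool{}
	for _, f := range findings { // call-site findings: one issue per location
		if file, line, ok := entryPoint(f.Trace); ok {
			seen[f.OSV] = true
			issues = append(issues, newIssue(f, "MAJOR", summaries, Location{FilePath: file, TextRange: &TextRange{StartLine: line}}))
		}
	}
	for _, f := range findings { // import-only findings: one issue per OSV id, on go.mod
		if !seen[f.OSV] {
			seen[f.OSV] = true
			issues = append(issues, newIssue(f, "MINOR", summaries, Location{FilePath: "go.mod"}))
		}
	}
	return issues, nil
}

// entryPoint returns the innermost frame of the trace that lies in scanned code.
func entryPoint(trace []frame) (string, int, bool) {
	for i := len(trace) - 1; i >= 0; i-- {
		if p := trace[i].Position; p != nil {
			return p.Filename, p.Line, true
		}
	}
	return "", 0, false
}

func newIssue(f finding, severity string, summaries map[string]string, loc Location) SonarIssue {
	loc.Message = f.OSV + ": " + summaries[f.OSV]
	if f.FixedVersion != "" {
		loc.Message += ", fixed in " + f.FixedVersion
	}
	return SonarIssue{EngineID: "govulncheck", RuleID: f.OSV, Severity: severity, Type: "VULNERABILITY", PrimaryLocation: loc}
}

func main() {
	issues, err := ConvertToSonar(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	json.NewEncoder(os.Stdout).Encode(map[string]any{"issues": issues})
}
```

In a pipeline this would run as `govulncheck -json ./... | go run govulncheck2sonar.go > govulncheck-sonar.json` (the file name is an arbitrary choice), followed by `sonar-scanner -Dsonar.externalIssuesReportPaths=govulncheck-sonar.json`. Two caveats worth knowing before relying on this: the severity and type of external issues come from the report rather than from a SonarQube quality profile, so the MAJOR/MINOR split above is a policy decision that belongs to whoever owns the pipeline, and the `filePath` must resolve inside the Sonar project base directory, so if govulncheck is run from a different working directory the paths need to be rewritten first.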
Thank you for your impressive patience. We should start working on Golang this year. It’s not the highest priority on our roadmap, but our AppSec research team should at least start doing the research that will bring detection capabilities.