[evanjrowley]

Go has govulncheck[0] for static analysis of vulnerabilities in both code and binaries. The govulncheck tool has first-class support in the Go ecosystem. No other language has this level of integration with a static analyzer and at best will only analyze for known vulnerable modules (PLEASE CORRECT ME IF I'M WRONG).

[0] https://go.dev/doc/tutorial/govulncheck

[linolevan]

Not understanding the difference between this and something like cargo audit[0]. I suppose it has something to do with "static analysis of vulnerabilities" but I don't see any of that from a quick google search of govulncheck.

[0]https://crates.io/crates/cargo-audit

[sa46]

govulncheck analyzes symbol usage and only warns if your code reaches the affected symbol(s).

I’m not sure about cargo audit specifically, but most other security advisories are package scoped and will warn if your code transitively references the package, regardless of which symbols your code uses.

[jerf]

It sounds like you think govulncheck can analyze your code and detect vulnerabilities that you wrote in your code. That's not what it does. It analyzes the libraries that you use and determines if you are using them in a vulnerable way. For a free tool, govulncheck is somewhat nicer than average in its class because it does call flow analysis and won't claim you're vulnerable just because you used a module, you have to actually have a call that could go over the vulnerable code, but "somewhat nicer than average" is as far as I would take it. But many languages have similar tools, and when you say "static analyzer" this isn't what I have in mind. For that I'd cite golangci-lint, which is a collection of community-built analysis tools, and it's nice to be able to pick them all up in one fell swoop, but they're nothing like Coverity or any real static analysis tool.