Hello,
We are leveraging the OWASP DependencyCheck utility (through its maven plugin) to detect vulnerabilities in our project's dependencies and have successfully covered Java & Node related code.
As we plan to leverage the Go language for additional components/modules, we are looking at a convenient way to extend the vulnerability analysis to such modules. Our first attempt consisted in leveraging the experimental Golang analyzer, which proved to introduce a significant amount of false positives/negatives.
On the other hand, we saw that the Go ecosystem comes with a tailored solution (see https://go.dev/doc/security/vuln) which relies on a curated database aimed at avoiding such false positives/negatives.
Do you have any plans to integrate with the Go based analysis in the future (e.g. something similar to the Node Audit Analyzer, which relies on the Node ecosystem to collect vulnerabilities)?
Kind regards
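As an added illustration (not code from the original post, from DependencyCheck or from the Go team) of why the Go database referenced above can be precise about versions: the records served by vuln.go.dev follow the OSV schema, in which each affected module carries ordered "introduced"/"fixed" version events. The snippet below parses a constructed record (placeholder advisory ID and module path) and decides whether a given module@version falls inside a vulnerable range; it assumes release versions of the form MAJOR.MINOR.PATCH.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the OSV schema used by vuln.go.dev records: each affected module lists
// SEMVER ranges as ordered "introduced"/"fixed" events (encoding/json matches keys case-insensitively).
type osvEntry struct {
	Affected []struct {
		Package struct{ Name string }
		Ranges  []struct {
			Events []struct{ Introduced, Fixed string }
		}
	}
}
// Constructed sample record: the ID and module path are placeholders, not a real advisory.
const sampleOSV = `{"id":"GO-0000-EXAMPLE","affected":[{"package":{"name":"example.com/mod","ecosystem":"Go"},
"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.0"},{"introduced":"2.0.0"},{"fixed":"2.0.5"}]}]}]}`
// atLeast reports v >= bound for release versions [v]MAJOR.MINOR.PATCH (pre-release tags are ignored).
func atLeast(v, bound string) bool {
	var a, b [3]int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a[0], &a[1], &a[2])
	fmt.Sscanf(strings.TrimPrefix(bound, "v"), "%d.%d.%d", &b[0], &b[1], &b[2])
	return a[0] > b[0] || a[0] == b[0] && (a[1] > b[1] || a[1] == b[1] && a[2] >= b[2])
}
// isAffected walks each range's ordered events; the last bound at or below the version decides.
func isAffected(record, module, version string) (bool, error) {
	var e osvEntry
	if err := json.Unmarshal([]byte(record), &e); err != nil {
		return false, err
	}
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			hit := false
			for _, ev := range r.Events { // exactly one of the two bounds is set per event
				if a.Package.Name == module && atLeast(version, ev.Introduced+ev.Fixed) {
					hit = ev.Introduced != ""
				}
			}
			if hit {
				return true, nil
			}
		}
	}
	return false, nil
}
```

With the sample record, example.com/mod@1.1.9 and @2.0.3 are reported as affected while @1.2.0, @2.0.5 and any other module path are not, which is the version-level precision a name-based CPE match cannot give.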