Vulnerability analysis for Golang applications with Red Hat CodeReady Dependency Analytics

April 15, 2021
Parag Dave, Dharmendra Gopal Patel
Related topics: CI/CD, Go, IDEs, Java, Security
Related products: Developer Tools

    Red Hat CodeReady Dependency Analytics, powered by the Snyk Intel vulnerability database, helps developers find, identify, and fix security vulnerabilities in their code. In the latest 0.3.2 release, we focused on vulnerability analysis for Golang application dependencies, easier access to vulnerability details uniquely known to Snyk, and other user experience improvements.

    Vulnerability analysis for Golang applications

    With this release, developers can run vulnerability analyses for their Golang application stacks. The analysis identifies vulnerabilities at both the Golang module and package levels, covering direct and transitive dependencies, and it handles both semantic versions (semver) and Go pseudo-versions.

    go.mod file component analysis

    Opening a go.mod file in the IDE editor window triggers the plug-in's component analysis. The component analysis highlights the vulnerabilities for each dependency listed in the go.mod file. The plug-in provides the option to examine each vulnerability's details. You can then remedy the vulnerability by switching to the recommended version using the Quick Fix option.

    Editing, saving, or reopening the go.mod file will also initiate the component analysis.
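    Before any advisory lookup can happen, a component analysis has to read the require entries of go.mod and classify each one: direct or transitive, tagged release or pseudo-version. The following Go program, added here as an illustration and not code from the CodeReady Dependency Analytics plug-in or the fabric8-analytics service, performs that first step with the standard library only. It parses a constructed go.mod (module paths, versions and commit hashes are made up), separates direct requirements from those marked "// indirect", and recognises the pseudo-version forms Go generates.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one entry from a go.mod require directive.
type Dependency struct {
	Path, Version string
	Indirect      bool // "// indirect": transitive, not imported by this module itself
	Pseudo        bool // pseudo-version (commit pin) rather than a tagged release
}

type Report struct{ Direct, Transitive, Pseudo int }

// Pseudo-versions end in a 14-digit UTC timestamp and 12-hex-digit commit prefix:
// vX.0.0-<ts>-<hash>, vX.Y.Z-0.<ts>-<hash> or vX.Y.Z-pre.0.<ts>-<hash>.
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.-]*\.)?\d{14}-[0-9a-f]{12}(?:\+incompatible)?$`)

// IsPseudoVersion reports whether v pins a commit instead of a semver tag; such
// versions must be matched to advisories by base version and timestamp, not tag.
func IsPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// ParseGoMod extracts every requirement from go.mod text, handling the single-line
// form and require ( ... ) blocks, and records "// indirect" marks.
func ParseGoMod(content string) ([]Dependency, error) {
	deps, inBlock := []Dependency{}, false
	for n, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		indirect := false
		if i := strings.Index(line, "//"); i >= 0 { // trailing comment
			indirect = strings.Contains(line[i:], "indirect")
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
			continue
		case line == "require (" || line == "require(":
			inBlock = true
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue // module, go, replace, exclude: not requirements
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("go.mod line %d: malformed requirement %q", n+1, raw)
		}
		deps = append(deps, Dependency{Path: f[0], Version: f[1], Indirect: indirect, Pseudo: IsPseudoVersion(f[1])})
	}
	return deps, nil
}

// Summarize counts direct vs transitive requirements and pseudo-version pins.
func Summarize(deps []Dependency) Report {
	var r Report
	for _, d := range deps {
		if d.Indirect {
			r.Transitive++
		} else {
			r.Direct++
		}
		if d.Pseudo {
			r.Pseudo++
		}
	}
	return r
}

// sampleGoMod is constructed for this example: paths, versions and hashes are made up.
const sampleGoMod = `module example.com/app

require (
	example.com/lib/alpha v1.4.2
	example.com/lib/beta v0.0.0-20210315123456-0123456789ab
	example.com/lib/gamma v1.3.2 // indirect
	example.com/lib/delta v1.2.3-0.20210401000000-abcdefabcdef // indirect
)

require example.com/lib/epsilon v2.0.1+incompatible
`

func main() {
	deps, err := ParseGoMod(sampleGoMod)
	if err != nil {
		panic(err)
	}
	for _, d := range deps {
		fmt.Printf("%-25s %-45s indirect=%-5v pseudo=%v\n", d.Path, d.Version, d.Indirect, d.Pseudo)
	}
}
```

    The point of splitting pseudo-versions out is that an advisory expressed as a version range (for example "fixed in v1.3.0") cannot be compared with a commit pin by tag name alone; the base version and timestamp embedded in the pseudo-version have to be used instead. Transitive entries matter just as much as direct ones, since the vulnerable code is linked into the binary either way.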

    Figure 1 shows the output from the IDE editor's component analysis, with a summary of the findings in the notification window in the bottom-right corner. This summary lists the total number of vulnerabilities and exploits found in the manifest.

    Figure 1: Output from Component Analysis of go.mod file

    The vulnerabilities and exploits are highlighted in the IDE editor with red and blue underlines. Hovering over an issue displays a diagnostic summary of the specific package's vulnerability profile, as Figure 2 illustrates.

    Figure 2: Various diagnostic messages displayed for a specific package.

    Each diagnostic message provides the following information:

    • The total number of vulnerabilities
    • The number of Snyk-specific security advisories
    • A count of known exploits
    • The highest severity level across all vulnerabilities
    • The number of packages and modules used in the source

    Details about security vulnerabilities

    To access a detailed report of the security issues in a go.mod file (see Figure 3), click the button in the notification window, right-click the go.mod file and select Dependency Analytics Report, or click the pie-chart icon labeled Open Vulnerability Report in the top-right corner. The report lists each vulnerable dependency and lets you drill into the details of an individual finding (see Figure 4).

    Figure 3: Detailed Vulnerability Report for a go.mod file
    Figure 4: Details about a vulnerable dependency.

    Accessing vulnerability details

    The CodeReady Dependency Analytics plug-in is powered by Snyk Intel, a vulnerability database provided by Snyk. By signing up for a free Snyk account, you can view each vulnerability's known exploits and details about vulnerabilities uniquely known to Snyk.

    Figure 5 shows how to register with Snyk and save your token with the CodeReady Dependency Analytics plug-in.

    Figure 5: Enter an existing Snyk token or register a new one to view each vulnerability’s known exploits.

    Figure 6 shows the vulnerabilities and exploit details after the Snyk token has been saved.

    Figure 6: Viewing details of vulnerabilities that are uniquely identified by Snyk after the token is saved.

    Enabling telemetry

    The Dependency Analytics extension is now integrated with the Red Hat Commons extension. This enables Red Hat to collect telemetry specific to:

    • The type of operating system running Visual Studio Code
    • The development language of the manifest file scanned by Dependency Analytics
    • The time and frequency of vulnerability report generation using stack analysis and component-level analysis
    • Registration with Snyk

    By collecting telemetry, Red Hat can gain valuable feedback about the extension's usage patterns and provide future enhancements for developers.

    The Dependency Analytics extension only collects telemetry if developers opt in to enable it. You can opt in any time by clicking Accept (see Figure 7) or selecting the checkbox for Red Hat Telemetry under Preferences → Settings (see Figure 8).

    Figure 7: Opt in to sending telemetry data or decline via the pop-up window.
    Figure 8: Configuring telemetry in the extension's settings.

    Get started with Red Hat CodeReady Dependency Analytics

    Red Hat CodeReady Dependency Analytics is available as a plug-in for Visual Studio Code, Eclipse Che, Red Hat CodeReady Workspaces, and JetBrains IntelliJ-based IDEs.

    To get started with the CodeReady Dependency Analytics IDE extension or provide feedback, check out the following links.

    • Get the Visual Studio Code extension for CodeReady Dependency Analytics.
    • Get the IntelliJ-based IDE extension for CodeReady Dependency Analytics.
    • Access CodeReady Dependency Analytics via the fabric8-analytics-server API.
    • Provide your feedback via the Git issues repository.

    About Snyk

    Snyk is a developer-first security company that helps software-driven businesses develop fast and stay secure. Snyk finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk's solution is built on Snyk Intel, a comprehensive, proprietary vulnerability database maintained by an expert security research team in Israel and London. With tight integration into existing developer workflows, source control, and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix. For more information or to get started with Snyk for free today, visit https://snyk.io.

    Last updated: February 5, 2024
