🛡️ A tool to verify Go vulnerabilities from SBOM reports using symbol analysis
SBOM Verifier for Go is a proof-of-concept (PoC) vulnerability verification tool that goes beyond traditional SBOM scanning. It analyzes Go binaries at the symbol level to confirm whether vulnerabilities reported against the SBOM are actually present in the compiled binary, reducing false positives and giving a more accurate security assessment.
- 🔬 Symbol-Level Analysis - Examines binary symbols to verify actual vulnerability presence
- 📊 SBOM Generation - Automatically generates Software Bill of Materials using Syft
- 🔒 Vulnerability Scanning - Scans for vulnerabilities using Grype
- ✅ Smart Verification - Cross-references vulnerable functions with binary symbols
- 📈 Clear Reporting - Provides detailed tables showing confirmed vs. potential vulnerabilities
- 🎯 Reduced False Positives - Identifies which vulnerabilities are truly exploitable in your binary
Before using SBOM Verifier, ensure you have the following tools installed:
- 🐍 Python 3.13 or higher
- 🔧 Syft - SBOM generation tool
- 🔍 Grype - Vulnerability scanner
- 🛠️ Go toolchain (`go tool` command)
- Clone the repository:

```bash
git clone https://github.com/damaoooo/SBOMVerifierGoPoC.git
cd SBOMVerifierGoPoC
```

- Install Python dependencies:

```bash
pip install -r requirements.txt
```

- Verify external tools are installed:

```bash
syft version
grype version
go version
```

Basic usage:

```bash
python -m src.main verify <binary-path> <go-mod-path>
```

Full command syntax:

```bash
python -m src.main verify [OPTIONS] BINARY_PATH GO_MOD_PATH
```

Arguments:

- `BINARY_PATH` - Path to the Go binary to analyze (required)
- `GO_MOD_PATH` - Path to the Go module's `go.mod` file (required)

Options:

- `-s, --sbom-output PATH` - Path to save the generated SBOM file (default: `./report/syft_report.json`)
- `-r, --report-output PATH` - Path to save the vulnerability report (default: `./report/grype_report.json`)
- `-v, --verbose` - Enable verbose output for debugging
- `--help` - Show help message
Run the verifier against the bundled sample program:

```bash
python -m src.main verify ./sample_go_program/sample_app ./sample_go_program/go.mod
```

The same run with verbose output:

```bash
python -m src.main verify \
  ./sample_go_program/sample_app \
  ./sample_go_program/go.mod \
  --verbose
```

Example output:

```
+------------------+----------------------------+-----------------+---------------------+
| CVE ID           | Package Name               | Package Version | Confirmed in Binary |
+------------------+----------------------------+-----------------+---------------------+
| CVE-2023-xxxxx   | github.com/package/name    | v1.2.3          | Yes                 |
| CVE-2023-yyyyy   | github.com/another/package | v2.0.1          | No                  |
+------------------+----------------------------+-----------------+---------------------+
Total 2 unique vulnerabilities found in the SBOM report.
[+] Verification complete. 1 vulnerable functions found in the binary.
```
The verification process consists of four main steps:

- 🔨 SBOM Generation
  - Uses Syft to generate a comprehensive Software Bill of Materials from your Go module
- 🔍 Vulnerability Scanning
  - Runs Grype against the SBOM to identify potential vulnerabilities
- 🧬 Symbol Extraction
  - Extracts all symbols from the compiled Go binary using `go tool nm`
- ✅ Cross-Reference Verification
  - Compares vulnerable functions from the CVE database with actual binary symbols
  - Confirms which vulnerabilities are truly present in the executable
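The symbol-extraction and cross-reference steps above, as an added illustration that is not code from this repository: it parses plain `go tool nm` output (a constructed sample), strips the pointer-receiver wrapper so `pkg.(*T).M` matches the `T.M` form used in Go vulndb symbol lists, and reports which affected symbols are actually linked into the binary. The vulnerability records are constructed to resemble Go vulndb OSV `ecosystem_specific.imports` entries; their IDs and symbol lists are placeholders, not real advisories.

```python
import re

# Constructed sample of plain `go tool nm` output: address, symbol type, name.
NM_OUTPUT = """\
  4a0b80 T golang.org/x/net/http2.(*serverConn).serve
  4a1000 T golang.org/x/net/http2.(*serverConn).canonicalHeader
  4a2220 T golang.org/x/net/http2.ConfigureServer
  4b0000 T main.main
  4d0000 D golang.org/x/net/http2.errClientDisconnected
"""

# Constructed records shaped like Go vulndb OSV "ecosystem_specific.imports"
# entries (package path + affected symbols); the IDs are placeholders.
VULNS = [
    {"id": "GO-XXXX-0001", "imports": [{"path": "golang.org/x/net/http2",
        "symbols": ["serverConn.canonicalHeader", "ConfigureServer"]}]},
    {"id": "GO-XXXX-0002", "imports": [{"path": "golang.org/x/net/http2",
        "symbols": ["Transport.RoundTrip"]}]},
]

# address (absent for undefined symbols), one-letter type, symbol name
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)\s*$")


def parse_nm(text: str) -> set[str]:
    """Names of text (code) symbols; data symbols (D/B/R) are not functions."""
    names = set()
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m and m.group(1) in ("T", "t"):
            names.add(m.group(2))
    return names


def normalize(symbol: str) -> str:
    """Drop the pointer-receiver wrapper so `pkg.(*T).M` matches vulndb's `pkg.T.M`."""
    return symbol.replace("(*", "").replace(")", "")


def verify(nm_text: str, vulns: list[dict]) -> dict[str, list[str]]:
    """Map each vulnerability ID to the affected symbols actually linked into
    the binary; an empty list means the SBOM hit could not be confirmed."""
    present = {normalize(s) for s in parse_nm(nm_text)}
    result = {}
    for v in vulns:
        hits = [sym for imp in v["imports"] for sym in imp["symbols"]
                if f"{imp['path']}.{sym}" in present]
        result[v["id"]] = hits
    return result
```

A symbol hit means the linker kept that function (Go's dead-code elimination drops unreferenced ones), not that the vulnerable path is reachable at runtime, so treat "Yes" as "needs triage" rather than "exploitable". Binaries built with `-ldflags="-s -w"` carry no symbol table for `go tool nm` to read, and every vulnerability will then show as unconfirmed.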
```
SBOMVerifierGo/
├── src/
│   ├── __init__.py          # Package initialization
│   ├── main.py              # CLI entry point
│   ├── binary_parser.py     # Binary symbol extraction
│   ├── go_database.py       # Go vulnerability database
│   ├── sbom_manager.py      # SBOM generation and scanning
│   └── verifier.py          # Vulnerability verification logic
├── sample_go_program/       # Sample Go application for testing
├── report/                  # Generated reports directory
├── requirements.txt         # Python dependencies
├── go_vuln.db               # Local vulnerability database
└── README.md                # This file
```
This project is licensed under the MIT License - see the LICENSE file for details.
- Syft - SBOM generation
- Grype - Vulnerability scanning
- Go Vulnerability Database - CVE data source
If you have any questions or suggestions, please open an issue on GitHub.