NAME
vuln - Go vulnerability database lookups (vuln.go.dev)
SYNOPSIS
vuln
DESCRIPTION
vuln wraps the Go vulnerability database at vuln.go.dev. The data is OSV-shaped: each advisory carries an id (GO-YYYY-NNNN), a list of affected modules, version ranges, and a textual summary.
Two access patterns:
- By id: you already have a GO-YYYY-NNNN reference (from a
govulncheck report, a security bulletin, a CVE cross-ref) and
want the full advisory.
- By module: you have a module path and want to know if any
advisories affect it.
Operating model for an agent calling these tools:
- Reads only. The database is global and the same for every
caller; no auth, no per-caller state.
- An empty advisory list (`[]` from `vuln by-module`) means "no
known issues at this time", not "no data". The database is
curated; absence of an advisory is not absence of risk, but
it is the best public signal available.
- For deep dependency scanning, the right tool is govulncheck,
which calls vuln.go.dev under the hood and pairs results with
static call-graph analysis. This wrapper exposes the raw API
for cases where you want the advisory text without the
scanner.
Usage:
vuln [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]
COMMANDS
by-id
advisory by GO-YYYY-NNNN id
by-module
every advisory affecting a module path
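EXAMPLES
Turning a by-module result into a yes/no answer for one pinned version means walking each advisory's OSV range events in order. The Go sketch below is an added example, not part of this wrapper or of govulncheck. It assumes the command's output is a JSON array of OSV records; the sample advisory, its id and the module path are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed OSV-shaped input; the id and module path are placeholders.
const sample = `[{"id":"GO-0000-0000","affected":[{"package":{"name":"example.com/mod"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.2"},{"introduced":"2.0.0"},{"fixed":"2.1.0"}]}]}]}]`

type advisory struct { // subset of the OSV schema; JSON keys match case-insensitively
	ID       string
	Affected []struct {
		Package struct{ Name string }
		Ranges  []struct{ Type string; Events []struct{ Introduced, Fixed string } }
	}
}

// reached reports v >= bound for MAJOR.MINOR.PATCH (assumption: pre-release tags ignored).
func reached(v, bound string) bool {
	var x, y [3]int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(bound, "%d.%d.%d", &y[0], &y[1], &y[2])
	return bound != "" && (x[0] > y[0] || x[0] == y[0] && (x[1] > y[1] || x[1] == y[1] && x[2] >= y[2]))
}

// Affecting returns ids of advisories whose SEMVER ranges for module contain version.
func Affecting(osv []byte, module, version string) (hits []string, err error) {
	var advs []advisory
	if err = json.Unmarshal(osv, &advs); err != nil {
		return nil, err // a parse failure is an error, never "not affected"
	}
	for _, a := range advs {
		for _, af := range a.Affected {
			for _, r := range af.Ranges {
				in := false
				for _, e := range r.Events { // sorted: introduced, fixed, introduced, ...
					in = (in || reached(version, e.Introduced)) && !reached(version, e.Fixed)
				}
				if in && r.Type == "SEMVER" && af.Package.Name == module {
					hits = append(hits, a.ID)
				}
			}
		}
	}
	return hits, nil
}

func main() { fmt.Println(Affecting([]byte(sample), "example.com/mod", "v1.4.1")) }
```

An empty result with a nil error corresponds to the `[]` case described above: no known advisory covers that version, which says nothing about whether the vulnerable code is reachable. That question is what govulncheck's call-graph analysis answers.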