docs(go): add stdlib (#6580)

Signed-off-by: knqyf263 <[email protected]>
aquasecurity · May 2, 2024 · 551a46e · 551a46e
1 parent 261649b
commit 551a46e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/docs/docs/coverage/language/golang.md b/docs/docs/coverage/language/golang.md
@@ -1,5 +1,9 @@
 # Go
 
+## Data Sources
+The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
+
 ## Features
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.
 
@@ -12,10 +16,10 @@ The following scanners are supported.
 
 The table below provides an outline of the features Trivy offers.
 
-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |
-|----------|:-----------:|:-----------------|:----------------------------------:|
-| Modules  |      ✅      | Include          |               ✅[^2]                |
-| Binaries |      ✅      | Exclude          |                 -                  |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
+|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
+| Modules  |      ✅      | Include          |                ✅[^2]                 |   -    |
+| Binaries |      ✅      | Exclude          |                  -                   | ✅[^4]  |
 
 !!! note
     Trivy scans only dependencies of the Go project.
@@ -82,11 +86,12 @@ There are times when Go uses the `(devel)` version for modules/dependencies.
 - Dependencies replaced with local ones use the `(devel)` versions.
 
 In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
-empty if it cannot do so[^4]. For the second case, the version of such packages is empty.
+empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
 
 [^1]: It doesn't require the Internet access.
 [^2]: Need to download modules to local cache beforehand
 [^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
-[^4]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
+[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
+[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md
@@ -91,6 +91,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 |          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
 | Java     | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
 | Go       | [GitHub Advisory Database (Go)][go-ghsa]            |       ✅        |     -     |
+|          | [Go Vulnerability Database][go-vulndb]              |       ✅        |     -     |
 | Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
@@ -255,6 +256,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
 [swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
 
+[go-vulndb]: https://pkg.go.dev/vuln/
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg