The latest articles on DEV Community by Vinu K (@kevy). https://dev.to/kevy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F963348%2F86f8069d-f963-46fd-b941-9c39be31af5b.png https://dev.to/kevy en Vinu K Tue, 05 May 2026 14:04:15 +0000 https://dev.to/kevy/stop-triaging-go-cves-that-dont-affect-you-25og https://dev.to/kevy/stop-triaging-go-cves-that-dont-affect-you-25og <p>If you maintain Go services, you've probably been here: a scanner flags a CVE, you spend 30 minutes tracing imports and call paths, and it turns out your code never touches the vulnerable function.</p> <p>I built <a href="https://github.com/k37y/gvs" rel="noopener noreferrer">GVS</a> to automate that. Give it a repo URL and a CVE ID, and it does call graph analysis to determine whether the vulnerable symbols are actually reachable from your code.</p> <p><strong>What it does:</strong></p> <ul> <li>Builds call graphs using VTA, RTA, CHA, or static analysis</li> <li>Traces reachability from entry points to vulnerable symbols</li> <li>Compares dependency versions against fixed versions</li> <li>Detects reflection patterns that might bypass static analysis</li> <li>Generates SVG visualizations of call paths</li> </ul> <p>It runs as a self-hosted REST API or CLI. MIT licensed, written in Go.</p> <p>Feedback welcome — especially if you're drowning in CVE noise on a large Go codebase.</p> go security opensource vulnerabilities