If you maintain Go services, you've probably been here: a scanner flags a CVE, you spend 30 minutes tracing imports and call paths, and it turns out your code never touches the vulnerable function.
I built GVS to automate that. Give it a repo URL and a CVE ID, and it does call graph analysis to determine whether the vulnerable symbols are actually reachable from your code.
What it does:
- Builds call graphs using VTA, RTA, CHA, or static analysis
- Traces reachability from entry points to vulnerable symbols
- Compares dependency versions against fixed versions
- Detects reflection patterns that might bypass static analysis
- Generates SVG visualizations of call paths
It runs as a self-hosted REST API or CLI. MIT licensed, written in Go.
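To make the reachability idea concrete, here is an added example (not GVS's own code): it builds a purely syntactic call graph from a constructed sample program with go/ast, then walks it breadth-first from main to report which functions are reachable and by which call chain. The sample's function names (vulnDecode, vulnUnused, deadHelper) are made up, and the graph builder is far cruder than the VTA/RTA/CHA builders the post mentions: it only follows plain function calls by name.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample: vulnDecode stands in for a vulnerable dependency symbol.
const sample = `package app
func main() { serve() }
func serve() { vulnDecode("x") }
func vulnDecode(s string) string { return s }
func vulnUnused() {}
func deadHelper() { vulnUnused() } // calls the other vulnerable symbol, but nothing reaches deadHelper
`
// BuildCallGraph maps each declared function to the functions it calls by name (static calls only).
func BuildCallGraph(src string) (map[string][]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "app.go", src, 0)
	if err != nil {
		return nil, err
	}
	graph := map[string][]string{}
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok {
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				if call, ok := n.(*ast.CallExpr); ok {
					if id, ok := call.Fun.(*ast.Ident); ok {
						graph[fn.Name.Name] = append(graph[fn.Name.Name], id.Name)
					}
				}
				return true
			})
		}
	}
	return graph, nil
}
// Paths returns, for every function reachable from entry, the shortest call chain to it (BFS).
func Paths(graph map[string][]string, entry string) map[string][]string {
	paths := map[string][]string{entry: {entry}}
	for queue := []string{entry}; len(queue) > 0; queue = queue[1:] {
		for _, callee := range graph[queue[0]] {
			if paths[callee] == nil {
				paths[callee] = append(append([]string{}, paths[queue[0]]...), callee)
				queue = append(queue, callee)
			}
		}
	}
	return paths
}
```

Running Paths(graph, "main") on the sample yields main -> serve -> vulnDecode and no entry for vulnUnused: the symbol is called somewhere in the package, so a grep would flag it, yet no path from the entry point reaches it.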
Feedback welcome — especially if you're drowning in CVE noise on a large Go codebase.