
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Static Analysis of Golang Source Code: A Survey

https://doi.org/10.15514/ISPRAS-2025-37(6)-4

Abstract

Static analysis methods determine properties of a program without executing it, and different properties serve different tasks. In this paper, we review 34 papers on static analysis of Golang published since the release of Go 1.0 (2012–2025). Based on this review, we identify the main trends and methods for performing static analysis, as well as the intermediate representations and Golang features that affect the process. We also examine the challenges faced by developers of static analyzers. This survey will be helpful for both developers of static analyzers and Golang developers, providing a systematic understanding of current research in static analysis for Go.

About the Authors

Varvara Viktorovna DVORTSOVA
Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Researcher and postgraduate student at ISP RAS. Her research interests: compiler technologies, static analysis, Golang analysis.



Alexey Evgenevich BORODIN
Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Cand. Sci. (Phys.-Math.), senior researcher. His research interests: static analysis for finding errors in source code.





For citations:


DVORTSOVA V.V., BORODIN A.E. Static Analysis of Golang Source Code: A Survey. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(6):59-82. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(6)-4



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)