Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities. To tackle the aforementioned concern, a comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang, commencing from its introduction and culminating with its rectification. To this end, a framework was established by gathering data from diverse sources and systematically amalgamating them with an algorithm to compute the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.

翻译：开源软件极大地促进了开发者的程序开发。然而，开源软件中大量存在的漏洞是一个主要问题，包括在相对较新的编程语言Go语言中。与其他常用的开源软件包管理器不同，Go语言有一个显著特征：在漏洞被整合到官方版本之前，提交（commit）通常被用作依赖版本。这一特性可能对用户有利，因为补丁提交可以在版本发布前及时实施。然而，Go语言采用去中心化的依赖管理机制，依赖包在各自的仓库中维护和分发。这种方式可能导致补丁传播延迟和漏洞未解决。为解决上述问题，我们开展了一项全面研究，旨在考察Go语言中漏洞的生命周期，从漏洞引入到最终修复的全过程。为此，我们构建了一个框架，通过从多种数据源收集数据，并利用算法系统整合这些数据，计算漏洞修补的延迟。结果表明，Go语言生态系统中66.10%的模块受到漏洞影响。在漏洞生命周期中，我们发现了两种阻碍漏洞修复传播的延迟。通过分析非延迟和延迟漏洞的原因，及时发布和索引补丁版本可以显著增强生态系统的安全性。