Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities. To tackle the aforementioned concern, a comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang, commencing from its introduction and culminating with its rectification. To this end, a framework was established by gathering data from diverse sources and systematically amalgamating them with an algorithm to compute the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.

翻译：开源软件（OSS）极大地方便了开发者的程序开发过程。然而，开源软件中大量的漏洞是一个主要问题，包括在相对较新的编程语言Go中。与其他常用的OSS包管理器不同，Go生态呈现出一个独特特征：在提交被纳入官方版本发布之前，提交被普遍用作依赖版本。这一特性对用户可能有利，因为补丁提交可以在正式版本发布前及时实施。然而，Go采用去中心化的依赖管理机制，依赖项在各自的仓库中维护和分发。这种方法可能导致补丁传播延迟和漏洞未修复的问题。为解决上述问题，我们开展了全面研究，考察Go生态中从漏洞引入到修复的完整生命周期。为此，我们构建了一个框架，通过收集不同来源的数据，并利用算法系统性地整合这些数据来计算漏洞修复的滞后时间。研究发现，Go生态中66.10%的模块受到漏洞影响。在漏洞生命周期中，我们发现了两种阻碍漏洞修复传播的滞后现象。通过分析非滞后和滞后漏洞背后的原因，及时发布和索引补丁版本可以显著增强生态系统的安全性。