Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
0 likes271 views
This document discusses security of Go modules and vulnerability scanning in GoCenter and VSCode. It provides an overview of dependency management in Go with modules and checksum databases, how new Go modules are committed to the checksum database, and how vulnerability information is displayed in GoCenter and VSCode. It demonstrates scanning a basic web application for vulnerabilities directly in VSCode using the JFrog extension.
![12
Let’s say you
create your first
Go module.
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
You save it as mod1
go.mod go.sum
main.go](https://image.slidesharecdn.com/newsecurityofgomodulesandvulnerabilityscanningingocenterandvscode2-200602201537/85/Security-of-Go-Modules-and-Vulnerability-Scanning-in-Go-center-and-VSCodee-12-320.jpg)
![13
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“html/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
You can fix your files and create a new
version for everyone called mod1/v2
(probably would be a patch, but let’s pretend it’s a v2)](https://image.slidesharecdn.com/newsecurityofgomodulesandvulnerabilityscanningingocenterandvscode2-200602201537/85/Security-of-Go-Modules-and-Vulnerability-Scanning-in-Go-center-and-VSCodee-13-320.jpg)
![16
If someone
imports….
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
They open
themselves up to
a XSS (cross site
scripting) attack
...imagine if your app is a
dependency for other
projects...](https://image.slidesharecdn.com/newsecurityofgomodulesandvulnerabilityscanningingocenterandvscode2-200602201537/85/Security-of-Go-Modules-and-Vulnerability-Scanning-in-Go-center-and-VSCodee-16-320.jpg)
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
- 1. SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
- 2. ● Presentation Slides ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Gopher T-Shirts ● Enter our June Sweepstakes for a chance to win 1 of 2 a Nintendo Switch Lites with Animal Crossing Game. Drawing will be end of June https://bit.ly/UtahGoJFrog
- 3. 3 Agenda ● Dependency management in Go v1.13 and Go modules ● Checksum database concepts ● Committing a new Go module to the checksum database ● Vulnerability information in GoCenter ● DEMO: Security in VSCode ● Q&A ● Introduction
- 5. 5 Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Go Modules become standard Basic data security and data integrity with go.sum and go.mod The go mod init command wrote a go.mod file you will see a file called go.sum gets created glide, gopath, dep, vendoring...
- 6. 6 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- 7. 7 Irreversible because you can’t use the hash to figure out what the original piece of data was Unique means that two different pieces of data can never produce the same hash
- 8. 8 At its core, a Merkle Tree is a list of items representing the data that should be verified. data data data data hash hash hash hash hash hash hash go.sum data Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change - all the through the tree. root
- 9. 9 Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
- 10. 10 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. https://sum.golang.org/ Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match… ...ensuring that everyone is using the same code for a given version.
- 11. 11 Module 1 (go.sum) Module 1 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/ Minor content change
- 12. 12 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
- 13. 13 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch, but let’s pretend it’s a v2)
- 14. 14 ... Semantic import versioning Go is strict about versioning
- 15. 15 github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
- 16. 16 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a XSS (cross site scripting) attack ...imagine if your app is a dependency for other projects...
- 17. 17 go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported go.mod stores a list of each dependency and version Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version However, the go.sum file has a limitation, it works entirely by trust based on user’s first use... Vulnerabilities will remain in that version of the module
- 18. 18 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io GoCenter has every version of a publically available module.
- 19. Demo of Vulnerability Information in GoCenter.io https://gocenter.io
- 20. 20
- 21. 21
- 23. 23
- 24. 24
- 25. 25 A basic web application viewed in the browser with Go Using GORM and sqlite to configure a database Security alert in Visual Studio Code with JFrog Extension
- 26. 26
- 27. 27
- 28. 28 gocenter@jfrog.com Gophers Slack #GoCenter @DeepDattaX https://bit.ly/UtahGoJFrog
- 29. ● Presentation Slides ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Gopher T-Shirts ● Enter our June Sweepstakes for a chance to win 1 of 2 a Nintendo Switch Lites with Animal Crossing Game. Drawing will be end of June https://bit.ly/UtahGoJFrog