This document discusses security of Go modules and vulnerability scanning in GoCenter and VSCode. It covers dependency management in Go with modules and checksum databases, how GoCenter caches modules and scans for vulnerabilities, and a demo of building a Go project in VSCode with security scanning using the JFrog extension.

1. SECURITY OF GO MODULES AND
VULNERABILITY SCANNING IN
GOCENTER AND VSCODE

2. ●
●
●
https://bit.ly/GoMNJFrog

3. 3
Agenda
● Dependency management in Go v1.13 and Go modules
● Checksum database concepts
● Committing a new Go module to the checksum database
● Vulnerability information in GoCenter
● DEMO: Security in VSCode
● Q&A
● Introduction

4. 4
Deep Datta
GoCenter
Community Product Manager
deepd@jfrog.com
@DeepDattaX

5. 5
Dependency management and Go Modules
Go 1.11 Introduced Go Modules
module main.go
go 1.13
require
github.com/sirupsen/logrus
v1.4.2
go.mod
github.com/davecgh/go-spew v1.1.1/go.mod
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequenc
es v1.0.1/go.mod
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2
h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod
h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894
h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys
v0.0.0-20190422165155-953cdadca894/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
go.sum
Go 1.13 Go Modules become
standard
Basic data security and
data integrity with go.sum
and go.mod
The go mod init command wrote
a go.mod file
you will see a file called
go.sum gets created
glide, gopath, dep, vendoring...

6. 6
go.sum
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

7. 7
SHA-256
cryptographic hash algorithms produce irreversible and unique hashes
Irreversible because you can’t use the hash to figure out what the original piece of data was
Unique means that two different pieces of data can never produce the same hash

8. 8
ChecksumDB and the Merkle Tree
At its core, a Merkle Tree is a list of items representing the data that should be verified.
data data data data
hash hash hash hash
hash hash
hash
go.sum data
Each of these items is inserted into a leaf node and a tree of hashes is constructed.
If you change the data, the hash will also change - all the through the tree.
root

9. 9
checksum database
Module 1
(go.sum)
Module 2
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/

10. 10
The checksum database ensures that the go command
always adds the same lines to everyone's go.sum file.
https://sum.golang.org/
Whenever the go command receives new source code, it
can verify the hash of that code against this global
database to make sure the hashes match…
...ensuring that everyone is using the same code for a
given version.

11. 11
How hashes protect you
Module 1
(go.sum)
Module 1
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
Minor content change

12. 12
Let’s say you
create your first
Go module.
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
You save it as mod1
go.mod go.sum
main.go

13. 13
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“html/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
You can fix your files and create a new
version for everyone called mod1/v2
(probably would be a patch, but let’s pretend it’s a v2)

14. 14
...
Semantic import versioning
Go is strict about versioning

15. 15
Both versions have been committed to the checksum db
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=

16. 16
If someone
imports….
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
mod1
main.go
They open
themselves up to
a XSS (cross site
scripting) attack
...imagine if your app is a
dependency for other
projects...

17. 17
Let’s summarize so far
go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported
go.mod stores a list of each dependency and version
Hashes are used to detect misbehavior by an origin server or proxy that provides
different code for the same version
However, the go.sum file has a limitation, it works entirely
by trust based on user’s first use...
Vulnerabilities will remain in that version of the module

18. 18
Introducing JFrog GoCenter with Xray Security
GoCenter is a GOPROXY that caches metadata and source code in its
own storage system.
This allows the mirror to continue to serve source code that is no longer
available from the original locations thus speeding up downloads and
protect users from the disappearing dependencies.
export GOPROXY=https://gocenter.io
GoCenter has every version of a publically available module.

19. Demo of Vulnerability Information in GoCenter.io
https://gocenter.io

20. 20
How seeing your vulnerabilities in GoCenter can help

21. 21
You can check vulnerabilities in dependencies too

22. 22
Every module and version is scanned and actively provides a security warning
github.com/dee
pda/mod1
github.com/dee
pda/mod1/v2
Versions tab also shows you which version are safe...or not.

23. 23
GoCenter provides CVE public list of vulnerabilities

24. 24
Next: Building a Golang Project in VSCode
Inside VSCode, type “JFrog” to find the free security scanning extension

25. 25
Building my first Web application with Go in VSCode
A basic web application viewed in the browser with Go
Using GORM and sqlite to configure a database
Security alerts in Visual Studio Code with JFrog Extension

26. 26
Go API Tutorial:
https://youtu.be/VAGodyl84OY
GORM
https://gorm.io

27. 27
Q&A
How to give us feedback
gocenter@jfrog.com
Gophers Slack #GoCenter
@DeepDattaX
https://bit.ly/GoMNJFrog

28. ●
●
●
https://bit.ly/GoMNJFrog