Security of Go modules and vulnerability scanning in GoCenter
Agenda
● Introduction
● Dependency management and Go modules
● go.mod and go.sum
● Checksum database concepts
● Potential issues that can come up
● Why we added vulnerability scanning to GoCenter
● More security considerations with JFrog Xray
● Q&A and feedback
● Tonight's Slides
● The Video of this talk
● Talk Materials
● April Monthly Raffle
Bit.ly/GoCenterNYC
Dependency management and Go Modules
Go 1.11 introduced Go modules.

go.mod:

module main.go

go 1.13

require github.com/sirupsen/logrus v1.4.2

go.sum:

github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Go 1.13 made module mode the default whenever a go.mod file is present, and turned on the checksum database (sum.golang.org) and the module mirror by default to back up go.mod and go.sum.

The go mod init command writes the go.mod file. The first go build then resolves the dependencies and creates go.sum.

Each go.sum line records a module path, a version and an h1: hash, which is a base64-encoded SHA-256 over a sorted listing of per-file hashes. A line whose version ends in /go.mod covers only that module's go.mod file, so the go command can verify it while resolving versions without downloading the whole module; the line without the suffix covers the entire module zip.
SHA-256
Cryptographic hash functions produce fixed-size digests that are one-way and collision-resistant.
One-way (preimage resistant): you cannot use the hash to recover the original piece of data.
Collision-resistant: it is computationally infeasible to find two different inputs that produce the same hash. That is the only sense in which a hash is "unique"; collisions must exist in principle, since inputs are unbounded and the output is 256 bits, but nobody can find one for SHA-256.
ChecksumDB and the Merkle Tree
At its core, a Merkle tree is a list of items representing the data that should be verified. Each item is hashed into a leaf node, and a tree of hashes is built above the leaves: every parent is the hash of its children, up to a single root. If you change any item, its leaf hash changes, and so does every hash on the path up to the root. sum.golang.org is a transparency log built this way: it publishes a signed tree head, and the go command can check that a go.sum line is included in the tree using only the sibling hashes along its path, and that a newer tree head still contains everything an older one did.

[Figure: four leaf hashes, two intermediate hashes, one root.]
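The tree described above, as an added example that is not code from the talk or from the Go project: it builds a Merkle tree over constructed go.sum-style records (the lines shown on the go.sum slide), produces an inclusion proof for one record, and verifies it against the root. Leaf and node hashing use the RFC 6962 domain separation (0x00 before leaf data, 0x01 before child hashes), the same scheme the Go checksum database's transparency log uses; the record contents and the five-record tree are made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// ProofStep is one sibling hash on the path from a leaf to the root; Left
// tells the verifier which side of the concatenation the sibling sits on.
type ProofStep struct {
	Hash []byte
	Left bool
}

// leafHash and nodeHash use RFC 6962 domain separation (0x00 before leaf
// data, 0x01 before child hashes) so a leaf can never masquerade as a node.
func leafHash(record []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(record)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// splitPoint returns the largest power of two strictly less than n (n >= 2),
// the point at which RFC 6962 splits n leaves into a left and a right subtree.
func splitPoint(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleRoot hashes the leaves into a single tree head. Changing any leaf
// changes its hash and every hash above it, so the root changes too.
func MerkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil) // empty tree: hash of the empty string
	case 1:
		return leafHash(leaves[0])
	}
	k := splitPoint(len(leaves))
	return nodeHash(MerkleRoot(leaves[:k]), MerkleRoot(leaves[k:]))
}

// InclusionProof returns the sibling hashes needed to recompute the root
// from leaf i, ordered from the leaf upward.
func InclusionProof(leaves [][]byte, i int) []ProofStep {
	if len(leaves) <= 1 {
		return nil
	}
	k := splitPoint(len(leaves))
	if i < k {
		return append(InclusionProof(leaves[:k], i), ProofStep{MerkleRoot(leaves[k:]), false})
	}
	return append(InclusionProof(leaves[k:], i-k), ProofStep{MerkleRoot(leaves[:k]), true})
}

// VerifyInclusion recomputes the root from a record and its proof and compares
// it with the tree head the client trusts (for sum.golang.org, a signed one).
func VerifyInclusion(record []byte, proof []ProofStep, root []byte) bool {
	h := leafHash(record)
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Hash, h)
		} else {
			h = nodeHash(h, s.Hash)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed records: go.sum lines from the deck, one per leaf.
	records := [][]byte{
		[]byte("github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4="),
		[]byte("github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE="),
		[]byte("golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc="),
		[]byte("github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4="),
		[]byte("github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME="),
	}
	root := MerkleRoot(records)
	fmt.Println("tree head:", base64.StdEncoding.EncodeToString(root))
	proof := InclusionProof(records, 2)
	fmt.Println("record 2 included:", VerifyInclusion(records[2], proof, root))
	tampered := bytes.Replace(records[2], []byte("Cz4c"), []byte("Cz4d"), 1)
	fmt.Println("tampered record included:", VerifyInclusion(tampered, proof, root))
}
```

The proof for a record is only log2(n) hashes, which is why a client can check that its go.sum line is in the log without downloading the log; the tree head itself is what must come from a trusted, signed source.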
checksum database

[Figure: Module 1 and Module 2 each have a go.sum listing SHA-256 base64 hashes, for example h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= for logrus v1.4.2 and h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= for golang.org/x/sys; the same hashes are recorded in the global checksum database at https://sum.golang.org/.]
The checksum database ensures that the go command
always adds the same lines to everyone's go.sum file.
Whenever the go command receives new source code, it
can verify the hash of that code against this global
database to make sure the hashes match, ensuring that
everyone is using the same code for a given version.
https://sum.golang.org/
How hashes protect you

[Figure: two copies of Module 1 that differ only by a minor content change produce different go.sum hashes. The go command compares the hash of what it downloaded against the hash recorded at https://sum.golang.org/ and fails with a checksum mismatch instead of using the altered code.]
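To make the "minor content change" concrete, here is an added example (not code from the talk, and not the go command's own source) that computes go.sum h1: hashes the way the go command's dirhash Hash1 algorithm does: sort the file names, write each file's SHA-256 as "%x  %s\n" into a summary, then base64 the SHA-256 of the summary. It then checks a freshly computed hash against a go.sum text and reports a mismatch the way the go command would. The module name github.com/deepda/mod1 comes from the deck; its file contents, the version v1.0.0 and the go.sum text are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleHashH1 computes a go.sum "h1:" value over a set of files, following
// the dirhash Hash1 algorithm the go command uses. For a module zip the names
// look like "example.com/m@v1.0.0/main.go"; the "/go.mod" line in go.sum is
// the same algorithm over the single file named "go.mod".
func ModuleHashH1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names) // order must not depend on how the zip was built
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name) // sha256sum-style line
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// LookupGoSum finds the recorded hash for "modPath version" (version may end
// in "/go.mod") in go.sum text. ok is false when there is no line to check
// against, which is the trust-on-first-use case.
func LookupGoSum(goSum, modPath, version string) (hash string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == modPath && f[1] == version {
			return f[2], true
		}
	}
	return "", false
}

// CheckModule recomputes the hash of the files it was given and compares it
// with go.sum, mirroring the go command's "checksum mismatch" failure.
func CheckModule(goSum, modPath, version string, files map[string][]byte) error {
	got, err := ModuleHashH1(files)
	if err != nil {
		return err
	}
	want, ok := LookupGoSum(goSum, modPath, version)
	if !ok {
		return fmt.Errorf("%s %s: no entry in go.sum (trust on first use)", modPath, version)
	}
	if got != want {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", modPath, version, got, want)
	}
	return nil
}

func main() {
	const mod, ver = "github.com/deepda/mod1", "v1.0.0"
	// Constructed module contents (not the real mod1 from the talk).
	goMod := []byte("module " + mod + "\n\ngo 1.13\n")
	mainGo := []byte("package main\n\nfunc main() {}\n")
	zipFiles := map[string][]byte{
		mod + "@" + ver + "/go.mod":  goMod,
		mod + "@" + ver + "/main.go": mainGo,
	}
	zipHash, _ := ModuleHashH1(zipFiles)
	goModHash, _ := ModuleHashH1(map[string][]byte{"go.mod": goMod})
	goSum := fmt.Sprintf("%s %s %s\n%s %s/go.mod %s\n", mod, ver, zipHash, mod, ver, goModHash)
	fmt.Print(goSum)

	// The same version served with a one-byte "minor content change".
	tampered := map[string][]byte{
		mod + "@" + ver + "/go.mod":  goMod,
		mod + "@" + ver + "/main.go": []byte("package main\n\nfunc main() { }\n"),
	}
	fmt.Println("original:", CheckModule(goSum, mod, ver, zipFiles))
	fmt.Println("tampered:", CheckModule(goSum, mod, ver, tampered))
}
```

Note what the check does not do: if go.sum has no line for the version yet, there is nothing local to compare against, which is the gap the checksum database fills by supplying the hash everyone else was given.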
Let's say you create your first Go module:

package main

import (
	"encoding/json"
	"io/ioutil"
	"net/http"
	"os"
	"text/template"
)

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}
...

You save it as mod1, with main.go, go.mod and go.sum.
Both versions have been committed to the checksum db

[Figure: github.com/deepda/mod1 and github.com/deepda/mod1/v2 each have their own go.sum hash recorded in the checksum database. The database records that each version is the code its author published, not whether either version is safe.]
If someone imports mod1 (the same main.go shown above, rendering pages with text/template)...

They open themselves up to a cross-site scripting attack.

...imagine if your app is a dependency for other projects...
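The deck does not show what in mod1 is exploitable; its import list includes text/template and the slide says cross-site scripting, so this added example (not the talk's mod1 code) assumes the defect is rendering user-controlled todo text through text/template, and puts html/template beside it. The Todo type, the page template and the attacker-supplied title are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Todo is assumed here; the deck only shows TodoPageData referencing it.
type Todo struct {
	Title string
	Done  bool
}

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}

// The same template text is used by both packages below.
const page = `<h1>{{.PageTitle}}</h1>
<ul>{{range .Todos}}<li>{{.Title}}</li>{{end}}</ul>
`

// RenderText uses text/template, which copies field values into the output
// verbatim: a title containing markup becomes live markup in the page.
func RenderText(data TodoPageData) (string, error) {
	var buf bytes.Buffer
	err := texttemplate.Must(texttemplate.New("page").Parse(page)).Execute(&buf, data)
	return buf.String(), err
}

// RenderHTML uses html/template, which escapes each value for the HTML
// context it lands in, so the same title is rendered as inert text.
func RenderHTML(data TodoPageData) (string, error) {
	var buf bytes.Buffer
	err := htmltemplate.Must(htmltemplate.New("page").Parse(page)).Execute(&buf, data)
	return buf.String(), err
}

func main() {
	// Constructed input: a todo title an attacker controls.
	data := TodoPageData{
		PageTitle: "Todos",
		Todos:     []Todo{{Title: `<script>alert(document.cookie)</script>`}},
	}
	t, _ := RenderText(data)
	h, _ := RenderHTML(data)
	fmt.Print("text/template:\n", t, "\nhtml/template:\n", h)
}
```

The one-word change in the import path is the whole fix, which is exactly why a published v1 with text/template and a v2 with html/template both verify cleanly against the checksum database: the hashes say nothing about which one is safe to import.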
Let's summarize so far

go.sum is a list of module versions with base64 SHA-256 (h1:) hashes.
go.mod stores the list of direct dependencies and their versions.
The go command uses these hashes to detect misbehavior by an origin server or proxy that serves different code for the same version.

However, go.sum on its own works by trust on first use: the first time a module version is added to it, there is nothing local to check the download against. The checksum database closes that gap by supplying the hash everyone else received, but neither go.sum nor the checksum database says anything about whether the code you have pinned is itself safe...
Introducing JFrog GoCenter with Xray Security

GoCenter is a GOPROXY that caches module metadata and source code in its own storage system.

This allows the mirror to keep serving source code that is no longer available from its original location, which speeds up downloads and protects users from disappearing dependencies.

export GOPROXY=https://gocenter.io

Pointing GOPROXY at a mirror does not change what gets verified: unless you override GOSUMDB or list a module in GONOSUMDB, the go command still checks every new go.sum line against sum.golang.org, so a mirror that served altered code for a version would still be caught.
Every module and version is scanned, and GoCenter actively shows a security warning.

[Figure: the GoCenter pages for github.com/deepda/mod1 and github.com/deepda/mod1/v2.]

The Versions tab also shows you which versions are safe and which are not.
Just launched: free vulnerability scanning for Go in VS Code!
Inside VS Code, search for "JFrog" to find the free security scanning extension. Available today!
Q&A
How to give us feedback
gocenter@jfrog.com
deepd@jfrog.com
@DeepDattaX
Bit.ly/GoCenterNYC