SlideShare a Scribd company logo

Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code

Deep Datta
Deep Datta

This document discusses security of Go modules and vulnerability scanning in GoCenter and VSCode. It provides an overview of dependency management in Go with modules and checksum databases, how hashes are used to ensure integrity and detect changes. It demonstrates how GoCenter caches modules and versions, provides vulnerability information and scans dependencies. It shows building a basic Go web app in VSCode and using the JFrog extension for security alerts during development.

Technology
1 of 28
Download to read offline
SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
● Presentation Slides ● Video later ● JFrog T-Shirts Raffle - Win 1 of 10 JFrog Gopher T-Shirts https://bit.ly/GoRemoteGoCenter
3 Agenda ● Dependency management in Go v1.13 and Go modules ● Checksum database concepts ● Committing a new Go module to the checksum database ● Vulnerability information in GoCenter ● DEMO: Security in VSCode ● Q&A ● Introduction
4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Go Modules become standard Basic data security and data integrity with go.sum and go.mod The go mod init command wrote a go.mod file you will see a file called go.sum gets created glide, gopath, dep, vendoring...
6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was Unique means that two different pieces of data can never produce the same hash
8 ChecksumDB and the Merkle Tree At its core, a Merkle Tree is a list of items representing the data that should be verified. data data data data hash hash hash hash hash hash hash go.sum data Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change - all the through the tree. root
9 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
10 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. https://sum.golang.org/ Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match… ...ensuring that everyone is using the same code for a given version.
11 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/ Minor content change
12 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
13 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch, but let’s pretend it’s a v2)
14 ... Semantic import versioning Go is strict about versioning
15 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
16 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a XSS (cross site scripting) attack ...imagine if your app is a dependency for other projects...
17 Let’s summarize so far go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported go.mod stores a list of each dependency and version Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version However, the go.sum file has a limitation, it works entirely by trust based on user’s first use... Vulnerabilities will remain in that version of the module
18 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io GoCenter has every version of a publically available module.
Demo of Vulnerability Information in GoCenter.io https://gocenter.io
20 How seeing your vulnerabilities in GoCenter can help
21 You can check vulnerabilities in dependencies too
22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe...or not.
23 GoCenter provides CVE public list of vulnerabilities
24 Next: Building a Golang Project in VSCode Inside VSCode, type “JFrog” to find the free security scanning extension
25 Building my first Web application with Go in VSCode A basic web application viewed in the browser with Go Using GORM and sqlite to configure a database Security alerts in Visual Studio Code with JFrog Extension
26 Go API Tutorial: https://youtu.be/VAGodyl84OY GORM https://gorm.io
27 Q&A How to give us feedback gocenter@jfrog.com Gophers Slack #GoCenter @DeepDattaX https://bit.ly/GoRemoteGoCenter
● Presentation Slides ● Video later ● JFrog T-Shirts Raffle - Win 1 of 10 JFrog Gopher T-Shirts https://bit.ly/GoRemoteGoCenter

Recommended

Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go Center
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Deep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)
Deep Datta
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
Deep Datta
 

Recommended

Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go Center
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Deep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)
Deep Datta
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
Deep Datta
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11
dchaffiol
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
Mr. Vengineer
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
William Lee
 
Readme
ReadmeReadme
ReadmeDavid Sting
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
William Lee
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
William Lee
 
Hls за час
Hls за часHls за час
Hls за час
volegg
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
William Lee
 
New text document
New text documentNew text document
New text document
sqll
 
OpenCV installation in windows visual studio
OpenCV installation in windows visual studioOpenCV installation in windows visual studio
OpenCV installation in windows visual studio
Peter Jose
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
William Lee
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
William Lee
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
SQALab
 
Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never Sleeps
Positive Hack Days
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
sascha_klein
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
Shakacon
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to x
Gennady Feldman
 
Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talk
Deep Datta
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 

More Related Content

What's hot

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
Deep Datta
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11
dchaffiol
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
Mr. Vengineer
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
William Lee
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
William Lee
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
William Lee
 
Hls за час
Hls за часHls за час
Hls за час
volegg
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
William Lee
 
New text document
New text documentNew text document
New text document
sqll
 
OpenCV installation in windows visual studio
OpenCV installation in windows visual studioOpenCV installation in windows visual studio
OpenCV installation in windows visual studio
Peter Jose
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
William Lee
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
William Lee
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
SQALab
 
Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never Sleeps
Positive Hack Days
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
sascha_klein
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
Shakacon
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to x
Gennady Feldman
 

What's hot (20)

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
 
Readme
ReadmeReadme
Readme
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
 
Hls за час
Hls за часHls за час
Hls за час
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
 
New text document
New text documentNew text document
New text document
 
OpenCV installation in windows visual studio
OpenCV installation in windows visual studioOpenCV installation in windows visual studio
OpenCV installation in windows visual studio
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
 
Город никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never SleepsГород никогда не спит / The City Never Sleeps
Город никогда не спит / The City Never Sleeps
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to x
 

Similar to Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code

Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talk
Deep Datta
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Patricia Aas
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
David Thomas
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notes
Mitali Bisht
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
Bo-Yi Wu
 
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Patricia Aas
 
Workshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaWorkshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and Java
Edgar Silva
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
Joe Stein
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Mitali Bisht
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projects
Thierry Gayet
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
Eran Goldstein
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versions
Mitali Bisht
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Patricia Aas
 
Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking VN
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
Felipe Prado
 
Jump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & GithubJump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & Github
hubx
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
KarlFrank99
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 

Similar to Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code (20)

Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talk
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notes
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
 
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
 
Workshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaWorkshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and Java
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projects
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versions
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
 
Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler Grokking Techtalk #38: Escape Analysis in Go compiler
Grokking Techtalk #38: Escape Analysis in Go compiler
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Jump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & GithubJump into Squeak - Integrate Squeak projects with Docker & Github
Jump into Squeak - Integrate Squeak projects with Docker & Github
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 

Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code

  • 1. SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
  • 2. ● Presentation Slides ● Video later ● JFrog T-Shirts Raffle - Win 1 of 10 JFrog Gopher T-Shirts https://bit.ly/GoRemoteGoCenter
  • 3. 3 Agenda ● Dependency management in Go v1.13 and Go modules ● Checksum database concepts ● Committing a new Go module to the checksum database ● Vulnerability information in GoCenter ● DEMO: Security in VSCode ● Q&A ● Introduction
  • 4. 4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
  • 5. 5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Go Modules become standard Basic data security and data integrity with go.sum and go.mod The go mod init command wrote a go.mod file you will see a file called go.sum gets created glide, gopath, dep, vendoring...
  • 6. 6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  • 7. 7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was Unique means that two different pieces of data can never produce the same hash
  • 8. 8 ChecksumDB and the Merkle Tree At its core, a Merkle Tree is a list of items representing the data that should be verified. data data data data hash hash hash hash hash hash hash go.sum data Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change - all the through the tree. root
  • 9. 9 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 10. 10 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. https://sum.golang.org/ Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match… ...ensuring that everyone is using the same code for a given version.
  • 11. 11 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/ Minor content change
  • 12. 12 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
  • 13. 13 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch, but let’s pretend it’s a v2)
  • 14. 14 ... Semantic import versioning Go is strict about versioning
  • 15. 15 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
  • 16. 16 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a XSS (cross site scripting) attack ...imagine if your app is a dependency for other projects...
  • 17. 17 Let’s summarize so far go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported go.mod stores a list of each dependency and version Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version However, the go.sum file has a limitation, it works entirely by trust based on user’s first use... Vulnerabilities will remain in that version of the module
  • 18. 18 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io GoCenter has every version of a publically available module.
  • 19. Demo of Vulnerability Information in GoCenter.io https://gocenter.io
  • 20. 20 How seeing your vulnerabilities in GoCenter can help
  • 21. 21 You can check vulnerabilities in dependencies too
  • 22. 22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe...or not.
  • 23. 23 GoCenter provides CVE public list of vulnerabilities
  • 24. 24 Next: Building a Golang Project in VSCode Inside VSCode, type “JFrog” to find the free security scanning extension
  • 25. 25 Building my first Web application with Go in VSCode A basic web application viewed in the browser with Go Using GORM and sqlite to configure a database Security alerts in Visual Studio Code with JFrog Extension
  • 27. 27 Q&A How to give us feedback gocenter@jfrog.com Gophers Slack #GoCenter @DeepDattaX https://bit.ly/GoRemoteGoCenter
  • 28. ● Presentation Slides ● Video later ● JFrog T-Shirts Raffle - Win 1 of 10 JFrog Gopher T-Shirts https://bit.ly/GoRemoteGoCenter