SlideShare a Scribd company logo

Security of Go Modules and Vulnerability Scanning in Go Center

Deep Datta
Deep Datta

Meetup on July 23

Technology
1 of 28
Download to read offline
SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
● Presentation Slides & Video ● Enter our July Sweepstakes for a chance to win a Nintendo Switch w/ Mortal Kombat and Super Smash Bros. ● EVERYONE present who enter WINS a Gopher JFrog T-Shirt https://bit.ly/MHGophersJFrog
3 Agenda ● Dependency management in Go v1.13 and Go modules ● Checksum database concepts ● Committing a new Go module to the checksum database ● Vulnerability information in GoCenter ● DEMO: Security in VSCode ● Q&A ● Introduction
4 GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
5 Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Go Modules become standard Basic data security and data integrity with go.sum and go.mod The go mod init command wrote a go.mod file you will see a file called go.sum gets created glide, gopath, dep, vendoring...
6 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
7 Irreversible because you can’t use the hash to figure out what the original piece of data was Unique means that two different pieces of data can never produce the same hash
8 At its core, a Merkle Tree is a list of items representing the data that should be verified. data data data data hash hash hash hash hash hash hash go.sum data Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change - all the through the tree. root
9 Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
10 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. https://sum.golang.org/ Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match… ...ensuring that everyone is using the same code for a given version.
11 Module 1 (go.sum) Module 1 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/ Minor content change
12 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
13 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch, but let’s pretend it’s a v2)
14 ... Semantic import versioning Go is strict about versioning
15 github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
16 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a XSS (cross site scripting) attack ...imagine if your app is a dependency for other projects...
17 go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported go.mod stores a list of each dependency and version Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version However, the go.sum file has a limitation, it works entirely by trust based on user’s first use... Vulnerabilities will remain in that version of the module
18 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io GoCenter has every version of a publically available module.
Demo of Vulnerability Information in GoCenter.io https://gocenter.io
20
21
22 github.com/dee pda/mod1 github.com/dee pda/mod1/v2
23
24
25 A basic web application viewed in the browser with Go Using GORM and sqlite to configure a database Security alerts in Visual Studio Code with JFrog Extension
26
27 gocenter@jfrog.com Gophers Slack #GoCenter @DeepDattaX https://bit.ly/GoMNJFrog
● Presentation Slides & Video ● Enter our July Sweepstakes for a chance to win a Nintendo Switch w/ Mortal Kombat and Super Smash Bros. ● EVERYONE present who enter WINS a Gopher JFrog T-Shirt https://bit.ly/MHGophersJFrog

Recommended

Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterDeep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeDeep Datta
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterDeep Datta
 

Recommended

Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterDeep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeDeep Datta
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterDeep Datta
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Readme
ReadmeReadme
ReadmeDavid Sting
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11dchaffiol
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22Yuya Takei
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 William Lee
 
Hls за час
Hls за часHls за час
Hls за часvolegg
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend晓东 杜
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxWilliam Lee
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCapWilliam Lee
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on androidYoss Cohen
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHPWilliam Lee
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingKenny (netman)
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesWilliam Lee
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3William Lee
 
[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선ethconkr
 
Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talkDeep Datta
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 

More Related Content

What's hot

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11dchaffiol
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22Yuya Takei
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 William Lee
 
Hls за час
Hls за часHls за час
Hls за часvolegg
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend晓东 杜
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxWilliam Lee
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCapWilliam Lee
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on androidYoss Cohen
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHPWilliam Lee
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingKenny (netman)
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesWilliam Lee
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3William Lee
 
[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선ethconkr
 

What's hot (20)

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
 
Readme
ReadmeReadme
Readme
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & Linux
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11
 
PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22PFIセミナー資料 H27.10.22
PFIセミナー資料 H27.10.22
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
 
Hls за час
Hls за часHls за час
Hls за час
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkg
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on android
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation reading
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
 
[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선[ETHCon Korea 2019] Shin mansun 신만선
[ETHCon Korea 2019] Shin mansun 신만선
 

Similar to Security of Go Modules and Vulnerability Scanning in Go Center

Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talkDeep Datta
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesMitali Bisht
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesMitali Bisht
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easierDavid Thomas
 
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Patricia Aas
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Generic Synchronization Policies in C++
Generic Synchronization Policies in C++Generic Synchronization Policies in C++
Generic Synchronization Policies in C++Ciaran McHale
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in GoBo-Yi Wu
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Patricia Aas
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projectsThierry Gayet
 
cgo and Go plugins
cgo and Go pluginscgo and Go plugins
cgo and Go pluginsstrikr .
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsMitali Bisht
 
Understanding pseudoversion- GolangDC
Understanding pseudoversion- GolangDCUnderstanding pseudoversion- GolangDC
Understanding pseudoversion- GolangDCMitali Bisht
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundRodolfo Carvalho
 
Workshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaWorkshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaEdgar Silva
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?ArangoDB Database
 

Similar to Security of Go Modules and Vulnerability Scanning in Go Center (20)

Security of go modules lightning talk
Security of go modules lightning talkSecurity of go modules lightning talk
Security of go modules lightning talk
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notes
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
 
Finding target for hacking on internet is now easier
Finding target for hacking on internet is now easierFinding target for hacking on internet is now easier
Finding target for hacking on internet is now easier
 
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Generic Synchronization Policies in C++
Generic Synchronization Policies in C++Generic Synchronization Policies in C++
Generic Synchronization Policies in C++
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
 
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projects
 
cgo and Go plugins
cgo and Go pluginscgo and Go plugins
cgo and Go plugins
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versions
 
Understanding pseudoversion- GolangDC
Understanding pseudoversion- GolangDCUnderstanding pseudoversion- GolangDC
Understanding pseudoversion- GolangDC
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd round
 
Workshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaWorkshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and Java
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Security of Go Modules and Vulnerability Scanning in Go Center

  • 1. SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
  • 2. ● Presentation Slides & Video ● Enter our July Sweepstakes for a chance to win a Nintendo Switch w/ Mortal Kombat and Super Smash Bros. ● EVERYONE present who enter WINS a Gopher JFrog T-Shirt https://bit.ly/MHGophersJFrog
  • 3. 3 Agenda ● Dependency management in Go v1.13 and Go modules ● Checksum database concepts ● Committing a new Go module to the checksum database ● Vulnerability information in GoCenter ● DEMO: Security in VSCode ● Q&A ● Introduction
  • 5. 5 Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Go Modules become standard Basic data security and data integrity with go.sum and go.mod The go mod init command wrote a go.mod file you will see a file called go.sum gets created glide, gopath, dep, vendoring...
  • 6. 6 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  • 7. 7 Irreversible because you can’t use the hash to figure out what the original piece of data was Unique means that two different pieces of data can never produce the same hash
  • 8. 8 At its core, a Merkle Tree is a list of items representing the data that should be verified. data data data data hash hash hash hash hash hash hash go.sum data Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change - all the through the tree. root
  • 9. 9 Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 10. 10 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. https://sum.golang.org/ Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match… ...ensuring that everyone is using the same code for a given version.
  • 11. 11 Module 1 (go.sum) Module 1 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/ Minor content change
  • 12. 12 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
  • 13. 13 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch, but let’s pretend it’s a v2)
  • 14. 14 ... Semantic import versioning Go is strict about versioning
  • 15. 15 github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
  • 16. 16 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a XSS (cross site scripting) attack ...imagine if your app is a dependency for other projects...
  • 17. 17 go.sum file uses a list of SHA-256 hashes to match the checksumdb when imported go.mod stores a list of each dependency and version Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version However, the go.sum file has a limitation, it works entirely by trust based on user’s first use... Vulnerabilities will remain in that version of the module
  • 18. 18 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io GoCenter has every version of a publically available module.
  • 19. Demo of Vulnerability Information in GoCenter.io https://gocenter.io
  • 20. 20
  • 21. 21
  • 23. 23
  • 24. 24
  • 25. 25 A basic web application viewed in the browser with Go Using GORM and sqlite to configure a database Security alerts in Visual Studio Code with JFrog Extension
  • 26. 26
  • 28. ● Presentation Slides & Video ● Enter our July Sweepstakes for a chance to win a Nintendo Switch w/ Mortal Kombat and Super Smash Bros. ● EVERYONE present who enter WINS a Gopher JFrog T-Shirt https://bit.ly/MHGophersJFrog