Security of Go Modules and Vulnerability Scanning in Go Center
1. SECURITY OF GO MODULES AND VULNERABILITY SCANNING IN GOCENTER AND VSCODE
2. ● Presentation Slides & Video
● Enter our July Sweepstakes for a chance to win a Nintendo Switch w/
Mortal Kombat and Super Smash Bros.
● EVERYONE present who enters WINS a Gopher JFrog T-Shirt
https://bit.ly/MHGophersJFrog
3. Agenda
● Dependency management in Go v1.13 and Go modules
● Checksum database concepts
● Committing a new Go module to the checksum database
● Vulnerability information in GoCenter
● DEMO: Security in VSCode
● Q&A
● Introduction
5. Go 1.11 Introduced Go Modules

go.mod (written by the go mod init command):

module main.go

go 1.13

require github.com/sirupsen/logrus v1.4.2

go.sum (created the first time the go command resolves a dependency):

github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

Go 1.13: Go modules become the standard, after glide, GOPATH, dep, vendoring...
Basic data security and data integrity with go.mod and go.sum: go.mod records each dependency and its version, go.sum records the hash of each dependency's contents (and a separate hash of its go.mod file, the "/go.mod" lines).
7. Two properties of a cryptographic hash:
Irreversible: you can't use the hash to figure out what the original piece of data was.
Unique (collision resistant): two different pieces of data should never produce the same hash; for SHA-256, which go.sum uses, finding such a pair is computationally infeasible.
8. At its core, a Merkle Tree is a list of items representing the data that should be verified.
Each of these items is inserted into a leaf node and a tree of hashes is constructed.
If you change the data, the hash will also change, all the way through the tree up to the root.

[Figure: four go.sum data items, each hashed into a leaf; pairs of hashes are hashed together level by level until a single root hash remains.]
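Added example, not code from the slides or from the Go project: a Merkle tree over go.sum lines with an inclusion proof, so a client holding only the root hash can check that one line is in the log and that it has not been altered. It uses the RFC 6962 leaf/node prefixes (0x00 and 0x01), which is also the scheme golang.org/x/mod/sumdb/tlog uses for the checksum database; the leaves are go.sum entries taken from slide 5, and the tree size and the index being proven are arbitrary choices for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// leafHash and nodeHash use the RFC 6962 domain-separation prefixes (0x00 for a
// leaf, 0x01 for an interior node), the scheme golang.org/x/mod/sumdb/tlog uses,
// so a leaf hash can never be passed off as an interior node or vice versa.
func leafHash(data []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, data...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	buf := append([]byte{0x01}, left...)
	buf = append(buf, right...)
	h := sha256.Sum256(buf)
	return h[:]
}

// splitPoint returns the largest power of two strictly less than n (n >= 2),
// the point where RFC 6962 splits n leaves into a left and a right subtree.
func splitPoint(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleRoot computes the tree head over the leaves (here: go.sum lines).
func MerkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		h := sha256.Sum256(nil)
		return h[:]
	case 1:
		return leafHash(leaves[0])
	}
	k := splitPoint(len(leaves))
	return nodeHash(MerkleRoot(leaves[:k]), MerkleRoot(leaves[k:]))
}

// InclusionProof returns the sibling hashes needed to recompute the root from
// leaves[index], ordered bottom-up: the sibling nearest the root comes last.
func InclusionProof(leaves [][]byte, index int) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := splitPoint(len(leaves))
	if index < k {
		return append(InclusionProof(leaves[:k], index), MerkleRoot(leaves[k:]))
	}
	return append(InclusionProof(leaves[k:], index-k), MerkleRoot(leaves[:k]))
}

// VerifyInclusion recomputes the root from one leaf plus its proof and compares
// it with the trusted root; the verifier never needs to see the other leaves.
func VerifyInclusion(root, leaf []byte, index, size int, proof [][]byte) bool {
	if index < 0 || index >= size {
		return false
	}
	got := rootFromProof(leafHash(leaf), index, size, proof)
	return got != nil && bytes.Equal(got, root)
}

func rootFromProof(h []byte, index, size int, proof [][]byte) []byte {
	if size == 1 {
		if len(proof) != 0 {
			return nil // leftover proof elements: malformed proof
		}
		return h
	}
	if len(proof) == 0 {
		return nil // proof too short for a tree of this size
	}
	sibling, rest := proof[len(proof)-1], proof[:len(proof)-1]
	k := splitPoint(size)
	if index < k {
		sub := rootFromProof(h, index, k, rest)
		if sub == nil {
			return nil
		}
		return nodeHash(sub, sibling)
	}
	sub := rootFromProof(h, index-k, size-k, rest)
	if sub == nil {
		return nil
	}
	return nodeHash(sibling, sub)
}

// SampleLines are go.sum entries from slide 5, used as constructed log data.
func SampleLines() [][]byte {
	return [][]byte{
		[]byte("github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38="),
		[]byte("github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4="),
		[]byte("github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4="),
		[]byte("github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE="),
		[]byte("golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc="),
	}
}

func main() {
	lines := SampleLines()
	root := MerkleRoot(lines)
	proof := InclusionProof(lines, 2)
	fmt.Println("root:", hex.EncodeToString(root))
	fmt.Println("logrus line present:", VerifyInclusion(root, lines[2], 2, len(lines), proof))

	// A one-byte change to the recorded line changes its leaf hash, so the
	// recomputed root no longer matches the published one.
	tampered := append([]byte(nil), lines[2]...)
	tampered[len(tampered)-2] ^= 0x01
	fmt.Println("tampered line present:", VerifyInclusion(root, tampered, 2, len(lines), proof))
}
```

Five leaves are used on purpose: the tree is not a power of two, so the proof for each leaf has a different length, and the verifier rejects a proof whose length does not match the claimed tree size instead of silently accepting it.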
9. [Figure: Module 1 (go.sum) and Module 2 (go.sum). Each go.sum is a list of SHA-256 base64 hashes, e.g. h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= and h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=, and every list is checked against https://sum.golang.org/]
10. The checksum database ensures that the go command always adds the same lines to everyone's go.sum file.
https://sum.golang.org/
Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match, ensuring that everyone is using the same code for a given version.
Which database is consulted is controlled by the GOSUMDB environment variable (default sum.golang.org); modules matched by GONOSUMDB or GOPRIVATE, or all modules when GOSUMDB=off, skip this check entirely, so keep those settings limited to genuinely private module paths.
11. [Figure: the same diagram, now with Module 1 after a minor content change. Its go.sum still lists SHA-256 base64 hashes (e.g. h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=, h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=), but the hash of the changed content no longer matches what https://sum.golang.org/ recorded for that version.]
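Added example for slides 10 and 11, not code from the slides or from the Go toolchain: a reimplementation of the "h1:" hash that go.sum records (the dirhash.Hash1 algorithm from golang.org/x/mod/sumdb/dirhash, applied to the entries of a module zip named "<module>@<version>/<path>", or to a single file named "go.mod" for the "/go.mod" lines), a parser for go.sum lines, and the download-time check that the received bytes hash to the recorded value. The module example.com/mod1 and its file contents are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 reproduces the "h1:" hash that go.sum records for a module version:
// for every file in the module zip, sorted by name, the line
// "<sha256 hex of content>  <name>\n" is fed to a running SHA-256 and the
// final digest is base64-encoded. files is an in-memory stand-in for the zip,
// keyed by the zip entry name ("<module>@<version>/<path>").
func Hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(h, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// GoModHash is the hash on a "<module> <version>/go.mod" line: the same
// algorithm over a single file named "go.mod".
func GoModHash(gomod string) string {
	return Hash1(map[string]string{"go.mod": gomod})
}

// SumLine is one parsed go.sum entry.
type SumLine struct {
	Module    string
	Version   string
	Hash      string
	GoModOnly bool // true for the "<version>/go.mod" lines
}

// ParseGoSum parses "<module> <version>[/go.mod] h1:<base64>" lines and
// rejects anything that is not a well-formed h1 entry.
func ParseGoSum(text string) ([]SumLine, error) {
	var out []SumLine
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry %q", i+1, line)
		}
		if _, err := base64.StdEncoding.DecodeString(f[2][3:]); err != nil {
			return nil, fmt.Errorf("go.sum line %d: bad hash: %v", i+1, err)
		}
		entry := SumLine{Module: f[0], Version: f[1], Hash: f[2]}
		if strings.HasSuffix(entry.Version, "/go.mod") {
			entry.Version = strings.TrimSuffix(entry.Version, "/go.mod")
			entry.GoModOnly = true
		}
		out = append(out, entry)
	}
	return out, nil
}

// Verify is the check performed after a download: the hash of the bytes
// actually received must equal the hash already recorded in go.sum.
func Verify(recorded SumLine, files map[string]string) bool {
	return Hash1(files) == recorded.Hash
}

// sampleGoMod and SampleModule are a constructed module zip for the invented
// module path example.com/mod1 at v1.0.0.
const sampleGoMod = "module example.com/mod1\n\ngo 1.13\n"

func SampleModule() map[string]string {
	return map[string]string{
		"example.com/mod1@v1.0.0/go.mod":  sampleGoMod,
		"example.com/mod1@v1.0.0/main.go": "package main\n\nfunc main() {}\n",
	}
}

func main() {
	files := SampleModule()
	sumLines := fmt.Sprintf("example.com/mod1 v1.0.0 %s\nexample.com/mod1 v1.0.0/go.mod %s\n",
		Hash1(files), GoModHash(sampleGoMod))
	fmt.Print(sumLines)

	recorded, err := ParseGoSum(sumLines)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchanged module verifies:", Verify(recorded[0], files))

	// A minor content change (one added comment line) changes the h1: hash, so
	// a proxy or origin serving altered code for the same version is caught.
	changed := map[string]string{}
	for k, v := range files {
		changed[k] = v
	}
	changed["example.com/mod1@v1.0.0/main.go"] += "// minor content change\n"
	fmt.Println("changed module verifies:", Verify(recorded[0], changed))
}
```

The file names are part of what is hashed, so renaming or adding a file changes the hash just as editing one does; that is why a version tag that is moved to a different commit produces a go.sum mismatch for everyone who recorded the original.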
12. Let's say you create your first Go module.

package main

import (
	"encoding/json"
	"io/ioutil"
	"net/http"
	"os"
	"text/template"
)

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}
...

You save it as mod1: main.go, go.mod, go.sum
15. [Figure: github.com/deepda/mod1 and github.com/deepda/mod1/v2, each with its own go.sum: lists of SHA-256 base64 hashes, e.g. h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= and h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=]
16. If someone imports mod1....

package main

import (
	"encoding/json"
	"io/ioutil"
	"net/http"
	"os"
	"text/template"
)

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}
...

main.go

They open themselves up to an XSS (cross-site scripting) attack: the module renders its pages with text/template, which does no HTML escaping, so any user-supplied todo text is written into the page verbatim.
...imagine if your app is a dependency for other projects: every importer inherits the flaw, and the go.sum hash of the module is perfectly valid.
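Added example, not code from the slides: the slide's TodoPageData rendered first with text/template, as the module's import list does, and then with html/template, which is the fix. The template string and the todo titles (one benign, one a stored-XSS payload) are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

type Todo struct {
	Title string
	Done  bool
}

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}

// page is a constructed template; the todo titles are user input stored by the app.
const page = `<h1>{{.PageTitle}}</h1>
<ul>{{range .Todos}}<li>{{.Title}}</li>{{end}}</ul>
`

// RenderUnsafe renders with text/template, as the slide's import list does.
// text/template knows nothing about HTML: a title is copied into the page
// verbatim, so a title containing <script> becomes a script the browser runs.
func RenderUnsafe(data TodoPageData) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fix: html/template parses the same template, tracks the
// HTML context of every {{action}} and escapes each value for that context,
// so the same title is emitted as inert text (&lt;script&gt;...).
func RenderSafe(data TodoPageData) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleData is constructed input: one benign todo and one stored-XSS payload.
func SampleData() TodoPageData {
	return TodoPageData{
		PageTitle: "Todos",
		Todos: []Todo{
			{Title: "buy milk"},
			{Title: "<script>alert(document.cookie)</script>"},
		},
	}
}

func main() {
	raw, _ := RenderUnsafe(SampleData())
	escaped, _ := RenderSafe(SampleData())
	fmt.Print("text/template:\n", raw, "\nhtml/template:\n", escaped)
}
```

The two packages share the same template syntax, so the change is confined to the import line; html/template's escaping is contextual, so a value placed inside an attribute, a URL or a script block is encoded differently from one placed in element text, which is why a hand-written replace of "<" is not an equivalent fix.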
17. go.sum holds a list of SHA-256 hashes ("h1:" lines) that are matched against the checksum database when a module is first imported.
go.mod stores a list of each dependency and its version.
Hashes are used to detect misbehavior by an origin server or proxy that provides different code for the same version.
However, go.sum has a limitation: it works entirely on trust on first use. A matching hash proves only that you received the same bytes as everyone else, not that those bytes are safe.
Vulnerabilities will remain in that version of the module, and the checksum will keep matching.
18. Introducing JFrog GoCenter with Xray Security
GoCenter is a GOPROXY that caches metadata and source code in its own storage system.
This allows the mirror to continue to serve source code that is no longer available from the original locations, speeding up downloads and protecting users from disappearing dependencies.
export GOPROXY=https://gocenter.io
GoCenter has every version of a publicly available module.
(JFrog has since retired the GoCenter service; whichever proxy is configured, the checksum database check controlled by GOSUMDB still runs on what the proxy serves.)
25. DEMO: a basic web application viewed in the browser with Go, using GORM and sqlite to configure a database, with security alerts in Visual Studio Code from the JFrog extension.