This document discusses how Go modules and the go.sum file help secure Go dependencies. It explains that Go 1.11 introduced Go modules to better manage dependencies, and Go 1.13 made modules the standard. The go.sum file uses cryptographic hashes to verify the integrity of dependencies, preventing vulnerabilities from compromised modules. When a module is updated, both versions are committed to a checksum database, allowing dependent code to specify the exact version needed.
2. DEPENDENCY MANAGEMENT IN GOLANG
glide, gopath, dep, vendoring…
These weren’t the right answer for Go...
GO 1.11 INTRODUCED GO MODULES
GO 1.13 GO MODULES BECOME THE STANDARD
Basic data integrity features are introduced with the go.sum and go.mod
Go module mirror and Go checksum database
4. SECURE HASH ALGORITHM (SHA2) AS CHECKSUMS
cryptographic hash algorithms produce irreversible and unique hashes
Irreversible because you can’t use the hash to figure out what the original piece of data was
Unique means that two different pieces of data can never produce the same hash
5. MERKLE TREE BASICS
At its core, a Merkle Tree is a list of items representing the data that should be verified.
data data data data
hash hash hash hash
hash hash
hash
go.sum data
Each of these items is inserted into a leaf node and a tree of hashes is constructed. If
you change the data, the hash will also change that branch all the through the tree.
hash
hash
root
6. Module 1
(go.sum)
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
Module 2
(go.sum)
CHECKSUMS
7. go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
https://sum.golang.org/
HOW HASHES PROTECT MODULE USERS
Module 1
(go.sum)
Module 1
(go.sum)
Minor content change
8. Let’s say you
create your first
Go module.
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
You save it as mod1
go.mod go.sum
main.go
9. main.go
mod1
You can fix your files and create a
new version for everyone called
mod/v2
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“html/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
Semantic import versioning
10. BOTH V1 and V2 ARE COMMITTED TO SUMDB
go.sum
go.sum
go.sum
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
PIRibHv4MatM3XXNO2BJeFLZwZ2L
vZgfQ5+UNI2im4=
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
go.sum
List of SHA-256 base64 hashes.
Cz4ceDQGXuKRnVBDTS23GTn/pU5
OE2C0WrNTOYK1Uuc=
github.com/deep/
mod1
github.com/deep/
mod1/v2
11. ...so if someone
imports….
package main
import {
“encoding/json”,
“io/ioutil”,
“net/http”,
“os”,
“text/template”
}
type TodoPageData struct {
PageTitle string
Todos []Todo
}
...
That original mod1
main.go
They open themselves
up to a XSS attack
...imagine if your app is
a dependency for other
projects...