SlideShare a Scribd company logo

Security of Go Modules - SF Meetup

Deep Datta
Deep Datta

Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.

Technology
1 of 25
Download to read offline
2 Agenda ● Introduction ● Dependency management and Go modules ● Go.mod and go.sum ● Checksum database ● Potential Issues that can come up ● Why we added vulnerability scanning to GoCenter ● More security considerations with Jfrog Xray ● Q&A and Feedback
JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts
4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Make Go Modules the standard Security was built into 1.13 with go.sum and go.mod The go mod init command wrote a go.mod file After running go build you will also see a file called go.sum gets created.
6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was unique means that two different pieces of data can never produce the same hash
8 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
9 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match, ensuring that everyone is using the same code for a given version. https://sum.golang.org/
10 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) Minor content change go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
11 Let’s say your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save your app as mod1 go.mod go.sum main.go
12 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your app and create a new version for everyone called mod1/v2 (probably would be a patch) v1.1.0
13 ... Semantic import versioning
14 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
15 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a cross-site scripting attack ...imagine if your app is a dependency for other projects...
16 Let’s summarize so far go.sum file, a list of SHA-256 base64 hashes go.mod stores a list of each dependency The go command can use these hashes to detect misbehavior by an origin server or proxy that gives a different code for the same version. However, the go.sum file has a limitation, it works entirely by trust based on user’s first use...
17 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io
18 Demo of Vulnerability info in GoCenter.io https://gocenter.io
19 How seeing your vulnerabilities in GoCenter can help
20 You can check vulnerabilities in dependencies too
21 GoCenter provides CVE public list of vulnerabilities
22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe or not.
23 Coming soon...
24 Q&A How to give us feedback gocenter@jfrog.com deepd@jfrog.com @DeepDattaX
JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts

Recommended

Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go Center
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Deep Datta
 

Recommended

Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenter
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go Center
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Deep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Deep Datta
 
The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210
Mahmoud Samir Fayed
 
Desarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y AzureDesarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y Azure
Patxi Gortázar
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
SQALab
 
[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows
Hyeonmin Park
 
The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180
Mahmoud Samir Fayed
 
Drupal + composer = new love !?
Drupal + composer = new love !?Drupal + composer = new love !?
Drupal + composer = new love !?
nuppla
 
Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)
Fred Lin
 
Python Projects at Neova
Python Projects at NeovaPython Projects at Neova
Python Projects at Neova
Sandip Chaudhari
 
GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017
sascha_klein
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
sascha_klein
 
Creating ASTTs The painful truth
Creating ASTTs The painful truthCreating ASTTs The painful truth
Creating ASTTs The painful truth
Mario García
 
Efficient development workflows with composer
Efficient development workflows with composerEfficient development workflows with composer
Efficient development workflows with composer
nuppla
 
いつやるの?Git入門
いつやるの?Git入門いつやるの?Git入門
いつやるの?Git入門
Masakazu Matsushita
 
Efficient development workflows with composer
Efficient development workflows with composerEfficient development workflows with composer
Efficient development workflows with composer
nuppla
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
rjsmelo
 
Dependency management in golang
Dependency management in golangDependency management in golang
Dependency management in golang
Ramit Surana
 
Python_Session
Python_SessionPython_Session
Python_Session
siva ram
 
GroovyFX - Groove JavaFX
GroovyFX - Groove JavaFXGroovyFX - Groove JavaFX
GroovyFX - Groove JavaFX
sascha_klein
 
Life of a Chromium Developer
Life of a Chromium DeveloperLife of a Chromium Developer
Life of a Chromium Developer
mpaproductions
 
GNU Make, Autotools, CMake 簡介
GNU Make, Autotools, CMake 簡介GNU Make, Autotools, CMake 簡介
GNU Make, Autotools, CMake 簡介
Wen Liao
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)
Deep Datta
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Mitali Bisht
 

More Related Content

What's hot

Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)
Fred Lin
 
Python_Session
Python_SessionPython_Session
Python_Session
siva ram
 
Life of a Chromium Developer
Life of a Chromium DeveloperLife of a Chromium Developer
Life of a Chromium Developer
mpaproductions
 

What's hot (20)

The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210
 
Desarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y AzureDesarrollo web backend: Spring Boot, MongoDB y Azure
Desarrollo web backend: Spring Boot, MongoDB y Azure
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
 
[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows
 
The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180
 
Drupal + composer = new love !?
Drupal + composer = new love !?Drupal + composer = new love !?
Drupal + composer = new love !?
 
Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)Introduction of Distributed version control system (mainly Mercurial)
Introduction of Distributed version control system (mainly Mercurial)
 
Python Projects at Neova
Python Projects at NeovaPython Projects at Neova
Python Projects at Neova
 
GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
 
Creating ASTTs The painful truth
Creating ASTTs The painful truthCreating ASTTs The painful truth
Creating ASTTs The painful truth
 
Efficient development workflows with composer
Efficient development workflows with composerEfficient development workflows with composer
Efficient development workflows with composer
 
いつやるの?Git入門
いつやるの?Git入門いつやるの?Git入門
いつやるの?Git入門
 
Efficient development workflows with composer
Efficient development workflows with composerEfficient development workflows with composer
Efficient development workflows with composer
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
 
Dependency management in golang
Dependency management in golangDependency management in golang
Dependency management in golang
 
Python_Session
Python_SessionPython_Session
Python_Session
 
GroovyFX - Groove JavaFX
GroovyFX - Groove JavaFXGroovyFX - Groove JavaFX
GroovyFX - Groove JavaFX
 
Life of a Chromium Developer
Life of a Chromium DeveloperLife of a Chromium Developer
Life of a Chromium Developer
 
GNU Make, Autotools, CMake 簡介
GNU Make, Autotools, CMake 簡介GNU Make, Autotools, CMake 簡介
GNU Make, Autotools, CMake 簡介
 

Similar to Security of Go Modules - SF Meetup

Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Peter Martin
 
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Cisco DevNet
 

Similar to Security of Go Modules - SF Meetup (20)

Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notes
 
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versions
 
Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...
 
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projects
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
 
Write microservice in golang
Write microservice in golangWrite microservice in golang
Write microservice in golang
 
Debugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBDebugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDB
 
mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07
 
Do + ldo for developers(full)
Do + ldo for developers(full)Do + ldo for developers(full)
Do + ldo for developers(full)
 
Yobi d2 naver(create)
Yobi d2 naver(create)Yobi d2 naver(create)
Yobi d2 naver(create)
 
JDD 2017: 7 things which you should care about before release your code to pr...
JDD 2017: 7 things which you should care about before release your code to pr...JDD 2017: 7 things which you should care about before release your code to pr...
JDD 2017: 7 things which you should care about before release your code to pr...
 
mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)
 
GTG30: Introduction vgo
GTG30: Introduction vgoGTG30: Introduction vgo
GTG30: Introduction vgo
 
How to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDKHow to Build & Use OpenCL on OpenCV & Android NDK
How to Build & Use OpenCL on OpenCV & Android NDK
 
Lean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and DrushLean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and Drush
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Security of Go Modules - SF Meetup

  • 1.
  • 2. 2 Agenda ● Introduction ● Dependency management and Go modules ● Go.mod and go.sum ● Checksum database ● Potential Issues that can come up ● Why we added vulnerability scanning to GoCenter ● More security considerations with Jfrog Xray ● Q&A and Feedback
  • 3. JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts
  • 4. 4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
  • 5. 5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Make Go Modules the standard Security was built into 1.13 with go.sum and go.mod The go mod init command wrote a go.mod file After running go build you will also see a file called go.sum gets created.
  • 6. 6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  • 7. 7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was unique means that two different pieces of data can never produce the same hash
  • 8. 8 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 9. 9 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match, ensuring that everyone is using the same code for a given version. https://sum.golang.org/
  • 10. 10 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) Minor content change go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 11. 11 Let’s say your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save your app as mod1 go.mod go.sum main.go
  • 12. 12 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your app and create a new version for everyone called mod1/v2 (probably would be a patch) v1.1.0
  • 14. 14 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
  • 15. 15 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a cross-site scripting attack ...imagine if your app is a dependency for other projects...
  • 16. 16 Let’s summarize so far go.sum file, a list of SHA-256 base64 hashes go.mod stores a list of each dependency The go command can use these hashes to detect misbehavior by an origin server or proxy that gives a different code for the same version. However, the go.sum file has a limitation, it works entirely by trust based on user’s first use...
  • 17. 17 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io
  • 18. 18 Demo of Vulnerability info in GoCenter.io https://gocenter.io
  • 19. 19 How seeing your vulnerabilities in GoCenter can help
  • 20. 20 You can check vulnerabilities in dependencies too
  • 21. 21 GoCenter provides CVE public list of vulnerabilities
  • 22. 22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe or not.
  • 24. 24 Q&A How to give us feedback gocenter@jfrog.com deepd@jfrog.com @DeepDattaX
  • 25. JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts