Secure your Go Code with the Vulnerability Detection Tool. by Stephanie Lai | October, 2022

Official tools to protect your code

Photo by Markus Spiske on Unsplash.

Security vulnerabilities exist in every language and every codebase: some in the code we write ourselves, but more in upstream dependencies, down to the underlying Linux layers. We have previously discussed security protections for Go and Kubernetes images in Path to a Perfect Go Dockerfile and Image vulnerability scanning for optimal Kubernetes security, where the scanning was generic rather than specific to Go.

As the Go community grows, the growing number of open-source packages has brought more security vulnerabilities with it. This caught the attention of the Go team, and in September 2022 the Go vulnerability detection tool, govulncheck, was released.

If you are interested in this tool, follow along: we will look at its internal logic and then make full use of it.

First, let’s try it.

Install (only supported from Go 1.18 onwards).

go install

Then run it in the project directory, that is, the directory containing the go.mod file.

govulncheck ./...

Taking one of my Kubernetes operator projects as a demo, the report shows two vulnerabilities.

  • Under "scanning for dependencies with known vulnerabilities": a vulnerability reached from the project's own code, apparently in the current Go version itself, which is resolved by upgrading Go.
  • Under "the vulnerabilities below are in the packages you import": a vulnerability in a project dependency, which can only be fixed by upgrading the affected package.

The report gives the following information:

  • How many vulnerabilities were detected
  • Details of each vulnerability, including the publication date, a description, and a link to the vulnerability report
  • Where in the code the vulnerable symbol is reached, down to the method and line
  • The affected versions and the version in which the vulnerability was fixed

Run govulncheck in CI/CD

It is more effective to integrate the tool into the CI/CD pipeline. That can be done by exporting the result as JSON with the -json flag and parsing it:

govulncheck -json ./...

The JSON output is verbose: besides the results themselves it dumps the graphs the scan built and their entry points.

Calls is the call graph built from the project's own code, Imports the import graph of its dependencies, and Vulns the list of detected vulnerabilities.

For the gate we can run jq '.Vulns | length' over the output and fail when the count is not 0. For the operator project, the corresponding shell commands go into the Makefile and run in CI/CD.
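As an added example (my own code, not part of the original post or of the govulncheck project), here is a small Go gate that does the job of the jq one-liner with a little more care. It assumes the single-object JSON format govulncheck emitted in late 2022, with top-level Calls, Imports, Requires and Vulns (later releases switched to a stream of JSON objects, so the struct would need adjusting for them). It reads the output from stdin, counts every vulnerability in the dependency graph, counts separately those with a call path to the vulnerable symbol (CallSink is 0 when none was found), and fails the build on the reachable ones, or on all of them with -strict. The embedded SampleOutput, its GO-0000-000x IDs and its example.com module paths are constructed placeholders, not real findings.

```go
// Added example (not part of the original post or of golang.org/x/vuln):
// a CI gate that reads `govulncheck -json` output from stdin and decides
// whether the build fails. It assumes the single-object JSON format that
// govulncheck emitted in late 2022 (top-level Calls/Imports/Requires/Vulns).
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
)

// result holds the only part of govulncheck's JSON Result this gate needs;
// the Calls, Imports and Requires graphs are ignored.
type result struct {
	Vulns []vuln `json:"Vulns"`
}

// vuln mirrors one element of Result.Vulns. CallSink is the ID of the
// vulnerable symbol's node in the call graph; 0 means no call path from the
// scanned code to that symbol was found.
type vuln struct {
	OSV struct {
		ID string `json:"id"`
	} `json:"OSV"`
	Symbol   string `json:"Symbol"`
	PkgPath  string `json:"PkgPath"`
	ModPath  string `json:"ModPath"`
	CallSink int    `json:"CallSink"`
}

// Summary is what the gate reports and decides on.
type Summary struct {
	Total     int      // vulnerabilities anywhere in the dependency graph
	Reachable int      // those with a call path from the scanned code
	IDs       []string // sorted, de-duplicated OSV IDs of the reachable ones
}

// Summarize decodes govulncheck JSON output and counts total versus
// reachable vulnerabilities. One OSV entry may appear several times in
// Vulns (once per vulnerable symbol), so IDs is de-duplicated.
func Summarize(data []byte) (Summary, error) {
	var r result
	if err := json.Unmarshal(data, &r); err != nil {
		return Summary{}, fmt.Errorf("decode govulncheck output: %w", err)
	}
	s := Summary{Total: len(r.Vulns)}
	seen := map[string]bool{}
	for _, v := range r.Vulns {
		if v.CallSink == 0 {
			continue // imported or required but never called: informational only
		}
		s.Reachable++
		if !seen[v.OSV.ID] {
			seen[v.OSV.ID] = true
			s.IDs = append(s.IDs, v.OSV.ID)
		}
	}
	sort.Strings(s.IDs)
	return s, nil
}

// ExitCode is the policy: fail on reachable vulnerabilities, or, in strict
// mode, on any vulnerability in the dependency graph at all.
func ExitCode(s Summary, strict bool) int {
	if s.Reachable > 0 || (strict && s.Total > 0) {
		return 1
	}
	return 0
}

// SampleOutput is a constructed, trimmed-down result in the shape above:
// one reachable vulnerability and one that is only imported. The IDs and
// module paths are placeholders, not real database entries.
const SampleOutput = `{"Vulns": [
  {"OSV": {"id": "GO-0000-0001"}, "Symbol": "Parse", "PkgPath": "example.com/mod/parser",
   "ModPath": "example.com/mod", "CallSink": 7},
  {"OSV": {"id": "GO-0000-0002"}, "Symbol": "Server.Serve", "PkgPath": "example.com/other/srv",
   "ModPath": "example.com/other", "CallSink": 0}
]}`

// Usage: govulncheck -json ./... | go run ./tools/vulngate [-strict]
func main() {
	strict := len(os.Args) > 1 && os.Args[1] == "-strict"
	data, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(2)
	}
	s, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%d vulnerabilities in dependency graph, %d reachable %v\n", s.Total, s.Reachable, s.IDs)
	os.Exit(ExitCode(s, strict))
}
```

In the Makefile this takes the place of the jq check: govulncheck -json ./... | go run ./tools/vulngate (the ./tools/vulngate path is just where I would keep the file). In its -json mode the 2022 govulncheck releases did not signal findings through their own exit status, so the gate's exit code is what actually fails the pipeline, and separating reachable from import-only entries keeps the build from breaking on vulnerabilities the project never calls.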

govulncheck also supports scanning compiled binaries: replace ./... with the path to the binary. In CI/CD this also covers Go projects where only the built artifact is available, for example the binary inside a Docker image.

Check test code

govulncheck does not analyze test code by default, but test files can be included with the -test flag:

govulncheck -test pkg/test/*

Under the hood, govulncheck reads the project's go.mod and Go source, fetches entries from the vulnerability database, and matches the two. The project is therefore made up of two parts.

  • Development of the vuln command-line tool
  • Maintenance of the vulndb database

The vuln command-line tool

Reading a command-line tool's code usually starts where the command is defined. The whole flow is simple; checking source code takes only five steps:

  • Create and configure the vulnerability database client
  • Load the configuration
  • Load the source packages
  • Run the analysis, which traces calls to vulnerable symbols
  • Process and print the results

The core is the vulncheck.Source() function.

It builds the import graph and the require graph separately and scans both against the database. The import graph covers the packages the current code actually uses, while the require graph links in the modules that go.mod requires but that are not imported directly. On top of the import graph it builds a call graph, so that a vulnerability is reported as affecting the project only when there is a call path from the project's code to the vulnerable symbol.

The vulndb database

vulndb holds all the vulnerability entries. It synchronizes with other open-source vulnerability sources and takes in community-discovered vulnerabilities through user-submitted reports. All entries can be browsed on the public Go vulnerability database site.

Six properties describe the database and its entries.

Curated dataset. The database will be actively maintained by the Go Security team, and will provide consistent metadata and uniform analysis of tracked vulnerabilities, with a focus on enabling not only detection, but accurate impact assessment.

Basic metadata. The entries include a database-specific unique identifier for the vulnerability, the affected package and version ranges, a coarse severity grade, and GOOS/GOARCH if applicable. If missing, a CVE number will also be assigned.

Targeting metadata. Each database entry will contain sufficient metadata to enable detection of affected downstream applications with fewer false positives. For example, this would include affected symbols (functions, methods, types, variables…) so that unaffected consumers can be identified with static analysis.

Web Page. Each vulnerability will link to a web page with a description of the vulnerability, remedial instructions and additional links.

source of truth. The database will be maintained as a public Git repository, similar to other Go repositories. Database entries will be available through a static protocol (see “Protocols”). The contents of the repository itself will be in an internal format which is subject to change without notice.

Triage process. Candidate entries will be sourced from existing streams (such as the CVE database, and security mailing lists) as well as community submissions. Both will be processed by the team to ensure consistent metadata and analysis. We specifically want to encourage maintainers to report vulnerabilities in their own modules.
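To make the targeting metadata concrete, here is an added example (my own code, not part of the original post or of the vulndb project) that applies one database entry to a consumer module. It assumes the OSV JSON layout vulndb used in 2022: one affected block per module, with SEMVER ranges of introduced/fixed events and an ecosystem_specific.imports list naming the vulnerable symbols per package. The entry (GO-0000-0001, example.com/mod) and the consumer's set of called symbols are constructed placeholders; govulncheck derives that set from the call graph it builds in source mode.

```go
// Added example (not from the original post or the vulndb project): applying an
// entry's targeting metadata to one consumer, assuming vulndb's 2022 OSV layout.
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

type Event struct{ Introduced, Fixed string }

// Entry keeps only the OSV fields needed here (encoding/json matches lowercase
// keys case-insensitively, so only ecosystem_specific needs a tag).
type Entry struct {
	ID       string
	Affected []struct {
		Package struct{ Name string }      // module path
		Ranges  []struct{ Events []Event } // vulndb uses SEMVER ranges
		EcosystemSpecific struct {
			Imports []struct {
				Path    string // package import path
				Symbols []string
			}
		} `json:"ecosystem_specific"`
	}
}

// parseVersion reads "1.18.6" or "v1.18.6" ("0", the SEMVER origin, is 0.0.0).
// A pre-release suffix ("1.19.0-0") is dropped, which errs toward "affected".
func parseVersion(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v = v[:i]
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(part) // malformed parts count as 0
	}
	return n
}

// atLeast reports whether version a >= version b.
func atLeast(a, b string) bool {
	x, y := parseVersion(a), parseVersion(b)
	return x[0] > y[0] || (x[0] == y[0] && (x[1] > y[1] || (x[1] == y[1] && x[2] >= y[2])))
}

// inRange: affected if the last ordered event at or below version is an
// "introduced" rather than a "fixed".
func inRange(events []Event, version string) bool {
	affected := false
	for _, e := range events {
		if e.Introduced != "" && atLeast(version, e.Introduced) {
			affected = true
		} else if e.Fixed != "" && atLeast(version, e.Fixed) {
			affected = false
		}
	}
	return affected
}

// Assess applies e to module@version. affected: the version lies in a vulnerable
// range. called: the entry's vulnerable symbols (importpath.Symbol) present in
// calls, the set the consumer reaches (given by the caller here; govulncheck
// derives it from the call graph). affected with nothing called is the
// "vulnerable dependency, unaffected consumer" case.
func Assess(e Entry, module, version string, calls map[string]bool) (affected bool, called []string) {
	for _, a := range e.Affected {
		if a.Package.Name != module {
			continue
		}
		for _, r := range a.Ranges {
			affected = affected || inRange(r.Events, version)
		}
		for _, pkg := range a.EcosystemSpecific.Imports {
			for _, sym := range pkg.Symbols {
				if q := pkg.Path + "." + sym; affected && calls[q] {
					called = append(called, q)
				}
			}
		}
	}
	return affected, called
}

func ParseEntry(data string) (e Entry, err error) {
	return e, json.Unmarshal([]byte(data), &e)
}

// SampleEntry is constructed: placeholder ID and module, two vulnerable ranges.
const SampleEntry = `{"id": "GO-0000-0001", "affected": [{
  "package": {"name": "example.com/mod", "ecosystem": "Go"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
    {"introduced": "1.5.0"}, {"fixed": "1.5.3"}]}],
  "ecosystem_specific": {"imports": [{"path": "example.com/mod/parser",
    "symbols": ["Parse", "Decoder.Decode"]}]}}]}`

func main() {
	e, _ := ParseEntry(SampleEntry)
	calls := map[string]bool{"example.com/mod/parser.Parse": true} // constructed consumer
	for _, v := range []string{"v1.4.1", "v1.4.2", "v1.5.0", "v1.5.3"} {
		affected, called := Assess(e, "example.com/mod", v, calls)
		fmt.Printf("%s %s: affected=%v reachable=%v\n", e.ID, v, affected, called)
	}
}
```

The version ordering is a deliberately minimal semver comparison on the numeric parts: vulndb entries use "0" for "from the first release" and forms like 1.19.0-0 for "every 1.19 pre-release", and this code treats such a pre-release marker as the release itself, which can only over-report. A production tool should use golang.org/x/mod/semver instead. The interesting output is the second verdict for each affected version: a consumer that imports example.com/mod/parser but never calls Parse or Decoder.Decode is reported as affected at the module level and clean at the symbol level, which is exactly the false-positive reduction the targeting metadata exists for.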

In addition, vulndb provides a set of commands for database maintenance, online verification, and so on. For example, the worker command starts a server locally and scans the files in Git.

The cve command queries and updates vulnerability information by making HTTP requests to retrieve the relevant data.

We can fetch the vulndb code with git clone and then build, test, and run these commands locally via the scripts in devtools.

govulncheck is an official Go tool and is likely to become widely used, but as of this writing it still has some drawbacks.

  • It is still only an experimental tool.
  • Binary scanning is supported only from Go 1.18 onwards.
  • It only detects vulnerabilities against the current Go version. For example, after I upgrade to the latest 1.19, dependency vulnerabilities that apply to 1.18 are no longer reported.
  • Its output formats are limited: the JSON output is verbose, and the text output is suited only to local use in development and test environments; a summary output format exists only in the source code.
  • It can give false positives or imprecise call stacks when the vulnerable call goes through interfaces or function values, since the static call graph over-approximates dynamic dispatch.

Don't stand still while waiting for govulncheck to mature; check out the other Go dependency scanning tools as well. Currently the most popular are GitHub's Dependabot security scanning and gosec.

GitHub Security Dependency Scan

For open-source Github Go projects, we can do regular dependency scans by configuring Dependabot alerts in settings.

Dependabot can deliver daily or weekly reports by email or GitHub notification, and it offers one-click fix pull requests, which is ideal for open-source Go projects.

gosec is also a command-line tool for Go, but it works differently from govulncheck: it is a static analyzer that inspects your own source for insecure coding patterns (hard-coded credentials, weak cryptography, unchecked errors, unsafe file permissions, and so on) rather than matching dependencies against a vulnerability database.

gosec supports all Go versions and is rich in options: it can run selected rules, take a configuration file, and emit reports in multiple formats such as JSON, YAML, and CSV.

So gosec is the more mature tool for now, and the two complement rather than replace each other until govulncheck takes on more.

As Go evolves and security issues multiply, it is essential to choose dependencies carefully and update them regularly. That is not easy when it means a steady stream of update PRs and merges, which some teams will ignore. Dependency scanning is one way to enforce it: it forces the update by failing the build directly in CI/CD.

govulncheck is still under development; I will be following it closely and look forward to its future improvements.
