Official tools to protect your code
Security vulnerabilities exist in every language and every code base. Some are in the code we write ourselves, but more come from upstream dependencies, down to the underlying Linux packages. We have already discussed hardening Go and Kubernetes images in "Path to a Perfect Go Dockerfile" and "Image vulnerability scanning for optimal Kubernetes security", where the scanning was generic rather than Go-specific.
As the Go community grows, the growing number of open-source packages has brought more security vulnerabilities with it. This caught the attention of the Go team, which released the vulnerability scanning tool govulncheck (Go vulnerability detection) in September 2022.
If you are interested in this tool, follow along: let's understand its internal logic and then make full use of it.
First, let’s try it.
Install it (it requires Go 1.18 or later):
go install golang.org/x/vuln/cmd/govulncheck@latest
Then run govulncheck ./... from the project directory, the one where the go.mod file is located.
Take one of my Kubernetes operator projects as a demo. Two vulnerabilities are displayed in the report.
- Findings in the main section, printed after "scanning for dependencies with known vulnerabilities": govulncheck found a call path from the project's own code to a vulnerable symbol. In this demo the first finding is in the standard library of the Go version in use, so it is resolved by upgrading Go.
- Findings in the informational section, introduced by "The vulnerabilities below are in packages that you import, but your code doesn't appear to call any vulnerable functions": the vulnerable module is in the dependency graph, but no call path to the vulnerable symbol was found. The risk is lower, and the finding goes away only by upgrading the affected dependency.
For each finding the report gives:
- how many vulnerabilities were detected in total
- details of each vulnerability: its report ID, the date it was published, a description, and a link to the full report
- where in your code the vulnerable symbol is reached (the call stack, down to the method and line)
- the version range in which the vulnerability is present and the version that fixes it
Run govulncheck in CI/CD
The tool pays off most when it runs in the CI/CD pipeline. One way is to export the result as JSON and gate the build on it:
govulncheck -json ./...
The JSON output is verbose and covers the whole scan, not just the results:
- Calls: the call graph from the project's own code to the vulnerable symbols
- Imports: the import graph of the dependencies that were checked
- Vulns: the findings themselves
So a minimal gate is jq '.Vulns | length' and failing the step when the count is != 0. For the current operator, the corresponding shell lives in the Makefile and runs in CI/CD. Note that govulncheck's JSON format has changed in later releases, so check the output of the version you install before wiring up jq.
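The jq one-liner treats every entry in Vulns the same way, but the JSON carries enough information to tell reachable findings from import-only ones: each entry has a CallSink field that is 0 when no call path to the vulnerable symbol was found. The following is an added example, not govulncheck's own code: a small gate that reads a govulncheck -json report from stdin, fails the step only on reachable findings, and still lists the import-only ones. It assumes the single-object JSON format govulncheck emitted in 2022 (a top-level Vulns array whose entries carry OSV and CallSink); later releases switched to a streaming format. The report embedded in the block is constructed sample data with dummy IDs and made-up module paths, and the ./tools/vulngate path in the usage comments is a hypothetical location for this program.

```go
// Added example, not govulncheck's own code: a CI gate that reads a
// govulncheck -json report from stdin and fails only on findings that are
// reachable from the scanned code. It assumes the single-object JSON format
// govulncheck emitted in 2022 (top-level "Vulns", each with "OSV" and
// "CallSink"); later releases switched to a streaming format.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// report mirrors only the fields the gate needs.
type report struct {
	Vulns []finding `json:"Vulns"`
}

type finding struct {
	OSV struct {
		ID      string `json:"id"`
		Details string `json:"details"`
	} `json:"OSV"`
	ModPath  string `json:"ModPath"`
	Symbol   string `json:"Symbol"`
	CallSink int    `json:"CallSink"` // 0: imported but never called
}

// Summary separates reachable findings from import-only ones.
type Summary struct {
	Called   []string // IDs with a call path from the scanned code
	Imported []string // IDs in the dependency graph with no call path found
}

// Summarize parses a govulncheck -json report and classifies each finding.
func Summarize(data []byte) (Summary, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return Summary{}, fmt.Errorf("parse govulncheck report: %w", err)
	}
	var s Summary
	for _, v := range r.Vulns {
		if v.CallSink != 0 {
			s.Called = append(s.Called, v.OSV.ID)
		} else {
			s.Imported = append(s.Imported, v.OSV.ID)
		}
	}
	return s, nil
}

// ExitCode is the gate policy: any reachable finding fails the build;
// import-only findings are printed but do not fail it by themselves.
func ExitCode(s Summary) int {
	if len(s.Called) > 0 {
		return 1
	}
	return 0
}

// sampleReport is constructed demo data with dummy IDs and made-up module paths.
const sampleReport = `{
  "Vulns": [
    {"OSV": {"id": "GO-0000-0001", "details": "dummy reachable finding"},
     "ModPath": "example.com/libA", "Symbol": "Parse", "CallSink": 7},
    {"OSV": {"id": "GO-0000-0002", "details": "dummy import-only finding"},
     "ModPath": "example.com/libB", "Symbol": "Decode", "CallSink": 0}
  ]
}`

// Usage in CI (hypothetical path):  govulncheck -json ./... | go run ./tools/vulngate
// Demo without a scan:              go run ./tools/vulngate -demo
func main() {
	data := []byte(sampleReport)
	if len(os.Args) < 2 || os.Args[1] != "-demo" {
		var err error
		if data, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, "read stdin:", err)
			os.Exit(2)
		}
	}
	s, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("reachable: %v\nimport-only: %v\n", s.Called, s.Imported)
	os.Exit(ExitCode(s))
}
```

The policy split matters in practice: failing the build on import-only findings trains people to ignore the gate, while letting reachable findings through defeats it. Keep the gate's exit code distinct from the parse-failure exit code (2 here) so a format change in govulncheck shows up as a broken pipeline rather than a silent pass.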
govulncheck also scans compiled binaries: replace ./... with the path to the binary. In binary mode there is no source to build a call graph from, so it reports the vulnerable symbols linked into the binary without call stacks. This is useful in CI/CD for Go projects where only the built artifact is available, for example the binary inside a Docker image.
Check test code
govulncheck does not analyze test files by default, but you can include them with the -test flag:
govulncheck -test pkg/test/*
govulncheck works by reading the project's go.mod and Go source and checking them against the Go vulnerability database. The project therefore consists of two parts:
- the govulncheck command-line tool itself (golang.org/x/vuln)
- the vulnerability database it queries (golang.org/vulndb)
The govulncheck command-line tool
Reading a command-line tool's code usually starts where the command is defined. The whole process is simple; scanning source takes only five steps:
- create and configure the vulnerability database client
- load the configuration
- load the source packages
- build the import graph and the require graph separately and run the scan against each
- process the results
The import graph covers the packages the current code actually imports, while the require graph covers the modules listed in go.mod that are not used directly (indirect dependencies).
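The difference between the two graphs is easy to see on a small project. The block below is an added example, not govulncheck's code: it reads the require directives from a go.mod, parses the import declarations of the Go sources with go/parser, maps each import path to the longest required module that contains it, and splits the required modules into those the code imports (what the import graph covers) and those it only requires (what only the require graph covers). The go.mod text and source file are constructed sample input with made-up module paths.

```go
// Added example, not govulncheck's own code: separates the modules a project
// actually imports from the modules it merely requires in go.mod, which is the
// difference between govulncheck's import graph and require graph.
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// RequiredModules returns the module paths from the require block of a go.mod,
// in the order they appear.
func RequiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && line != "":
			mods = append(mods, strings.Fields(line)[0]) // drop version and "// indirect"
		}
	}
	return mods
}

// ImportedPackages parses only the import declarations of each source file.
func ImportedPackages(sources map[string]string) (map[string]bool, error) {
	pkgs := map[string]bool{}
	fset := token.NewFileSet()
	for name, src := range sources {
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, err
		}
		for _, imp := range f.Imports {
			pkgs[strings.Trim(imp.Path.Value, `"`)] = true
		}
	}
	return pkgs, nil
}

// moduleFor maps an import path to the longest required module path that
// contains it; standard-library imports match nothing and return "".
func moduleFor(pkg string, mods []string) string {
	best := ""
	for _, m := range mods {
		if (pkg == m || strings.HasPrefix(pkg, m+"/")) && len(m) > len(best) {
			best = m
		}
	}
	return best
}

// Split returns the required modules that the code imports (the import graph)
// and those it requires without importing directly (only in the require graph).
func Split(gomod string, sources map[string]string) (imported, requireOnly []string, err error) {
	mods := RequiredModules(gomod)
	pkgs, err := ImportedPackages(sources)
	if err != nil {
		return nil, nil, err
	}
	used := map[string]bool{}
	for p := range pkgs {
		used[moduleFor(p, mods)] = true // "" for std-lib imports, never looked up
	}
	for _, m := range mods {
		if used[m] {
			imported = append(imported, m)
		} else {
			requireOnly = append(requireOnly, m)
		}
	}
	return imported, requireOnly, nil
}

// Constructed sample input with made-up module paths.
const sampleGoMod = `module example.com/operator
go 1.19
require (
	example.com/libA v1.2.0
	example.com/libB v0.5.1 // indirect
	example.com/libC v1.0.3
)`

var sampleSources = map[string]string{"main.go": `package main
import (
	"fmt"
	"example.com/libA/client"
	"example.com/libC"
)
func main() { fmt.Println(client.New(), libC.Version) }`}

func main() {
	imported, requireOnly, err := Split(sampleGoMod, sampleSources)
	fmt.Println("imported (import graph):", imported)
	fmt.Println("required only (require graph):", requireOnly, err)
}
```

A vulnerability in example.com/libB would show up in the require graph but not in the import graph, which is why govulncheck can report it in a separate, lower-priority section: the module is in the build list, but none of its packages are compiled into the project's own code paths.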
vulndb contains all the vulnerability information. It pulls in entries from other open-source vulnerability sources and adds community-discovered vulnerabilities reported through issues. You can browse every entry at https://pkg.go.dev/vuln/.
The design document lists six properties of the database.
Curated dataset. The database will be actively maintained by the Go Security team, and will provide consistent metadata and uniform analysis of tracked vulnerabilities, with a focus on enabling not only detection, but accurate impact assessment.
Basic metadata. Entries include a database-specific unique identifier for the vulnerability, the affected package and version ranges, a coarse severity grade, and GOOS/GOARCH if applicable. If missing, a CVE number will also be assigned.
Targeting metadata. Each database entry will contain sufficient metadata to enable detection of affected downstream applications with fewer false positives. For example, this includes the affected symbols (functions, methods, types, variables, ...) so that unaffected consumers can be identified with static analysis.
Web pages. Each vulnerability will link to a web page with a description of the vulnerability, remediation instructions and additional links.
Source of truth. The database will be maintained as a public Git repository, similar to other Go repositories. Database entries will be available through a static protocol. The contents of the repository itself will be in an internal format which is subject to change without notice.
Triage process. Candidate entries will be sourced from existing streams (such as the CVE database and security mailing lists) as well as community submissions. Both will be processed by the team to ensure consistent metadata and analysis. Maintainers are specifically encouraged to report vulnerabilities in their own modules.
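The "affected version ranges" in the basic metadata are what govulncheck compares your go.mod versions against, and they are expressed in the OSV format as an ordered list of introduced/fixed events, which allows a fix to be followed by a reintroduction. The block below is an added example, not code from vulndb or govulncheck: it decodes such an entry and decides whether a given module version is affected. The entry is constructed with a dummy ID and a made-up module path (real entries at https://pkg.go.dev/vuln/ also carry aliases such as CVE IDs, a description, references and the affected symbols), and the version comparison is deliberately simplified rather than a full semver implementation.

```go
// Added example, not code from vulndb or govulncheck: it reads an entry in the
// OSV format the Go vulnerability database serves and decides from the
// "introduced"/"fixed" events whether a module version is affected.
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Entry holds only the OSV fields used here; real entries also carry aliases
// (CVE IDs), details, references and the affected symbols.
type Entry struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Name string `json:"name"` // module path
		} `json:"package"`
		Ranges []struct {
			Type   string `json:"type"` // Go entries use "SEMVER"
			Events []struct {
				Introduced string `json:"introduced"`
				Fixed      string `json:"fixed"`
			} `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// parseVersion is deliberately simplified: it strips a leading "v", drops
// pre-release/build metadata and reads major.minor.patch ("0" is 0.0.0).
func parseVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(part)
	}
	return out
}

// compareVersions is negative, zero or positive as a is below, equal to or above b.
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] - pb[i]
		}
	}
	return 0
}

// IsAffected walks the ordered events of each SEMVER range for the module: an
// "introduced" at or below version switches the state on, a "fixed" at or below
// version switches it off, so a later "introduced" can reintroduce the bug.
func IsAffected(e Entry, module, version string) bool {
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			if a.Package.Name != module || r.Type != "SEMVER" {
				continue
			}
			affected := false
			for _, ev := range r.Events {
				if ev.Introduced != "" && compareVersions(version, ev.Introduced) >= 0 {
					affected = true
				}
				if ev.Fixed != "" && compareVersions(version, ev.Fixed) >= 0 {
					affected = false
				}
			}
			if affected {
				return true
			}
		}
	}
	return false
}

// sampleEntry is constructed test data with a dummy ID and made-up module path:
// vulnerable from the first release, fixed in 1.1.2, reintroduced in 1.2.0, fixed in 1.2.4.
const sampleEntry = `{"id": "GO-0000-0001", "affected": [{
  "package": {"name": "example.com/libA"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.1.2"},
                                           {"introduced": "1.2.0"}, {"fixed": "1.2.4"}]}]}]}`

func main() {
	var e Entry
	if err := json.Unmarshal([]byte(sampleEntry), &e); err != nil {
		panic(err)
	}
	for _, v := range []string{"v1.0.0", "v1.1.2", "v1.2.3", "v1.2.4"} {
		fmt.Println(v, IsAffected(e, "example.com/libA", v))
	}
}
```

The point of the event walk is that "fixed" is not the end of the story: v1.1.5 is clean while v1.2.3 is vulnerable again, which a naive "version < fixed" check would get wrong. In production use the standard library's semver is not enough either; govulncheck relies on golang.org/x/mod/semver for the comparison.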
vulndb also ships a set of commands under cmd for maintaining the database, checking it online, and so on. For example, the worker command starts a server locally and scans the files in the Git repository, and the cve command queries and updates vulnerability information over HTTP.
We can clone the repository with git clone https://github.com/golang/vulndb.git and then build and run these commands locally.
govulncheck is an official Go tool and is likely to become widely used, but it still has some drawbacks:
- It's only one
- Binary scanning works only for binaries built with Go 1.18 and above.
- It checks standard-library vulnerabilities only against the Go version currently in use. For example, after I upgrade to the latest 1.19, vulnerabilities that apply to 1.18 are no longer reported.
- Its output formats are limited. The JSON output is too complex to read directly, and the text output is meant for a developer's local terminal; the summary format that exists in the source code is not exposed.
- Its static call-graph analysis is imprecise around interfaces and function values, so it can report call stacks that are false positives.
Don't just wait for govulncheck to mature; look at the other scanning tools for Go as well. The most popular at the moment are GitHub's Dependabot dependency scanning and gosec.
GitHub Security Dependency Scan
For open-source Go projects hosted on GitHub, we can get regular dependency scans by enabling Dependabot alerts in the repository's Security settings.
Dependabot delivers findings by email or GitHub notifications on a daily or weekly schedule, and it can open a pull request that bumps the vulnerable dependency to a fixed version, which is ideal for open-source Go projects.
gosec looks similar to govulncheck at first glance: both are command-line tools that report security issues in Go projects. They solve different problems, though. gosec is a static analyzer that flags insecure coding patterns in your own source, such as hard-coded credentials, weak cryptographic primitives and unchecked errors, while govulncheck matches your dependencies against a database of known vulnerabilities.
gosec supports all Go versions and has a rich set of options, such as enabling specific rules, a configuration file, and reports in multiple formats including JSON, YAML and CSV.
In that sense gosec is the more mature tool, but it complements govulncheck rather than replacing it.
As Go evolves and more security issues surface, it is important to choose dependencies carefully and update them regularly. That is not easy when it requires a steady stream of update PRs and merges, which some users will ignore. Dependency scanning is one remedy: failing the build directly in CI/CD forces users to update.
govulncheck is still under development; I will follow it closely and look forward to its future improvements.