Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared files are safe. One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Golang’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. The checksum authentication feature helps create trust among developers, but it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the GOSUMDB will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced . in the very first commit Luckily, with the addition of JFrog Xray’s , can now tell you when any Go module has a known vulnerability. security scanning GoCenter The Xray DevSecOps Difference JFrog Xray is the DevSecOps tool used to identify known vulnerabilities in application builds. When joined with Artifactory, it performs deep recursive scans on the binaries held in repositories to identify anywhere that open source components with reported security weaknesses or malicious code have been used. Xray supports scanning of a large variety of language and package types. The most recent release of as well so that Golang applications can fully implement DevSecOps procedures to prevent risky binaries from being deployed from Artifactory into production. Xray supports vulnerability scanning of Go modules Xray Scans GoCenter is now a part of GoCenter, allowing every module and version in GoCenter to be automatically scanned for known vulnerabilities recognized in public vulnerability databases such as NVD. Those results are stored in GoCenter, which will list all vulnerabilities that exist in the module version. Xray When you land on a specific module page, you’ll know if there is a vulnerability in that module version if a warning triangle exists next to the security tab. Clicking on the tab or triangle will direct you to the security page that provides specific information about each vulnerability including the CVE number, severity, and description. Try It and Learn More Xray in Go Center also allows for the universal analysis of all binary software components, adding an extra level of security inGo projects. By scanning binary components and their metadata - going through dependencies at all levels - Xray provides unprecedented visibility into issues lurking in your module dependencies. The full version of Xray includes detailed information about each vulnerability including remediation steps and other features: Security and Compliance Visibility multiple technologies (not just Golang) VulnDB data from Risk-Based Security IDE Integration Open for and Automation Integration Stopping Download of Vulnerable Packages Xray for License Compliance Impact Analysis Graph In the meantime, take a look at GoCenter to see what Xray can reveal. You may find that modules you’re already using have issues you weren’t aware of. Helping Golang software to be more secure is . our proud contribution to the open-source developer community Previously published at https://jfrog.com/blog/gocenter-reveals-go-module-vulnerabilities-with-xray/

Keep

How To Block Security Vulnerabilities from Penetrating Your Code

State of DevOps Cloud Solutions [Update: 2020]

RELEASE FAST OR DIE

Too Long; Didn't Read

Make resilience your competitive advantage

Reveal Go Module Vulnerabilities With Xray

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Free Extension To Scan Go Vulnerabilities in Visual Studio Code

104 Stories To Learn About Go

105 Stories To Learn About Functional Programming

100+ Free Pluralsight Courses to learn Python, Java, and Spring Boot

10 Websites to Learn JavaScript for Beginners

Free Extension To Scan Go Vulnerabilities in Visual Studio Code

104 Stories To Learn About Go

105 Stories To Learn About Functional Programming

100+ Free Pluralsight Courses to learn Python, Java, and Spring Boot

10 Websites to Learn JavaScript for Beginners

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps