Go developers care a great deal about security, and as Go modules become more widely used they need more ways to assure themselves that these publicly shared files are safe.
One feature introduced with Go 1.13 shows the forethought that went into authenticating Go modules. When the go command resolves a dependency, it records in the consuming module's go.sum file a SHA-256-based hash (an `h1:` line) of that dependency version's entire file tree, plus a second hash of its go.mod file alone. Go 1.13 also added a checksum database (GOSUMDB, by default sum.golang.org): a tamper-evident transparency log in which Google's module mirror records the hash of each module version the first time it is fetched. Whenever the go command downloads a module version that is not yet listed in its go.sum, it looks the hash up in the checksum database and refuses to use a download whose hash disagrees. Because the hash covers the whole module zip, any later modification of a published version, whether at the origin repository or on a GOPROXY, is detected, and every build of every consumer sees the same bytes. This keeps the integrity of packages intact.
The checksum database builds trust among developers, but it answers only one question: is the module version I downloaded byte-for-byte the one everyone else received? If a vulnerability or malicious code is present in the module's files as originally published, GOSUMDB faithfully records that hash and can only confirm that the module was never changed afterwards. It says nothing about whether the code itself is safe, so it does not solve the problem of malicious code being introduced in the very first commit.
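To make the integrity check concrete, the following is an added example (not code from the original post, and not JFrog's or the Go team's own code) that reimplements the `h1:` hash algorithm go.sum uses (the Hash1 function of golang.org/x/mod/sumdb/dirhash, rewritten here on the standard library only), parses go.sum lines, and verifies a downloaded module against them. The module name `example.com/hello`, its version and file contents are constructed for the demonstration and do not exist on any proxy.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ModuleFiles is a constructed in-memory stand-in for the contents of a
// module zip: path inside the zip -> file bytes. Real zips name every file
// "module@version/path"; the go.sum "/go.mod" entry hashes just the go.mod
// file under the bare name "go.mod".
type ModuleFiles map[string][]byte

// Hash1 reimplements the "h1:" algorithm recorded in go.sum: sort the file
// names, SHA-256 each file, write "<hex>  <name>\n" per file into a second
// SHA-256, and base64-encode that digest. Any change to any byte of any
// file, or to a file name, changes the result.
func Hash1(files ModuleFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("dirhash: file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ParseGoSum reads lines of the form "module version h1:hash" into a map
// keyed by "module version" (the go.mod-only entry has a "/go.mod" suffix
// on the version).
func ParseGoSum(r io.Reader) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums, sc.Err()
}

// Verify recomputes the hash of a downloaded module and compares it with
// the recorded go.sum entry, the check the go command performs before it
// will use a module from the cache or a proxy.
func Verify(sums map[string]string, module, version string, files ModuleFiles) error {
	want, ok := sums[module+" "+version]
	if !ok {
		return fmt.Errorf("%s@%s: missing go.sum entry", module, version)
	}
	got, err := Hash1(files)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
			module, version, got, want)
	}
	return nil
}

func main() {
	// Constructed sample module; not a real module on proxy.golang.org.
	const mod, ver = "example.com/hello", "v1.0.0"
	prefix := mod + "@" + ver + "/"
	original := ModuleFiles{
		prefix + "go.mod":   []byte("module example.com/hello\n\ngo 1.13\n"),
		prefix + "hello.go": []byte("package hello\n\nfunc Hello() string { return \"hi\" }\n"),
	}
	h, err := Hash1(original)
	if err != nil {
		panic(err)
	}
	gosum := fmt.Sprintf("%s %s %s\n", mod, ver, h)
	sums, err := ParseGoSum(strings.NewReader(gosum))
	if err != nil {
		panic(err)
	}
	fmt.Print("recorded go.sum line: ", gosum)
	fmt.Println("clean copy:   ", Verify(sums, mod, ver, original))

	// A proxy or origin that alters one file after publication is caught.
	tampered := ModuleFiles{}
	for name, data := range original {
		tampered[name] = data
	}
	tampered[prefix+"hello.go"] = []byte("package hello\n\nfunc Hello() string { return \"hi\" } // backdoored\n")
	fmt.Println("tampered copy:", Verify(sums, mod, ver, tampered))
}
```

Note what the example does not show: the real go command also verifies the signed tree head of sum.golang.org and the inclusion proof for each hash it fetches, so the checksum database itself cannot silently rewrite history. And, as the text above says, a backdoor present in the very first published version hashes just as cleanly as honest code; this check catches substitution, not malice.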
Luckily, with the addition of JFrog Xray's security scanning, GoCenter can now tell you when a Go module version has a known vulnerability.
JFrog Xray is JFrog's DevSecOps tool for identifying known vulnerabilities in application builds. Integrated with Artifactory, it performs deep recursive scans of the binaries held in repositories to identify anywhere that open source components with reported security weaknesses or malicious code have been used.
Xray supports scanning of a large variety of language and package types. The most recent release of Xray supports vulnerability scanning of Go modules as well so that Golang applications can fully implement DevSecOps procedures to prevent risky binaries from being deployed from Artifactory into production.
Xray is now a part of GoCenter, so every module version in GoCenter is automatically scanned for known vulnerabilities recorded in public vulnerability databases such as NVD. The results are stored in GoCenter, which lists all vulnerabilities known for that module version.
When you land on a specific module page, you’ll know if there is a vulnerability in that module version if a warning triangle exists next to the security tab. Clicking on the tab or triangle will direct you to the security page that provides specific information about each vulnerability including the CVE number, severity, and description.
Xray in GoCenter also allows for the universal analysis of all binary software components, adding an extra level of security in Go projects. By scanning binary components and their metadata, going through dependencies at all levels, Xray provides visibility into issues lurking in your module dependencies.
The full version of Xray includes detailed information about each vulnerability including remediation steps and other features:
In the meantime, take a look at GoCenter to see what Xray can reveal. You may find that modules you’re already using have issues you weren’t aware of. Helping Golang software to be more secure is our proud contribution to the open-source developer community.
Previously published at https://jfrog.com/blog/gocenter-reveals-go-module-vulnerabilities-with-xray/