Golang developers care a lot about security and as Go modules become more widely used, they need more ways to assure these publicly shared files are safe. One unique feature included with Golang version 1.13 is the foresight that went into authentication and security for Go modules. When a developer creates a new module or a new version of an existing module, a go.sum file included there creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Golang’s official checksum database where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. The checksum authentication feature helps create trust among developers, but it isn’t fully tamperproof. If a vulnerability is introduced in the original module’s files, the GOSUMDB will only be able to indicate that the module wasn’t changed later. This doesn’t solve the problem of malicious code being introduced . in the very first commit Luckily, with the addition of JFrog Xray’s , can now tell you when any Go module has a known vulnerability. security scanning GoCenter The Xray DevSecOps Difference JFrog Xray is the DevSecOps tool used to identify known vulnerabilities in application builds. When joined with Artifactory, it performs deep recursive scans on the binaries held in repositories to identify anywhere that open source components with reported security weaknesses or malicious code have been used. Xray supports scanning of a large variety of language and package types. The most recent release of as well so that Golang applications can fully implement DevSecOps procedures to prevent risky binaries from being deployed from Artifactory into production. Xray supports vulnerability scanning of Go modules Xray Scans GoCenter is now a part of GoCenter, allowing every module and version in GoCenter to be automatically scanned for known vulnerabilities recognized in public vulnerability databases such as NVD. Those results are stored in GoCenter, which will list all vulnerabilities that exist in the module version. Xray When you land on a specific module page, you’ll know if there is a vulnerability in that module version if a warning triangle exists next to the security tab. Clicking on the tab or triangle will direct you to the security page that provides specific information about each vulnerability including the CVE number, severity, and description. Try It and Learn More Xray in Go Center also allows for the universal analysis of all binary software components, adding an extra level of security inGo projects. By scanning binary components and their metadata - going through dependencies at all levels - Xray provides unprecedented visibility into issues lurking in your module dependencies. The full version of Xray includes detailed information about each vulnerability including remediation steps and other features: Security and Compliance Visibility multiple technologies (not just Golang) VulnDB data from Risk-Based Security IDE Integration Open for and Automation Integration Stopping Download of Vulnerable Packages Xray for License Compliance Impact Analysis Graph In the meantime, take a look at GoCenter to see what Xray can reveal. You may find that modules you’re already using have issues you weren’t aware of. Helping Golang software to be more secure is . our proud contribution to the open-source developer community Previously published at https://jfrog.com/blog/gocenter-reveals-go-module-vulnerabilities-with-xray/

Keep

RELEASE FAST OR DIE

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Reveal Go Module Vulnerabilities With Xray

Too Long; Didn't Read

Company Mentioned

JFrog

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Reveal Go Module Vulnerabilities With Xray

Too Long; Didn't Read

Company Mentioned

JFrog

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES