Deep
June 18, 2020

Security of Go Modules and Vulnerability Scanning in GoCenter

This was a 7 minute lightning talk presented at GopherCon EU!

Golang developers care a lot about security, and as Go modules become more widely used they need more ways to assure that these publicly shared packages are safe.

One unique feature that shipped with Go 1.13 is the foresight that went into authentication and integrity for Go modules. Every project that depends on other modules carries a go.sum file: one line per dependency version with an h1: checksum, a SHA-256 based hash over the module's files (plus a separate line for its go.mod alone). The first time anyone asks for the checksum of a public module version, Google's official checksum database, sum.golang.org, fetches that version through the module mirror, computes the same hash and records it in an append-only log backed by a Merkle tree. From then on, whether a module is fetched through a GOPROXY or directly from its origin, the go command compares the checksum of what it downloaded with the recorded one and refuses the download on a mismatch, so a module version cannot be quietly replaced after it has been seen once. This helps keep the integrity of packages intact. In this talk, we'll go over the behavior of the checksum database, how it protects Go modules, and how the Merkle tree behind it works.
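To make the checksum on a go.sum line concrete (slides 2, 3 and 5 show these lines), here is an added example written for this page, not code from the talk or from the Go team. It reimplements the h1: hash that the go command records, the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash, using only the standard library, and runs it over constructed contents for the talk's hypothetical module github.com/deep/mod1. The file contents, the ZipPaths helper and the PatchedMod1 helper are assumptions made for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleHash1 recomputes an "h1:" checksum the way go.sum and sum.golang.org
// use it (the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash, rewritten here
// on top of the standard library). files maps a path inside the module zip to
// its contents. Steps: hash each file with SHA-256, write one "<hex>  <path>"
// line per file in sorted path order, hash that summary with SHA-256 again and
// base64-encode the result.
func ModuleHash1(files map[string][]byte) (string, error) {
	paths := make([]string, 0, len(files))
	for p := range files {
		if strings.Contains(p, "\n") {
			return "", errors.New("dirhash: file names with newlines are not supported")
		}
		paths = append(paths, p)
	}
	sort.Strings(paths) // sorted order is part of the definition

	summary := sha256.New()
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], p) // same shape as sha256sum output
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// ZipPaths (helper written for this example) prefixes source files the way the
// go command lays out a module zip: every entry lives under
// "<module>@<version>/", so the version string itself is covered by the hash.
func ZipPaths(modulePath, version string, files map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for p, content := range files {
		out[modulePath+"@"+version+"/"+p] = content
	}
	return out
}

// Constructed contents for the talk's hypothetical module github.com/deep/mod1.
var mod1Files = map[string][]byte{
	"go.mod":  []byte("module github.com/deep/mod1\n\ngo 1.13\n"),
	"main.go": []byte("package main\n\nimport _ \"text/template\"\n\nfunc main() {}\n"),
}

// PatchedMod1 is mod1 with the talk's one-line fix (text/template ->
// html/template) applied in place, i.e. re-published under the same tag
// instead of as a new version.
func PatchedMod1() map[string][]byte {
	return map[string][]byte{
		"go.mod":  mod1Files["go.mod"],
		"main.go": []byte(strings.Replace(string(mod1Files["main.go"]), "text/template", "html/template", 1)),
	}
}

func main() {
	original, _ := ModuleHash1(ZipPaths("github.com/deep/mod1", "v1.0.0", mod1Files))
	patched, _ := ModuleHash1(ZipPaths("github.com/deep/mod1", "v1.0.0", PatchedMod1()))
	fmt.Println("github.com/deep/mod1 v1.0.0", original)
	fmt.Println("same tag, edited main.go    ", patched)
	fmt.Println("go command would reject the edited copy:", original != patched)
}
```

Two details matter when comparing against a real go.sum: the module line hashes the zip entries, which carry the module@version/ prefix and only include the files the go command packs (no .git, no nested modules), while the "/go.mod" line is Hash1 over a single entry named plainly "go.mod". The Sum and GoModSum fields printed by `go mod download -json <module>@<version>` are the values to check a reimplementation against.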

Now, while checksum authentication helps create trust among developers, it isn't a complete answer. The checksum database can only attest that a module version has not changed since it was first recorded. If a vulnerability or malicious code is present in the original module's files, gosumdb records that version faithfully and every later download of it verifies cleanly. It doesn't solve the problem of bad code being introduced in the very first commit.
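The two points above and the Merkle tree basics on slide 4 are shown together in the following added example, written for this page rather than taken from the talk or from the sumdb code. It builds a small transparency log over go.sum-style records with the leaf and node hashing convention the Go checksum database shares with RFC 6962 (SHA-256 over 0x00||record for leaves, 0x01||left||right for interior nodes), produces an inclusion proof for one record and verifies it the way a client would, with only the tree head, its own record and the proof. The log contents are constructed from lines on slide 2; the forged record is made up.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Domain-separated hashing (RFC 6962, also used by golang.org/x/mod/sumdb/tlog):
// a leaf can never be confused with an interior node.
func leafHash(record []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(record)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPow2Below returns the largest power of two strictly less than n (n >= 2).
func largestPow2Below(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// TreeHead computes the root over records[0:n]. Splitting at the largest power
// of two fixes the tree shape by n alone, so any change to any leaf changes
// every hash on the path up to the root.
func TreeHead(records [][]byte) []byte {
	switch len(records) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leafHash(records[0])
	}
	k := largestPow2Below(len(records))
	return nodeHash(TreeHead(records[:k]), TreeHead(records[k:]))
}

// InclusionProof returns the sibling hashes, leaf to root, that let a client
// recompute TreeHead(records) from records[m] alone.
func InclusionProof(m int, records [][]byte) [][]byte {
	n := len(records)
	if n <= 1 {
		return nil
	}
	k := largestPow2Below(n)
	if m < k {
		return append(InclusionProof(m, records[:k]), TreeHead(records[k:]))
	}
	return append(InclusionProof(m-k, records[k:]), TreeHead(records[:k]))
}

// VerifyInclusion is the client side (RFC 9162 section 2.1.3.2): it never sees
// the other records, only the published head, its own record and the proof.
func VerifyInclusion(root []byte, m, n int, record []byte, proof [][]byte) bool {
	if m >= n {
		return false
	}
	fn, sn := m, n-1
	r := leafHash(record)
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 { // skip levels where we were the sole right child
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// Constructed log: one record per module version, copied from slide 2.
var logRecords = [][]byte{
	[]byte("github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38="),
	[]byte("github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4="),
	[]byte("github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE="),
	[]byte("github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs="),
	[]byte("golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc="),
}

func main() {
	root, n, m := TreeHead(logRecords), len(logRecords), 1
	proof := InclusionProof(m, logRecords)
	fmt.Printf("tree head: %x\n", root)
	fmt.Println("logrus record included:", VerifyInclusion(root, m, n, logRecords[m], proof))
	// A proxy serving a different hash for the same version has no proof against the published head.
	forged := []byte("github.com/sirupsen/logrus v1.4.2 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
	fmt.Println("forged record included:", VerifyInclusion(root, m, n, forged, proof))
}
```

Nothing in VerifyInclusion looks at what the module behind a record contains: a record for a version that shipped vulnerable code in its first commit verifies exactly as well as any other, which is the limit described above. The real sumdb client additionally checks a signature over the tree head and a consistency proof between the heads it has seen, so that the log cannot be rewritten; those are omitted here.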

Luckily, GoCenter can now tell you when any Go module has a known vulnerability. We’ve brought the power of JFrog Xray’s security scanning to this reliable repository of Go modules for the Golang developer community.


Transcript

  1. DEPENDENCY MANAGEMENT IN GOLANG
     glide, gopath, dep, vendoring… These weren't the right answer for Go...
     GO 1.11 INTRODUCED GO MODULES
     GO 1.13: GO MODULES BECOME THE STANDARD
     Basic data integrity features are introduced with go.sum and go.mod, the Go module mirror and the Go checksum database.

  2. GO.SUM FILE
     github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
     github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
     github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
     github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
     github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
     github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
     github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
     golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
     golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

  3. SECURE HASH ALGORITHM (SHA2) AS CHECKSUMS
     Cryptographic hash algorithms produce irreversible and unique hashes.
     Irreversible because you can't use the hash to figure out what the original piece of data was.
     Unique because two different pieces of data cannot, in practice, be found that produce the same hash (collision resistance).

  4. MERKLE TREE BASICS
     At its core, a Merkle Tree is a list of items representing the data that should be verified. Each of these items is inserted into a leaf node and a tree of hashes is constructed. If you change the data, the hash will also change along that branch all the way through the tree.
     (Diagram: go.sum data at the leaves, one hash per leaf, pairs of hashes combined upward to a single root hash.)

  5. CHECKSUMS
     (Diagram: Module 1 (go.sum) and Module 2 (go.sum), each a list of SHA-256 base64 hashes such as PIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= and Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=, recorded at https://sum.golang.org/.)

  6. HOW HASHES PROTECT MODULE USERS
     (Diagram: two copies of Module 1 (go.sum), one with a minor content change, compared against the hashes recorded at https://sum.golang.org/.)

  7. Let's say you create your first Go module.

     package main

     import (
         "encoding/json"
         "io/ioutil"
         "net/http"
         "os"
         "text/template"
     )

     type TodoPageData struct {
         PageTitle string
         Todos     []Todo
     }
     ...

     You save it as mod1, with the files go.mod, go.sum and main.go.

  8. You can fix main.go in mod1 and create a new version for everyone, called mod1/v2 (semantic import versioning).

     package main

     import (
         "encoding/json"
         "io/ioutil"
         "net/http"
         "os"
         "html/template"
     )

     type TodoPageData struct {
         PageTitle string
         Todos     []Todo
     }
     ...

  9. BOTH V1 AND V2 ARE COMMITTED TO SUMDB
     (Diagram: github.com/deep/mod1 and github.com/deep/mod1/v2, each with its go.sum list of SHA-256 base64 hashes.)

  10. ...so if someone imports that original mod1 main.go...

     package main

     import (
         "encoding/json"
         "io/ioutil"
         "net/http"
         "os"
         "text/template"
     )

     type TodoPageData struct {
         PageTitle string
         Todos     []Todo
     }
     ...

     They open themselves up to an XSS attack. ...imagine if your app is a dependency for other projects...
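The difference between mod1 and mod1/v2 on slides 7, 8 and 10 is a single import, so the following added example (written for this page, not code from the talk) renders the same TodoPageData through both packages side by side. The template text, the RenderV1/RenderV2 names and the todo titles, one of which is a constructed script-tag payload of the kind a "new todo" form would accept, are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Todo and TodoPageData mirror the types on the slides.
type Todo struct {
	Title string
	Done  bool
}

type TodoPageData struct {
	PageTitle string
	Todos     []Todo
}

// page is shared by both renderers; the only difference between v1 and v2 is
// which package parses it.
const page = `<h1>{{.PageTitle}}</h1>
<ul>
{{range .Todos}}<li>{{.Title}}{{if .Done}} (done){{end}}</li>
{{end}}</ul>
`

// RenderV1 is the mod1 behaviour: text/template copies field values into the
// output verbatim, so a title containing markup is emitted as markup.
func RenderV1(data TodoPageData) (string, error) {
	t, err := texttemplate.New("todos").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderV2 is the mod1/v2 fix: html/template is context-aware and escapes each
// value according to where it lands in the document (here, HTML text).
func RenderV2(data TodoPageData) (string, error) {
	t, err := htmltemplate.New("todos").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sampleData is constructed input: one ordinary title and one attacker-supplied one.
var sampleData = TodoPageData{
	PageTitle: "My TODO list",
	Todos: []Todo{
		{Title: "Write the talk", Done: true},
		{Title: `<script>alert(document.cookie)</script>`},
	},
}

func main() {
	v1, _ := RenderV1(sampleData)
	v2, _ := RenderV2(sampleData)
	fmt.Println("--- v1 (text/template) ---")
	fmt.Print(v1)
	fmt.Println("--- v2 (html/template) ---")
	fmt.Print(v2)
}
```

The v1 output carries the script element through to the browser unchanged; v2 emits it as &lt;script&gt;...&lt;/script&gt;, which renders as text. Because the checksum database records both versions as-is, nothing on the integrity side distinguishes them; a consumer pinned to mod1 v1 keeps getting, and verifying, the vulnerable renderer.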