Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Go をセキュアに書き進めるための
「ガードレール」を整備しよう / Let's Build Security Guardrails For Your Go Programs!

Takashi Yoneuchi
April 24, 2021
Programming
4
4.7k

Go をセキュアに書き進めるための
「ガードレール」を整備しよう / Let's Build Security Guardrails For Your Go Programs!

Go Conference 2021 Spring (B7-S) で使用した資料です。
- セッションの詳細: https://gocon.jp/sessions/session-b7-s/
- 発表者: https://twitter.com/lmt_swallow
- 資料に誤りがあれば是非こちらにご連絡ください

Takashi Yoneuchi

April 24, 2021
Tweet

More Decks by Takashi Yoneuchi

See All by Takashi Yoneuchi
実践 SpiceDB - クライドネイティブ時代をサバイブできるパーミッション管理の実装を目指して / Practical SpiceDB
lmt_swallow
0
380
Developer-First Security という考え方 / Introduction to Developer-First Security
lmt_swallow
6
7.4k
ちいさな Web ブラウザを作ってみよう(オンライン講義版) / Build Your Own Web Browser
lmt_swallow
17
9.7k
すこしだけマクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective (Short Version)
lmt_swallow
2
2.7k
マクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective
lmt_swallow
14
5.4k
Web クライアントサイドの攻防 / Attacks and Defenses in Web Browsers
lmt_swallow
2
2.9k
正規表現とセキュリティ / Regular Expressions and Their Security-Related Aspects
lmt_swallow
17
5.6k
2019 年度 CPU 実験 余興: Linux が動く RISC-V CPUを作る
lmt_swallow
3
24k
Revisiting ReDoS: A Rough Idea of Data Exfiltration by ReDoS and Side-channel Techniques
lmt_swallow
5
6.4k

Other Decks in Programming

See All in Programming
prototype大全 / YAPC::Kyoto 2023
utgwkk
0
1.1k
タクシーアプリ『GO』にLive Activitiesを入れてみた / MoT TechTalk #17
mot_techtalk
0
120
Run Your Firebase for Web App Locally Using Firebase Emulator Suite
dicoding
0
340
PHPで任意精度演算を行って「正しい」金額計算をする方法 / Perform arbitrary precision arithmetic in PHP to achieve "accurate" monetary calculations
hiro_y
1
300
特徴、魅力を知って、各PHPフレームワークを使いこなそう! / PHPerkaigi 2023
hitoshi_a0
0
140
いろいろなフレームワークの仕組みを index.php から読み解こう / index.php of each framework
okashoi
0
360
失敗から学ぶオーナーシップ欠乏症への処方箋 #phperkaigi #d
77web
0
200
RISC-V 命令 / ISA 拡張ピックアップ ― 最近追加されたもの、これから追加されるもの、議論が進みつつあるもの
a4lg
0
120
DDD Demystified ~結局DDDとは何なのか?何でないのか?~ #phperkaigi_reject
77web
0
640
新社会人でも活躍したい!〜新卒1年目で活躍するためのコツ〜
ogijun2018
1
290
CSC308 Lecture 26
javiergs
PRO
0
120
Angular Deep Dive: Components & Directives
manfredsteyer
PRO
0
130

Featured

See All Featured
Producing Creativity
orderedlist
PRO
335
38k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
GraphQLとの向き合い方2022年版
quramy
22
10k
Design by the Numbers
sachag
271
18k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
GraphQLの誤解/rethinking-graphql
sonatard
39
8k
How to train your dragon (web standard)
notwaldorf
66
4.4k
The Power of CSS Pseudo Elements
geoffreycrofte
53
4.4k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
8
5k
Web development in the modern age
philhawksworth
197
9.6k
The Art of Programming - Codeland 2020
erikaheidi
36
11k
YesSQL, Process and Tooling at Scale
rocio
159
13k

Transcript

  1. (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷ
    ʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    (P$POGFSFODF4QSJOH#4
    ถ಺وࢤ:0/&6$)* 5BLBTIJ
    גࣜձࣾ'MBUU4FDVSJUZ

    View Slide

  2. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    XIPBNJ
    4FFIUUQTTIJGUKTJOGP
    ถ಺وࢤ [email protected]
    גࣜձࣾ'MBUU4FDVSJUZ
    ࠷ۙʰ8FCϒϥ΢βηΩϡϦςΟʱͱ͍͏ॻ੶Λग़͠·ͨ͠

    View Slide

  3. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
    /* ... */
    x := 0
    blah(unsafe.Pointer(x))
    /* ... */

    View Slide

  4. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
    /* ... */
    x := 0
    blah(unsafe.Pointer(x))
    /* ... */
    /* .... */
    config = &tls.Config{
    InsecureSkipVerify: true,
    };
    /* .... */

    View Slide

  5. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͋Εɺ͜Εͬͯ҆શ͚ͩͬʜʜ
    /* ... */
    x := 0
    blah(unsafe.Pointer(x))
    /* ... */
    /* .... */
    config = &tls.Config{
    InsecureSkipVerify: true,
    };
    /* .... */
    https://golang.org/pkg/math/rand

    View Slide

  6. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͋͋ɺ҆શͳίʔυΛॻ͘ͷ͸ർΕΔ
    ʜʜͦΕ͕ͨͱ͑(PͰ͋ͬͯ΋ʂ
    /* ... */
    x := 0
    blah(unsafe.Pointer(x))
    /* ... */
    /* .... */
    config = &tls.Config{
    InsecureSkipVerify: true,
    };
    /* .... */
    https://golang.org/pkg/math/rand

    View Slide

  7. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ૊৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝୊
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖
    ͔Λ୭΋஌Βͳ͍··
    ՝୊
    c := &http.Client{
    Transport: &http.Transport{
    TLSClientConfig: &tls.Config{
    InsecureSkipVerify: true,
    },
    },
    }

    View Slide

  8. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ૊৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝୊
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖
    ͔Λ୭΋஌Βͳ͍··
    ՝୊
    c := &http.Client{
    Transport: &http.Transport{
    TLSClientConfig: &tls.Config{
    InsecureSkipVerify: true,
    },
    },
    }

    View Slide

  9. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ૊৫ͷίʔυΛηΩϡΞʹอ্ͭͰͷ՝୊
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖
    ͔Λ୭΋஌Βͳ͍··
    ՝୊
    c := &http.Client{
    Transport: &http.Transport{
    TLSClientConfig: &tls.Config{
    InsecureSkipVerify: true,
    },
    },
    }

    View Slide

  10. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖͔Λ୭΋஌Βͳ͍··
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺνʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ΄͍͠ͷ͸ʜ
    ՝୊
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖͔Λ୭΋஌Βͳ͍··
    ՝୊
    c := &http.Client{
    Transport:
    &http.Transport{
    TLSClientConfig:
    &tls.Config{
    InsecureSkipVerify:
    true,
    },
    },
    }

    View Slide

  11. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖͔Λ୭΋஌Βͳ͍··
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺνʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ΄͍͠ͷ͸ʜΨʔυϨʔϧ🚧
    ՝୊
    ҎԼΛຬͨ͢Α͏ͳʮΨʔυϨʔϧʯ͕΄͍͠ʂ
    ✔ Α͋͘ΔϛεΛେ·͔ʹरͬͯ͘ΕΔ
    ✔ Ұਓͷ஌ݟΛνʔϜʹεέʔϧͤ͞ΒΕΔ
    ✔ ؾΛ͚ͭଓ͚ͳͯ͘΋ɺ໰୊Λػց͕ڭ͑ͯ͘ΕΔ
    ཧ૝
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖͔Λ୭΋஌Βͳ͍··
    ՝୊
    c := &http.Client{
    Transport:
    &http.Transport{
    TLSClientConfig:
    &tls.Config{
    InsecureSkipVerify:
    true,
    },
    },
    }

    View Slide

  12. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ΨʔυϨʔϧΛߏ੒͢ΔͨΊͷ
    ͭͷΞΫγϣϯ
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖
    ͔Λ୭΋஌Βͳ͍··
    ՝୊
    ·ͣ͸HPTFDͰΑ͋͘Δ
    ϛεΛݕग़Ͱ͖ΔΑ͏ʹ͢Δ
    HPSVMFHVBSE౳Λ׆༻ͯ͠
    ஌ݟΛίʔυͱͯ͠஝ੵ͍ͯ͘͠
    $*ʹHPTFD౳Λ഑ஔ͢Δ
    ॳظ͸SFWJFXEPHͷซ༻΋(PPE
    ΞΫγϣϯ

    View Slide

  13. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ‣ యܕతͳ҆શͰͳ͍(PίʔυύλʔϯΛݕग़ͯ͘͠ΕΔπʔϧ
    ‣ HPMBOHDJMJOUܦ༝Ͱར༻Մೳ
    ‣ ,VCFSOFUFT΍$BEEZ౳ͷஶ໊ͳ(PϓϩδΣΫτͰ΋ར༻͞Ε͍ͯΔ
    HPTFD
    IUUQTHJUIVCDPNTFDVSFHPHPTFD
    $ gosec ./main.go
    [/app/main.go:6] - G404 (CWE-338): Use of weak random number generator
    (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    5: func main() {
    > 6: sample := rand.Int()
    7:

    View Slide

  14. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ҆શͰͳ͍(PίʔυͷయܕྫΛݕग़Մೳ
    /* ... */
    x := 0
    blah(unsafe.Pointer(x))
    /* ... */
    /* .... */
    config = &tls.Config{
    InsecureSkipVerify: true,
    };
    /* .... */
    (
    (
    HPTFD
    https://golang.org/pkg/math/rand
    (

    View Slide

  15. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ‣ HPܥύοέʔδ੡
    ‣ HP͸(Pඪ४ͷ੩తղੳ༻ͷύοέʔδ܈
    ‣ HPTFDͰ͸ओʹHPBTUʢߏจ໦पΓʣͱHPUZQFTʢܕपΓʣ͕ར༻͞Ε͍ͯΔ
    ‣ ֤ݕग़ϧʔϧ͸HPͱHPTFDʹΑΔHPͷUIJOXSBQQFSͰॻ͔ΕΔ
    HPTFDͷ͘͠Έ
    if ident, ok := n.Key.(*ast.Ident); ok {
    switch ident.Name {
    case "InsecureSkipVerify":
    if node, ok := n.Value.(*ast.Ident); ok {
    if node.Name != "false" {
    return gosec.NewIssue(c, n, t.ID(),
    "TLS InsecureSkipVerify set true.",
    gosec.High, gosec.High)
    }
    } // ....
    https://github.com/securego/gosec/blob/27a5ffb5c8f6dd3b6dea3b8e6019a2b3d43bf0f9/rules/tls.go#L64-L72

    View Slide

  16. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ՝୊૊৫ݻ༗ͷϧʔϧ࡞੒ͰࠔΔ
    func applyUnsafeOpToDir(path string) error {
    /* ... */
    }
    /* ... */
    s := scanner.Text()
    applyUnsafeOpToDir("/etc")
    applyUnsafeOpToDir("/etc"+ "/gogogo")
    applyUnsafeOpToDir(s)
    ͦͦ͜͜ةͳ͍ؔ਺
    ‣ QSJWBUFͳύοέʔδʹؔ͢ΔηΩϡϦςΟϧʔϧΛHPTFDʹ௥Ճ͢Δͷ͸ࠔ೉
    ‣ 044ͳͷͰ૊৫ʹݻ༗ͷϧʔϧΛ࡞ͬͯ΋DPOUSJCVUFͰ͖ͳ͍
    ‣ ҰԠHPTFDΛGPSLͯ͠ϝϯςφϯε͢Δͱ͍͏ख͸͋Δ͕ɺͭΒ͍
    ‣ ࿑ྗ͸࠷খԽͭͭࣗ͠࡞-JOUFSΛ༻ҙͰ͖ͨΒخ͍͕͠ʜʜ
    ྫҾ਺͕ίϯύΠϧ
    ࣌ఆ਺Ͱͳ͍Մೳੑ͕
    ͋Δ৔߹ʹܯࠂ͍ͨ͠

    View Slide

  17. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ‣ (Pίʔυ޲͚ͷಠࣗ੩తղੳϧʔϧͷ࡞੒Λิॿ͢Δ-JOUFS
    ‣ ૊৫ಠࣗͷϧʔϧΛڧྗͳύλʔϯϚονϟʢETMύοέʔδʣΛ༻͍ͯهड़Ͱ͖Δ
    ‣ HPBOBMZTJT HPHSFQϕʔεͰ࡞੒͞Ε͍ͯΔ
    HPSVMFHVBSE
    IUUQTHJUIVCDPNRVBTJMZUFHPSVMFHVBSE
    m.Match(`copy($b, []byte($s))`).
    Where(m["s"].Type.Is(`string`)).
    Suggest(`copy($b, $s)`)
    sample := "test"
    copy(buf, []byte(sample))
    ղੳϧʔϧͷྫ
    ݕग़͍ͨ͠அยͷྫ

    View Slide

  18. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    m.Match(`applyUnsafeOpToDir($x)`).
    Where(!m["x"].Const).
    Report(`$x should be a compile-time constant value`)
    func applyUnsafeOpToDir(path string) error { /* ... */ }
    /* ... */
    s := scanner.Text()
    applyUnsafeOpToDir("/etc")
    applyUnsafeOpToDir("/etc"+ "/gogogo")
    applyUnsafeOpToDir(s)
    /app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
    value (rules.go:14)
    ղੳର৅ͷίʔυྫ
    ղੳϧʔϧͷྫ
    ղੳ݁Ռͷྫ
    ࠷ऴߦͷΑ͏ͳ
    ݺͼग़͠Λݕग़͍ͨ͠ʂ

    View Slide

  19. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    m.Match(`applyUnsafeOpToDir($x)`).
    Where(!m["x"].Const).
    Report(`$x should be a compile-time constant value`)
    func applyUnsafeOpToDir(path string) error { /* ... */ }
    /* ... */
    s := scanner.Text()
    applyUnsafeOpToDir("/etc")
    applyUnsafeOpToDir("/etc"+ "/gogogo")
    applyUnsafeOpToDir(s)
    /app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
    value (rules.go:14)
    ղੳର৅ͷίʔυྫ
    ղੳϧʔϧͷྫ
    ղੳ݁Ռͷྫ

    View Slide

  20. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    m.Match(`applyUnsafeOpToDir($x)`).
    Where(!m["x"].Const).
    Report(`$x should be a compile-time constant value`)
    func applyUnsafeOpToDir(path string) error { /* ... */ }
    /* ... */
    s := scanner.Text()
    applyUnsafeOpToDir("/etc")
    applyUnsafeOpToDir("/etc"+ "/gogogo")
    applyUnsafeOpToDir(s)
    /app/main.go:39:2: permitOnlyConstant: s should be a compile-time constant
    value (rules.go:14)
    ղੳର৅ͷίʔυྫ
    ղੳϧʔϧͷྫ
    ղੳ݁Ռͷྫ
    ^
    \

    View Slide

  21. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    (PʹಛԽ͍ͯ͠Δ͔Βͦ͜ͷڧΈ΋
    https://go-ruleguard.github.io/by-example/
    m.Match(`fmt.Sprint($x)`).
    Where(m["x"].Type.
    Implements(`fmt.Stringer`)).
    Suggest(`$x.String()`)
    m.Match(`$x$b`).
    Where(m["a"].Value.Int()
    <= m["b"].Value.Int()).
    Report("always false")
    ‣ HPSVMFHVBSE͸(PʹಛԽͯ͠࡞ΒΕ͍ͯΔ
    ‣ ͦͷͨΊྨࣅπʔϧͱൺ΂Δͱศརɾߴػೳ
    ‣ ίϯύΠϧ࣌ఆ਺ͷऔΓѻ͍ɺܕपΓͷऔΓѻ͍ɺʜ
    ܕ৘ใΛ༻͍ͨ
    ϧʔϧ
    ίϯύΠϧ࣌ఆ਺Λ
    ༻͍ͨϧʔϧ

    View Slide

  22. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
    ͜ͷखͷπʔϧͷಋೖ͸ॳظোน͕ߴ͍͕ʜʜ
    $ curl -sfL https://raw.githubusercontent.com/securego/gosec/
    master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
    $ gosec ./...
    ʮࢼ͠ʹ࢖ͬͯΈΑ͏ʂʯ

    View Slide

  23. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
    ͜ͷखͷπʔϧͷಋೖ͸ॳظোน͕ߴ͍͕ʜʜ
    $ curl -sfL https://raw.githubusercontent.com/securego/gosec/
    master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
    $ gosec ./...
    /* ... */
    Summary:
    Files: 77
    Lines: 4034
    Nosec: 0
    Issues: 543
    $
    ʮ΋ͷౖ͍͢͝ΒΕͯΔͳɺಋೖ͸·ͨࠓ౓ߟ͑Δ͔ʜʯ

    View Slide

  24. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ܧଓతʹվળ͍ͯͨ͘͠Ίʹ
    ͜ͷखͷπʔϧͷಋೖ͸ॳظোน͕ߴ͍͕ʜʜ
    $ curl -sfL https://raw.githubusercontent.com/securego/gosec/
    master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.0
    $ gosec ./main.go
    /* ... */
    Summary:
    Files: 77
    Lines: 4034
    Nosec: 0
    Issues: 543
    $
    ʮ΋ͷౖ͍͢͝ΒΕͯΔͳɺಋೖ͸·ͨࠓ౓ߟ͑Δ͔ʜʯ

    View Slide

  25. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ‣ ֤छ-JOUFSπʔϧͷग़ྗΛίϝϯτͱͯ͠౤ߘͯ͘͠ΕΔ(P੡πʔϧ
    ‣ (JU)VC౳Ͱͷࠩ෼ϨϏϡʔ࣌ʹɺࠩ෼෦෼ͷΈͷ-JOU݁ՌΛڭ͑ͯ͘ΕΔ
    ‣ πʔϧͷ'BMTF1PTJUJWF͕໨ཱͭ৔߹Ͱ΋ɺద౓ʹ໨ʹͭ͘ͱ͜ΖͰ஫ҙשىͰ͖Δ
    ‣ ίʔυશମʹରͯ͠େྔͷΞϥʔτ͕ग़Δ؀ڥͰ΋ɺஈ֊తʹվળΛ࢝ΊΒΕΔ
    SFWJFXEPH🐾
    IUUQTHJUIVCDPNSFWJFXEPHSFWJFXEPH
    ͜ͷ෦෼ͷݕࠪ݁ՌΛ
    ίϝϯτͱͯ͠౤ߘ
    ͜ͷ෦෼ͷݕࠪ݁Ռ͸
    Ұ୴ࣺͯΔ

    View Slide

  26. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    &YBNQMFHPTFDSFWJFXEPH🐾
    https://github.com/security-aware-repo-examples/gosec/pull/1
    ࠩ෼ʹର͢Δࢦఠ͕ίϝϯτͰ

    View Slide

  27. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ,FZ5BLFBXBZT
    ஌͍ͬͯͯ΋஫ҙෆ଍Ͱ
    ੬ऑͳίʔυΛॻ͍ͯ͠·͏
    ՝୊
    ࣗ෼͸෼͔͍ͬͯΔ͕ɺ
    νʔϜʹ஌ݟ͕ਁಁ͠ͳ͍
    ՝୊
    ͦ΋ͦ΋ԿʹؾΛ͚ͭΔ΂͖
    ͔Λ୭΋஌Βͳ͍··
    ՝୊ ·ͣ͸HPTFD͔Β࢝ΊΑ͏
    HPSVMFHVBSE౳Λ׆༻Ͱ͖Δ
    $*ʹHPTFD౳Λ഑ஔͰ͖Δ
    ॳظ͸SFWJFXEPHͷซ༻΋(PPE
    &YBNQMFTBSFBWBJMBCMFBU
    IUUQTHJUIVCDPNTFDVSJUZBXBSFSFQPFYBNQMFT

    View Slide

  28. ΨʔυϨʔϧΛ੔උͯ͠ɺ
    ҆৺ɾ҆શͳ(PϥΠϑΛૹΓ·͠ΐ͏ʂ

    View Slide

  29. ˜TIJGUKTJOGP
    (PΛηΩϡΞʹॻ͖ਐΊΔͨΊͷʮΨʔυϨʔϧʯΛ੔උ͠Α͏
    ‣ େྔͷ(PQIFS͘Μͨͪ
    ‣ .BSJB-FUUBGSFFHPQIFSTQBDL
    ‣ IUUQTHJUIVCDPN.BSJB-FUUBGSFFHPQIFSTQBDL
    ‣ ΨʔυϨʔϧͷΠϥετ
    ‣ ͍Β͢ͱ΍
    [email protected]
    "QQFOEJYը૾ͷग़ࣗ

    View Slide