Slide 1

Securing Code with Govulncheck
Chin-Ming Huang & Mohit Pokharna

Slide 2

Chin-Ming Huang: Software engineer at Mercari since 2020, primarily focusing on the ML-assisted Listing and Search backend.
Mohit Pokharna: Software engineer at Mercari since 2019, primarily focusing on the ML price and Search backend.

Slide 3

Agenda
01 Why Security?
02 Vulnerability
03 Govulncheck
04 Demo

Slide 4

Why Security?

Slide 5

How Costly are Security Breaches?
● USD 4.45M (~663M JPY): average total cost of a breach in 2023
● 277 days: time to identify and contain a data breach
● 17%: data breaches with known unpatched vulnerabilities or unknown (zero-day) vulnerabilities
Ref: IBM Report

Slide 6

Notable Security Incidents
● (2017) Equifax Data Breach
● (2019) Docker Hub Breach
● (2020) SolarWinds Supply Chain Attack
● (2021) Codecov Supply Chain Attack
● (2021) Log4Shell Vulnerability

Slide 7

Notable Security Incidents
● (2017) Equifax Data Breach
  ● Mar 7th: security patch released by Apache Struts
● (2019) Docker Hub Breach
● (2020) SolarWinds Supply Chain Attack
● (2021) Codecov Supply Chain Attack
● (2021) Log4Shell Vulnerability

Slide 8

Notable Security Incidents
● (2017) Equifax Data Breach
  ● Mar 7th: security patch released by Apache Struts
  ● Mar 12th: breach started at Equifax by hackers
● (2019) Docker Hub Breach
● (2020) SolarWinds Supply Chain Attack
● (2021) Codecov Supply Chain Attack
● (2021) Log4Shell Vulnerability

Slide 9

Notable Security Incidents
● (2017) Equifax Data Breach
  ● Mar 7th: security patch released by Apache Struts
  ● Mar 12th: breach started at Equifax by hackers
  ● Jul 29th (76 days later): breach was discovered by Equifax
● (2019) Docker Hub Breach
● (2020) SolarWinds Supply Chain Attack
● (2021) Codecov Supply Chain Attack
● (2021) Log4Shell Vulnerability

Slide 10

Notable Security Incidents
● (2017) Equifax Data Breach
  ● Mar 7th: security patch released by Apache Struts
  ● Mar 12th: breach started at Equifax by hackers
  ● Jul 29th (76 days later): breach was discovered by Equifax
  ● Impacted over 147 million people, including PII data
● (2019) Docker Hub Breach
● (2020) SolarWinds Supply Chain Attack
● (2021) Codecov Supply Chain Attack
● (2021) Log4Shell Vulnerability


Slide 12

Vulnerability

Slide 13

Vulnerability
CVE defines a vulnerability as (ref):
"A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."

Slide 14

CVE Program (ref)
● The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
● There is one CVE Record for each vulnerability in the catalog.
● The vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.

Slide 15

CVE Numbering Authorities (CNAs) (ref)
CNAs are vendor, researcher, open source, CERT, hosted service, bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.

Slide 16

CNA for Go: the Go Project

Slide 17

National Vulnerability Database (NVD) Dashboard
Ref: https://nvd.nist.gov/general/nvd-dashboard (as of 2024.3.17)

Slide 18

Vulnerabilities Discovered Every Year
Ref: National Vulnerability Database

Slide 19

Best Practices (ref)
● Scan source code and binaries for vulnerabilities.
● Keep your Go version and dependencies up to date.
● Test with fuzzing to uncover edge-case exploits.
● Check for race conditions with Go's race detector.
● Use go vet to examine suspicious constructs.
● Subscribe to golang-announce for notification of security releases.


Slide 21

Govulncheck

Slide 22

Vulnerability Management
Ref: https://go.dev/doc/security/vuln/

Slide 23

Data Sources
● National Vulnerability Database (NVD) (ref)
● GitHub Advisory Database (ref)
● Reports from package maintainers (ref)

Slide 24

Vulnerability Database
● All reports in the database are reviewed and curated by the Go Security team.
● Reports are formatted in the Open Source Vulnerability (OSV, GitHub) format and are accessible through the API.

Slide 25

https://pkg.go.dev/vuln/

Slide 26

GO-2024-2631 (1/2)

Slide 27

GO-2024-2631 (2/2)

Slide 28

API (ref)
Default database URL: https://vuln.go.dev/

/index/db.json[.gz]
  The latest time the database should be considered to have been modified, as an RFC3339-formatted UTC timestamp ending in "Z".
/index/modules.json[.gz]
  Returns a list containing metadata about each module in the database.
/index/vulns.json[.gz]
  Returns a list containing metadata about each vulnerability in the database.
/ID/$id.json[.gz] (e.g. /ID/GO-2022-0191.json)
  Returns the individual report for the vulnerability with ID $id, in OSV format.

ID format: GO-<year>-<number> (e.g. GO-2022-0191)
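The OSV report served by /ID/$id.json is the raw material govulncheck works from, so it helps to see how a module version is matched against a report's "affected" ranges. The following Go program is an added example, not code from the talk or from the Go project: it decodes a constructed OSV record (the ID GO-0000-0000, the module paths example.com/somelib and example.com/other, and every version in it are placeholders) and walks the SEMVER events, where each "introduced"/"fixed" pair is a half-open interval and "introduced": "0" means every version from the start of the module's history. A real client would fetch the same JSON from the database URL on this slide instead of the embedded constant; the simplified version comparison below ignores pre-release tags and is an assumption made to keep the example self-contained.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Report is the subset of an OSV record needed to decide whether a module
// version is affected; real records also carry aliases, details, references
// and ecosystem_specific import/symbol lists.
type Report struct {
	ID       string `json:"id"`
	Summary  string `json:"summary"`
	Affected []struct {
		Package struct {
			Name      string `json:"name"`
			Ecosystem string `json:"ecosystem"`
		} `json:"package"`
		Ranges []struct {
			Type   string `json:"type"`
			Events []struct {
				Introduced string `json:"introduced,omitempty"` // "0" = from the first version
				Fixed      string `json:"fixed,omitempty"`
			} `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// sampleReport is a constructed record in the database's OSV shape; the ID,
// module paths and versions are placeholders, not real vulnerability data.
const sampleReport = `{
  "schema_version": "1.3.1",
  "id": "GO-0000-0000",
  "summary": "constructed example: unsafe request parsing in example.com/somelib",
  "affected": [
    {"package": {"name": "example.com/somelib", "ecosystem": "Go"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.23.0"}]}]},
    {"package": {"name": "example.com/other", "ecosystem": "Go"},
     "ranges": [{"type": "SEMVER", "events": [
       {"introduced": "1.0.0"}, {"fixed": "1.2.0"},
       {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]}
  ]
}`

// ParseReport decodes one OSV record, e.g. the body of /ID/$id.json.
func ParseReport(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// parseVersion turns "v1.2.3", "1.2.3" or "0" into comparable integers.
// Pre-release/build suffixes are dropped (assumption: good enough for the
// release versions listed here; production code should use golang.org/x/mod/semver).
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether module@version lies inside one of the report's
// SEMVER ranges ([introduced, fixed) pairs in ascending order) and, if so,
// the fixed version to upgrade to ("" when the range has no fix yet).
func IsAffected(r *Report, module, version string) (bool, string, error) {
	ver, err := parseVersion(version)
	if err != nil {
		return false, "", err
	}
	for _, a := range r.Affected {
		if a.Package.Name != module {
			continue
		}
		for _, rg := range a.Ranges {
			if rg.Type != "SEMVER" {
				continue
			}
			affected, fixed := false, ""
			for _, ev := range rg.Events {
				switch {
				case ev.Introduced != "":
					iv, err := parseVersion(ev.Introduced)
					if err != nil {
						return false, "", err
					}
					if !less(ver, iv) { // ver >= introduced: inside a new interval
						affected, fixed = true, ""
					}
				case ev.Fixed != "":
					fv, err := parseVersion(ev.Fixed)
					if err != nil {
						return false, "", err
					}
					if !less(ver, fv) { // ver >= fixed: interval closed before ver
						affected = false
					} else if affected && fixed == "" {
						fixed = ev.Fixed
					}
				}
			}
			if affected {
				return true, fixed, nil
			}
		}
	}
	return false, "", nil
}

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	hit, fixed, _ := IsAffected(r, "example.com/somelib", "v0.22.0")
	fmt.Printf("%s: example.com/somelib@v0.22.0 affected=%v fixed=%q\n", r.ID, hit, fixed)
}
```

Matching a version against the report is only the module-level check; govulncheck goes further by using the ecosystem_specific symbol list (omitted from the struct above) together with call-graph analysis to report only vulnerabilities the program can actually reach.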

Slide 29

Govulncheck (doc)
● Govulncheck reports known vulnerabilities that affect Go code.
● It uses static analysis of source code, or of a binary's symbol table, to narrow down reports to only those that could affect the application.

Slide 30

License (ref)
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Database entries available at https://vuln.go.dev are distributed under the terms of the CC-BY 4.0 license.

Slide 31

Limitations
● Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
● Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported. Use of the unsafe package may result in false negatives.
● Because Go binaries do not contain detailed call information, govulncheck cannot show the call graphs for detected vulnerabilities. It may also report false positives for code that is in the binary but unreachable.

Slide 32

Limitations
● There is no support for silencing vulnerability findings. See https://go.dev/issue/61211 for updates.
● Govulncheck only reads binaries compiled with Go 1.18 and later.
● For binaries where the symbol information cannot be extracted, govulncheck reports vulnerabilities for all modules on which the binary depends.

Slide 33

Demo

Slide 34

Install and Run
● Install the latest version:
  go install golang.org/x/vuln/cmd/govulncheck@latest
● Run govulncheck inside your module (default: -mode=source):
  govulncheck ./...
● Scan a binary:
  govulncheck -mode=binary <path-to-binary>

Slide 35

GitHub Action (ref, src)
● Add the following step to your workflow:
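The workflow step itself was shown as an image on this slide. What follows is an added example of a complete workflow, not the slide's own snippet: it assumes the golang/govulncheck-action action and its go-version-input and go-package inputs, and the Go version value is a placeholder to replace with the version your module builds with.

```yaml
# Added example: run govulncheck on every push and pull request.
# Assumptions: the golang/govulncheck-action action with the inputs
# go-version-input and go-package; the Go version below is a placeholder.
name: govulncheck

on: [push, pull_request]

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: "1.22.1"   # placeholder: match your module's Go version
          go-package: ./...
```

Because govulncheck has no way to silence individual findings (slide 32), a failing job here means either upgrading the affected module or confirming that the flagged symbol is genuinely not called; wiring the check into CI keeps that decision from being deferred.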

Slide 36

Example (GO-2024-2610, #2610, #65697)
go.mod

Slide 37

Run: govulncheck ./...

Slide 38

Vulnerability Report: GO-2024-2610

Slide 39

Results:
● Vulnerable result: var a = /* json: error calling MarshalJSON for type *main.beep: </script> */null
● Fixed result: var a = /* json: error calling MarshalJSON for type *main.beep: \x3C/script> */null
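To reproduce what the demo shows, here is an added Go program that is not code from the talk or from the Go project: a type whose MarshalJSON fails with an error message containing "</script>" is rendered by html/template inside a script element. html/template prints marshaling errors inside a JavaScript comment; before the fix the raw error text landed there, so the "</script>" in the vulnerable result above closes the script element early and whatever follows is parsed as HTML. The type name beep, the template string and the helper functions are constructed for this example; the checks assume a Go release that includes the fix for GO-2024-2610, on which the output contains \x3C/script as in the fixed result.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"strings"
)

// beep is a constructed type whose MarshalJSON always fails, with the error
// text a hostile Marshaler could return. encoding/json wraps it as
// "json: error calling MarshalJSON for type *main.beep: </script>".
type beep struct{}

func (b *beep) MarshalJSON() ([]byte, error) {
	return nil, errors.New("</script>")
}

// page is the demo's template: {{.}} sits in a JavaScript context, so
// html/template JSON-encodes the value rather than HTML-escaping it.
var page = template.Must(template.New("page").Parse(`<script>var a = {{.}}</script>`))

// RenderScript executes page with v and returns the HTML that was emitted.
func RenderScript(v any) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ScriptBreaksOut reports whether the rendered HTML contains more than the
// template's single "</script>". A second one ends the script element early,
// which is the failure GO-2024-2610 describes; a fixed toolchain emits
// \x3C/script inside the comment instead, which the browser never sees as a tag.
func ScriptBreaksOut(html string) bool {
	return strings.Count(html, "</script>") > 1
}

func main() {
	out, err := RenderScript(&beep{})
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("breaks out of <script>:", ScriptBreaksOut(out))
}
```

Run it with a Go toolchain older than the fix and ScriptBreaksOut reports true; after upgrading the toolchain (which is all govulncheck asks for here, since the vulnerable code lives in the standard library) the same program reports false without any change to the template.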

Slide 40

Q&A