SlideShare una empresa de Scribd logo

Security of go modules and vulnerability scanning in GoCenter

Deep Datta
Deep Datta

Go 1.13 introduced important security features to Go Modules including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.

Tecnología
1 de 25
Descargar para leer sin conexión
2 Agenda ● Introduction ● Dependency management and Go modules ● Go.mod and go.sum ● Checksum database ● Potential Issues that can come up ● Why we added vulnerability scanning to GoCenter ● More security considerations with Jfrog Xray ● Q&A and Feedback
JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts
4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Make Go Modules the standard Security was built into 1.13 with go.sum and go.mod The go mod init command wrote a go.mod file After running go build you will also see a file called go.sum gets created.
6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was unique means that two different pieces of data can never produce the same hash
8 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
9 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match, ensuring that everyone is using the same code for a given version. https://sum.golang.org/
10 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) Minor content change go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
11 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
12 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch) v1.1.0
13 ... Semantic import versioning
14 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
15 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a cross-site scripting attack ...imagine if your app is a dependency for other projects...
16 Let’s summarize so far go.sum file, a list of SHA-256 base64 hashes go.mod stores a list of each dependency The go command can use these hashes to detect misbehavior by an origin server or proxy that gives a different code for the same version. However, the go.sum file has a limitation, it works entirely by trust based on user’s first use...
17 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io
18 Demo of Vulnerability info in GoCenter.io https://gocenter.io
19 How seeing your vulnerabilities in GoCenter can help
20 You can check vulnerabilities in dependencies too
21 GoCenter provides CVE public list of vulnerabilities
22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe or not.
23 Coming soon...
24 Q&A How to give us feedback gocenter@jfrog.com deepd@jfrog.com @DeepDattaX
JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts

Recomendados

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterDeep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeDeep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterDeep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeDeep Datta
 

Recomendados

Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Security of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterSecurity of Go Modules and Vulnerability Scanning in Go Center
Security of Go Modules and Vulnerability Scanning in Go CenterDeep Datta
 
Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Security of go modules and vulnerability scanning in go center (1)
Security of go modules and vulnerability scanning in go center (1)Deep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VS Code
Security of Go Modules and Vulnerability Scanning in GoCenter and VS CodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeSecurity of Go Modules and Vulnerability Scanning in VSCode
Security of Go Modules and Vulnerability Scanning in VSCodeDeep Datta
 
New Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterNew Security of Go modules and vulnerability scanning in GoCenter
New Security of Go modules and vulnerability scanning in GoCenterDeep Datta
 
Security of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeSecurity of Go Modules and Vulnerability Scanning in Go center and VSCodee
Security of Go Modules and Vulnerability Scanning in Go center and VSCodeeDeep Datta
 
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to xGennady Feldman
 
The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210Mahmoud Samir Fayed
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup晓东 杜
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend晓东 杜
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180Mahmoud Samir Fayed
 
Hls за час
Hls за часHls за час
Hls за часvolegg
 
[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in WindowsHyeonmin Park
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingKenny (netman)
 
GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017sascha_klein
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shellsascha_klein
 
Chap 19 web
Chap 19 webChap 19 web
Chap 19 webKenny (netman)
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 William Lee
 
The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212Mahmoud Samir Fayed
 
Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015Florian Hopf
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11dchaffiol
 
OpenWRT guide and memo
OpenWRT guide and memoOpenWRT guide and memo
OpenWRT guide and memo家榮 吳
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on androidYoss Cohen
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireSQALab
 
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Peter Martin
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesMitali Bisht
 

Más contenido relacionado

La actualidad más candente

Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeDeep Datta
 
The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210Mahmoud Samir Fayed
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup晓东 杜
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend晓东 杜
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgKenny (netman)
 
The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180Mahmoud Samir Fayed
 
Hls за час
Hls за часHls за час
Hls за часvolegg
 
[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in WindowsHyeonmin Park
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingKenny (netman)
 
GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017sascha_klein
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shellsascha_klein
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 William Lee
 
The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212Mahmoud Samir Fayed
 
Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015Florian Hopf
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11dchaffiol
 
OpenWRT guide and memo
OpenWRT guide and memoOpenWRT guide and memo
OpenWRT guide and memo家榮 吳
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on androidYoss Cohen
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireSQALab
 

La actualidad más candente (20)

Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCodeSecurity of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
 
Xdebug from a to x
Xdebug from a to xXdebug from a to x
Xdebug from a to x
 
The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210The Ring programming language version 1.9 book - Part 22 of 210
The Ring programming language version 1.9 book - Part 22 of 210
 
Openwrt startup
Openwrt startupOpenwrt startup
Openwrt startup
 
Openwrt frontend backend
Openwrt frontend backendOpenwrt frontend backend
Openwrt frontend backend
 
Linux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkgLinux fundamental - Chap 09 pkg
Linux fundamental - Chap 09 pkg
 
The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180The Ring programming language version 1.5.1 book - Part 14 of 180
The Ring programming language version 1.5.1 book - Part 14 of 180
 
Hls за час
Hls за часHls за час
Hls за час
 
[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows[14.02.24] Objective-C in Windows
[14.02.24] Objective-C in Windows
 
Importance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation readingImportance of linux system fundamental in technical documentation reading
Importance of linux system fundamental in technical documentation reading
 
GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017GroovyFX - groove JavaFX Gr8Conf EU 2017
GroovyFX - groove JavaFX Gr8Conf EU 2017
 
Groovy on the shell
Groovy on the shellGroovy on the shell
Groovy on the shell
 
Chap 19 web
Chap 19 webChap 19 web
Chap 19 web
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
 
The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212The Ring programming language version 1.10 book - Part 23 of 212
The Ring programming language version 1.10 book - Part 23 of 212
 
Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015Anwendungsfälle für Elasticsearch JavaLand 2015
Anwendungsfälle für Elasticsearch JavaLand 2015
 
Docker 1.10 1.11
Docker 1.10 1.11Docker 1.10 1.11
Docker 1.10 1.11
 
OpenWRT guide and memo
OpenWRT guide and memoOpenWRT guide and memo
OpenWRT guide and memo
 
FFMPEG on android
FFMPEG on androidFFMPEG on android
FFMPEG on android
 
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfireИгры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
Игры с огнём: знакомимся с BDD и Cucumber фреймворком BDDfire
 

Similar a Security of go modules and vulnerability scanning in GoCenter

Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Peter Martin
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesMitali Bisht
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesMitali Bisht
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material SANGHEE SHIN
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsMitali Bisht
 
Debugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBDebugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBbmbouter
 
Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Aleksey Tkachenko
 
Lean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and DrushLean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and DrushPantheon
 
mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)SANGHEE SHIN
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaJoe Stein
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in GoBo-Yi Wu
 
Do + ldo for developers(full)
Do + ldo for developers(full)Do + ldo for developers(full)
Do + ldo for developers(full)Andrii Podanenko
 
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808Cisco DevNet
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projectsThierry Gayet
 
mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07Gaia3D,Inc.
 
20150317 firefox os_studymtg_engver
20150317 firefox os_studymtg_engver20150317 firefox os_studymtg_engver
20150317 firefox os_studymtg_engverNaoki Sekiguchi
 
Mongo performance tuning: tips and tricks
Mongo performance tuning: tips and tricksMongo performance tuning: tips and tricks
Mongo performance tuning: tips and tricksVladimir Malyk
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6Wim Godden
 
Getting started with drupal 8 code
Getting started with drupal 8 codeGetting started with drupal 8 code
Getting started with drupal 8 codeForum One
 

Similar a Security of go modules and vulnerability scanning in GoCenter (20)

Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
Developing a Joomla 3.x Component using RAD FOF- Part 2: Front-end + demo - J...
 
Understanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notesUnderstanding pseudo-version and Go1.14+ with notes
Understanding pseudo-version and Go1.14+ with notes
 
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for ModulesUnderstanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
Understanding Pseudo-Versions Moving to Go 1.13 What is in Go 1.14+ for Modules
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material
 
Pseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versionsPseudo-versions, moving to Go1.13 and later versions
Pseudo-versions, moving to Go1.13 and later versions
 
Debugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDBDebugging Hung Python Processes With GDB
Debugging Hung Python Processes With GDB
 
Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...Docman - The swiss army knife for Drupal multisite docroot management and dep...
Docman - The swiss army knife for Drupal multisite docroot management and dep...
 
Yobi d2 naver(create)
Yobi d2 naver(create)Yobi d2 naver(create)
Yobi d2 naver(create)
 
Lean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and DrushLean Drupal Repositories with Composer and Drush
Lean Drupal Repositories with Composer and Drush
 
mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)mago3D Technical Workshop Material(New Version)
mago3D Technical Workshop Material(New Version)
 
Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
Gorush: A push notification server written in Go
Gorush: A push notification server written in GoGorush: A push notification server written in Go
Gorush: A push notification server written in Go
 
Do + ldo for developers(full)
Do + ldo for developers(full)Do + ldo for developers(full)
Do + ldo for developers(full)
 
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
Golang 101 for IT-Pros - Cisco Live Orlando 2018 - DEVNET-1808
 
GIT training - advanced for software projects
GIT training - advanced for software projectsGIT training - advanced for software projects
GIT training - advanced for software projects
 
mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07mago3D workshop(English) in Thailand , 2018.07
mago3D workshop(English) in Thailand , 2018.07
 
20150317 firefox os_studymtg_engver
20150317 firefox os_studymtg_engver20150317 firefox os_studymtg_engver
20150317 firefox os_studymtg_engver
 
Mongo performance tuning: tips and tricks
Mongo performance tuning: tips and tricksMongo performance tuning: tips and tricks
Mongo performance tuning: tips and tricks
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
Getting started with drupal 8 code
Getting started with drupal 8 codeGetting started with drupal 8 code
Getting started with drupal 8 code
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Security of go modules and vulnerability scanning in GoCenter

  • 1.
  • 2. 2 Agenda ● Introduction ● Dependency management and Go modules ● Go.mod and go.sum ● Checksum database ● Potential Issues that can come up ● Why we added vulnerability scanning to GoCenter ● More security considerations with Jfrog Xray ● Q&A and Feedback
  • 3. JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts
  • 4. 4 Deep Datta GoCenter Community Product Manager deepd@jfrog.com @DeepDattaX
  • 5. 5 Dependency management and Go Modules Go 1.11 Introduced Go Modules module main.go go 1.13 require github.com/sirupsen/logrus v1.4.2 go.mod github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequenc es v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= go.sum Go 1.13 Make Go Modules the standard Security was built into 1.13 with go.sum and go.mod The go mod init command wrote a go.mod file After running go build you will also see a file called go.sum gets created.
  • 6. 6 go.sum github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/konsorten/go-windows-terminal-sequencesv1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  • 7. 7 SHA-256 cryptographic hash algorithms produce irreversible and unique hashes Irreversible because you can’t use the hash to figure out what the original piece of data was unique means that two different pieces of data can never produce the same hash
  • 8. 8 checksum database Module 1 (go.sum) Module 2 (go.sum) go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 9. 9 The checksum database ensures that the go command always adds the same lines to everyone's go.sum file. Whenever the go command receives new source code, it can verify the hash of that code against this global database to make sure the hashes match, ensuring that everyone is using the same code for a given version. https://sum.golang.org/
  • 10. 10 How hashes protect you Module 1 (go.sum) Module 1 (go.sum) Minor content change go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= https://sum.golang.org/
  • 11. 11 Let’s say you create your first Go module. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... You save it as mod1 go.mod go.sum main.go
  • 12. 12 package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “html/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go You can fix your files and create a new version for everyone called mod1/v2 (probably would be a patch) v1.1.0
  • 14. 14 Both versions have been committed to the checksum db github.com/dee pda/mod1 github.com/dee pda/mod1/v2 go.sum go.sum go.sum List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. PIRibHv4MatM3XXNO2BJeFLZwZ2L vZgfQ5+UNI2im4= List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc= go.sum List of SHA-256 base64 hashes. Cz4ceDQGXuKRnVBDTS23GTn/pU5 OE2C0WrNTOYK1Uuc=
  • 15. 15 If someone imports…. package main import { “encoding/json”, “io/ioutil”, “net/http”, “os”, “text/template” } type TodoPageData struct { PageTitle string Todos []Todo } ... mod1 main.go They open themselves up to a cross-site scripting attack ...imagine if your app is a dependency for other projects...
  • 16. 16 Let’s summarize so far go.sum file, a list of SHA-256 base64 hashes go.mod stores a list of each dependency The go command can use these hashes to detect misbehavior by an origin server or proxy that gives a different code for the same version. However, the go.sum file has a limitation, it works entirely by trust based on user’s first use...
  • 17. 17 Introducing JFrog GoCenter with Xray Security GoCenter is a GOPROXY that caches metadata and source code in its own storage system. This allows the mirror to continue to serve source code that is no longer available from the original locations thus speeding up downloads and protect users from the disappearing dependencies. export GOPROXY=https://gocenter.io
  • 18. 18 Demo of Vulnerability info in GoCenter.io https://gocenter.io
  • 19. 19 How seeing your vulnerabilities in GoCenter can help
  • 20. 20 You can check vulnerabilities in dependencies too
  • 21. 21 GoCenter provides CVE public list of vulnerabilities
  • 22. 22 Every module and version is scanned and actively provides a security warning github.com/dee pda/mod1 github.com/dee pda/mod1/v2 Versions tab also shows you which version are safe or not.
  • 24. 24 Q&A How to give us feedback gocenter@jfrog.com deepd@jfrog.com @DeepDattaX
  • 25. JFrog.com/shownotes ● Tonights Slides ● Introduction to GoCenter presentation ● JFrog T-Shirts Raffle - Win 1 of 3 JFrog Go T-Shirts