@a-h
Created January 31, 2019 16:29
Security vulnerability tracking

What you wanted to do

Check that my program is free from known security vulnerabilities.

For example, if a package I'm using has a security vulnerability in it, I want to be notified to upgrade or warned.

What you actually did

Checked the https://nvd.nist.gov/vuln/search for Go-related issues, but found that only core packages were listed. I noticed that some packages had vulnerabilities listed (e.g. https://nvd.nist.gov/vuln/detail/CVE-2018-1002207) but couldn't work out how to find them programmatically. I wrote a program to scan the NIST database for Go-language-related vulnerabilities and to let me know anyway - https://github.com/a-h/nvdnotifier

Wrote a program to scan Github repositories for comments / keywords that might indicate that a library has a security vulnerability (https://github.com/a-h/watchman) and to let me know.

Created a Docker container to run a range of security tests against code and embedded it into my CI pipelines https://github.com/welldigital/gocheck

Considered writing a program to scan the code AST of each dependency in the tree to determine whether it carries out any IO (e.g. reading / writing from a file / network etc.). If a newer version of a library suddenly has IO capability, it could be being used to exfiltrate data or provide an entry point to attackers.

Why that wasn’t great

It was time consuming, not mainstream and not complete.

It would be much more useful to me if:

  • The Go tools kept track of known vulnerabilities and if a vulnerable dependency was found in the dependency graph, alerted me to it. The list could just contain package names and hashes, and be downloaded to the building computer rather than transferring the names of packages up to a server.

  • go vet did more security-related tests out of the box.

These changes would make the checks more "batteries included", like NPM's npm audit command, and make it easier to demonstrate to security auditors that the language meets the organisation's security requirements.
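A minimal sketch of the first bullet, added here as an example and not part of the gist or of any Go tool: a go.sum-style dependency list is matched, entirely offline, against a locally held advisory list keyed by module name plus version or by hash, so no package names are sent to a server. The advisory format, the module names and the ADV-PLACEHOLDER ids are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Dependency is one resolved module from the build's dependency graph (a go.sum line).
type Dependency struct{ Module, Version, Hash string }

// Advisory is one entry of the local list (format assumed): Version "*" matches any
// version; a non-empty Hash matches on the go.sum hash alone.
type Advisory struct{ ID, Module, Version, Hash string }

// ParseGoSum reads go.sum-style lines ("module version h1:hash"), skipping
// the "/go.mod" entries that only cover a module's go.mod file.
func ParseGoSum(text string) []Dependency {
	var deps []Dependency
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue // blank or malformed line, or a go.mod-only hash
		}
		deps = append(deps, Dependency{Module: f[0], Version: f[1], Hash: f[2]})
	}
	return deps
}

// Scan checks the graph against the list offline; each finding is "ID module version".
func Scan(deps []Dependency, advisories []Advisory) []string {
	var findings []string
	for _, d := range deps {
		for _, a := range advisories {
			byName := a.Module == d.Module && (a.Version == "*" || a.Version == d.Version)
			byHash := a.Hash != "" && a.Hash == d.Hash
			if byName || byHash {
				findings = append(findings, fmt.Sprintf("%s %s %s", a.ID, d.Module, d.Version))
			}
		}
	}
	return findings
}

// Constructed sample input: a tiny go.sum and two placeholder advisories.
const sampleGoSum = "example.com/vulnlib v1.2.0 h1:AAAA\nexample.com/vulnlib v1.2.0/go.mod h1:BBBB\n" +
	"example.com/safelib v0.9.1 h1:CCCC\nexample.com/other v2.0.0 h1:DDDD\n"
var sampleAdvisories = []Advisory{{ID: "ADV-PLACEHOLDER-1", Module: "example.com/vulnlib", Version: "v1.2.0"},
	{ID: "ADV-PLACEHOLDER-2", Hash: "h1:DDDD"}} // second entry matches by hash alone

func main() { fmt.Println(Scan(ParseGoSum(sampleGoSum), sampleAdvisories)) }
```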
