Software Architecture in Golang: Vulnerability Management with govulncheck

Captions
Hello, my name is Mario. Welcome to another Software Architecture in Go video. In today's episode I'm talking about security, specifically vulnerability management. This is a new feature that was added to Go a few weeks ago. It is not yet part of the official toolchain, but you can still use it nowadays. It consists of a vulnerability database that is being fed by different data sources; those include the National Vulnerability Database, GitHub Security Advisories, as well as the ones that we can submit as package maintainers and those that are going to be added by the Go team. This database is going to be used to power a few different tools and services. At the moment, the one that I'm going to be showing you (I will show you three different examples) is govulncheck, which is going to be detecting vulnerabilities in the code and in your binaries, but this is also available in the Go package discovery site, and I think it's going to be added soon to the plugin in Visual Studio Code.

So let me show you the three examples. As usual, the link to the code is in the description of this video, so feel free to check it out. The first example I'm going to be showing you is one using the standard library, a bug already detected in the standard library. Typically, the way vulnerability services like Snyk work (which I covered in a previous video regarding security and dependencies; I'm leaving the link in the description as well) is that they read the vendor package or file that defines the values and versions of the packages that you import, typically go.mod and go.sum. So if I go back and look at the one that I imported already, you will notice that I do not have any vulnerability, because, you know, the program is really simple. Let me show you: the way it works is using this new API that was added in 1.19 that includes a bug, like I told you before. So if we go and open the readme, I added instructions for compiling this using a Docker container. You can do what I just showed you, or you build it with this concrete standard, you know, binary to compile your file, but I'm doing it here because it's a little bit easier.

So if I run the Go 1.19 binary, you will notice that it's printing out the values incorrectly, but if I go and try using version 1.18, you will notice that now it's going to be printing out the values correctly, and "the values correctly" will be referring to what I have in this case right here. And if I do the same with the Go 1.18 version, you will see that now this one is the value that we should be expecting, compared to this one that now has the dot dot that we shouldn't be having in the first place, which is right here. Now if we use the govulncheck binary that we installed (the instructions are in the readme as well, so feel free to check that out), you will do a govulncheck and you will indicate the binary; in this case I want to use the one that has the bug. So if I run it like this, you will see that now I have the vulnerability indicated right here. If I go and do the same but with the one that was already fixed, you won't see that problem anymore, because it's referencing the binary itself. This is really powerful, because you remember that in Go, when you're using modules, we are always referring to the minor version, not the patch, so there is no way to determine, for typically most of the services that provide some sort of vulnerability scanning, there is no way to detect those issues without accessing the actual binary. So this is super cool, because it's the biggest difference compared to what we can have with Snyk, or maybe Mend, or maybe other providers that are available now.

Let me show you another example using a third-party library. Now, using a third-party library is similar to what we did before, but instead of running the binary I want to show you the other way to do it, which will be using packages, and the syntax will be like this: so instead of using the binary name (I haven't compiled anything; let me show you, there is nothing compiled here), I'm just going to do the following check with the three dots to indicate what's happening. Now this one will be calling out an issue that is right here, this vulnerability: I'm importing a package, the yaml 3.0 version, and there is an issue with that. If I go and show you the code, you will notice that what it's doing is literally referring to what the vulnerability is describing. If I go and show you the actual Snyk version of this, you will notice that it's been reported by Snyk as well, so I think both of them work, right?

But let me show you another example, and this is really cool, because there are cases where you don't use that concrete function that is vulnerable in your code. Let me show you. So this is the third and last example, and I think this is one of the best features I have seen recently regarding vulnerability scanners nowadays. One of the things about this one in particular that calls out my attention is that, hey, I'm importing this buggy package; specifically, let me open the command to show you the version that has been affected, which is still the same 3.0.0, but I still, however, I'm not actually using the function that has been affected. If you recall the code a while back, the issue was in the Unmarshal; here I'm using, well, I'm using Marshal but not the Unmarshal, therefore I'm not using the vulnerable function that is included in the package. However, typically services like Snyk, for example... I have nothing; I'm running Snyk. What I'm trying to show you is that when using govulncheck, this is really specific to the Go code itself, not just some checking of the go.mod or the go.sum files that determine what version has been imported. In the case of Snyk, well, it's looking at, yeah, sure, it's looking at the way that we're importing the file or the package that is vulnerable, but really we're not using it. So probably, when we are working in an enterprise, maybe we could define the priority a little bit lower. Yes, we have to update the package, that's for sure, but we don't have to update it right away, because in the first place we are not using it. So what happens if I use govulncheck on the file or application rather than the binary? If I do a govulncheck, you will notice that, hey, it's still going to report that there is a vulnerability, but my code doesn't happen to include those values in here. If you notice, you may not take an action, or you may, depending on your priorities, and this is, I think, the biggest differentiator: it's not going to give you noisy reports on what you have in your code; it's going to still report those, but it will tell you, hey, it's up to you if you want to update or not.

So let's jump into conclusions. So that's it; this is the new vulnerability management in Go. It's a brand new feature that I really, really like: one, because it's going to be included officially in the Go toolchain; it's detecting the issues that you have locally in your binary from previous versions in the standard library; and also it determines whether you're using an affected function that was vulnerable already. So this is really cool. And also another thing that may be important for you: it's free, it's already part of the toolchain, so you don't have to pay for a new service, you don't have to, you know, push your code outside of the boundaries of your enterprise, for example; it's already in there. Now we need to wait and see the new improvements that are going to be coming soon. I'm looking forward to seeing what is going to happen, so I'm really excited for this one in particular. That's it. Thank you for watching. I will talk to you next time. Take care, stay safe, see you.
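The binary-mode point made in the video (go.mod only records `go 1.19`, while the compiled binary records the exact patch release and the exact version of every dependency) can be seen directly with the standard library. The program below is an added example written for this page; it is not code from the video, from Mario's repository, or from the govulncheck project. It reads the build info that the `go` tool embeds in every module-built binary, the same data govulncheck uses when you point it at a binary, and compares the recorded versions against a hand-written advisory list. The `Advisory`, `ReadBinaryInfo` and `Affected` names, the `EXAMPLE-000x` IDs and the fixed versions are all assumptions made up for illustration, not entries from the real Go vulnerability database; the only convention taken from the real database is that the toolchain is listed under the module path `stdlib`. What this example deliberately does not do is the third thing in the video, the call-graph check of whether the vulnerable function (e.g. `Unmarshal` vs `Marshal`) is actually reached, which govulncheck performs in source mode.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Advisory is a hand-written stand-in for one entry of the Go vulnerability
// database: the affected module path and the first version that fixes it.
// govulncheck pulls the real entries from vuln.go.dev; the ones in main below
// are constructed for this example and are not real advisories.
type Advisory struct {
	ID           string
	Module       string // "stdlib" is the database's module path for the toolchain
	FixedVersion string
}

// ModuleVersion is one module recorded in a binary's embedded build info.
type ModuleVersion struct {
	Path    string
	Version string
}

// ReadBinaryInfo reads the build information the go tool embeds in every
// module-built binary. This is what binary-mode scanning relies on: the exact
// toolchain release that built the binary (e.g. go1.19.1, not just the
// "go 1.19" line in go.mod) and the exact version of every dependency.
func ReadBinaryInfo(path string) (goVersion string, mods []ModuleVersion, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	mods = append(mods, ModuleVersion{Path: bi.Main.Path, Version: bi.Main.Version})
	for _, d := range bi.Deps {
		m := d
		if m.Replace != nil { // with a replace directive, the replacement is what got linked
			m = m.Replace
		}
		mods = append(mods, ModuleVersion{Path: m.Path, Version: m.Version})
	}
	return bi.GoVersion, mods, nil
}

// Affected returns the advisories whose module is present in the binary at a
// version below the fixed version. The toolchain is looked up as "stdlib".
func Affected(goVersion string, mods []ModuleVersion, advisories []Advisory) []Advisory {
	installed := map[string]string{"stdlib": goVersion}
	for _, m := range mods {
		installed[m.Path] = m.Version
	}
	var hits []Advisory
	for _, adv := range advisories {
		if v, ok := installed[adv.Module]; ok && versionLess(v, adv.FixedVersion) {
			hits = append(hits, adv)
		}
	}
	return hits
}

// versionLess reports whether version a sorts before b, for "vX.Y.Z" and
// "goX.Y[.Z]" strings. Pre-release, build and experiment suffixes are ignored.
// govulncheck itself uses golang.org/x/mod/semver; this is a deliberately
// small stand-in so the example has no dependencies outside the standard library.
func versionLess(a, b string) bool {
	pa, pb := numericParts(a), numericParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

func numericParts(v string) [3]int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+ "); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s) // non-numeric parts such as "(devel)" become 0
		out[i] = n
	}
	return out
}

func main() {
	// Usage: go run . <path-to-binary>; defaults to this program's own executable.
	path, err := os.Executable()
	if len(os.Args) > 1 {
		path, err = os.Args[1], nil
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	goVersion, mods, err := ReadBinaryInfo(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a Go binary with build info:", err)
		os.Exit(1)
	}
	fmt.Println("built with", goVersion)
	for _, m := range mods {
		fmt.Println("  ", m.Path, m.Version)
	}
	// Constructed advisories modelled on the video's two cases (a toolchain bug
	// fixed in a patch release, and yaml.v3 v3.0.0). IDs and fix versions are
	// made up for illustration and are not real database entries.
	advisories := []Advisory{
		{ID: "EXAMPLE-0001", Module: "stdlib", FixedVersion: "go1.19.1"},
		{ID: "EXAMPLE-0002", Module: "gopkg.in/yaml.v3", FixedVersion: "v3.0.1"},
	}
	for _, adv := range Affected(goVersion, mods, advisories) {
		fmt.Printf("%s: %s is below fixed version %s\n", adv.ID, adv.Module, adv.FixedVersion)
	}
}
```

Run it against the two binaries from the video's first example and the `built with` line will differ by patch release even though both were built from the same go.mod; that difference is exactly what a go.mod/go.sum-only scanner cannot see. Keep in mind that the real database also records affected packages and symbols per module, which is what makes the reachability check in source mode possible; a version comparison like the one here is only the first of the two filters govulncheck applies.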
Info
Channel: Mario Carrion
Views: 2,353
Keywords: golang, go lang, golang tutorial, go lang tutorial, golang beginners, golang for beginners, learn golang, govulncheck, golang vulnerability management, go lang govulncheck, go lang security, golang security, go lang vulnerability, golang snyk, go lang snyk, golang software architecture security, go lang software architecture security, golang pkg.go.dev
Id: BOQfO60gWGM
Length: 8min 28sec (508 seconds)
Published: Fri Sep 16 2022