
Key Points

...

Potential Value Opportunities



Potential Challenges


Vulnerability scans of Golang code


Nancy for Golang scans is open source

https://jcdan3.medium.com/scanning-go-dependencies-for-vulnerabilities-b82db3d56b27

In this post, we will explore a solution to lower the risk of having such vulnerabilities in our third-party Golang libraries. The solution is called nancy and is free and open source.

git clone https://github.com/sonatype-nexus-community/nancy.git
cd nancy
go get ./...
go build -o nancy .


output >> [screenshot of the nancy report, not reproduced]

If a vulnerability is found, the options are:

  • Use a different package that suits your needs
  • Reach out to the developer
  • Fork the repo and fix it yourself!


Go vulnerability scanning tool

https://betterprogramming.pub/secure-your-go-code-with-vulnerability-check-tool-bb9f8c5ecd00

The security scanning tool Go Vulnerability Check (govulncheck) was introduced in September 2022.

Install the tool:

go install golang.org/x/vuln/cmd/govulncheck@latest

Run it against the packages in the current module:

govulncheck ./...

-test flag (also analyse test files): govulncheck -test pkg/test/*



Vuln command-line tool
Reading a command-line tool's code usually starts from where the command line is defined. The whole process is simple, and it takes only five steps to check the source:

Read and configure database client
Load config
Read the source code and sequence
Detect
Process the results


Limitations of the vulnerability tool

It is only an experimental tool.
It only supports binary code checks from Go 1.18 and above.
It only detects vulnerabilities in the current Go version. For example, if I upgrade my Go to the latest 1.19, then the dependencies' vulnerabilities in 1.18 will not be reported.
Its output options are limited. JSON output is too complicated, and text output is only for the local environment; for example, the summary output format in the source code only supports the development and testing environment.
It returns false positives or inaccurate stack reports when scanning interfaces and function pointers.
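The JSON output is complicated partly because govulncheck reports the same OSV id at module, package and symbol level, and only the symbol-level findings mean vulnerable code is actually reachable. The following added example (not from the original page or from the govulncheck project) reads the -json stream and keeps, per id, whether a vulnerable function is called, which is the result a CI gate should block on; the field names are an assumption based on the streaming format of golang.org/x/vuln, and the sample records are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Subset of govulncheck's -json stream (assumption: field names follow the
// streaming format of golang.org/x/vuln; only the parts used here).
type finding struct {
	OSV   string                                      `json:"osv"`
	Trace []struct{ Module, Package, Function string } `json:"trace"`
}

// Triage returns, per OSV id, whether a vulnerable function is reachable
// from our code. govulncheck reports the same id again at module and package
// level, so a shallow finding must never downgrade a deeper one.
func Triage(r io.Reader) (map[string]bool, error) {
	called, dec := map[string]bool{}, json.NewDecoder(r)
	for dec.More() {
		var m struct{ Finding *finding }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		// config, progress and osv records carry no finding and are skipped.
		if f := m.Finding; f != nil && len(f.Trace) > 0 {
			// Trace[0] is the innermost frame; a function name there means the symbol is called.
			called[f.OSV] = called[f.OSV] || f.Trace[0].Function != ""
		}
	}
	return called, nil
}

// Constructed sample, not real scanner output: GO-XXXX-0001 is reached at
// symbol level (and also reported at module level), GO-XXXX-0002 is not.
const sample = `{"config":{"protocol_version":"v1.0.0"}}
{"finding":{"osv":"GO-XXXX-0001","trace":[{"module":"example.com/dep"}]}}
{"finding":{"osv":"GO-XXXX-0001","trace":[{"module":"example.com/dep","package":"example.com/dep/pkg","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-XXXX-0002","trace":[{"module":"example.com/other"}]}}`

func main() {
	called, err := Triage(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	for id, reachable := range called { // gate CI on reachable ids only
		fmt.Println(id, "blocks build:", reachable)
	}
}
```

Ids that appear with a false value are still worth tracking for an upgrade, but they are the ones most likely to be noise given the false-positive behaviour described above.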



The Go crypto package is not FIPS 140-2 certified for government work

...