m Golang GO

Owned by jim mason
Last updated: Feb 14, 2023 by jimm1
3 min read

Key Points

  1. GO - no VM, compiled, no classes
  2. Fast execution relatively
  3. Frameworks ??

References

Reference_description_with_linked_URLs____________________________Notes_______________________________________________________________


https://golang.org/GO lang

https://stackoverflow.com/questions/28166249/how-to-list-
installed-go-packages

go-module-list-stackoverflow.com-How to list installed go packages.pdf

How to list installed GO modules, versions




https://yourbasic.org/golang/go-vs-java/GO vs Java main differences
https://www.educba.com/go-vs-java/GO vs Java compare


Go Tutorials
https://medium.com/@radadiyasunny970/go-lang-rest-api-using-
gorilla-mux-a7dafbb64214		GO Gorilla MUX for CRUD REST API
go-tutorial-read-write-excel-files.pdfGo read / write excel files


https://medium.com/@radadiyasunny970/a-simple-performance
-test-and-difference-go-v-s-java-e6f29ad65293		GO vs Java performance for loop test
https://dzone.com/articles/java-vs-go-microservices-load-testing-rematchGo vs Java microservices




https://benchmarksgame-team.pages.debian.net/benchmarksgame
/fastest/go-node.html

go-vs-node-benchmark1-2020.pdf

GO vs Node.js benchmarks 1

https://www.intellectsoft.net/blog/nodejs-vs-golang/

go-vs-node-benchmark1-2020.pdf

GO vs Node.js benchmarks 2



Key Concepts




Potential Value Opportunities



Potential Challenges


Vulnerability scans of Golang code


Nancy for golang scans is open-source

https://jcdan3.medium.com/scanning-go-dependencies-for-vulnerabilities-b82db3d56b27

In this post, we will explore a solution to lower the risk of having such vulnerabilities in our third-party Golang libraries. The solution is called nancy and is free and open source.

git clone https://github.com/sonatype-nexus-community/nancy.git
cd nancy
go get ./...
go build -o nancy .


output >>

IF a vulnerability found

  • Using a different package that suits your need
  • Reaching to the developer
  • Fork the repo and fix it yourself!


Go vulnerability scanning tool

https://betterprogramming.pub/secure-your-go-code-with-vulnerability-check-tool-bb9f8c5ecd00

 the security scanning tool Go Vulnerability Check was introduced in September 2022

install tool

go install golang.org/x/vuln/cmd/govulncheck@latest

govulncheck


-test flag govulncheck -test pkg/test/*



Vuln Command-line Tool
Reading the command-line tool code usually starts from where the command line is defined. The whole process is simple, and only 5 steps to check the source.

Read and configure database client
Load config
Read the source code and sequence
Detect
Process the results


limitations of vulnerability tool

It is only aExpeirmental tool.
It only supports binary code checks from Go 1.18 and above.
It only detects vulnerabilities in the current Go version. For example, if I upgrade my Go to the latest 1.19, then the dependencies’ vulnerabilities in 1.18 will not be reported.
Its output method is limited. JSON output is too complicated, and text is only for the local environment, such as the summary output format in the source code only supports the development and testing environment.
It returns false positive or inaccurate stack reports when scanning interfaces and function pointers.



Go lang crypto package not FIPS 140-2 certified for Government work


Details on GO crypto FIPS compliance issues here



Hi Dave



2> Use of Go lang crypto libraries not validated by NIST

I see that Fabric is or will be relying on the Go crypto package. Turns out the Go crypto package is not FIPS 140.2 certified. As a result, Fabric can't ( in theory ) be used for any Federal or Canadian government solutions.

This study identified the issue on Fabric crypto libraries

Blockchain Compliance with Federal Cryptographic Information Processing Standards by James P. Howard, II, Maria E. Vachino :: SSRN

Blockchain Compliance with Federal Cryptographic Information Processing ...
Under current Federal Information Security Management Act of 2002 (FISMA) requirements, all new Federal informat...


The package Go crypto is "derived" from was validated:
2017 version of BoringCrypto
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2964

I followed up with the Go security team and they provided this detail below - so far no commitment to have their crypto libraries validated.

Here's their only info on the crypto package
From Filippo Valsorda at Google, if anyone else is interested:
" Go 1.14 and earlier ship a module built according to the instructions in certificate 2964, which maps to BoringSSL tag fips-20170615. https://github.com/golang/go/blob/dev.boringcrypto.go1.14/src/crypto/internal/boring/build/build.sh Go 1.15 and later will hopefully ship a module built according to the instructions in certificate 3318, which maps to BoringSSL tag fips-20180730. https://github.com/golang/go/commit/6c64b188a53afec79563cf4ad3c5bc373036d3ae"

FIPS 140.2 requirements for crypto modules
https://csrc.nist.gov/projects/cryptographic-module-validation-program
Use of Unvalidated Cryptographic Modules by Federal Agencies and Departments

FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.

Many companies who would use Fabric on public projects are impacted by this regulation and the Go crypto module certification status.

Your thoughts on both are appreciated,

Thanks !

Jim Mason




Candidate Solutions



Step-by-step guide for Example








sample code block

sample code block



Recommended Next Steps