Go Language

Security assessment techniques for Go projects

Writing secure Go code

Static analysis tools

Use osv-scanner to check the project's dependencies against the OSV vulnerability database: https://github.com/google/osv-scanner

Use go vet to scan Go files:

>>> go vet ./src/*.go
# command-line-arguments
# [command-line-arguments]
vet: src/proxy_windows.go:16:6: sh redeclared in this block

Use govulncheck:

# Install
# go install golang.org/x/vuln/cmd/govulncheck@latest

# Run on Source Code
>>> govulncheck ./...
No vulnerabilities found.

# Run on a Binary
>>> govulncheck -mode binary -show verbose `which fzf`
Scanning your binary for known vulnerabilities...
Fetching vulnerabilities from the database...
Checking the binary against the vulnerabilities...
No vulnerabilities found.

Use Staticcheck:

# Install
# go install honnef.co/go/tools/cmd/staticcheck@latest

# Run
>>> staticcheck ./...
src/terminal.go:330:2: field sigstop is unused (U1000)
src/tui/light.go:107:2: field ttyinChannel is unused (U1000)
src/tui/light.go:108:2: field inHandle is unused (U1000)
src/tui/light.go:109:2: field outHandle is unused (U1000)
src/tui/light.go:110:2: field origStateInput is unused (U1000)
src/tui/light.go:111:2: field origStateOutput is unused (U1000)
src/winpty.go:12:20: error strings should not be capitalized (ST1005)

Gosec Scanner:

# Install
# go install github.com/securego/gosec/v2/cmd/gosec@latest

# Run gosec ./...
>>> gosec ./...
[...]
[/tmp/fzf/src/tui/tui.go:246] - G115 (CWE-190): integer overflow conversion int64 -> int32 (Confidence: MEDIUM, Severity: HIGH)
    245:     b, _ := strconv.ParseInt(rrggbb[5:7], 16, 0)
  > 246:     return Color((1 << 24) + (r << 16) + (g << 8) + b)
    247: }
Autofix:
[...]
[/tmp/fzf/src/util/util_unix.go:68] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
    67:     SetStdin(stdin)
  > 68:     syscall.Exec(shellPath, args, environ)
    69: }
Autofix:
[...]
[/tmp/fzf/src/tui/light_unix.go:50] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    49:     if len(tty) > 0 {
  > 50:         if in, err := os.OpenFile(tty, mode, 0); err == nil {
    51:             return in, nil
Autofix:

[/tmp/fzf/src/tui/light_unix.go:46] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    45: func openTty(mode int) (*os.File, error) {
  > 46:     in, err := os.OpenFile(consoleDevice, mode, 0)
    47:     if err != nil {
Autofix:

[/tmp/fzf/src/proxy_unix.go:34] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    33: func withInputPipe(input string, task func(io.WriteCloser)) error {
  > 34:     inputFile, err := os.OpenFile(input, os.O_WRONLY, 0)
    35:     if err != nil {
Autofix:

[/tmp/fzf/src/proxy_unix.go:24] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    23: func withOutputPipe(output string, task func(io.ReadCloser)) error {
  > 24:     outputFile, err := os.OpenFile(output, os.O_RDONLY, 0)
    25:     if err != nil {
Autofix:
[...]

Summary:
  Gosec  : dev
  Files  : 42
  Lines  : 16770
  Nosec  : 0
  Issues : 101
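Two of the gosec rule classes in the output above have direct code-level fixes: G115 wants a range check before a narrowing conversion such as the int64 -> int32 at tui.go:246, and G304 wants a caller-supplied path to be bounded before it reaches os.OpenFile. The following is an added example written for this page, not fzf's code: ToInt32 rejects values that do not fit the target type, and ConfinePath lexically confines a name to a base directory before OpenUnder opens it. The function names, the temporary base directory and the file names are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutOfRange is returned when a value does not fit the narrower target type.
var ErrOutOfRange = errors.New("value does not fit in int32")

// ToInt32 narrows an int64 to int32 only when the value is in range.
// This is the explicit bound check that silences a G115 (CWE-190) finding
// for a reason, instead of letting the high bits be silently truncated.
func ToInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, ErrOutOfRange
	}
	return int32(v), nil
}

// ErrOutsideBase is returned when a caller-supplied name escapes the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// ConfinePath joins name onto base, cleans the result and rejects anything
// whose cleaned form lies outside base ("..", "../x", "a/../../x"). An
// absolute name is treated as relative to base rather than honoured as-is.
// The check is purely lexical: it does not resolve symlinks.
func ConfinePath(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, name) // Join also runs Clean, collapsing ".." segments
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// OpenUnder opens name for reading only after ConfinePath has accepted it.
// The #nosec annotation records why the remaining os.Open on a variable is
// considered reviewed; gosec counts such annotations under "Nosec" in its summary.
func OpenUnder(base, name string) (*os.File, error) {
	p, err := ConfinePath(base, name)
	if err != nil {
		return nil, err
	}
	return os.Open(p) // #nosec G304 -- p is confined to base by ConfinePath
}

func main() {
	// Constructed demo: a temporary base directory holding one readable file.
	base, err := os.MkdirTemp("", "confine-demo")
	if err != nil {
		fmt.Println("mkdtemp:", err)
		return
	}
	defer os.RemoveAll(base)
	if err := os.WriteFile(filepath.Join(base, "config.txt"), []byte("ok\n"), 0o600); err != nil {
		fmt.Println("write:", err)
		return
	}
	for _, name := range []string{"config.txt", "sub/../config.txt", "../../outside.txt"} {
		f, err := OpenUnder(base, name)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", name, err)
			continue
		}
		f.Close()
		fmt.Printf("%-20s opened\n", name)
	}
	for _, v := range []int64{255, 1 << 40, -1 << 40} {
		if n, err := ToInt32(v); err != nil {
			fmt.Printf("%d -> %v\n", v, err)
		} else {
			fmt.Printf("%d -> int32 %d\n", v, n)
		}
	}
}
```

Because ConfinePath is lexical, a symlink inside base that points elsewhere is still followed by os.Open; where that matters, resolve the candidate with filepath.EvalSymlinks and re-run the prefix comparison on the resolved path before opening.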