
Go Lang

https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/

https://jarosz.dev/article/writing-secure-go-code/

Scanning Code

Use go vet to scan Go files. Note that listing individual files, as below, makes the go tool treat them as one synthesized package and ignore their build constraints, so platform-specific files (proxy_windows.go, proxy_unix.go) get compiled together and collide on the same identifier. Run go vet ./... on the package tree instead to get a per-platform result:

>>> go vet ./src/*.go
# command-line-arguments
# [command-line-arguments]
vet: src/proxy_windows.go:16:6: sh redeclared in this block

Use govulncheck:

#Install
#go install golang.org/x/vuln/cmd/govulncheck@latest

#Run on Source Code
>>> govulncheck ./...
No vulnerabilities found.

#Run on a Binary
>>> govulncheck -mode binary -show verbose `which fzf`
Scanning your binary for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the binary against the vulnerabilities...

No vulnerabilities found.

Use staticcheck:

#Install
#go install honnef.co/go/tools/cmd/staticcheck@latest

#Run
>>> staticcheck ./...
src/terminal.go:330:2: field sigstop is unused (U1000)
src/tui/light.go:107:2: field ttyinChannel is unused (U1000)
src/tui/light.go:108:2: field inHandle is unused (U1000)
src/tui/light.go:109:2: field outHandle is unused (U1000)
src/tui/light.go:110:2: field origStateInput is unused (U1000)
src/tui/light.go:111:2: field origStateOutput is unused (U1000)
src/winpty.go:12:20: error strings should not be capitalized (ST1005)

Gosec Scanner:

#Install
#go install github.com/securego/gosec/v2/cmd/gosec@latest

#Run
>>> gosec ./...
[...]

[/tmp/fzf/src/tui/tui.go:246] - G115 (CWE-190): integer overflow conversion int64 -> int32 (Confidence: MEDIUM, Severity: HIGH)
    245:        b, _ := strconv.ParseInt(rrggbb[5:7], 16, 0)
  > 246:        return Color((1 << 24) + (r << 16) + (g << 8) + b)
    247: }

Autofix:

[...]

[/tmp/fzf/src/util/util_unix.go:68] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
    67:         SetStdin(stdin)
  > 68:         syscall.Exec(shellPath, args, environ)
    69: }

Autofix:

[...]

[/tmp/fzf/src/tui/light_unix.go:50] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    49:                 if len(tty) > 0 {
  > 50:                         if in, err := os.OpenFile(tty, mode, 0); err == nil {
    51:                                 return in, nil

Autofix:

[/tmp/fzf/src/tui/light_unix.go:46] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    45: func openTty(mode int) (*os.File, error) {
  > 46:         in, err := os.OpenFile(consoleDevice, mode, 0)
    47:         if err != nil {

Autofix:

[/tmp/fzf/src/proxy_unix.go:34] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    33: func withInputPipe(input string, task func(io.WriteCloser)) error {
  > 34:         inputFile, err := os.OpenFile(input, os.O_WRONLY, 0)
    35:         if err != nil {

Autofix:

[/tmp/fzf/src/proxy_unix.go:24] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    23: func withOutputPipe(output string, task func(io.ReadCloser)) error {
  > 24:         outputFile, err := os.OpenFile(output, os.O_RDONLY, 0)
    25:         if err != nil {

Autofix:

[...]

Summary:
  Gosec  : dev
  Files  : 42
  Lines  : 16770
  Nosec  : 0
  Issues : 101
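The three finding classes shown above are the ones that dominate a first gosec run on most Go projects, and each has a standard remediation pattern: G115 (CWE-190) is cleared by a range check before the narrowing conversion, G204 (CWE-78) by an allow-list of programs plus argv-style exec with no shell, and G304 (CWE-22) by confining caller-supplied paths to a base directory. Where the input is provably bounded (two hex digits per colour channel cannot overflow an int32) or the variable path is the point of the program (opening a tty device, as in fzf), the finding is a false positive and should be recorded with a #nosec comment carrying the rule ID and a justification rather than silenced globally. The following is an added example written for this page; it is not fzf's code and not gosec output, and the allow-listed programs and the /srv/data base directory are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrOutOfRange is returned when an int64 does not fit into an int32.
var ErrOutOfRange = errors.New("value out of range for int32")

// ToInt32 narrows an int64 to int32 only when the value fits (addresses G115 / CWE-190).
// A bare int32(v) conversion silently wraps; this one fails closed instead.
func ToInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, ErrOutOfRange
	}
	return int32(v), nil
}

// ErrPathEscape is returned when a caller-supplied path would leave the base directory.
var ErrPathEscape = errors.New("path escapes base directory")

// SafeJoin resolves userPath under base and rejects anything that climbs out of it
// (addresses G304 / CWE-22). filepath.Join cleans the result, so ".." segments are
// collapsed before the check; filepath.Rel then tells us whether the cleaned path
// still lies below base. This is a lexical check only: it does not follow symlinks,
// so for symlink-aware confinement use os.Root (Go 1.24+) on the returned path.
func SafeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrPathEscape
	}
	full := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

// allowedCommands is the allow-list a reviewer expects next to a G204 finding.
// The entries here are assumed for the example, not taken from any project.
var allowedCommands = map[string]bool{
	"ls":  true,
	"git": true,
}

// ErrCommandNotAllowed is returned for a program outside the allow-list.
var ErrCommandNotAllowed = errors.New("command not in allow-list")

// BuildCommand constructs an exec.Cmd for an allow-listed program with the
// arguments passed as separate argv elements (addresses G204 / CWE-78).
// exec.Command never invokes /bin/sh, so metacharacters in args are inert;
// the injection risk only returns if someone wraps this in "sh -c".
func BuildCommand(program string, args ...string) (*exec.Cmd, error) {
	if !allowedCommands[program] {
		return nil, ErrCommandNotAllowed
	}
	return exec.Command(program, args...), nil
}

func main() {
	if _, err := ToInt32(1 << 40); err != nil {
		fmt.Println("ToInt32(1<<40):", err)
	}
	if _, err := SafeJoin("/srv/data", "../etc/passwd"); err != nil {
		fmt.Println("SafeJoin(../etc/passwd):", err)
	}
	if p, err := SafeJoin("/srv/data", "sub/file.txt"); err == nil {
		fmt.Println("SafeJoin(sub/file.txt):", p)
	}
	if cmd, err := BuildCommand("ls", "-l", "/tmp; id"); err == nil {
		fmt.Println("argv:", cmd.Args) // "/tmp; id" stays one literal argument
	}
	if _, err := BuildCommand("sh", "-c", "id"); err != nil {
		fmt.Println("BuildCommand(sh):", err)
	}
}
```

After the fix is in place, re-run gosec ./... and confirm the Issues count in the Summary drops for those rule IDs; a finding that remains because the behaviour is intended gets a // #nosec G304 -- <reason> comment on that line so the next run reports it under Nosec rather than Issues.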