Find vulnerabilities in Go

You can find vulnerabilities in your Go applications. You can scan Glide, go get, Go modules, Godep, Govendor, and Trash repositories using the command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging Go applications.

Scan your code

You can scan any code repository to which you have access and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

  • Glide: git clone https://github.com/veracode/example-go-glide
  • Go Get: git clone https://github.com/veracode/example-go-goget
  • Go Modules: git clone https://github.com/veracode/example-go-modules
  • Godep: git clone https://github.com/veracode/example-go-godep
  • Govendor: git clone https://github.com/veracode/example-go-govendor
  • Trash: git clone https://github.com/veracode/example-go-trash

After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Go code. Some scan directives are specific to Go projects.

Before you begin:

Scanning a repository that uses Go and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. Specifically, you must:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Go repository.
  • Use Go version 1.5 or later.
  • Ensure that the project can build in the environment where the agent performs scans.
  • Ensure that the GOROOT and GOPATH environment variables are set to the correct directories, and that the bin subdirectory of GOROOT is included in the PATH environment variable. For example, if GOROOT is set to /usr/local/go, you should include /usr/local/go/bin in your PATH. See the Go documentation for more information on configuring Go projects.
  • If you use Godep, Govendor, Glide, or Trash, ensure the package manager is installed.
  • For these tools, meet the specified requirement:
    • Glide: include the Glide.lock file
    • Go get: use Go version 1.5–1.15
    • Godep: include the Godeps/Godeps.json file
    • Golangdep: include the Gopkg.lock file
    • Govendor: include the vendor/vendor.json file
    • Trash: include the vendor.conf file
    • Go modules:
      • Run this command: go list -deps -json all
      • Run this command to add any missing modules required for the build: go mod tidy
      • To avoid downloading required packages during scanning, which slows the scan, run this command to download the packages before scanning: go mod vendor
      • Use the GOFLAGS environment variable to pass any arguments required for the build. For example: GOFLAGS='-buildvcs=false'

If you set FORCE_GO_INSTALL to true (as a scan directive or as an environment variable), or if you use the --url argument, the Veracode SCA agent runs specific commands to identify the dependencies and their versions in your project. You can run these commands before scanning to confirm that the agent can build the project:

  • Glide: glide install
  • Go get: go get -d ./...
  • Godep: godep restore
  • Govendor: govendor sync
  • Trash: trash
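The environment requirements and the pre-scan commands above can be checked with a small script before the agent is run, so that a build problem surfaces in your own shell rather than partway through a scan. The script below is an added example and is not part of the Veracode SCA agent: it verifies the GOROOT, GOPATH and PATH conditions, detects the package manager from the lock or manifest file each tool requires, and runs the command listed on this page for that tool (for Golangdep the page lists no command, so the script only reports the lock file). The file names it looks for and the fallback to go get when no manifest is found are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Veracode SCA agent: pre-scan checks for a Go
# repository, mirroring the requirements and commands listed on this page.

# check_go_env GOROOT PATH GOPATH
# Returns 0 when GOROOT and GOPATH are set and GOROOT/bin is on PATH.
check_go_env() {
  root="$1"; path_list="$2"; gopath="$3"
  [ -n "$root" ]   || { echo "GOROOT is not set" >&2; return 1; }
  [ -n "$gopath" ] || { echo "GOPATH is not set" >&2; return 1; }
  case ":$path_list:" in
    *":$root/bin:"*) return 0 ;;
    *) echo "$root/bin is not on PATH" >&2; return 1 ;;
  esac
}

# detect_go_manager DIR
# Prints which package manager the repository uses, judged by the lock or
# manifest file each tool requires (go get is assumed when none is found).
detect_go_manager() {
  dir="$1"
  if   [ -f "$dir/go.mod" ];             then echo modules
  elif [ -f "$dir/glide.lock" ];         then echo glide
  elif [ -f "$dir/Godeps/Godeps.json" ]; then echo godep
  elif [ -f "$dir/Gopkg.lock" ];         then echo dep
  elif [ -f "$dir/vendor/vendor.json" ]; then echo govendor
  elif [ -f "$dir/vendor.conf" ];        then echo trash
  else                                        echo goget
  fi
}

# prescan DIR
# Runs the dependency-assembly command the agent would run for the detected
# manager. Needs the Go toolchain and the relevant tool installed.
prescan() {
  dir="$1"
  mgr=$(detect_go_manager "$dir")
  echo "detected package manager: $mgr"
  ( cd "$dir" || exit 1
    case "$mgr" in
      modules)
        # GOFLAGS, if exported (e.g. GOFLAGS='-buildvcs=false'), applies to all three
        go list -deps -json all >/dev/null &&
        go mod tidy &&
        go mod vendor ;;
      glide)    glide install ;;
      godep)    godep restore ;;
      govendor) govendor sync ;;
      trash)    trash ;;
      goget)    go get -d ./... ;;
      dep)      echo "dep: Gopkg.lock present; no pre-scan command listed" ;;
    esac )
}

# Stand-alone use: sh prescan.sh path/to/project_folder
if [ -n "${1:-}" ]; then
  check_go_env "${GOROOT:-}" "$PATH" "${GOPATH:-}" && prescan "$1"
fi
```

Run it from the same shell session that will launch the scan, since the checks read that session's GOROOT, GOPATH, PATH and GOFLAGS; once it passes, the scan itself is unchanged (for example, FORCE_GO_INSTALL=true srcclr scan path/to/project_folder --loud).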

To complete this task:

At the command line, run the scan command pointed to the directory of the Go repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example vulnerable method

These example steps provide a fix for a method in golang.org/x/text that is vulnerable to a Denial of Service (DoS) attack. The library is included in the example-go-modules repository.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select your workspace.

  4. Select Projects.

  5. Select the veracode/example-go-modules project.

  6. From Issues, search for CVE-2021-38561 and select the issue number.

  7. Go to Vulnerable Methods, which shows that the Parse method is the vulnerable part of the library.

  8. To address the identified vulnerable method, do one of these tasks:

    • Change your code so that it behaves the same way without relying on this particular method.
    • Follow the provided instructions to update the library to a safe version.

  9. Validate the fix.
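If you take the second option in step 8 and update the library, step 9 can be validated from the repository itself: the go.mod file must now require golang.org/x/text at or above the fixed version named in the issue's fix instructions. The script below is an added example and is not Veracode's code. It reads the required version out of go.mod (both the one-line and the block form of require), compares it against a fixed version you pass in (the page does not state that version, so it is a placeholder supplied through FIXED_VERSION), and returns a non-zero status when the update has not taken effect, which makes it usable as a CI gate. The sample go.mod it writes, including its module names and versions, is constructed for the example, and the version comparison ignores pre-release and +incompatible suffixes as a simplification.

```shell
#!/bin/sh
# Added example, not Veracode's code: after updating the library (step 8),
# confirm that go.mod requires golang.org/x/text at or above the fixed version
# given in the issue's fix instructions (step 9).

# gomod_required_version GO_MOD MODULE_PATH
# Prints the version go.mod requires for MODULE_PATH, from either a
# one-line "require m vX" or an entry inside a "require ( ... )" block.
gomod_required_version() {
  awk -v m="$2" '
    $1 == "require" && $2 == m { print $3; exit }
    $1 == m && $2 ~ /^v[0-9]/  { print $2; exit }
  ' "$1"
}

# version_at_least A B
# Returns 0 when semantic version A >= B, comparing vMAJOR.MINOR.PATCH
# numerically. Pre-release and +incompatible suffixes are dropped, a
# simplification made for this example.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/[-+].*/, "", a); n = split(a, x, ".")
    sub(/^v/, "", b); sub(/[-+].*/, "", b); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_fix GO_MOD MODULE_PATH FIXED_VERSION
# Prints a verdict; returns 0 only when the required version is at or above
# FIXED_VERSION (1 when it is older, 2 when the module is not a requirement).
check_fix() {
  v=$(gomod_required_version "$1" "$2")
  if [ -z "$v" ]; then
    echo "$2: not a direct requirement in $1"; return 2
  elif version_at_least "$v" "$3"; then
    echo "$2 $v: at or above fixed version $3"; return 0
  else
    echo "$2 $v: below fixed version $3, update still needed"; return 1
  fi
}

# write_sample_gomod
# Writes a constructed go.mod (module paths and versions are made up for this
# example) to a temporary file and prints its path.
write_sample_gomod() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
module example.com/sample

go 1.17

require (
    github.com/example/other v1.2.0
    golang.org/x/text v0.3.6
)
EOF
  echo "$f"
}

# Stand-alone use, with the version from the Veracode fix instructions:
#   FIXED_VERSION=<fixed version> sh check_fix.sh path/to/go.mod
if [ -n "${1:-}" ] && [ -n "${FIXED_VERSION:-}" ]; then
  check_fix "$1" golang.org/x/text "$FIXED_VERSION"
fi
```

Run it after go get of the updated module and go mod tidy, then rescan with the agent so the Veracode Platform confirms the issue no longer appears for the project.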