Table of contents
- Dependencies
- Dependency package information
- Inspecting a given package's dependencies
- Version dependencies: vulnerability scanning
- Looking up vulnerabilities for a given dependency
- Code security
- Comment security
Dependencies
Dependency package information
Imported in the import block at the head of each Go file
Summarised in go.mod and go.sum
Note: dependencies introduced and accumulated over the project's history do not necessarily reflect what the code actually references; developers need to review and maintain them
Inspecting a given package's dependencies
This command must be run from the project root; it cannot inspect the dependencies of a specific package version
% go mod why -m golang.org/x/net
Viewing the dependency graph
go mod graph lists every dependency edge, which is hard to read
The visualisation tool https://github.com/PaulXu-cn/go-mod-graph-chart can be used instead
# install and use the tool
% go install github.com/PaulXu-cn/go-mod-graph-chart/gmchart@latest
% cd <path to the Go project>
% go mod graph | gmchart
# view the dependency graph in the browser that opens: search for a package version and click a node to see its relationships
Version dependencies: vulnerability scanning
Go vulnerability scanner: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
# install the tool
% go install golang.org/x/vuln/cmd/govulncheck@latest
# change into the project directory and start the scan
% govulncheck ./...
The results can contain false positives: 1. defects in the scanner itself, so cross-check the listed vulnerability details before acting; 2. the scanned project still carries imports it no longer uses; 3. the Go version in the scanning environment does not meet the requirements
Scanning your code and xxx packages across yyy dependent modules for known vulnerabilities...
Vulnerability #1: GO-2023-1987
Large RSA keys can cause high CPU usage in crypto/tls
More info: https://pkg.go.dev/vuln/GO-2023-1987
Standard library
Found in: crypto/tls@go1.20.6
Fixed in: crypto/tls@go1.21rc4
Example traces found:
#1: internal/whttp/whttp.go:400:24: whttp.sWhttp.UploadFile calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext
=== Informational ===
Found 2 vulnerabilities in packages that you import, but there are no call
stacks leading to the use of these vulnerabilities. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2023-1988
Improper rendering of text nodes in golang.org/x/net/html
More info: https://pkg.go.dev/vuln/GO-2023-1988
Module: golang.org/x/net
Found in: golang.org/x/net@v0.12.0
Fixed in: golang.org/x/net@v0.13.0
Vulnerability #2: GO-2020-0017
Authorization bypass in github.com/dgrijalva/jwt-go
More info: https://pkg.go.dev/vuln/GO-2020-0017
Module: github.com/dgrijalva/jwt-go
Found in: github.com/dgrijalva/jwt-go@v3.2.0+incompatible
Fixed in: N/A
Your code is affected by 1 vulnerability from the Go standard library.
Share feedback at https://go.dev/s/govulncheck-feedback.
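The report above separates vulnerabilities your code actually calls from the "Informational" ones that are only imported. As an added example (not code from the page or from the govulncheck project), this small Go program makes that triage automatic by reading the machine-readable output of `govulncheck -json`; the `finding`/`osv`/`trace` field names follow govulncheck's JSON format, and the input stream is constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Finding mirrors the "finding" records of `govulncheck -json` (tool field names; only the fields used here).
type Finding struct {
	OSV   string `json:"osv"`
	Trace []struct {
		Module   string `json:"module"`
		Package  string `json:"package"`
		Function string `json:"function"`
	} `json:"trace"`
}

// Triage reads a govulncheck JSON stream and reports, per OSV id, whether a
// symbol-level finding exists (the trace starts at a vulnerable function, so
// your code really calls it); false means the module or package is merely
// imported, which govulncheck prints under "Informational".
func Triage(r io.Reader) (map[string]bool, error) {
	reached := map[string]bool{}
	dec := json.NewDecoder(r) // the stream is a sequence of JSON objects
	for {
		var msg struct{ Finding *Finding `json:"finding"` } // nil for non-finding records
		if err := dec.Decode(&msg); err == io.EOF {
			return reached, nil
		} else if err != nil {
			return nil, err
		}
		if f := msg.Finding; f != nil {
			reached[f.OSV] = reached[f.OSV] || (len(f.Trace) > 0 && f.Trace[0].Function != "")
		}
	}
}

// sampleStream is a constructed govulncheck -json excerpt, not real tool output.
const sampleStream = `{"config":{"protocol_version":"v1.0.0"}}
{"finding":{"osv":"GO-2023-1987","trace":[{"module":"stdlib","package":"crypto/tls"}]}}
{"finding":{"osv":"GO-2023-1987","trace":[{"module":"stdlib","package":"crypto/tls","function":"HandshakeContext"},{"module":"example.com/app","package":"example.com/app/internal/whttp","function":"UploadFile"}]}}
{"finding":{"osv":"GO-2023-1988","trace":[{"module":"golang.org/x/net"}]}}
{"finding":{"osv":"GO-2020-0017","trace":[{"module":"github.com/dgrijalva/jwt-go","package":"github.com/dgrijalva/jwt-go"}]}}`

func main() {
	reached, err := Triage(strings.NewReader(sampleStream))
	fmt.Println(reached, err) // true = needs action, false = informational only
}
```

Pipe real output in with `govulncheck -json ./... | go run triage.go` after replacing the embedded sample with `os.Stdin`.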
Looking up vulnerabilities for a given dependency
Online site: https://deps.dev/
Enter the package name in the search box
Example result: https://deps.dev/advisory/osv/GHSA-qvqg-6rp8-4p9h
Shows the vulnerability description, affected versions and severity
Drawback: cannot search by package version
Code security
Security issue scanner: securego/gosec: Golang security checker - https://github.com/securego/gosec
# install the tool
% go install github.com/securego/gosec/v2/cmd/gosec@latest
# change into the project directory and scan with selected rules only
% gosec -include=G101,G203,G401 ./...
# by default every rule is run
% gosec ./...
Supported rules (gosec's "Available rules" list):
G101: Look for hard coded credentials
G102: Bind to all interfaces
G103: Audit the use of unsafe block
G104: Audit errors not checked
G106: Audit the use of ssh.InsecureIgnoreHostKey
G107: Url provided to HTTP request as taint input
G108: Profiling endpoint automatically exposed on /debug/pprof
G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
G110: Potential DoS vulnerability via decompression bomb
G111: Potential directory traversal
G112: Potential slowloris attack
G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
G114: Use of net/http serve function that has no support for setting timeouts
G201: SQL query construction using format string
G202: SQL query construction using string concatenation
G203: Use of unescaped data in HTML templates
G204: Audit use of command execution
G301: Poor file permissions used when creating a directory
G302: Poor file permissions used with chmod
G303: Creating tempfile using a predictable path
G304: File path provided as taint input
G305: File traversal when extracting zip/tar archive
G306: Poor file permissions used when writing to a new file
G401: Detect the usage of DES, RC4, MD5 or SHA1
G402: Look for bad TLS connection settings
G403: Ensure minimum RSA key length of 2048 bits
G404: Insecure random number source (rand)
G501: Import blocklist: crypto/md5
G502: Import blocklist: crypto/des
G503: Import blocklist: crypto/rc4
G504: Import blocklist: net/http/cgi
G505: Import blocklist: crypto/sha1
G601: Implicit memory aliasing of items from a range statement
G602: Slice access out of bounds
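As an added example (not code from the page or from the gosec project), two rules from the `-include` list above with the flagged pattern beside its fix: G203 (caller-controlled data wrapped in template.HTML bypasses html/template's escaping) and G401 (MD5 where a collision-resistant hash is needed). The template and sample inputs are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"html/template"
)

var page = template.Must(template.New("p").Parse(`<p>Hello {{.}}</p>`))

// RenderFlagged is the pattern G203 reports: wrapping caller-controlled text in
// template.HTML declares it trusted markup, so html/template inserts it verbatim.
func RenderFlagged(name string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, template.HTML(name)) // G203: unescaped data in HTML template
	return buf.String(), err
}

// RenderFixed passes the plain string; html/template escapes it for the HTML
// text context it lands in.
func RenderFixed(name string) (string, error) {
	var buf bytes.Buffer
	err := page.Execute(&buf, name)
	return buf.String(), err
}

// FingerprintFlagged is the pattern G401 (and the import rule G501) reports.
func FingerprintFlagged(data []byte) string {
	sum := md5.Sum(data) // G401: MD5 is not collision resistant
	return hex.EncodeToString(sum[:])
}

// FingerprintFixed does the same job with SHA-256, which the rules accept.
func FingerprintFixed(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	for _, render := range []func(string) (string, error){RenderFlagged, RenderFixed} {
		out, err := render("<b>x</b>") // flagged: markup untouched; fixed: &lt;b&gt;x&lt;/b&gt;
		fmt.Println(out, err)
	}
	fmt.Println(FingerprintFlagged([]byte("abc")), FingerprintFixed([]byte("abc")))
}
```

Running `gosec -include=G203,G401 .` on this file reports the two lines marked in the comments and nothing in the fixed versions.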
Stricter security rules:
Taken from: https://jira.opencord.org/browse/VOL-4163?gerritIssueStatus=Open
Although gosec is enabled in golangci, running gosec ./... on some Go repositories produces issues that are not visible in golangci.
The reason is that golangci disables some issues by default (it regards them as "false positives"), and other gosec issues are disabled directly in the code.
For projects with very high security requirements, it is advisable to define stricter gosec rules.
The "exclude-use-default" flag needs to be disabled, for example
# .golangci.yml
...
issues:
  exclude-use-default: false # decide about false positives yourself
...
See https://golangci-lint.run/usage/configuration/
Lines such as //nolint:gosec need to be removed to lift the rule exclusions
Comment security
Part of the source is recoverable after decompiling a Go binary, and code comments can leak sensitive information
Go supports the usual single-line and multi-line comments, // and /* ... */
Checking comments
grep -r "//" .
# the * must be escaped: an unescaped "/*" is a regex for "zero or more slashes" and matches every line
grep -r "/\*" .
grep -r "//" . | grep -E "password|secret|key"
Or extract the comments with tooling
# install the tool https://github.com/golang/tools
%go install golang.org/x/tools/cmd/goimports@latest
# use go doc https://pkg.go.dev/cmd/doc
%go doc -all
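The grep commands above also match "//" inside string literals such as URLs and cannot follow a /* */ block across lines. As an added example (not code from the page or from the golang/tools project), this Go program extracts comments with the standard go/parser package and flags those mentioning credential-like words; the keyword list and the embedded sample file are constructed for the demo.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// secretHint lists words that commonly sit next to a leaked credential.
var secretHint = regexp.MustCompile(`(?i)\b(password|passwd|secret|api[_-]?key|token|private[_-]?key)\b`)

// Suspicious parses one Go source file and returns "file:line: text" for each
// comment group mentioning a credential-like word. Unlike grep, go/parser skips
// "//" inside string literals (URLs) and handles /* */ blocks spanning lines.
func Suspicious(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, cg := range f.Comments {
		text := strings.TrimSpace(cg.Text()) // comment markers already stripped
		if secretHint.MatchString(text) {
			pos := fset.Position(cg.Pos())
			hits = append(hits, fmt.Sprintf("%s:%d: %s", pos.Filename, pos.Line, text))
		}
	}
	return hits, nil
}

// sampleSrc is a constructed file: two leaky comments, a benign one, and a URL whose "//" would trip grep.
const sampleSrc = `package demo

// connectDB opens the reporting database.
// TODO remove before release: password is example-only
func connectDB() string {
	return "https://example.invalid/path" // a URL, not a leak
}

/* legacy: api_key=abc123 kept here for the migration script */
var legacy = 1
`

func main() {
	hits, err := Suspicious("demo.go", sampleSrc)
	fmt.Println(strings.Join(hits, "\n"), err)
}
```

To scan a whole tree, walk the directory with filepath.WalkDir and call Suspicious on each .go file's contents.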