Scanning Go dependencies for vulnerabilities

Jcdan
2 min read · Dec 18, 2021

Intro

This week has been the theatre of a zero-day exploit: a critical security flaw found in Log4j.

Log4j is a free Java library widely used in software around the world.

The truth is that in modern software development projects, it's very rare not to use external dependencies, which are often free and open source.

In this post, we will explore a solution to lower the risk of having such vulnerabilities in our third-party Golang libraries. The solution is called nancy and is free and open source.

Running Nancy on our repo

There are a few ways to get started with Nancy, but we are going to focus on simply building the code ourselves!

First, we need to clone the repo from GitHub and build the binaries ourselves. Simply do the following:

Second, we move to the root of the repository we want to inspect and run nancy from there. In this case, let's inspect the open-source docker-compose repo.

go list -json -deps ./...

Lists the packages your project uses (and their dependencies) and outputs them as JSON.

It looks recursively in all directories for .go files because we passed ./... as the package pattern.

go list -json -deps ./... | nancy sleuth > nancy_scan_results.txt

This pipes the output of the first command into nancy sleuth and writes the scan results to the file nancy_scan_results.txt.
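To make clear what nancy actually receives on stdin, here is an added example (not part of the original post and not nancy's own code) that decodes the stream of concatenated JSON objects `go list -json -deps ./...` writes and reduces it to the distinct third-party module@version pairs, which is the unit a scanner matches against its vulnerability data. The standard library and the main module are skipped, and when a replace directive is in effect the replacement is reported, since that is what actually gets compiled. The sample input embedded below is constructed by hand to imitate the shape of `go list` output; the module paths and versions in it are illustrative only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of the fields that `go list -json -deps` emits per package;
// the decoder silently ignores everything else.
type goListPackage struct {
	ImportPath string        `json:"ImportPath"`
	Standard   bool          `json:"Standard"`
	Module     *goListModule `json:"Module"`
}

type goListModule struct {
	Path    string        `json:"Path"`
	Version string        `json:"Version"`
	Main    bool          `json:"Main"`
	Replace *goListModule `json:"Replace"`
}

// Dependency is one third-party module pinned to a version.
type Dependency struct {
	Path    string
	Version string
}

// ThirdPartyModules reads the concatenated JSON objects that
// `go list -json -deps ./...` prints and returns the distinct external
// modules, sorted by path then version. Standard-library packages and
// the main module are excluded; a replaced module is reported as its
// replacement.
func ThirdPartyModules(r io.Reader) ([]Dependency, error) {
	dec := json.NewDecoder(r) // handles back-to-back objects without a wrapping array
	seen := map[Dependency]struct{}{}
	for {
		var pkg goListPackage
		err := dec.Decode(&pkg)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if pkg.Standard || pkg.Module == nil || pkg.Module.Main {
			continue
		}
		mod := pkg.Module
		if mod.Replace != nil {
			mod = mod.Replace
		}
		seen[Dependency{Path: mod.Path, Version: mod.Version}] = struct{}{}
	}
	deps := make([]Dependency, 0, len(seen))
	for d := range seen {
		deps = append(deps, d)
	}
	sort.Slice(deps, func(i, j int) bool {
		if deps[i].Path != deps[j].Path {
			return deps[i].Path < deps[j].Path
		}
		return deps[i].Version < deps[j].Version
	})
	return deps, nil
}

// sampleGoListOutput is a constructed, trimmed-down imitation of what
// `go list -json -deps ./...` prints for a tiny project. It is not real output.
const sampleGoListOutput = `
{"ImportPath": "fmt", "Standard": true}
{"ImportPath": "example.com/app", "Module": {"Path": "example.com/app", "Main": true}}
{"ImportPath": "github.com/spf13/cobra", "Module": {"Path": "github.com/spf13/cobra", "Version": "v1.2.1"}}
{"ImportPath": "github.com/spf13/cobra/doc", "Module": {"Path": "github.com/spf13/cobra", "Version": "v1.2.1"}}
{"ImportPath": "golang.org/x/text/unicode/norm", "Module": {"Path": "golang.org/x/text", "Version": "v0.3.6"}}
{"ImportPath": "gopkg.in/yaml.v3", "Module": {"Path": "gopkg.in/yaml.v3", "Version": "v3.0.0",
  "Replace": {"Path": "example.com/forks/yaml", "Version": "v3.0.0-fix"}}}
`

func main() {
	// Use real `go list -json -deps ./...` output when it is piped in;
	// otherwise fall back to the constructed sample so the program runs stand-alone.
	var in io.Reader = os.Stdin
	if fi, err := os.Stdin.Stat(); err != nil || fi.Mode()&os.ModeCharDevice != 0 {
		in = strings.NewReader(sampleGoListOutput)
	}
	deps, err := ThirdPartyModules(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, d := range deps {
		fmt.Printf("%s@%s\n", d.Path, d.Version)
	}
}
```

Run it as `go list -json -deps ./... | go run listdeps.go` (the file name is assumed) to see exactly which modules a scan covers; the two cobra packages collapse into one entry, and the yaml module shows up under its replacement path, which is worth checking because a replace pointing at an unscanned fork is an easy way to hide a vulnerable version from a scanner.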

Looking at the output file, we see no vulnerabilities found in docker-compose, good job!

A vulnerability was found, what do I do?

Don't panic! The first thing to do is to go straight to Google, armed with your dependency name and version, and see if the issue was fixed in a later release.

Chances are it was fixed, and you can simply update the module with a go get.

If it was not, consider the following:

  • Use a different package that suits your needs
  • Reach out to the developer
  • Fork the repo and fix it yourself!


Jcdan

Experienced software developer on a quest to democratize software development. More here: https://www.linkedin.com/in/jcdansereau