Scanning Go source for vulnerabilities with gosec

Intro
In my post about Scanning Go Dependencies for Vulnerabilities, we saw that a tool named Nancy can look for known vulnerabilities in the third-party libraries we depend on.
Now, what about finding vulnerabilities in our own code?
gosec is a tool worth exploring for exactly that.
gosec in a nutshell
Gosec is a static analyzer: it walks the Go AST of our source code and looks for known insecure patterns. The issues it reports include:
- Hardcoded credentials
- Injection risks, such as SQL queries built by string formatting or concatenation
- Weak cryptography (MD5, SHA-1, DES, RC4, predictable random numbers)
- Implicit memory aliasing, such as taking the address of a range loop variable
- Unhandled errors
- and many more
Furthermore, gosec reports both a Confidence and a Severity for every issue it finds.
Finally, note that gosec also reports code that does not compile.
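To make the categories above concrete, here is an added example (not code from the original post or from gosec itself) that pairs the pattern each rule family reports with a fix that passes the scan: hardcoded credentials (G101), unhandled errors (G104), weak hashing (G401/G501) and predictable random numbers (G404). The constant name, the DB_PASSWORD variable and the "hunter2" placeholder are assumptions made for the illustration.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	mrand "math/rand"
	"os"
	"strconv"
)

// Each pair below is a constructed illustration: the first function is the
// pattern a gosec rule reports, the second is a fix that rule accepts.

// G101 (hardcoded credentials): gosec keys on variable names like this one
// paired with a string literal. The value is a placeholder for this example.
const dbPassword = "hunter2"

func dbPasswordHardcoded() string { return dbPassword }

// Fix: read the secret from the environment (or a secret manager) and fail
// closed when it is missing, instead of shipping it inside the binary.
func dbPasswordFromEnv() (string, error) {
	pw, ok := os.LookupEnv("DB_PASSWORD")
	if !ok || pw == "" {
		return "", errors.New("DB_PASSWORD is not set")
	}
	return pw, nil
}

// G104 (unhandled errors): the dropped error turns bad input into a default,
// so "abc" silently becomes port 0.
func parsePortUnchecked(s string) int {
	n, _ := strconv.Atoi(s)
	return n
}

// Fix: propagate the error and validate the range.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, fmt.Errorf("invalid port %q: %w", s, err)
	}
	if n < 1 || n > 65535 {
		return 0, fmt.Errorf("port %d out of range", n)
	}
	return n, nil
}

// G401/G501 (weak cryptography): MD5 is not collision resistant.
func weakDigest(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// Fix: SHA-256 for integrity. (For stored passwords use a dedicated KDF such
// as bcrypt or argon2 rather than any plain hash.)
func strongDigest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// G404 (insecure random): math/rand is a predictable generator, so a token
// built from it can be guessed by an attacker.
func weakToken(nBytes int) string {
	buf := make([]byte, nBytes)
	for i := range buf {
		buf[i] = byte(mrand.Intn(256))
	}
	return hex.EncodeToString(buf)
}

// Fix: crypto/rand, and the read error is checked (dropping it would be G104).
func sessionToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	fmt.Println("hardcoded password:", dbPasswordHardcoded())
	if _, err := dbPasswordFromEnv(); err != nil {
		fmt.Println("env lookup        :", err)
	}
	fmt.Println("unchecked port    :", parsePortUnchecked("abc"))
	if _, err := parsePort("abc"); err != nil {
		fmt.Println("checked port      :", err)
	}
	fmt.Println("md5               :", weakDigest([]byte("hello")))
	fmt.Println("sha256            :", strongDigest([]byte("hello")))
	fmt.Println("math/rand token   :", weakToken(16))
	if tok, err := sessionToken(16); err == nil {
		fmt.Println("crypto/rand token :", tok)
	}
}
```

Running gosec over a file like this reports the first function of each pair and stays quiet on the second; the `// #nosec` annotation gosec honours should be reserved for findings you have actually reviewed, not used to silence the report.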
Installing and running gosec
Time to see gosec in action. This week's selected open-source project is Kubernetes, the well-known container orchestration platform.
Installing and running gosec were straightforward. The output is very large, so let's cover just a portion of it.
gosec -fmt=text -out=results.txt ./...
With this command, gosec scans every package under the current directory (the ./... pattern) and writes the results in text format to the file results.txt.
Analyzing the output
First, let’s look at the summary:

Now that is a lot of issues! But keep in mind that many of them are minor. The report is around 34,500 lines long!
One important thing to note is that, by default, gosec sorts the output so that the most severe issues come first.
Before the issues themselves come the compile errors that were found (yes, we found some); here is an example:

An important point is that gosec ranks each issue with a Severity level and a Confidence level.
Both can be LOW, MEDIUM, or HIGH.
Like any static analyzer, gosec can be wrong, which is why every issue carries a confidence level: the higher the confidence, the less likely the finding is a false positive.
The severity reflects how bad the problem is if the finding is real, which is how much you should worry about it.
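Severity and confidence are the two axes to triage a 34,500-line report on. Here is an added example (not part of the original post or of gosec) that reads a gosec report produced with -fmt=json instead of -fmt=text, sorts issues by severity then confidence, filters to a floor on both, and counts issues per severity. The embedded report is constructed for this example and is not Kubernetes output, and the JSON field names it relies on ("Issues", severity, confidence, rule_id, details, file, line) are this example's assumption about gosec's JSON format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// gosecReport mirrors the shape of gosec's -fmt=json output for the fields
// used here. The field names are an assumption of this example.
type gosecReport struct {
	Issues []gosecIssue `json:"Issues"`
}

type gosecIssue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
}

// sampleReport is constructed for this example; it is not real scan output.
const sampleReport = `{"Issues":[
 {"severity":"LOW","confidence":"HIGH","rule_id":"G104","details":"Errors unhandled.","file":"plan.go","line":"42"},
 {"severity":"HIGH","confidence":"MEDIUM","rule_id":"G204","details":"Subprocess launched with variable","file":"exec.go","line":"17"},
 {"severity":"MEDIUM","confidence":"HIGH","rule_id":"G401","details":"Use of weak cryptographic primitive","file":"hash.go","line":"9"},
 {"severity":"HIGH","confidence":"HIGH","rule_id":"G101","details":"Potential hardcoded credentials","file":"cfg.go","line":"3"}
]}`

// rank orders the three levels gosec uses for both severity and confidence.
var rank = map[string]int{"LOW": 0, "MEDIUM": 1, "HIGH": 2}

// parseReport decodes a gosec JSON report into its list of issues.
func parseReport(data []byte) ([]gosecIssue, error) {
	var r gosecReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("decode gosec report: %w", err)
	}
	return r.Issues, nil
}

// triage keeps issues at or above the given severity and confidence floors
// and orders them most severe first, using confidence as the tie-breaker,
// so that HIGH/HIGH findings are the first thing a reviewer sees.
func triage(issues []gosecIssue, minSeverity, minConfidence string) []gosecIssue {
	var out []gosecIssue
	for _, is := range issues {
		if rank[is.Severity] >= rank[minSeverity] && rank[is.Confidence] >= rank[minConfidence] {
			out = append(out, is)
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		if rank[out[i].Severity] != rank[out[j].Severity] {
			return rank[out[i].Severity] > rank[out[j].Severity]
		}
		return rank[out[i].Confidence] > rank[out[j].Confidence]
	})
	return out
}

// countBySeverity gives the per-level totals you want before opening a huge report.
func countBySeverity(issues []gosecIssue) map[string]int {
	counts := map[string]int{}
	for _, is := range issues {
		counts[is.Severity]++
	}
	return counts
}

func main() {
	issues, err := parseReport([]byte(sampleReport))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("per severity:", countBySeverity(issues))
	for _, is := range triage(issues, "HIGH", "MEDIUM") {
		fmt.Printf("%s:%s %s [%s/%s] %s\n", is.File, is.Line, is.RuleID, is.Severity, is.Confidence, is.Details)
	}
}
```

gosec itself can apply the same floors at scan time with its -severity and -confidence flags (for example -severity=high -confidence=high), which is the quickest way to cut the Kubernetes report down to the findings worth reading first; the point of doing it in code is to keep the full report for later passes over the lower tiers.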
Let's take a look at an example of a high severity issue:

Now let’s look at the end of the file:

We can see here that an error is not handled in the file plan.go. Gosec gives this issue High confidence and Low severity.
Many of the findings at the bottom of the report are simply unhandled errors (rule G104), which are low severity but still worth addressing. For more detail about the output, I encourage you to run the scan yourself.