Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode
Details
We had a great meetup last month! We hope you can join us via Zoom. Grab a snack and a beverage, and let's recreate that in-person meetup feel. The first 30 minutes will be open discussion with food and drink, then we'll start the presentation.
This month's meeting is virtual due to current recommendations from local, state, federal, and international sources to slow the spread of COVID-19. We will continue to meet virtually until we can safely meet in-person.
-- Presentation --
Go 1.13 introduced important security features for Go Modules, including a checksum database (checksumdb). Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.
As background, when a developer creates a new module or a new version of an existing module in Go 1.13, the go.sum file included in the module lists SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database, where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, Deep will go over the behavior of the checksum database, how it protects Go modules, and how JFrog is building new tools to keep modules safe in VSCode.
Deep Datta
Community Product Manager
Deep Datta is a Product Manager with JFrog managing GoCenter, the central Go modules repository. He loves encouraging diversity in tech and he has a passion for helping people join open source communities. Before JFrog he helped build and manage open source programs at Indeed and Benetech.org. Outside of work, Deep likes to travel the world, go to live music events, learn Golang, and find beautiful places to go hiking.
Agenda
- 6pm - 6:30pm: Networking, food & drink, and announcements
- 6:30pm - 7:15pm: Security of Go Modules and Vulnerability Scanning in GoCenter and VSCode - Deep Datta
- 7:15pm - 8:00pm: Open Discussion
Interested in sharing at an upcoming meetup? We'd love to hear what you have to share! Contact the meetup organizers to get the ball rolling!
https://www.meetup.com/golangmn/members/?op=leaders
If anyone has any problems or questions, feel free to text or call:
- Jesse Lang - 612-568-8380
- Jack Spirou - 630-715-4302
Additional Resources
For Go-specific events, announcements, training, and jobs in Minneapolis, check out this document (http://bit.ly/minneapolis-golang)!
Slack Channel for Gophers - gophers.slack.com (http://gophers.slack.com/)
To get added, fill out the invite form here:
https://gophersinvite.herokuapp.com/
Join the local channel: https://gophers.slack.com/messages/minneapolis/
Go Forum - forum.golangbridge.org (http://forum.golangbridge.org/)
GoBridge (https://twitter.com/golangbridge) is dedicated to building bridges that educate underrepresented communities to teach technical skills and foster diversity in Go.
Special Offers
Get 50% off most ebooks + videos and 40% off most print books from @oreillymedia by using code PCBW http://oreil.ly/1gETXNy
Go OSS Help Wanted Projects (https://github.com/corylanou/oss-helpwanted) - Check out this repo if you want to contribute to open source Go projects. Most projects are labeled for easy/medium/hard issues as well.
How to run a Go Meetup (https://github.com/corylanou/go-meetup) - This is a great resource on how to run a Go meetup and resources to help you run your meetup.
Announcement Reminders:
• Thank You!
• Where are the bathrooms
• Host Announcements
• Job Openings / Hiring Announcements
• Events / Training
• Announce next meetup