List your dependencies' capabilities and monitor whether updates require more capabilities.

Overview

A take on supply chain security in Go

List your dependencies' capabilities and monitor whether dependency updates require more capabilities.

The Problem

Recently, several attacks and other incidents involving open-source dependencies have highlighted a severe problem with dependencies:

Every imported package effectively gives that package's author remote code execution in your software.

The Idea

A video on WASI by linclark gave me the idea: how cool would it be if we could pass permissions to our dependencies?

In Go this could look something like this:

module github.com/cugu/gocap

go 1.20

require (
	github.com/go-chi/chi       v5.0.7   (network:read)
	github.com/mattn/go-sqlite3 v1.14.10 (file:read, file:write)
	github.com/sirupsen/logrus  v1.8.1   (os:stdout)
	github.com/yuin/goldmark    v1.4.4   ()
)

chi would be able to receive network requests, go-sqlite3 would be able to read and write files, and logrus could write to stdout. At the same time, each of those modules would be limited to exactly those capabilities: the logging library logrus, for example, could not touch files or the network, or execute code.

Changes in dependencies would become much less critical in many cases, as a potential attacker would have little attack surface beyond stealing your CPU cycles.

A simpler but working approach: GoCap

Implementing the approach above would require changes to Go itself. So I came up with another, simpler approach: GoCap. GoCap checks and validates the source code of dependencies for the capabilities they use and is meant to be included in the testing phase of the build process. This way GoCap can at least pin the capabilities of dependencies.

GoCap provides simple capability checking for Go using a go.cap file. The go.cap file lists all package dependencies that require critical permissions like file access, execution rights or network access. Unlike the idea above, GoCap works on packages, not modules, and capabilities are derived from the standard-library packages each package imports.

The go.cap file for GoCap itself looks like this:

github.com/cugu/gocap (execute, file)

github.com/alecthomas/kong (file, syscall)
github.com/pkg/errors (runtime)

Install GoCap

You can download a release or run

go install github.com/cugu/[email protected]

gocap generate

gocap generate <path> prints a valid go.cap file. It lists all dependency packages that require critical permissions like file access, execution rights or network access.

Example

gocap generate github.com/cugu/gocap > go.cap

go.cap

github.com/cugu/gocap (execute, file)

github.com/alecthomas/kong (file, syscall)
github.com/pkg/errors (runtime)

gocap check

gocap check <path> compares a local go.cap file with the capabilities actually required by the dependency packages. Any mismatch results in a non-zero exit code, so you can use gocap check in your CI pipelines. See ci.yml for a working example.

Example

gocap check .

Output

github.com/alecthomas/kong
	capability 'syscall' not provided by go.cap file, add to go.cap file if you want to grant the capability
github.com/pkg/errors
	unnecessary capability 'network', please remove from go.cap file
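To make the generate and check steps above concrete, here is a small, self-contained model of them. This is an added example, not GoCap's own code: the go.cap parser, the capability diff and the message wording follow the format and output shown on this page, while the table mapping standard-library imports to capability names (stdlibCaps) and the sample import lists are assumptions constructed for the example, not GoCap's real rules. A malformed go.cap line is rejected rather than ignored, so a mangled file fails the check instead of silently granting capabilities.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Capabilities maps a package import path to the set of capability names it
// is granted (from go.cap) or requires (derived from its imports).
type Capabilities map[string]map[string]bool

// stdlibCaps is an ASSUMED mapping, written for this example only, from
// standard-library import paths to the capability they imply. GoCap's real
// table is not on this page; only the capability names match its output.
var stdlibCaps = map[string]string{
	"os":       "file",
	"os/exec":  "execute",
	"net":      "network",
	"net/http": "network",
	"syscall":  "syscall",
	"runtime":  "runtime",
	"unsafe":   "runtime",
}

// ParseGoCap parses go.cap text, one "import/path (cap, cap)" entry per line.
// Blank lines are skipped and "()" grants nothing; anything else is an error.
func ParseGoCap(text string) (Capabilities, error) {
	caps := Capabilities{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		open := strings.IndexByte(line, '(')
		if open < 1 || !strings.HasSuffix(line, ")") {
			return nil, fmt.Errorf("go.cap line %d: want \"pkg (cap, ...)\", got %q", n, line)
		}
		set := map[string]bool{}
		for _, c := range strings.Split(line[open+1:len(line)-1], ",") {
			if c = strings.TrimSpace(c); c != "" {
				set[c] = true
			}
		}
		caps[strings.TrimSpace(line[:open])] = set
	}
	return caps, sc.Err()
}

// RequiredCaps derives each package's required capabilities from the
// standard-library packages it imports (the "generate" step).
func RequiredCaps(imports map[string][]string) Capabilities {
	req := Capabilities{}
	for pkg, deps := range imports {
		set := map[string]bool{}
		for _, d := range deps {
			if c, ok := stdlibCaps[d]; ok {
				set[c] = true
			}
		}
		req[pkg] = set
	}
	return req
}

// Format renders Capabilities as go.cap text, sorted, omitting packages that
// need no critical capability, as "gocap generate" does.
func Format(caps Capabilities) string {
	var b strings.Builder
	for _, pkg := range sortedKeys(caps) {
		if len(caps[pkg]) > 0 {
			fmt.Fprintf(&b, "%s (%s)\n", pkg, strings.Join(sortedSet(caps[pkg]), ", "))
		}
	}
	return b.String()
}

// Check compares granted (go.cap) against required and returns one message per
// mismatch in gocap's wording; an empty result means go.cap is in sync.
func Check(granted, required Capabilities) []string {
	var msgs []string
	all := Capabilities{}
	for pkg := range granted {
		all[pkg] = nil
	}
	for pkg := range required {
		all[pkg] = nil
	}
	for _, pkg := range sortedKeys(all) {
		for _, c := range sortedSet(required[pkg]) { // indexing a nil map is safe
			if !granted[pkg][c] {
				msgs = append(msgs, fmt.Sprintf("%s: capability '%s' not provided by go.cap file, add to go.cap file if you want to grant the capability", pkg, c))
			}
		}
		for _, c := range sortedSet(granted[pkg]) {
			if !required[pkg][c] {
				msgs = append(msgs, fmt.Sprintf("%s: unnecessary capability '%s', please remove from go.cap file", pkg, c))
			}
		}
	}
	return msgs
}

func sortedKeys(c Capabilities) []string {
	keys := make([]string, 0, len(c))
	for k := range c {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func sortedSet(s map[string]bool) []string {
	out := make([]string, 0, len(s))
	for k := range s {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed sample: a go.cap that grants kong too little and errors too much.
const sampleGoCap = `github.com/cugu/gocap (execute, file)

github.com/alecthomas/kong (file)
github.com/pkg/errors (network, runtime)
`

// Constructed sample: the standard-library imports an import scan would find.
var sampleImports = map[string][]string{
	"github.com/cugu/gocap":      {"fmt", "os", "os/exec"},
	"github.com/alecthomas/kong": {"os", "syscall", "strings"},
	"github.com/pkg/errors":      {"fmt", "runtime"},
}

func main() {
	granted, err := ParseGoCap(sampleGoCap)
	if err != nil {
		fmt.Println(err)
		return
	}
	required := RequiredCaps(sampleImports)
	fmt.Print(Format(required)) // what "gocap generate" would emit
	for _, m := range Check(granted, required) {
		fmt.Println(m) // what "gocap check" would report
	}
}
```

Run stand-alone, it first prints the go.cap that would be generated for the sample imports and then the two mismatches a check against the constructed go.cap would report: kong is missing `syscall`, and errors is granted `network` it never uses. In a CI job the length of the mismatch list is what decides the exit code.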
Comments
  • doesn't work with my local project


    In my local project (that means a directory with go.mod & go.sum), when I run

    cd myWonderfullProject
    
    ls 
    go.mod  go.sum main.go
    
    gocap generate .
    could not parse package path
    

    I expect that go.cap has been generated with all modules (direct & transitive) pinned in my go.mod & go.sum.

    opened by jerome-laforge 7
  • Update module github.com/alecthomas/participle/v2 to v2.0.0-alpha9


    WhiteSource Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/alecthomas/participle/v2 | require | patch | v2.0.0-alpha7 -> v2.0.0-alpha9 |


    Release Notes

    alecthomas/participle

    v2.0.0-alpha9

    Compare Source

    v2.0.0-alpha8

    Compare Source


    Configuration

    📅 Schedule: At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by WhiteSource Renovate. View repository job log here.

    opened by renovate[bot] 1
  • Update module github.com/alecthomas/participle/v2 to v2.0.0-alpha8


    WhiteSource Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/alecthomas/participle/v2 | require | patch | v2.0.0-alpha7 -> v2.0.0-alpha8 |


    Release Notes

    alecthomas/participle

    v2.0.0-alpha8

    Compare Source


    Configuration

    📅 Schedule: At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by WhiteSource Renovate. View repository job log here.

    opened by renovate[bot] 1
  • Ignore check for my package from my project


    For example for my local project:

    mkdir -p /tmp/myWonderfullProject/cmd/myWonderfullProject
    
    cd /tmp/myWonderfullProject
    
    echo 'package main
    
    import (
    	"net/http"
    
    	"myWonderfullProject"
    )
    
    func main() {
    	http.ListenAndServe(":8080", myWonderfullProject.Router())
    }' > /tmp/myWonderfullProject/cmd/myWonderfullProject/main.go
    
    echo 'package myWonderfullProject
    
    import (
    	"net/http"
    
    	"github.com/gin-gonic/gin"
    )
    
    func Router() http.Handler {
    	r := gin.Default()
    	r.GET("/ping", func(c *gin.Context) {
    		c.JSON(200, gin.H{
    			"message": "pong",
    		})
    	})
    
    	return r
    }' > /tmp/myWonderfullProject/router.go
    
    go mod tidy
    tree /tmp/myWonderfullProject/
    /tmp/myWonderfullProject/
    ├── cmd
    │   └── myWonderfullProject
    │       └── main.go
    ├── go.mod
    ├── go.sum
    └── router.go
    
    
    gocap generate /tmp/myWonderfullProject/cmd/myWonderfullProject
    myWonderfullProject/cmd/myWonderfullProject (network)
    
    github.com/gin-contrib/sse (file, network)
    github.com/gin-gonic/gin (file, network, runtime)
    github.com/gin-gonic/gin/binding (network, file)
    github.com/gin-gonic/gin/render (network)
    github.com/go-playground/universal-translator (file)
    github.com/go-playground/validator/v10 (file, network)
    golang.org/x/sys/unix (syscall, runtime)
    myWonderfullProject (network) <------ filter this package on generate & check
    

    Is it possible to filter all the packages from myWonderfullProject, or at least myWonderfullProject (network) in this example, in the generate and check steps?

    Because I want to avoid breaking my CI when I develop or refactor source code, and also avoid updating the go.cap too frequently (just because I added a local package). From my point of view, this tool seems great for watching the external dependencies when I upgrade them.

    opened by jerome-laforge 1
  • ux: go check should generate .cap if does not exist


    Thanks for such a cool project! I have just been trying it out!


    I think it would be better to call the generate command under the hood if the go.cap file does not exist. Or we could rephrase this warning to, for example: go.cap file does not exist, consider running the generate command.

    $ gocap check .
    go.cap file does not exist
    

    What do you think?

    opened by Dentrax 1
  • Update module go to 1.19


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | go (source) | golang | minor | 1.18 -> 1.19 |


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module go to 1.18


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | go (source) | golang | minor | 1.17 -> 1.18 |


    Release Notes

    golang/go

    v1.18.4

    v1.18.3

    v1.18.2

    v1.18.1

    v1.18.0


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module github.com/stretchr/testify to v1.8.0


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/stretchr/testify | require | minor | v1.7.2 -> v1.8.0 |


    Release Notes

    stretchr/testify

    v1.8.0

    Compare Source

    v1.7.5

    Compare Source

    v1.7.4

    Compare Source

    v1.7.3

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module github.com/alecthomas/kong to v0.6.1


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/alecthomas/kong | require | patch | v0.6.0 -> v0.6.1 |


    Release Notes

    alecthomas/kong

    v0.6.1

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module github.com/alecthomas/kong to v0.6.0


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/alecthomas/kong | require | minor | v0.5.0 -> v0.6.0 |


    Release Notes

    alecthomas/kong

    v0.6.0

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module github.com/stretchr/testify to v1.7.2 - autoclosed


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/stretchr/testify | require | patch | v1.7.1 -> v1.7.2 |


    Release Notes

    stretchr/testify

    v1.7.2

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • Update module github.com/alecthomas/participle/v2 to v2.0.0-beta.5


    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | github.com/alecthomas/participle/v2 | require | patch | v2.0.0-alpha7 -> v2.0.0-beta.5 |


    Release Notes

    alecthomas/participle

    v2.0.0-beta.5

    Compare Source

    v2.0.0-beta.4

    Compare Source

    v2.0.0-beta.3

    Compare Source

    v2.0.0-beta.2

    Compare Source

    v2.0.0-beta.1

    Compare Source

    v2.0.0-alpha9.12

    Compare Source

    v2.0.0-alpha9

    Compare Source

    v2.0.0-alpha8

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, click this checkbox.

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
Owner
Jonas Plum
Forensics engineer