Better SCA for cgo projects

mcandre · March 24, 2025, 5:23pm

Many software projects check third party C/C++ dependency source files directly into version control. This doesn’t integrate particularly well with SCA. As a result, developers end up with latent security vulnerabilities.

govulncheck may happen to register CVE’s for a select few (c)Go projects, but the classic habit of logically vendoring dependencies without a version identifier in package management configuration does not lend govulncheck to reliably obtaining this information from go.mod. The specific reporting gap is the lack of automation to detect which Go projects depend on which native dependencies.

conan audit and Snyk for conan can help. But they represent development environment attack surface creep. And the dev is likely to cobble together a fragile, nonportable shell script to shimmy the conan artifacts into directories found by (c)go.

Long term, would be good for go mod to grow as equally capable of managing and scanning C/C++ packages as Conan.

What if we began isolating first vs. third party C/C++ cgo code into distinct directories? The latter would generate a warning if a corresponding new go.mod cgo entry were missing.

As a precaution, cgo can also generate a warning for native code that is not clearly housed in either of the two new directories. So that we can grandfather in existing cgo projects without sacrificing security.

Third party native code should be placed within the standard vendor/ tree near where third party Go code is kept.

govulncheck and various go components, should integrate with conan and the conan CVE database, to maximize security report accuracy.

The same applies to ECMAScript, JVM, Python, Ruby, etc. projects relying on C/C++ code: Their package managers should do a better job securing native dependencies.

And someone should write a portable, pure Go MIDI driver library so that MIDI projects don’t rely on any native code.

lemarkar · March 24, 2025, 8:17pm

Can C/C++ package managers scan my go code for vulnerabilities?

This post is so absurd.
First of all, you cannot add packages without version information into go.mod file. That’s an error and will signalize on go mod tidy command, so you won’t be able to vendor nada.

It’s called govulncheck since we are writing in golang and would like to see security issues with the code in this language, not with fancy dependencies on C code. If someone imports C into their go-code, it’s their responsibility to know exactly what they are importing. Not the task for go toolchain.

fonit41452 · March 25, 2025, 6:12am

mcandre:

Many software projects check third party C/C++ dependency source files directly into version control. This doesn’t integrate particularly well with SCA. As a result, developers end up with latent security vulnerabilities.

govulncheck may happen to register CVE’s for a select few (c)Go projects, but the classic habit of logically vendoring dependencies without a version identifier in package management configuration does not lend govulncheck to reliably obtaining this information from go.mod. The specific reporting gap is the lack of automation to detect which Go projects depend on which native dependencies.

conan audit and Snyk for conan can help. But they represent development environment attack surface creep. And the dev is likely to cobble together a fragile, nonportable shell script to shimmy the conan artifacts into directories found by (c)go.

Long term, would be good for go mod to grow as equally capable of managing and scanning C/C++ packages as Conan.

What if we began isolating first vs. third party C/C++ cgo code into distinct directories? The latter would generate a warning if a corresponding new go.mod cgo entry were missing.

As a precaution, cgo can also generate a warning for native code that is not clearly housed in either of the two new directories. So that we can grandfather in existing cgo projects without sacrificing security.

Third party native code should be placed within the standard vendor/ tree near where third party Go code is kept.

govulncheck and various go components, should integrate with conan and the conan CVE database, to maximize security report accuracy.

The same applies to ECMAScript, JVM, Python, Ruby, etc. projects relying on C/C++ code: Their package managers should do a better job securing native dependencies.

And someone should write a portable, pure Go MIDI driver library so that MIDI projects don’t rely on any native code.

Hello,
Improving security for C/C++ dependencies in Go and other ecosystems is essential. Isolating first vs. third-party cgo code into distinct directories with warnings for missing go.mod entries can enhance clarity. Integration of govulncheck with tools like Conan’s CVE database will ensure better vulnerability detection. Strengthening package managers across languages for native dependencies is a critical step forward. Let me know if you’d like to explore further! Tolls by Mail New York

Best Regards,
Fonit Henry

mcandre · March 25, 2025, 3:09pm

Found the bot account.

Yes, let’s keep cgo projects maximally insecure.

lemarkar · March 25, 2025, 3:36pm

As was expected, no real arguments. Only demagogy with lack of expertise.

Since C backend is currently the major one, all languages have wrappers or ways to interact with it. But it does not mean, you need to project the responsibility for C flaws onto languages which call it. If you want to do cgo, then it’s exactly you, who needs to be sure there are no vulnerabilities in C you are using and not the go toolchain problem.