Improper dependency pinning - Go

Improper dependency pinning - Go

Need

Proper management of dependency versions and explicit declaration of the entire dependency tree

Context

  • Usage of Go 1.16 for building high-performance and scalable applications
  • Usage of Gin framework (v1.7.4) for building web applications in Go

Description

Non compliant code

        module myapp

go 1.16

require (
    github.com/gin-gonic/gin v1.7.4
)
        
        

In the above go.mod file, we have specified only one direct dependency
- github.com/gin-gonic/gin v1.7.4. However, the Gin framework itself depends on a number of other packages, and this application might indirectly depend on them as well.

The problem with this approach is that it does not "pin" the versions of these indirect dependencies. This means that when the application is built or run, Go will automatically download the latest versions of these dependencies. If a new version of an indirect dependency introduces a breaking change, or if it has a security vulnerability, it could cause the application to break or be exposed to security risks.

This is a clear example of the "Improper dependency pinning" vulnerability. The application does not make explicit the whole dependency tree it requires (direct and indirect third-party libraries) and their respective version. This can lead to potential issues in the future if any of the dependencies used by the application has a breaking change in its newer versions. This can also lead to potential security vulnerabilities if the dependencies are not properly managed and updated.

To fix this vulnerability, the application should specify the exact versions of all direct and indirect dependencies it uses. This can be done by running go mod tidy and go mod vendor commands which will populate the go.mod file with exact versions of all dependencies and store them in the vendor directory respectively.

Steps

  • Identify all the direct and indirect dependencies of your application.
  • Determine the specific versions of each dependency that your application requires.
  • Update the 'require' section in your go.mod file to include the explicit versions of all dependencies.
  • Regularly review and update the dependency versions to ensure they are up to date and do not contain any known vulnerabilities.
  • Consider using a dependency management tool like Go Modules to automate the process of managing dependencies and their versions.

Compliant code

        module myapp

go 1.16

require (
    github.com/gin-gonic/gin v1.7.4
    // Add your other dependencies here, with their respective versions
)
        
        

The original code does not explicitly state all the dependencies that the application requires. This can lead to potential issues if a dependency is updated and introduces breaking changes or vulnerabilities.

To fix this, we need to identify all the direct and indirect dependencies of the application and specify their versions in the require section of the go.mod file. This ensures that the application always uses the correct versions of its dependencies, regardless of any updates or changes made to those dependencies.

Here are the steps to fix this vulnerability:

1. Identify all the direct and indirect dependencies of your application. You can do this by running the command go list -m all in your terminal. This will list all the current modules in use and their versions.

2. Determine the specific versions of each dependency that your application requires. You can do this by checking the documentation of each dependency or by testing different versions to see which ones work with your application.

3. Update the 'require' section in your go.mod file to include the explicit versions of all dependencies. This ensures that your application always uses the correct versions of its dependencies.

4. Regularly review and update the dependency versions to ensure they are up to date and do not contain any known vulnerabilities. You can do this by regularly running the command go get -u to update all dependencies to their latest minor or patch releases.

5. Consider using a dependency management tool like Go Modules to automate the process of managing dependencies and their versions. This can save you time and help prevent errors.

By following these steps, you can ensure that your application is using the correct versions of its dependencies and reduce the risk of introducing breaking changes or vulnerabilities.

References