
Rust vs. Go: About Vulnerability Management

Posted at 2023-12-03

Thinking about security in Rust / Go.

Dependency management becomes important.

In particular, when reusing someone else's code, the contents of Cargo.toml need attention.

As far as dependencies go, the same can be said of Node.js.

I look into scanners that can be used for both languages.

There are probably others, but considering real-world usage and general applicability I look into these two. cargo audit is left aside for now.

Environment

  • dev container
    with both Rust and Go available.

Installation

  • OSV‑Scanner
    Docs
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
  • Trivy
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Rust

  • OSV‑Scanner
vscode ➜ /workspaces/rust-api-samples/main (main) $ osv-scanner --lockfile=./Cargo.lock 
Scanned /workspaces/rust-api-samples/main/Cargo.lock file and found 241 packages
╭───────────────────────────────────┬──────┬───────────┬─────────┬─────────┬────────────╮
│ OSV URL                           │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE     │
├───────────────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────┤
│ https://osv.dev/RUSTSEC-2021-0141 │      │ crates.io │ dotenv  │ 0.15.0  │ Cargo.lock │
╰───────────────────────────────────┴──────┴───────────┴─────────┴─────────┴────────────╯
vscode ➜ /workspaces/rust-api-samples/main (main) $ 

Helpfully, it even tells you about credentials.

  • Trivy
vscode ➜ /workspaces/rust-api-samples/main (main) $ trivy fs .
2023-11-22T05:44:00.913Z        INFO    Vulnerability scanning is enabled
2023-11-22T05:44:00.913Z        INFO    Secret scanning is enabled
2023-11-22T05:44:00.913Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-22T05:44:00.913Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-22T05:44:04.721Z        INFO    Number of language-specific files: 1
2023-11-22T05:44:04.721Z        INFO    Detecting cargo vulnerabilities...

key.json (secrets)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

CRITICAL: Google (gcp-service-account)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Google (GCP) Service-account
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 key.json:2
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   {
   2 [   *************************,
   3     "project_id": "hoge",
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 key.json:5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3     "project_id": "hoge",
   4     "private_key_id": "abcdefgh",
   5 [   "private_key": "-----BEGIN PRIVATE KEY-----**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----\n",
   6     "client_email": "rust-app-storage@hoge.iam.gserviceaccount.com",
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


vscode ➜ /workspaces/rust-api-samples/main (main) $

Go

  • OSV‑Scanner
vscode ➜ /workspaces/go-api-samples (main) $ osv-scanner --lockfile=./go.mod 
Scanned /workspaces/go-api-samples/go.mod file and found 21 packages
╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬────────╮
│ OSV URL                      │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼────────┤
│ https://osv.dev/GO-2023-2185 │      │ Go        │ stdlib  │ 1.21.3  │ go.mod │
│                              │      │           │         │         │        │
│ https://osv.dev/GO-2023-2186 │      │ Go        │ stdlib  │ 1.21.3  │ go.mod │
│                              │      │           │         │         │        │
╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴────────╯
vscode ➜ /workspaces/go-api-samples (main) $
  • Trivy
vscode ➜ /workspaces/go-api-samples (main) $ trivy fs .
2023-11-22T05:57:17.670Z        INFO    Need to update DB
2023-11-22T05:57:17.670Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-22T05:57:17.670Z        INFO    Downloading DB...
40.99 MiB / 40.99 MiB [-----------------------------------------------------------------------------------------------------------------------------------------] 100.00% 17.27 MiB p/s 2.6s
2023-11-22T05:57:21.430Z        INFO    Vulnerability scanning is enabled
2023-11-22T05:57:21.431Z        INFO    Secret scanning is enabled
2023-11-22T05:57:21.431Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-22T05:57:21.431Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-22T05:57:22.013Z        INFO    Number of language-specific files: 1
2023-11-22T05:57:22.013Z        INFO    Detecting gomod vulnerabilities...

key.json (secrets)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

CRITICAL: Google (gcp-service-account)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Google (GCP) Service-account
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 key.json:2
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   {
   2 [     *************************,
   3       "project_id": "hoge",
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 key.json:5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3       "project_id": "hoge",
   4       "private_key_id": "abcdefgh",
   5 [     "private_key": "-----BEGIN PRIVATE KEY-----**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----\n",
   6       "client_email": "rust-app-storage@hoge.iam.gserviceaccount.com",
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


vscode ➜ /workspaces/go-api-samples (main) $ 
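As an added example (not part of the original post, and not code from either tool): a minimal CI gate that consumes the JSON reports both scanners can emit and fails the build on blocking findings. The JSON field names are my assumption of what osv-scanner (`--format json`) and trivy (`--format json`) produce; the sample reports are constructed to mirror the findings shown above (the dotenv advisory and the key.json secrets) plus a constructed MEDIUM dependency finding with a placeholder id, so the script runs offline.

```python
# Added example (not from the original post): a small CI gate that merges the
# JSON reports of osv-scanner and trivy and fails the build on blocking findings.
# The JSON field names are what I assume the two tools emit with `--format json`;
# the sample reports below are constructed to mirror the article's scan output.
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str      # which scanner reported it
    kind: str      # "vuln" (dependency advisory) or "secret" (leaked credential)
    id: str        # advisory id (RUSTSEC-..., GO-...) or trivy secret rule id
    location: str  # ecosystem:package@version (file) or file:line
    severity: str  # LOW/MEDIUM/HIGH/CRITICAL, or UNKNOWN when the tool gives none


def parse_osv_scanner(report: dict) -> list:
    """Flatten osv-scanner JSON (assumed schema: results[].packages[].vulnerabilities[])."""
    findings = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            p = pkg.get("package", {})
            loc = f"{p.get('ecosystem')}:{p.get('name')}@{p.get('version')} ({source})"
            for vuln in pkg.get("vulnerabilities", []):
                # The osv-scanner table above left CVSS empty, so severity is treated as unknown.
                findings.append(Finding("osv-scanner", "vuln", vuln["id"], loc, "UNKNOWN"))
    return findings


def parse_trivy(report: dict) -> list:
    """Flatten trivy JSON (assumed schema: Results[].Vulnerabilities[] and Results[].Secrets[])."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            loc = f"{v.get('PkgName')}@{v.get('InstalledVersion')} ({target})"
            findings.append(Finding("trivy", "vuln", v["VulnerabilityID"], loc, v.get("Severity", "UNKNOWN")))
        for s in result.get("Secrets") or []:
            loc = f"{target}:{s.get('StartLine')}"
            findings.append(Finding("trivy", "secret", s["RuleID"], loc, s.get("Severity", "UNKNOWN")))
    return findings


SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def gate(findings, accepted_ids=frozenset(), min_severity="HIGH") -> list:
    """Return the findings that should fail the build.

    Secrets always block: a committed key has to be revoked, not waived.
    Vulnerabilities block when their severity is at or above min_severity,
    or when it is UNKNOWN (fail closed), unless the advisory id is in
    accepted_ids, the list of reviewed and documented exceptions.
    """
    blocking = []
    for f in findings:
        if f.kind == "secret":
            blocking.append(f)
        elif f.id in accepted_ids:
            continue
        elif f.severity == "UNKNOWN" or SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]:
            blocking.append(f)
    return blocking


# Constructed sample reports modelled on the article's output (not real tool output).
SAMPLE_OSV = {"results": [{"source": {"path": "Cargo.lock", "type": "lockfile"}, "packages": [
    {"package": {"name": "dotenv", "version": "0.15.0", "ecosystem": "crates.io"},
     "vulnerabilities": [{"id": "RUSTSEC-2021-0141", "summary": "(summary omitted)"}]}]}]}

SAMPLE_TRIVY = {"Results": [
    {"Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-MEDIUM-1", "PkgName": "example.com/somelib",  # placeholder id
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "MEDIUM"}]},
    {"Target": "key.json", "Class": "secret", "Secrets": [
        {"RuleID": "gcp-service-account", "Category": "Google", "Severity": "CRITICAL",
         "Title": "Google (GCP) Service-account", "StartLine": 2},
        {"RuleID": "private-key", "Category": "AsymmetricPrivateKey", "Severity": "HIGH",
         "Title": "Asymmetric Private Key", "StartLine": 5}]}]}


def main(argv):
    """Usage: gate.py osv.json trivy.json (falls back to the samples with no arguments)."""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            osv, trivy = json.load(f1), json.load(f2)
    else:
        osv, trivy = SAMPLE_OSV, SAMPLE_TRIVY
    blocking = gate(parse_osv_scanner(osv) + parse_trivy(trivy))
    for f in blocking:
        print(f"[{f.tool}] {f.severity:8} {f.kind:6} {f.id} at {f.location}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the two inputs come from `osv-scanner --format json --lockfile=./Cargo.lock > osv.json` and `trivy fs --format json -o trivy.json .`; the exit code then decides the job. Unknown severity is treated as blocking on purpose: an advisory with no CVSS score (as the dotenv one above) should be looked at, not silently passed, and the only way past it is an explicit entry in the accepted list.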