https://github.com/chains-project/gosurf
Static analyzer to find locations to hide malicious code in Go
Science Score: 36.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
○.zenodo.json file
-
✓DOI references
Found 3 DOI reference(s) in README -
✓Academic publication links
Links to: arxiv.org -
○Committers with academic emails
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (13.3%) to scientific vocabulary
Repository
Static analyzer to find locations to hide malicious code in Go
Basic Info
Statistics
- Stars: 4
- Watchers: 6
- Forks: 1
- Open Issues: 5
- Releases: 0
Metadata Files
README.md
# GoSurf 🏄
GoSurf is a tool that analyzes the potential attack surface of open-source Go packages and modules. It looks for occurrences of various features and constructs that could potentially introduce security risks, known as attack vectors.
See paper GoSurf: Identifying Software Supply Chain Attack Vectors in Go (SCORED 2024) (doi:10.1145/3689944.3696166)
Repository Structure
- attack_vectors: This folder contains an analysis of 12 different attack vectors in Go, along with their respective proof-of-concept implementations.
- experiments: This folder contains scripts and results for attack surface analysis of different Go modules.
- popular10 contains experiments on the 10 most popular Go modules.
- top500 contains experiments on the 500 most imported Go modules.
- libs: This folder contains utility functions used by the GoSurf tool.
- template: This folder contains HTML templates used by the experiment scripts to print results.
- gosurf.go: The file
gosurf.gofile is the entry point for the GoSurf tool, which allows you to analyze a Go module and identify all the defined attack vectors, effectively framing the attack surface through Abstract Syntax Tree (AST) analysis.
Simple Usage
To use the GoSurf tool, follow these steps:
```bash
Clone the repository
git clone https://github.com/chains-project/GoSurf.git
Navigate to the gosurf directory
cd gosurf
Build the tool
go build
Analyze the github.com/ethereum/go-ethereum module
./gosurf $GOPATH/pkg/mod/github.com/ethereum/go-ethereum@v1.13.14
``` The tool will analyze the specified module and its direct dependencies, identifying occurrences of the defined attack vectors, and print results on the CLI.
Experiments
Analyze Top 500 most imported modules
The top500/run_exp.go script in the experiments folder allows for automating large-scale analysis on 500 Go (most imported) modules using the GoSurf library. To use this script, simply run:
bash
cd experiments/top500
go run run_exp.go
The results for the analysis will be reported in the experiments/top500/results folder in HTML format.
Analyze custom list of modules
The popular10/run_exp.go script in the experiments folder allows for customized analysis on a set of selected packages. To use this script, insert a list of "gomodulename version" entries in a text file.
Two experiments are pre-configured to run:
- Experiment 1: Analyzes 10 popular Go projects. The project names and versions are contained in the
urls_exp1.txtfile. To run this experiment, execute
bash
cd experiments/popular10
go run run_exp.go exp1
- Experiment 2: Performs a differential analysis over versions for a single Go project (Kubernetes). The project name and versions to be analyzed are contained in the
urls_exp2.txtfile. To run this experiment, execute
bash
cd experiments/popular10
go run run_exp.go exp2
The results for the analysis will be reported in the experiments/popular10/results folder in HTML format.
[!NOTE] These programs assume a Libraries.io API token stored in the environment variable
LIBRARIESIO_TOKEN.
Owner
- Name: CHAINS research project at KTH Royal Institute of Technology
- Login: chains-project
- Kind: organization
- Website: https://chains.proj.kth.se
- Repositories: 9
- Profile: https://github.com/chains-project
"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF
GitHub Events
Total
- Watch event: 8
Last Year
- Watch event: 8
Committers
Last synced: over 1 year ago
Top Committers
| Name | Commits | |
|---|---|---|
| carminecesarano | c****o@h****t | 123 |
| vivi365 | v****0@g****m | 18 |
| Martin Monperrus | m****s@g****g | 1 |
Committer Domains (Top 20 + Academic)
Issues and Pull Requests
Last synced: over 1 year ago
All Time
- Total issues: 4
- Total pull requests: 8
- Average time to close issues: N/A
- Average time to close pull requests: 3 days
- Total issue authors: 1
- Total pull request authors: 1
- Average comments per issue: 0.5
- Average comments per pull request: 1.25
- Merged pull requests: 6
- Bot issues: 0
- Bot pull requests: 0
Past Year
- Issues: 4
- Pull requests: 8
- Average time to close issues: N/A
- Average time to close pull requests: 3 days
- Issue authors: 1
- Pull request authors: 1
- Average comments per issue: 0.5
- Average comments per pull request: 1.25
- Merged pull requests: 6
- Bot issues: 0
- Bot pull requests: 0
Top Authors
Issue Authors
Pull Request Authors
- vivi365 (9)