Go agent release notes

Release date: October 25, 2022

Language versions currently supported: Go: 1.18, 1.19

New and improved:

  • Added route discovery and observation for the julienschmidt/httprouter routing library.

Bug fixes:

  • Fixed a configuration options merge issue that unintentionally disabled Assess under some conditions. (GO-1567)

  • Updated routes deduplication algorithm. (GO-1528)

Release date: October 12, 2022

Language versions currently supported: Go: 1.18, 1.19

New and improved:

  • Go Agent 4.0 uses direct communication with the Contrast web interface. The dependency on Contrast service is removed from the agent and the option to use Contrast service for communication is no longer supported.

  • gRPC support is out of preview status and is now generally available.

  • Added support for go1.19 language features.

  • Improved accuracy of gRPC message tracking.

Bug fixes:

  • Fixed swagger route discovery failure.

Release date: September 8, 2022

Language versions currently supported: Go: 1.17, 1.18

New and improved:

  • Reduced instrumentation overhead and improved agent performance.

  • Improved accuracy of gRPC message tracking.

Release date: August 26, 2022

Language versions currently supported: Go: 1.17, 1.18

New and improved:

  • Added X-Powered-By-Set Assess response analysis

Bug fixes:

  • Agent failed to start in case of config option misconfiguration (GO-1497)

  • Fixed a race condition in concurrent map access that might result in a crash (GO-1467)

Release date: August 19, 2022

Language versions currently supported: Go: 1.17, 1.18

New and improved:

  • Log diagnostic data to JSON file at agent startup

  • Fixed logs inconsistency in cached build logs

  • Added process ID to the log entries

Release date: August 5, 2022

Language versions currently supported: Go: 1.17, 1.18

Bug fixes:

  • Fixed a crash condition that occurred when all required fields were missing from the configuration (GO-1446)

  • Improved code instrumentation when encountering shadowed type names (GO-1472)

Release date: August 2, 2022

Language versions currently supported: Go: 1.17, 1.18

Bug fixes:

  • contrast-go build failed in 1.18 modules when any is redeclared. (GO-1464)

Release date: July 28, 2022

Language versions currently supported: Go: 1.17, 1.18

Bug fixes:

  • Agent only reported routes for one service in gRPC apps with multiple services. (GO-1465)

  • Agent caused a memory leak in certain scenarios where an instrumented application spawns a long-running goroutine. (GO-1461)

Release date: July 7, 2022

Language versions currently supported: Go: 1.17, 1.18

Warning

  • The Go agent now defaults to communicating directly with Contrast, rather than indirectly through the Contrast service.

    • This change will break environments where an instrumented app runs in a different network from the Contrast service and the instrumented app is not configured to communicate with Contrast.

      We encourage users to update the instrumented app’s network to allow direct communication, and to remove the Contrast service. Alternatively, you may choose to continue to use the Contrast service by setting agent.service.bypass=false in YAML configuration or setting CONTRAST__AGENT__SERVICE__BYPASS=false as an environment variable.

  • The contrast-go rewriter and Go agent no longer support go1.16

    • Users should update to the latest version of go1.17 or go1.18, or continue to use contrast-go v2.8.0 if they choose to stay on go1.16

New and improved:

  • The Go agent now supports log rotation. Log rotation can be configured using the following options:

    agent:
      logger:
        rotate: 
          enable: true # defaults to false
          max_size_mb: 10 # defaults to 1. sets the maximum size of an individual log file
          backup_count: 3 # defaults to 10. sets the number of backup files to retain
          compress: false # defaults to false. enables compression of rotated files

    It can also be configured through environment variables. Backups are stored in agent.logger.path with a timestamp appended to the base of the filename.

  • The Go agent now drops route observation reports under high load to improve application request throughput.

  • The Go agent short circuits more instrumentation when disabled, resulting in lower memory usage.

Release date: June 9, 2022

Language versions currently supported: Go: 1.16, 1.17, 1.18

New and improved:

  • Improvements to vulnerability rendering.

  • Log messages now use a user-friendly time format rather than Unix epochs.

Bug fixes:

  • Agent now correctly reports routes discovered for applications written with the go-swagger framework (GO-1377).

  • Agent now correctly reports library usage data for applications written with the Gin framework (GO-1292).

Release date: April 25, 2022

Language versions currently supported: Go: 1.16, 1.17, 1.18

New and improved:

  • Support for Go 1.18.

Bug fixes:

  • Various minor fixes.

Release date: April 14, 2022

Language versions currently supported: Go: 1.16, 1.17

New and improved:

Bug fixes:

  • Update to include Go security fixes in Golang release 1.17.9.

Release date: April 14, 2022

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Support for go-swagger APIs.

  • Route discovery and observation for gRPC APIs written with google.golang.org/grpc.

Bug fixes:

  • gRPC trace titles are now reported more uniquely for different inputs. (GO-1272)

Release date: March 25, 2022

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • The agent now supports vulnerability detection for gRPC APIs written with the google.golang.org/grpc module. The functionality is enabled via the following configuration settings:

    agent:
      go:
        preview:
          grpc: true
      service:
        bypass: true

    Alternately, the same feature can be enabled using environment variables:

    CONTRAST__AGENT__GO__PREVIEW__GRPC=true
    CONTRAST__AGENT__SERVICE__BYPASS=true

Bug fixes:

  • The agent now correctly reports server tags when bypassing the service. (GO-1256)

  • The agent now reports unvalidated redirects under the appropriate vulnerability category. (GO-1265)

  • contrast-go now correctly accepts build flags with double dashes. (GO-1258)

Release date: March 7, 2022

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Go agent users can now configure the agent to report directly to Contrast, removing the need to install contrast-service, by using the bypass setting in their contrast_security.yaml file:

    agent:
      service:
        bypass: true

    Alternately, the same feature can be enabled using an environment variable:

    CONTRAST__AGENT__SERVICE__BYPASS=true

Bug fixes:

  • When running the agent with contrast-go run main.go, the application name was reported as 'command-line-arguments'. It now reports the correct package name when possible. (GO-1188)

  • Exercised routes erroneously appeared as new routes due to a mismatch in how trailing slashes were interpreted by discovered vs exercised routes. Exercised routes now handle trailing slashes identically to discovered routes. (GO-1210)

Release date: January 11, 2022

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Use main package path as default application name.

Bug fixes:

  • Minor bug fixes and improvements.

Release date: December 9, 2021

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Support for bufio buffered I/O.

Bug fixes:

  • Distributing bullseye package for Debian. (GO-1141)

  • Report path traversal vulnerability for os.Rename with user controlled new file name. (GO-1078)

  • Fix fmt handling of complex types. (GO-1146)

  • Tracking no longer fails when reading directly from a request body to a []byte. (GO-1147)

  • Fixed a false negative caused by merging multiple vulnerabilities discovered on the same route. (GO-1149)

Release date: November 17, 2021

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Support for the Gin web framework.

Bug fixes:

  • The io/fs.Open function now correctly triggers the path traversal finding. (GO-1072)

  • contrast-go run now supports running programs that take arguments. (GO-1016)

Release date: October 18, 2021

Language versions currently supported: Go: 1.16, 1.17

Bug fixes:

  • When calling bufio/bytes methods on interfaces instead of concrete types, the agent won't propagate. (GO-1019)

  • When custom types are printed to a http.ResponseWriter, they aren't analyzed for XSS (False Negative). (GO-1053)

Warning

This release will no longer support GoLang version 1.15.

Release date: September 28, 2021

Language versions currently supported: Go: 1.15, 1.16, 1.17

New and improved:

  • Golang major language version 1.17 support.

Bug fixes:

  • When converting from strings to named byte slices or byte slices to named strings, the agent loses data flow. (GO-1005)

Release date: September 22, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When an application nests http.Handlers, the agent reports route observation and responses multiple times. (GO-999)

  • When triggering dataflow rules, sink events do not correctly set up parent history. (GO-1027)

  • When reporting route observation, the request pointer changes which breaks assess sources. (GO-1028)

Release date: September 15, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Allow for custom go commands to be passed through our contrast-go executable.

Bug fixes:

  • When reporting sinks with multiple sources, the agent does not correctly attribute which fields/sources triggered the corresponding finding. (Go-950)

  • When rewriting a slice operation on a named byte slice type with methods, the build fails. (Go-991)

  • When appending data, the agent incorrectly detects if the data is tracked, resulting in no finding when reporting to TeamServer. (Go-993)

  • When dataflow events happen concurrently, the runtime panics and crashes the application. (Go-1023)

Release date: September 1, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When the application starts, the agent spawns ticker routines which continuously leak more tickers. (GO-995)

  • When sending enhanced class usage, the agent never releases previous reports and spends unnecessary resources on de-duping. (GO-996)

Release date: August 23, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When an application calls a pointer method with a value, the rewritten code copies by value not reference, changing the runtime behavior. (GO-989)

Release date: August 17, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Improve performance of rewritten code.

Bug fixes:

  • When propagating through bytes Buffer/Reader.Read, no propagation event is shown in the finding trace. (GO-993)

  • When rewriting go function literals with returns, the rewriter omits the returns and breaks builds. (GO-937)

  • When an error occurs during initialization of the logger, the agent shuts itself off. (GO-952)

  • When a slice of a tainted byte slice reaches a sink, the sink is not triggered (false negative). (GO-983)

Release date: August 6, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Enhanced data flow tracking, which improves agent accuracy.

Bug fixes:

  • When propagating through a circular buffer, the agent caused a stack overflow. (GO-982)

Release date: July 22, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • When an error occurs during agent initialization, more specific/detailed error messages are logged.

Release date: July 8, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When using getTypeName, the rewriter failed to safely handle errors and did not inject correct packages. (GO-884)

  • When comparing types, the rewriter incorrectly compared by pointer rather than by type. (GO-885)

Release date: June 17, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Update the rewriter to only emit on exported functions, reducing the performance overhead of the rewriter itself.

Bug fixes:

  • When replacing expressions with callexprs, the agent may break addressability, resulting in a failed build. (GO-873)

  • When creating caches for rewrite, the reported tool version is not included, resulting in caches that will not be rebuilt despite agent changes. (GO-875)

  • When rewriting string slices, shadowed type names do not prevent casts from being injected, resulting in code that will not build. (GO-883)

Release date: June 15, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Updated the rewriter functionality of the agent to rely on Go’s toolexec to allow for the instrumentation of a larger set of Go applications.

Bug fixes:

Release date: June 14, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Add custom SSRF sink for net/http Client.PostForm.

Bug fixes:

Release date: May 28, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Added the ability to rewrite Go code including compiler directive comments, such as //go:embed, //go:nosplit, //go:noescape, and others.

  • OSS and Assess feature support for the Go standard library.

Bug fixes:

  • Update agent.logger.path and agent.logger.level config settings to those from remote settings. (GO-844)