Go agent release notes

Added route discovery and observation for the julienschmidt/httprouter routing library.

Fixed a configuration options merge issue that unintentionally disabled Assess under some conditions. (GO-1567)

Updated routes deduplication algorithm. (GO-1528)

Go Agent 4.0 uses direct communication with the Contrast web interface. The dependency on Contrast service is removed from the agent and the option to use Contrast service for communication is no longer supported.

gRPC support is out of preview status and is now generally available.

Added support for go1.19 language features.

Improved accuracy of gRPC message tracking.

Fixed swagger route discovery failure.

Reduced instrumentation overhead and improved agent performance.

Improved accuracy of gRPC message tracking.

Added X-Powered-By-Set Assess response analysis

Agent failed to start in case of config option misconfiguration (GO-1497)

Fixed a race condition in concurrent map access that might result in a crash (GO-1467)

Log diagnostic data to JSON file at agent startup

Fixed logs inconsistency in cached build logs

Added process ID to the log entires

Fixed a crash condition that occurred when all required fields were missing from the configuration (GO-1446)

Improved code instrumentation when encountering shadowed type names (GO-1472)

contrast-go build failed in 1.18 modules when any is redeclared. (GO-1464)

Agent only reported routes for one service in gRPC apps with multiple services. (GO-1465)

Agent caused a memory leak in certain scenarios where an instrumented application spawns a long-running goroutine. (GO-1461)

The Go agent now supports log rotation. Log rotation can be configured using the following options:

agent:
  logger:
    rotate: 
      enable: true # defaults to false
      max_size_mb: 10 # defaults to 1. sets the maximum size of an individual log file
      backup_count: 3 # defaults 10. sets the number of backup files to retain
      compress: false # defaults to false. enables compression of rotated files

It can also be configured through environment variables. Backups are stored in agent.logger.path with a timestamp appended to the base of the filename.

Improvements to vulnerability rendering.

Log messages now use a user-friendly time format rather than Unix epochs.

Agent now correctly reports routes discovered for applications written with the go-swagger framework (GO-1377).

Agent now correctly reports library usage data for applications written with the Gin framework (GO-1292).

Support for Go 1.18.

Various minor fixes.

Update to include Go security fixes in Golang release 1.17.9.

Support for go-swagger APIs.

Route discovery and observation for gRPC APIs written with google.golang.org/grpc.

gRPC trace titles are now reported more uniquely for different inputs. (GO-1272)

The agent now supports vulnerability detection for gRPC APIs written with the google.golang.org/grpc module. The functionality is enabled via the following configuration settings:

agent:
  go:
    preview:
      grpc: true
  service:
    bypass: true

Alternately, the same feature can be enabled using environment variables:

CONTRAST__AGENT__GO__PREVIEW__GRPC=true
CONTRAST__AGENT__SERVICE__BYPASS=true

The agent now correctly reports server tags when bypassing the service. (GO-1256)

The agent now reports unvalidated redirects under the appropriate vulnerability category. (GO-1265)

contrast-go now correctly accepts build flags with double dashes. (GO-1258)

Go agent users can now configure the agent to report directly to Contrast, removing the need to install contrast-service, by using the bypass setting in their contrast_security.yaml file:

agent:
  service:
    bypass: true

Alternately, the same feature can be enabled using an environment variable:

CONTRAST__AGENT__SERVICE__BYPASS=true

When running the agent with contrast-go run main.go , the application name was reported as 'command-line-arguments'. It now reports the correct package name when possible. (GO-1188)

Exercised routes erroneously appeared as new routes due to a mismatch in how trailing slashes were interpreted by discovered vs exercised routes. Exercised routes now handle trailing slashes identically to discovered routes. (GO-1210)

Use main package path as default application name.

Minor bug fixes and improvements.

Support for bufio buffered I/O.

Distributing bullseye package for Debian. (GO-1141)

Report path traversal vulnerability for os.Rename with user controlled new file name. (GO-1078)

Fix fmt handling of complex types. (GO-1146)

Tracking no longer fails when reading directly from a request body to a []byte. (GO-1147)

Fixed a false negative caused by merging multiple vulnerabilities discovered on the same route. (GO-1149)

Support for the Gin web framework.

The io/fs.Open function now correctly triggers the path traversal finding. (GO-1072)

contrast-go run now supports running programs that take arguments. (GO-1016)