Go agent release notes
Release date: June 9, 2022
Language versions currently supported: Go: 1.16, 1.17, 1.18
New and improved:
Improvements to vulnerability rendering.
Log messages now use a user-friendly time format rather than Unix epochs.
Bug fixes:
Agent now correctly reports routes discovered for applications written with the go-swagger framework (GO-1377).
Agent now correctly reports library usage data for applications written with the Gin framework (GO-1292).
Release date: April 25, 2022
Language versions currently supported: Go: 1.16, 1.17, 1.18
New and improved:
Support for Go 1.18.
Bug fixes:
Various minor fixes.
Release date: April 14, 2022
Language versions currently supported: Go: 1.16, 1.17
Bug fixes:
Update to include Go security fixes in Golang release 1.17.9.
Release date: April 14, 2022
Language versions currently supported: Go: 1.16, 1.17
New and improved:
Support for go-swagger APIs.
Route discovery and observation for gRPC APIs written with google.golang.org/grpc.
Bug fixes:
gRPC trace titles are now reported more uniquely for different inputs. (GO-1272)
Release date: March 25, 2022
Language versions currently supported: Go: 1.16, 1.17
New and improved:
The agent now supports vulnerability detection for gRPC APIs written with the google.golang.org/grpc module. The functionality is enabled via the following configuration settings:
agent:
  go:
    preview:
      grpc: true
  service:
    bypass: true
Alternately, the same feature can be enabled using environment variables:
CONTRAST__AGENT__GO__PREVIEW__GRPC=true
CONTRAST__AGENT__SERVICE__BYPASS=true
Bug fixes:
The agent now correctly reports server tags when bypassing the service. (GO-1256)
The agent now reports unvalidated redirects under the appropriate vulnerability category. (GO-1265)
contrast-go now correctly accepts build flags with double dashes. (GO-1258)
Release date: March 7, 2022
Language versions currently supported: Go: 1.16, 1.17
New and improved:
Go agent users can now configure the agent to report directly to Contrast, removing the need to install contrast-service, by using the bypass setting in their contrast_security.yaml file:
agent:
  service:
    bypass: true
Alternately, the same feature can be enabled using an environment variable:
CONTRAST__AGENT__SERVICE__BYPASS=true
Bug fixes:
When running the agent with contrast-go run main.go, the application name was reported as 'command-line-arguments'. It now reports the correct package name when possible. (GO-1188)
Exercised routes erroneously appeared as new routes due to a mismatch in how trailing slashes were interpreted by discovered versus exercised routes. Exercised routes now handle trailing slashes identically to discovered routes. (GO-1210)
Release date: January 11, 2022
Language versions currently supported: Go: 1.16, 1.17
New and improved:
Use main package path as default application name.
Bug fixes:
Minor bug fixes and improvements.
Release date: December 9, 2021
Language versions currently supported: Go: 1.16, 1.17
New and improved:
Support for bufio buffered I/O.
Bug fixes:
Distributing bullseye package for Debian. (GO-1141)
Report path traversal vulnerability for os.Rename with user controlled new file name. (GO-1078)
Fix fmt handling of complex types. (GO-1146)
Tracking no longer fails when reading directly from a request body to a []byte. (GO-1147)
Fixed a false negative caused by merging multiple vulnerabilities discovered on the same route. (GO-1149)
Release date: November 17, 2021
Language versions currently supported: Go: 1.16, 1.17
New and improved:
Support for the Gin web framework.
Bug fixes:
The io/fs.Open function now correctly triggers the path traversal finding. (GO-1072)
contrast-go run now supports running programs that take arguments. (GO-1016)
Release date: October 18, 2021
Language versions currently supported: Go: 1.16, 1.17
Bug fixes:
When calling bufio/bytes methods on interfaces instead of concrete types, the agent won't propagate. (GO-1019)
When custom types are printed to an http.ResponseWriter, they aren't analyzed for XSS (false negative). (GO-1053)
Warning
This release will no longer support GoLang version 1.15.
Release date: September 28, 2021
Language versions currently supported: Go: 1.15, 1.16, 1.17
New and improved:
Golang major language version 1.17 support.
Bug fixes:
When converting from strings to named byte slices or byte slices to named strings, the agent loses data flow. (GO-1005)
Release date: September 22, 2021
Language versions currently supported: Go: 1.15, 1.16
Bug fixes:
When an application nests http.Handlers, the agent reports route observation and responses multiple times. (GO-999)
When triggering dataflow rules, sink events do not correctly set up parent history. (GO-1027)
When reporting route observation, the request pointer changes which breaks assess sources. (GO-1028)
Release date: September 15, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Allow for custom go commands to be passed through our contrast-go executable.
Bug fixes:
When reporting sinks with multiple sources, the agent does not correctly attribute which fields/sources triggered the corresponding finding. (GO-950)
When rewriting a slice operation on a named byte slice type with methods, the build fails. (GO-991)
When appending data, the agent incorrectly detects if the data is tracked, resulting in no finding when reporting to TeamServer. (GO-993)
When dataflow events happen concurrently, the runtime panics and crashes the application. (GO-1023)
Release date: September 1, 2021
Language versions currently supported: Go: 1.15, 1.16
Bug fixes:
When the application starts, the agent spawns ticker routines which continuously leak more tickers. (GO-995)
When sending enhanced class usage, the agent never releases previous reports and spends unnecessary resources on de-duping. (GO-996)
Release date: August 23, 2021
Language versions currently supported: Go: 1.15, 1.16
Bug fixes:
When an application calls a pointer method with a value, the rewritten code copies by value not reference, changing the runtime behavior. (GO-989)
Release date: August 17, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Improve performance of rewritten code.
Bug fixes:
When propagating through bytes.Buffer/Reader.Read, no propagation event is shown in the finding trace. (GO-993)
When rewriting Go function literals with returns, the rewriter omits the returns and breaks builds. (GO-937)
When an error occurs during initialization of the logger, the agent shuts itself off. (GO-952)
When a slice of a tainted byte slice reaches a sink, the sink is not triggered (false negative). (GO-983)
Release date: August 6, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Enhanced data flow tracking, which improves agent accuracy.
Bug fixes:
When propagating through a circular buffer, the agent caused a stack overflow. (GO-982)
Release date: July 22, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
When an error occurs during agent initialization, more specific/detailed error messages are logged.
Release date: July 8, 2021
Language versions currently supported: Go: 1.15, 1.16
Bug fixes:
When using getTypeName, the rewriter failed to safely handle errors and did not inject correct packages. (GO-884)
When comparing types, the rewriter incorrectly compared by pointer rather than by type. (GO-885)
Release date: June 17, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Update the rewriter to only emit on exported functions, reducing the performance overhead of the rewriter itself.
Bug fixes:
When replacing expressions with callexprs, the agent may break addressability, resulting in a failed build. (GO-873)
When creating caches for rewrite, the reported tool version is not included, resulting in caches that will not be rebuilt despite agent changes. (GO-875)
When rewriting string slices, shadowed type names do not prevent casts from being injected, resulting in code that will not build. (GO-883)
Release date: June 15, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Updated the rewriter functionality of the agent to rely on Go’s toolexec to allow for the instrumentation of a larger set of Go applications.
Release date: June 14, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Add custom SSRF sink for net/http Client.PostForm.
Release date: May 28, 2021
Language versions currently supported: Go: 1.15, 1.16
New and improved:
Added the ability to rewrite Go code including compiler directive comments, such as //go:embed, //go:nosplit, //go:noescape and others.
OSS and Assess feature support for the Go standard library.
Bug fixes:
Update agent.logger.path and agent.logger.level config settings to those from remote settings. (GO-844)