Go agent release notes

The golang.org/x/net module was updated to address CVE-2024-45338 in the x/net/html package.

Contrast uses this module to parse HTML response bodies for some of the Assess rules.

Some response bodies could result in outsized performance cost in the functions the agent uses to tokenize HTML, potentially resulting in denial of service due to the agent’s rule processing.

Severity is likely very low. The application would need to send specially crafted response bodies which are not likely to occur without effort. An attacker would have to be able to control some aspect of the HTML response, which could require an app which is already vulnerable to XSS.

The golang.org/x/crypto module was updated to address CVE-2024-45337 in the x/crypto/ssh package.

This CVE does not affect Contrast. The Go agent uses other packages in the module, but not the one which was vulnerable.

Improved performance. (Multiple GO tickets)

Improved accuracy. (Multiple GO tickets)

Improved performance. (GO-1967)

Fixed an issue where the Agent token was overwritten by the legacy default key.

Fixed configuration issues related to ADR support. (GO-2179)

Improved the default method for the app name in cases where build command includes a list of Go files instead of packages. (GO-1945)

The Go agent now supports the use of CONTRAST__API__TOKEN instead of  CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (GO-2149)

Added support for Go 1.23. (GO-2130)

Improved handling of hash/kw collisions in pipelines. (GO-2134)

Fixed a race condition when calling SetFinalizer in tracker. (GO-2155)

Made API changes that improved performance. (multiple GO tickets)

The agent now reports Cloud Resource Identifiers. (GO-1695)

Added initial support for Go v1.23. (multiple GO tickets).

Go v1.23 is not an officially supported version yet.

Removed tag.Tags interface. The agent now uses the underlying type directly. (GO-2075)

The agent now uses a new startup endpoint. (GO-2069)

On-premises customers: The minimum TeamServer version for this feature is 3.11.2. This version and future versions of the Go agent will fail to start up with older TeamServer versions.

Refactored policy test helpers to use a new API. (GO-2089)

Add a framework field for route discovery. (GO-2119)

Added a feature flag to let customers configure the route observation error code check. (GO-2093)

Multiple performance optimizations.

Updated route observation behavior to match the Contrast Agent Route Observation Error Handling specification.

Multiple minor bug fixes.

Fixed a memory leak that an issue with tracker instances was causing. (GO-2094)

Improved performance for Assess. 

The contrast-go -v [...] now results in logs in pure JSON format. (GO-2054)

The contrast-go agent can now run with Dynatrace. (GO-2066)

Previously, Dynatrace would crash due to a change in the size of internal/poll.fdMutex.

Changed the route observation reporting interval from 10 seconds to 30 seconds.

Added full support for Go 1.22 features.

Added additional support for Go 1.22. 

Full support for Go 1.22 features is in progress.

Fixed a bug that affected the way some files with special compiler directives were printed. (GO-2035)

This agent is compatible with  Go 1.22.  If you update your applications to Go 1.22, they will continue to work with Contrast.

Support for new features introduced in Go 1.22 is planned for a future release.

Improved general agent performance.

Fixed an issue with Protect attack vector masking. (GO-1986)

Fixed an issue where the rewriter could break build tag formatting and cause build failures. (GO-1981)

The agent now supports Contrast Protect functionality.

The agent no longer supports Go 1.19.

Improved performance for Assess operations.

Improves contrast-go build compatibility with older, unsupported versions of frameworks. Previously, contrast-go could break builds in these scenarios. Now, the build succeeds and warnings are written to the log to alert users that they are using an unsupported version. (GO-1891)

The agent now reports effective configuration settings to Contrast. The application mode is displayed in the Contrast web interface. (GO-1636)

Fixes a build error when using the slice operator on a generic byte array. (GO-1955)

Made performance improvements for Assess. (GO-1929, GO-1923, GO-1946)

The Go agent now supports version 2.40 and later of the Go Fiber framework.

Fixed a race condition that could cause build failures for Go commands which compile multiple main packages. (GO-1935)

Improved dataflow accuracy when tracking map keys (GO-1948)

Fixed a couple of cases where contrast-go could cause build errors. (GO-1907)

Fixed a case where the contrast-go type checking would fail and cause the agent to skip instrumenting some packages. (GO-1853)

Fixed an issue with the handling the shutdown reaction in the response during application creation. (GO-1936)

Improved behavior of requests from net/http sources so that the agent doesn’t try to read the request body ahead of time. (GO-1925)

Improved performance when propagating through the unicode/utf8 package. (GO-1924)

Fixed an issue where the agent was capturing stack traces in certain propagators for no reason, which could cause performance issues. (GO-1917)

Fixed a bug where contrast-go could generate invalid code and cause build failures. (GO-1904)

Improved the accuracy of the path-traversal rule. (GO-1892)

Fixed an issue where propagation through JSON marshaling was causing performance issues. (GO-1912)

The Go agent now supports Go 1.21.

Added policy to track gRPC messages served by the net/http.Handler interface. (GO-1268)

Added support for github.com/gofiber/fiber v2.48.0 and later.

Added support for github.com/valyala/fasthttp v1.46.0 and later.

Improved trace presentation details.

Improved accuracy and performance.

Added support for the Contrast CLI command:, contrast-go help.

Added a policy for propagation though gin.StingToBytes and gin.BytesToString.

Fixed an use that could cause panics when tracking stack-allocated byte slices.

Updated dependency versions.

Fixed an issue that caused aarch64 builds to fail.

Updated multiple dependency versions.

Update diagnostic output to align with Contrast specifications.

Improved how agent shut down and flush occurs on SIGTERM and SIGINT.

Improvements and bug fixes for data accuracy.

Removed support for Go 1.18

Added support for Chi framework

Added route discovery and observation for the julienschmidt/httprouter routing library.

Fixed a configuration options merge issue that unintentionally disabled Assess under some conditions. (GO-1567)

Updated routes deduplication algorithm. (GO-1528)

Use main package path as default application name.

Minor bug fixes and improvements.

Go Agent 4.0 uses direct communication with the Contrast web interface. The dependency on Contrast service is removed from the agent and the option to use Contrast service for communication is no longer supported.

gRPC support is out of preview status and is now generally available.

Added support for go1.19 language features.

Improved accuracy of gRPC message tracking.

Fixed swagger route discovery failure.

Reduced instrumentation overhead and improved agent performance.

Improved accuracy of gRPC message tracking.

Added X-Powered-By-Set Assess response analysis

Agent failed to start in case of config option misconfiguration (GO-1497)

Fixed a race condition in concurrent map access that might result in a crash (GO-1467)

Log diagnostic data to JSON file at agent startup

Fixed logs inconsistency in cached build logs

Added process ID to the log entires

contrast-go build failed in 1.18 modules when any is redeclared. (GO-1464)

Fixed a crash condition that occurred when all required fields were missing from the configuration (GO-1446)

Improved code instrumentation when encountering shadowed type names (GO-1472)

Agent only reported routes for one service in gRPC apps with multiple services. (GO-1465)

Agent caused a memory leak in certain scenarios where an instrumented application spawns a long-running goroutine. (GO-1461)

The Go agent now supports log rotation. Log rotation can be configured using the following options:

agent:
  logger:
    rotate: 
      enable: true # defaults to false
      max_size_mb: 10 # defaults to 1. sets the maximum size of an individual log file
      backup_count: 3 # defaults 10. sets the number of backup files to retain
      compress: false # defaults to false. enables compression of rotated files

It can also be configured through environment variables. Backups are stored in agent.logger.path with a timestamp appended to the base of the filename.

Improvements to vulnerability rendering.

Log messages now use a user-friendly time format rather than Unix epochs.

Agent now correctly reports routes discovered for applications written with the go-swagger framework (GO-1377).

Agent now correctly reports library usage data for applications written with the Gin framework (GO-1292).

Support for Go 1.18.

Various minor fixes.

Update to include Go security fixes in Golang release 1.17.9.

Support for go-swagger APIs.

Route discovery and observation for gRPC APIs written with google.golang.org/grpc.

gRPC trace titles are now reported more uniquely for different inputs. (GO-1272)

The agent now supports vulnerability detection for gRPC APIs written with the google.golang.org/grpc module. The functionality is enabled via the following configuration settings:

agent:
  go:
    preview:
      grpc: true
  service:
    bypass: true

Alternately, the same feature can be enabled using environment variables:

CONTRAST__AGENT__GO__PREVIEW__GRPC=true
CONTRAST__AGENT__SERVICE__BYPASS=true

The agent now correctly reports server tags when bypassing the service. (GO-1256)

The agent now reports unvalidated redirects under the appropriate vulnerability category. (GO-1265)

contrast-go now correctly accepts build flags with double dashes. (GO-1258)

Go agent users can now configure the agent to report directly to Contrast, removing the need to install contrast-service, by using the bypass setting in their contrast_security.yaml file:

agent:
  service:
    bypass: true

Alternately, the same feature can be enabled using an environment variable:

CONTRAST__AGENT__SERVICE__BYPASS=true

When running the agent with contrast-go run main.go , the application name was reported as 'command-line-arguments'. It now reports the correct package name when possible. (GO-1188)

Exercised routes erroneously appeared as new routes due to a mismatch in how trailing slashes were interpreted by discovered vs exercised routes. Exercised routes now handle trailing slashes identically to discovered routes. (GO-1210)

Support for bufio buffered I/O.

Distributing bullseye package for Debian. (GO-1141)

Report path traversal vulnerability for os.Rename with user controlled new file name. (GO-1078)

Fix fmt handling of complex types. (GO-1146)

Tracking no longer fails when reading directly from a request body to a []byte. (GO-1147)

Fixed a false negative caused by merging multiple vulnerabilities discovered on the same route. (GO-1149)

Support for the Gin web framework.

The io/fs.Open function now correctly triggers the path traversal finding. (GO-1072)

contrast-go run now supports running programs that take arguments. (GO-1016)

When calling bufio/bytes methods on interfaces instead of concrete types, the agent won't propagate. (GO-1019)

When custom types are printed to a http.ResponseWriter, they aren't analyzed for XSS (False Negative). (GO-1053)

Golang major language version 1.17 support.

When converting from strings to named byte slices or byte slices to named strings, the agent loses data flow. (GO-1005)

When an application nests http.Handlers, the agent reports route observation and responses multiple times. (GO-999)

When triggering dataflow rules, sink events do not correctly set up parent history. (GO-1027)

When reporting route observation, the request pointer changes which breaks assess sources. (GO-1028)

Allow for custom go commands to be passed through our contrast-go executable.

When reporting sinks with multiple sources, the agent does not correctly attribute which fields/sources triggered the corresponding finding. (Go-950)

When rewriting a slice operation on a named byte slice type with methods, the build fails. (Go-991)

When appending data, the agent incorrectly detects if the data is tracked, resulting in no finding when reporting to TeamServer. (Go-993)

When dataflow events happen concurrently, the runtime panics and crashes the application. (Go-1023)

When the application starts, the agent spawns ticker routines which continuously leak more tickers. (GO-995)

When sending enhanced class usage, the agent never releases previous reports and spends unnecessary resources on de-duping. (GO-996)

When an application calls a pointer method with a value, the rewritten code copies by value not reference, changing the runtime behavior. (GO-989)

Improve performance of rewritten code.

When propagating through bytes Buffer/Reader.Read, no propagation event is shown in the finding trace. (GO-993)

When rewriting go function literals with returns, the rewriter omits the returns and breaks builds. (GO-937)

When an error occurs during initialization of the logger, the agent shuts itself off. (GO-952)

When a slice of a tainted byte slice reaches a sink, the sink is not triggered (false negative). (GO-983)

Enhanced data flow tracking, which improves agent accuracy.

When propagating through a circular buffer, the agent caused a stack overflow. (GO-982)

When an error occurs during agent initialization, more specific/detailed error messages are logged.

When using getTypeName, the rewriter failed to safely handle errors and did not inject correct packages. (GO-884)

When comparing types, the rewriter incorrectly compared by pointer rather than by type. (GO-885)

Update the rewriter to only emit on exported functions, reducing the performance overhead of the rewriter itself.

When replacing expressions with callexprs, the agent may break addressability, resulting in a failed build. (GO-873)

When creating caches for rewrite, the reported tool version is not included, resulting in caches that will not be rebuilt despite agent changes. (GO-875)

When rewriting string slices, shadowed type names do not prevent casts from being injected, resulting in code that will not build. (GO-883)

Updated the rewriter functionality of the agent to rely on Go’s toolexec to allow for the instrumentation of a larger set of Go applications.

Add custom SSRF sink for net/http Client.PostForm.

Added the ability to rewrite Go code including compiler directive comments, such as, //go:embed, //go:nosplit and //go:noescape and others.

OSS and Assess feature support for the Go standard library.

Update agent.logger.path and agent.logger.level config settings to those from remote settings. (GO-844)