Go agent release notes

Release date: November 17, 2021

Language versions currently supported: Go: 1.16, 1.17

New and improved:

  • Support for the Gin web framework.

Bug fixes:

  • The io/fs.Open function now correctly triggers the path traversal finding. (GO-1072)

  • contrast-go run now supports running programs that take arguments. (GO-1016)

Release date: October 18, 2021

Language versions currently supported: Go: 1.16, 1.17

Bug fixes:

  • When calling bufio/bytes methods on interfaces instead of concrete types, the agent does not propagate taint. (GO-1019)

  • When custom types are printed to a http.ResponseWriter, they aren't analyzed for XSS (False Negative). (GO-1053)

Warning

This release no longer supports Go version 1.15.

Release date: September 28, 2021

Language versions currently supported: Go: 1.15, 1.16, 1.17

New and improved:

  • Support for Go major language version 1.17.

Bug fixes:

  • When converting from strings to named byte slices or byte slices to named strings, the agent loses data flow. (GO-1005)

Release date: September 22, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When an application nests http.Handlers, the agent reports route observation and responses multiple times. (GO-999)

  • When triggering dataflow rules, sink events do not correctly set up parent history. (GO-1027)

  • When reporting route observation, the request pointer changes, which breaks Assess sources. (GO-1028)

Release date: September 15, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Custom go commands can now be passed through the contrast-go executable.

Bug fixes:

  • When reporting sinks with multiple sources, the agent does not correctly attribute which fields/sources triggered the corresponding finding. (GO-950)

  • When rewriting a slice operation on a named byte slice type with methods, the build fails. (GO-991)

  • When appending data, the agent incorrectly detects if the data is tracked, resulting in no finding when reporting to TeamServer. (GO-993)

  • When dataflow events happen concurrently, the runtime panics and crashes the application. (GO-1023)

Release date: September 1, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When the application starts, the agent spawns ticker routines which continuously leak more tickers. (GO-995)

  • When sending enhanced class usage, the agent never releases previous reports and spends unnecessary resources on de-duping. (GO-996)

Release date: August 23, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When an application calls a pointer method with a value, the rewritten code copies by value not reference, changing the runtime behavior. (GO-989)

Release date: August 17, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Improve performance of rewritten code.

Bug fixes:

  • When propagating through bytes.Buffer.Read or bytes.Reader.Read, no propagation event is shown in the finding trace. (GO-993)

  • When rewriting Go function literals with return statements, the rewriter omits the returns and breaks builds. (GO-937)

  • When an error occurs during initialization of the logger, the agent shuts itself off. (GO-952)

  • When a slice of a tainted byte slice reaches a sink, the sink is not triggered (false negative). (GO-983)

Release date: August 6, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Enhanced data flow tracking, which improves agent accuracy.

Bug fixes:

  • When propagating through a circular buffer, the agent causes a stack overflow. (GO-982)

Release date: July 22, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • When an error occurs during agent initialization, more specific/detailed error messages are logged.

Release date: July 8, 2021

Language versions currently supported: Go: 1.15, 1.16

Bug fixes:

  • When using getTypeName, the rewriter does not safely handle errors and does not inject the correct packages. (GO-884)

  • When comparing types, the rewriter incorrectly compares by pointer rather than by type. (GO-885)

Release date: June 17, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Update the rewriter to only emit on exported functions, reducing the performance overhead of the rewriter itself.

Bug fixes:

  • When replacing expressions with call expressions, the agent may break addressability, resulting in a failed build. (GO-873)

  • When creating caches for rewrite, the reported tool version is not included, resulting in caches that will not be rebuilt despite agent changes. (GO-875)

  • When rewriting string slices, shadowed type names do not prevent casts from being injected, resulting in code that will not build. (GO-883)

Release date: June 15, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Updated the rewriter functionality of the agent to rely on the Go toolchain's toolexec mechanism, allowing a larger set of Go applications to be instrumented.

Release date: June 14, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Add custom SSRF sink for net/http Client.PostForm.

Release date: May 28, 2021

Language versions currently supported: Go: 1.15, 1.16

New and improved:

  • Added the ability to rewrite Go code that includes compiler directive comments, such as //go:embed, //go:nosplit and //go:noescape.

  • OSS and Assess feature support for the Go standard library.

Bug fixes:

  • The agent.logger.path and agent.logger.level config settings are now updated from the values provided by remote settings. (GO-844)