Adapting Go security tools to the Gno ecosystem

[kristovatlas]

In this thread we'll enumerate open source Go security tools that are good candidates for adapting to the Gno ecosystem.

[kristovatlas]

A few tools I'd like to include in this thread:

• GoSec: A static analysis tool specializing in Go code that identifies security vulnerabilities such as SQL injection, XSS, and more.

• SonarQube's SLang framework for Go: Integrates with Go projects to perform static code analysis, detecting bugs, vulnerabilities, and code smells. It may be relatively easy to configure the Go Plugin to analyze Gno.

• GoLint: Provides suggestions for improving Go code based on coding standards and best practices, helping to catch potential security issues early. There is already an open issue concerning a Gno linter here: gno-specific code linters gno#850 And the source for the gno lint command: https://github.com/gnolang/gno/blob/aa9c64a110e1aec33388e6d2688d7a5f0528823f/gnovm/cmd/gno/lint.go So probably we don't need any new linting tools

• Go-Audit: Analyzes Go binaries to ensure they are built with secure configurations and dependencies.

• go test -fuzz

• https://github.com/KyleBanks/depth

Note concerning dependencies: At first we will want to detect the use of vulnerable Go libraries in Gno code. We may also want a tool that is useful for searching open source modules for similarity if it becomes popular at all to copy/paste code from Go to Gno, since such code is likely to carry forward vulnerabilities and not keep up with security patches. Later as we reach greater clarity about Gno dependencies, we'll want to track vulnerabilities in Gno as well in a similar fashion as is done with Go; probably first we need some more clarity about how we will handle code upgrades.

For all code analysis tools, we can get a lot of useful information by simply looking for Go issues in Gno, and then later we can make the tools aware of what's special about Gno.