{"id":26633522,"url":"https://github.com/chains-project/gosurf","last_synced_at":"2025-03-24T15:15:20.843Z","repository":{"id":229841791,"uuid":"774916873","full_name":"chains-project/GoSurf","owner":"chains-project","description":"Static analyzer to find locations to hide malicious code in Go ","archived":false,"fork":false,"pushed_at":"2024-10-03T16:24:39.000Z","size":34560,"stargazers_count":4,"open_issues_count":5,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-24T15:15:15.695Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-20T12:40:05.000Z","updated_at":"2024-12-06T12:41:22.000Z","dependencies_parsed_at":"2024-06-21T11:45:10.092Z","dependency_job_id":"5b4a9f5b-3955-450f-961b-a42c42a53a98","html_url":"https://github.com/chains-project/GoSurf","commit_stats":null,"previous_names":["chains-project/capslock-analysis","chains-project/gosurface","chains-project/gosurf"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2FGoSurf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2FGoSurf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2FGoSurf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2FGoSurf/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains-project","download_url":"https://codeload.github.com/chains-project/GoSurf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245294721,"owners_count":20591909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-24T15:15:19.147Z","updated_at":"2025-03-24T15:15:20.830Z","avatar_url":"https://github.com/chains-project.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":" # GoSurf 🏄\n\nGoSurf is a tool that analyzes the potential attack surface of open-source Go packages and modules. 
It looks for occurrences of various features and constructs that could potentially introduce security risks, known as attack vectors.\n\nSee the paper [GoSurf: Identifying Software Supply Chain Attack Vectors in Go (SCORED 2024)](http://arxiv.org/pdf/2407.04442) ([doi:10.1145/3689944.3696166](https://doi.org/10.1145/3689944.3696166))\n\n## Repository Structure\n\n- **attack_vectors**: This folder contains an analysis of 12 different attack vectors in Go, along with their respective proof-of-concept implementations.\n- **experiments**: This folder contains scripts and results for attack surface analysis of different Go modules.\n    - *popular10* contains experiments on the 10 most popular Go modules.\n    - *top500* contains experiments on the 500 most imported Go modules.\n- **libs**: This folder contains utility functions used by the GoSurf tool.\n- **template**: This folder contains HTML templates used by the experiment scripts to print results.\n- **gosurf.go**: The `gosurf.go` file is the entry point for the GoSurf tool, which allows you to analyze a Go module and identify all the defined attack vectors, effectively framing the attack surface through Abstract Syntax Tree (AST) analysis.\n\n## Simple Usage\n\nTo use the GoSurf tool, follow these steps:\n\n```bash\n# Clone the repository\ngit clone https://github.com/chains-project/GoSurf.git\n\n# Navigate to the cloned GoSurf directory\ncd GoSurf\n\n# Build the tool\ngo build\n\n# Analyze the github.com/ethereum/go-ethereum module\n./gosurf $GOPATH/pkg/mod/github.com/ethereum/go-ethereum@v1.13.14\n```\n\nThe tool will analyze the specified module and its direct dependencies,\nidentifying occurrences of the defined attack vectors, and print results on the CLI.\n\n## Experiments\n\n#### Analyze Top 500 most imported modules\nThe `top500/run_exp.go` script in the experiments folder allows for automating large-scale analysis on the 500 most imported Go modules using the GoSurf library. 
To use this script, simply run:\n\n```bash\ncd experiments/top500\ngo run run_exp.go\n```\n\nThe results for the analysis will be reported in the `experiments/top500/results` folder in HTML format.\n\n#### Analyze a custom list of modules\nThe `popular10/run_exp.go` script in the experiments folder allows for customized analysis on a set of selected packages. To use this script, insert a list of \"go_module_name version\" entries in a text file.\n\nTwo experiments are pre-configured to run:\n\n- **Experiment 1**: Analyzes 10 popular Go projects. The project names and versions are contained in the `urls_exp1.txt` file. To run this experiment, execute:\n\n```bash\ncd experiments/popular10\ngo run run_exp.go exp1\n```\n\n- **Experiment 2**: Performs a differential analysis over versions for a single Go project (Kubernetes). The project name and versions to be analyzed are contained in the `urls_exp2.txt` file. To run this experiment, execute:\n\n```bash\ncd experiments/popular10\ngo run run_exp.go exp2\n```\n\nThe results for the analysis will be reported in the `experiments/popular10/results` folder in HTML format.\n\n\u003e[!NOTE]\n\u003eThese programs assume a [**Libraries.io API token**](https://libraries.io/api) stored in the environment variable `LIBRARIESIO_TOKEN`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fgosurf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fgosurf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fgosurf/lists"}