Blog

Announcing Go support in Trusty: Vet the safety of your open source Go dependencies

Author: Stacklok
/
7 mins read
/
Feb 9, 2024
/ Subscribe

We’re excited to announce support for Go packages in Trusty! Go developers can now use Trusty to vet the safety and trustworthiness of their dependencies. With Go, Trusty now supports five major package ecosystems, along with Java, JavaScript, Rust, and Python. 

The benefits of Go  

Go is the language of choice for modern microservices and many cloud native ecosystem projects. It’s flexible, easy to use, and has built-in productivity features for developers like a rich standard library, and built-in testing support.

The Go community has also been thoughtful about package security. For example, Go packages are imported via their source URL. This means there’s a verifiable link from the package to its source code, so that you can inspect the code and verify that the software is what it says it is, and does what it says it will do. (For more on why software provenance matters, read CTO Luke Hinds’ blog post here.) 

How we’re scoring Go packages in Trusty 

When it comes to determining whether an open source package is safe to use, there are other factors beyond provenance to consider. One key factor is whether the package is being actively maintained, and if it has a strong community behind it. It’s a best practice to verify that an open source package doesn’t have any known CVEs when you import it. But you also want to make sure that the package’s maintainers are likely to be around in the future to patch CVEs when they inevitably occur. 

In Trusty, we’ve indexed popular Go packages and scored them on safety factors including repo and author activity, using statistical analysis of public GitHub data like stars, forks, watchers, open issues, and the number of followers of the repo’s contributors. A package’s Trusty Score can give you a quick signal as to whether you’re taking a dependency on active and non-malicious software.

Example of the Trusty Score for a little Go project you might have heard of before

Here are the factors that contribute to a Go project’s overall Trusty Score:

  • Repo Activity Score: A relative ranking of the level of activity within the package’s primary repository, based on statistical analysis.

  • Author Activity Score: A relative aggregate rank of the top contributors to the repository, based on statistical analysis. 

  • Typosquatting: Indicates whether a package is likely to be a “typosquat,” the practice of malicious actors who give their packages a slightly similar name to a reputable package, with the intention of tricking developers into installing a malicious package.

  • Proof of Origin (Provenance): Indicates the strength of the link between a published package and its source repository. 

    • For Go packages, this score is always a 10, since the packages are imported via their source URL.

Trusty scoring in action

Let’s take a closer look at some popular Go open source packages (from the great list at @avelino/awesome-go) and how they’ve been scored. 

BigCache (an efficient cache for gigabytes of data): Trusty Score of 7.2

  • BigCache has 63 contributors and 7,000 stars, so it has high scores for repo and author activity.

BigCache Trusty Score details

Bleve (modern text indexing library): Trusty Score of 7.4

  • With 246 open issues, 85 contributors, and nearly 10,000 GitHub stars, Bleve also ranks highly for repo and author activity.

Bleve Trusty Score details

Prometheus (monitoring system and time series database): Trusty Score of 8.7

  • Prometheus is a really popular and widely used CNCF project, so it’s not surprising that it has a high Trusty Score. Prometheus has over 50k GitHub stars and many open issues and contributors, so its repo score is especially high. Its author activity score is slightly lower, which could indicate that some contributors to the project are not as active on GitHub and may not contribute frequently.

Prometheus Trusty Score details

Now, let’s take a look at a package with a low Trusty Score. Groundup is an open source dashboard that generates code for apps written in Go. It has a Trusty Score of just 1.9:

Groundup on Trusty

When we take a closer look at the score details here, we can see that Groundup has low repo and author activity scores. That’s because there are 0 open issues, 12 followers, and only 2 contributors to this project—one of whom hasn’t had any activity on GitHub in the past year. These are helpful signals for a developer who may be considering taking a critical dependency on this project. 

Groundup Trusty Score details

Some questions you might be asking 

I’m a Go developer. How can Trusty help me?

Like many developers, you’re probably using Google or Go’s package manager to find a package. You’ll get a lot of good information that way, but you won’t necessarily be able to tell whether the package is being well maintained and has a strong community behind it. You can use Trusty’s web app to vet an open source Go package before you use it, and get a better signal as to whether it’s “safe” to use from a security and activity perspective. 

I’m a maintainer of an open source Go project. What can I do to improve my project’s Trusty Score?

Great question! As you can see from above, Trusty scores are highest for Go projects with strong communities and active, connected contributors, so if you’re actively maintaining and improving your project, your Trusty Score should naturally be high. But if you’re looking for specific ways to improve your score, here are a few tips that can help:

  1. Keep growing and contributing to your project! Trusty looks at the number of open issues, the number of repositories in your project, watchers, and star count, among other activity factors. Regular releases, updates, and additions to your project shows users that your project is active and also factors into your repo and author scores. 

  2. Contribute to other projects on GitHub. Trusty’s scoring favors authors who also contribute to other projects on GitHub, with the idea that, if a person is contributing frequently across GitHub, they’re more likely to keep their project maintained. 

  3. Continue to grow your community. A project with a healthy number of contributors who are actively submitting issues and PRs—as well as users watching and following the repo—is likely to have a high Trusty Score. Using free, community-oriented tools like Discord and Mastodon; speaking at open source conferences; and posting about your project on sites like Dev.to and Reddit are all good ways to help promote and grow your project. 

You can also give us feedback on your project’s score—join our Discord channel to chat with our product team. 

See our documentation here for a full breakdown of how Trusty scores are calculated.  

Hmm, I can’t find the Go package that I’m looking for in Trusty.

To start, we’ve indexed the top 1,000 most popular Go packages (based on packages that have the highest number of GitHub stars, and that have go.mod files). Trusty can index new packages on demand, though, so when you search for a package that we haven’t yet indexed, you’ll see an option to access it using a link. When you click on that link, Trusty will create a page for that package and start pulling in the data.

What’s next for Trusty?

We’re continuously adding new capabilities and scoring dimensions in Trusty to make this service more useful for you. A few features that are next on our roadmap include:

  • Sigstore provenance for Python and Rust packages

  • Inclusion of vulnerability data (from osv.dev) and license information

  • Showing a package’s dependencies, and what other packages depend on it

Check out our full roadmap for Trusty here. Let us know what features you’d like to see next—join our Discord channel to share your feedback! 

Visit trustypkg.dev to look up dependencies for your next Go project!

Stacklok has contributed Minder to the OpenSSF out of a deep belief in the power of the open source community

Luke Hinds /
Oct 28, 2024
Continue Reading
This Month in Minder - September 2024

This Month in Minder: September 2024

Stacklok /
Sep 26, 2024
Continue Reading
Flexible policy enforcement with Minder profile selectors

Flexible policy enforcement with Minder profile selectors

Dan Barr /
Sep 19, 2024
Continue Reading