Around a quarter of developers using Google's open-source Go programming language have started using "generics", a much-requested feature that was missing until this year. At the same time, although developers are concerned about the security of the software supply chain, they are ill-equipped to respond to vulnerabilities.
Generics arrived in Go version 1.18, released in March, when they were described as "Go's most requested feature", so it is no surprise that they have been rapidly adopted since. According to the June 2022 Go Developer Survey, more than a quarter of the 5,752 respondents have started using generics in their Go code. Go is the 16th most popular programming language, according to developer analyst Redmonk's January 2022 ranking.
Todd Kulesza, a UX researcher on the Go team, noted in a blog post that the addition of generics was welcome, but that around a third of developers ran into limitations of the initial implementation.
Generics, or type parameter support, brings more type safety to Go and improves productivity and performance. Some 86% of respondents were aware of the generics shipped in Go 1.18 and 26% had used it, with 14% already using generics in production or released code. However, 54% said they didn’t need to use generics today, while 12% had used generics but not in production code.
Other barriers to using generics were that linters did not yet support them, while 26% said they were on a Go version earlier than 1.18 or on a Linux distribution that did not yet provide Go 1.18 packages.
On the positive side, 10% said using generics had resulted in less code duplication.
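To make the type-safety and de-duplication points concrete, here is an added example (not code from the survey or the Go team) that puts a pre-generics `interface{}` helper next to its Go 1.18 type-parameterized equivalents. The `Ordered` constraint is defined locally because Go 1.18's standard library shipped no constraints package; `Port` is a made-up named type used only to show that the `~int` term admits it.

```go
package main

import (
	"fmt"
	"strings"
)

// Ordered is a local constraint (Go 1.18 had no cmp.Ordered; that arrived
// in Go 1.21). The ~T terms also admit named types whose underlying type is T.
type Ordered interface {
	~int | ~int64 | ~uint | ~float64 | ~string
}

// maxAny is the pre-generics shape of a "works for anything" helper: it needs
// a type switch and an unexpected type is only caught at run time, as a panic.
func maxAny(a, b interface{}) interface{} {
	switch x := a.(type) {
	case int:
		if y := b.(int); y > x {
			return y
		}
		return x
	case string:
		if y := b.(string); y > x {
			return y
		}
		return x
	}
	panic("maxAny: unsupported type")
}

// Max is the type-parameterized version. The constraint makes "b > a" legal
// in the body, and a call such as Max(1, "x") is a compile error, not a panic.
func Max[T Ordered](a, b T) T {
	if b > a {
		return b
	}
	return a
}

// Filter keeps the elements of xs for which keep returns true.
// One definition replaces a hand-written copy per element type.
func Filter[T any](xs []T, keep func(T) bool) []T {
	out := make([]T, 0, len(xs))
	for _, x := range xs {
		if keep(x) {
			out = append(out, x)
		}
	}
	return out
}

// Map applies f to every element; T and U are inferred from the arguments.
func Map[T, U any](xs []T, f func(T) U) []U {
	out := make([]U, len(xs))
	for i, x := range xs {
		out[i] = f(x)
	}
	return out
}

// Dedupe removes repeats while keeping first-seen order. comparable is the
// built-in constraint for any type usable as a map key.
func Dedupe[T comparable](xs []T) []T {
	seen := make(map[T]struct{}, len(xs))
	out := make([]T, 0, len(xs))
	for _, x := range xs {
		if _, dup := seen[x]; !dup {
			seen[x] = struct{}{}
			out = append(out, x)
		}
	}
	return out
}

// Port is a hypothetical named type; the ~int term in Ordered lets Max accept it.
type Port int

func main() {
	fmt.Println(Max(3, 9), Max("go", "generics"), Max(Port(80), Port(443)))
	// Constructed sample: a module list with a repeat and a standard-library entry.
	modules := []string{"golang.org/x/text", "github.com/a/b", "golang.org/x/text", "std"}
	thirdParty := Filter(modules, func(m string) bool { return strings.Contains(m, "/") })
	fmt.Println(Dedupe(thirdParty))
	fmt.Println(Map(Dedupe(thirdParty), strings.ToUpper))
	fmt.Println(maxAny(1, 2))
	// maxAny(1.5, 2.5) compiles and then panics; Max(1.5, 2.5) simply works.
}
```

The three generic helpers are exactly the kind of per-type boilerplate that respondents reported no longer duplicating; the constraint on `Max` is where the extra type safety comes from, since the compiler rejects mismatched or unordered argument types before the program runs.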
Kulesza says concerns about vulnerabilities in Go's dependencies are a "major security issue." Only 12% of developers used techniques such as fuzz testing on Go code. Some 65% of developers used static analysis tools, but only 35% used them to look for vulnerabilities.
The survey found that 84% run security tooling in the CI/CD stage, but this is often too late in the development cycle: developers want to know about a vulnerability in a dependency before they build on it.
The Go team also launched new vulnerability management tooling this week, along with a vulnerability database for Go based on reports from Go package maintainers. Go 1.18 was also the first release to integrate fuzzing into the standard toolchain, and native Go fuzz tests are supported by Google's open-source fuzzing service, OSS-Fuzz.
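As an added illustration of the native fuzzing that shipped in Go 1.18 (this is example code, not the Go team's or the survey's), the block below pairs a small `key=value;key=value` parser with a fuzz target of the shape `go test -fuzz` runs. The parser, its `FormatKV` inverse and the round-trip property are all constructed for this example; in a real project the `FuzzParseKV` function would live in a `_test.go` file and be started with `go test -fuzz=FuzzParseKV`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"testing"
)

// ParseKV parses "k1=v1;k2=v2" into a map. A field without '=', an empty
// key or a duplicate key is an error; an empty input yields an empty map.
// Values may themselves contain '=' because Cut splits at the first one.
func ParseKV(s string) (map[string]string, error) {
	out := map[string]string{}
	if s == "" {
		return out, nil
	}
	for _, field := range strings.Split(s, ";") {
		k, v, ok := strings.Cut(field, "=") // strings.Cut is new in Go 1.18
		if !ok || k == "" {
			return nil, fmt.Errorf("ParseKV: bad field %q", field)
		}
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("ParseKV: duplicate key %q", k)
		}
		out[k] = v
	}
	return out, nil
}

// FormatKV is the inverse of ParseKV; keys are emitted in sorted order so
// the output is deterministic.
func FormatKV(m map[string]string) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + m[k]
	}
	return strings.Join(parts, ";")
}

// FuzzParseKV is a Go 1.18 native fuzz target. The f.Add calls seed the
// corpus with hand-picked edge cases; the engine then mutates them. Two
// properties are checked: ParseKV must never panic on arbitrary input, and
// anything it accepts must survive a FormatKV/ParseKV round trip unchanged.
func FuzzParseKV(f *testing.F) {
	for _, seed := range []string{"", "a=1", "a=1;b=2", "a=;b=", "a", "a=1;a=2", "=x", "a=x=y"} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, in string) {
		m, err := ParseKV(in)
		if err != nil {
			return // rejected input is fine; a panic would have failed the test
		}
		text := FormatKV(m)
		again, err := ParseKV(text)
		if err != nil {
			t.Fatalf("re-parse of %q failed: %v", text, err)
		}
		if len(again) != len(m) {
			t.Fatalf("round trip changed size: %d -> %d", len(m), len(again))
		}
		for k, v := range m {
			if again[k] != v {
				t.Fatalf("round trip changed %q: %q -> %q", k, v, again[k])
			}
		}
	})
}

func main() {
	// Constructed inputs, one valid and one with a duplicate key.
	for _, in := range []string{"user=alice;role=admin", "a=1;a=2"} {
		m, err := ParseKV(in)
		fmt.Printf("%q -> %v, err=%v\n", in, m, err)
	}
}
```

When the fuzzer does find a failing input, `go test` writes it to `testdata/fuzz/FuzzParseKV/` so the case is replayed by every later plain `go test` run, which is what turns a one-off crash into a regression test.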
These are all practices the NSA recently recommended to developers for improving software supply chain security and secure coding, in guidance developed after the 2020 SolarWinds breach.
The Go survey highlights some issues that developers are facing.
Fifty-seven percent of developers said they had difficulty evaluating the security of third-party libraries. Kulesza notes that GitHub's Dependabot or the Go team's govulncheck, which reports only vulnerabilities in code a program actually calls, can help here. In fact, Dependabot was by far the most common way respondents learned about a vulnerability in a dependency.
However, only 12% said they conducted an investigation to see whether and how their software was affected by a vulnerability. Of those who did investigate, 70% found the impact analysis the most difficult part of the process, and they also reported that it was often unplanned and unrewarded work.
The most popular code editor among Go developers was Microsoft's cross-platform Visual Studio Code (VS Code), used by 45% of respondents, followed by GoLand/IntelliJ (34%), Vim/Neovim (14%) and Emacs (3%).
Some 59% of respondents developed on a Linux machine, 52% on macOS and 23% on Windows, with 13% using the Windows Subsystem for Linux (respondents could select more than one, so the figures exceed 100%). By far the most common deployment target was Linux at 93%, followed by Windows at 16%, macOS at 13% and IoT devices at 5%.