About a quarter of developers using Google’s open source Go programming language have started using “generics” — a highly demanded feature that was missing until this year — and while developers worry about supply chain security, they’re ill equipped to respond to vulnerabilities.
Go gained generics in Go 1.18, released in March, when it was described as "Go's most often requested feature", so it is not surprising that it has been adopted quickly. According to the June 2022 Go developer survey, over a quarter of the 5,752 respondents have started using generics in their Go code. Go is the 16th most popular programming language according to developer analyst firm RedMonk's January 2022 rankings.
Todd Kulesza, a UX designer on Go, wrote in a blog post that the addition of generics was welcome, but that about a third of developers are running into limitations of its initial implementation.
Generics, or support for type parameters, brings more type safety to Go and improves productivity and performance. Some 86% of respondents were aware generics shipped in Go 1.18 and 26% had used it, with 14% already using generics in production or released code. However, 54% said they didn’t need to use generics today, while 12% had used generics but not in production code.
Other obstacles to using generics were that linters didn't support them, while 26% reported using a pre-1.8 release or being on a Linux distribution that didn't provide Go 1.18 packages.
But 10% reported that using generics had resulted in less code duplication.
Kulesza says worries over vulnerabilities in Go dependencies are a "top security concern". Only 12% of developers were using tools like fuzz testing on Go code. A sizable 65% of developers were using static analysis tools, but only 35% of them used those tools to find vulnerabilities.
The survey found that 84% use security tooling at CI/CD time, but this is often too late in the development cycle: developers want to be notified about a vulnerability in a dependency before building on it.
The Go team this week also launched new vulnerability management tools and a vulnerability database for Go based on data from Go package maintainers. Go 1.18 was also the first version to feature fuzzing in its standard toolchain, and Go's native fuzz tests are supported by Google's open source fuzzing tool OSS-Fuzz.
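To show what native Go fuzzing (Go 1.18 and later) looks like in practice, here is an added example that is not part of the article or of the Go project's own code. It defines a small, hypothetical length-prefixed record format with an `Encode`/`Decode` pair that rejects truncated or over-long input, and a `FuzzDecode` target that asks the fuzzer to find any input that either crashes the decoder or breaks the decode-then-encode round trip. The format, function names and seed inputs are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"testing"
)

// Hypothetical wire format for this example: a big-endian uint16 length
// followed by exactly that many payload bytes. Not a real protocol.
var (
	errTruncated = errors.New("record: truncated input")
	errTrailing  = errors.New("record: trailing bytes after payload")
	errTooLong   = errors.New("record: payload exceeds 65535 bytes")
)

// Encode writes one record. Payloads the 16-bit length field cannot
// represent are refused rather than silently wrapped.
func Encode(payload []byte) ([]byte, error) {
	if len(payload) > 0xFFFF {
		return nil, errTooLong
	}
	out := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(out, uint16(len(payload)))
	copy(out[2:], payload)
	return out, nil
}

// Decode parses one record. Every length check here is the kind of check
// a fuzzer will exercise; a missing one shows up as an index panic.
func Decode(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, errTruncated
	}
	n := int(binary.BigEndian.Uint16(b))
	switch {
	case len(b)-2 < n:
		return nil, errTruncated
	case len(b)-2 > n:
		return nil, errTrailing
	}
	// Copy so the caller never aliases the input buffer.
	return append([]byte(nil), b[2:2+n]...), nil
}

// FuzzDecode is a Go 1.18 native fuzz target. The seed corpus added with
// f.Add is mutated by the fuzzing engine; any mutated input that panics
// or fails the round-trip property is saved as a failing test case.
// In a real project this function lives in a _test.go file and runs with
// `go test -fuzz=FuzzDecode`; it is kept in one file here for illustration.
func FuzzDecode(f *testing.F) {
	f.Add([]byte{0x00, 0x00})                 // empty payload
	f.Add([]byte{0x00, 0x03, 'a', 'b', 'c'})  // well-formed record
	f.Add([]byte{0xFF, 0xFF})                 // length claims 65535, has 0
	f.Fuzz(func(t *testing.T, data []byte) {
		payload, err := Decode(data)
		if err != nil {
			return // malformed input must be rejected, never crash
		}
		re, err := Encode(payload)
		if err != nil {
			t.Fatalf("re-encoding a decoded payload failed: %v", err)
		}
		if !bytes.Equal(re, data) {
			t.Fatalf("round trip mismatch: got %x, want %x", re, data)
		}
	})
}

func main() {
	// Constructed inputs: one valid record, one truncated, one with trailing bytes.
	for _, in := range [][]byte{
		{0x00, 0x03, 'a', 'b', 'c'},
		{0x00, 0x05, 'a'},
		{0x00, 0x01, 'a', 'b'},
	} {
		p, err := Decode(in)
		fmt.Printf("%x -> payload %q, err %v\n", in, p, err)
	}
}
```

The round-trip property is what makes the target useful beyond crash detection: an off-by-one in either direction that does not panic would still fail the `bytes.Equal` check, and the engine keeps the minimised input so the failure is reproducible.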
These are all activities the NSA recently recommended for developers to do to improve software supply chain security and secure coding practices, which came into focus after the 2020 SolarWinds breach.
The Go survey highlights some problems developers face.
Fifty-seven percent of developers reported having difficulty evaluating the security of third-party libraries. Kulesza notes that GitHub's Dependabot or the Go team's govulncheck can assist here. In fact, Dependabot was by far the most common way respondents learned of a vulnerability in a dependency.
However, only 12% reported conducting an investigation to see whether and how their software was affected by a vulnerability. The survey found that 70% of those who did investigate a vulnerability's impact found the impact analysis itself the most challenging part of the process. They also reported that it was often unplanned and unrewarded work.
The most popular code editor for Go developers was Microsoft’s cross-platform Visual Studio Code (VS Code), which is used by 45% of respondents, followed by GoLand/IntelliJ (34%), Vim/Neovim (14%), and Emacs (3%).
Some 59% of respondents developed on a Linux machine, followed by 52% on macOS, and 23% on Windows, with 13% using the Windows Subsystem for Linux. By far the most common platform to target was Linux at 93%, followed by Windows at 16%, macOS at 13%, and IoT devices at 5%.