Saint Zero Day
Posted on May 30

My test suite was green. My software was lying to me.

#go #security #testing #devops

My CI was green. 1,885 tests, 66 packages, zero failures. go vet clean. The build was a single self-contained binary. By every signal a Go project gives you, it worked.

Then I pointed it at something real, and watched it lie to my face.

This is the story of six bugs I found in my own security platform — ZDS Core — by refusing to trust a green checkmark. Five of the six belonged to the same scary family: the code reported success and stored nothing. No error. No stack trace. A 200 OK and an empty database.

If you ship anything that ingests data from the outside world, you have at least one of these right now. Let me show you what they look like.

The setup: test against reality, not fixtures

ZDS Core is a security platform written in Go — vulnerability scanning, an endpoint agent, EDR integrations, vuln-data feeds, compliance exports, the works. My unit tests were thorough. They were also, I realized, all talking to fixtures and in-memory SQLite. They proved my logic. They proved nothing about what happens when a real Wazuh server, a real OpenSearch cluster, or a real CVE feed shows up with data shaped slightly differently than I assumed.

So I spent a weekend wiring up the real things:

- podman containers for an nginx target, a Wazuh 4.7 manager, an OpenSearch node
- nmap for actual scanning
- Live feeds: CISA KEV, FIRST.org EPSS, Google OSV, NVD
- The endpoint agent running on my actual Fedora box

Rule for the weekend: "it ran" is not a pass. Data has to land, and it has to be correct.

Then I went looking for lies.

Bug #1 — The endpoint agent that threw everything away

The agent registered with the server. It collected 2,343 software packages and a pile of open ports off my machine. The server logged "results accepted" for every batch. The agent was happy. I was happy.

The software table had zero rows.

failed to insert port finding 38810/udp: FOREIGN KEY con
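
The failure class from Bug #1, as an added Go example that is not ZDS Core code: one ingest path logs the failed insert and still answers 200, the other counts the rows that landed and fails the request when the count does not match the batch. The names `Port`, `store`, `ingestSilent` and `ingestChecked`, the in-memory store, and the missing parent row as the cause are assumptions made for illustration.

```go
package main

import "fmt"

type Port struct { // constructed stand-in for one agent finding, not ZDS Core code
	AssetID, Number int
	Proto           string
}

// store maps registered asset IDs to port rows; an unknown ID acts as the FK failure.
type store map[int][]Port

func (s store) insert(p Port) error {
	if _, ok := s[p.AssetID]; !ok {
		return fmt.Errorf("foreign key violation: no asset %d", p.AssetID)
	}
	s[p.AssetID] = append(s[p.AssetID], p)
	return nil
}

// ingestSilent logs each failed insert, then reports the batch as accepted.
func ingestSilent(s store, batch []Port) int {
	for _, p := range batch {
		if err := s.insert(p); err != nil {
			fmt.Printf("failed to insert port finding %d/%s: %v\n", p.Number, p.Proto, err)
		}
	}
	return 200
}

// ingestChecked counts rows that landed and fails the request if any were lost.
func ingestChecked(s store, batch []Port) (status, stored int, err error) {
	for _, p := range batch {
		if e := s.insert(p); e != nil {
			err = e // remember the most recent cause
			continue
		}
		stored++
	}
	if stored != len(batch) {
		return 500, stored, fmt.Errorf("stored %d of %d rows: %w", stored, len(batch), err)
	}
	return 200, stored, nil
}

func main() {
	batch := []Port{{7, 38810, "udp"}, {7, 22, "tcp"}} // constructed; asset 7 is unregistered
	fmt.Println(ingestSilent(store{}, batch))
	fmt.Println(ingestChecked(store{}, batch))
}
```

An integration test that asserts on the stored count after each accepted batch catches the first path; asserting only on the status code does not.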
