Gosec Scanner
The BoostSecurity Gosec scanner supports the rules listed below:
Name | Id | Description |
---|---|---|
G101: Look for hard coded credentials | look-for-hard-coded-credentials | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
G102: Bind to all interfaces | bind-to-all-interfaces | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
G103: Audit the use of unsafe block | audit-use-of-unsafe-block | The program calls a function that can never be guaranteed to work safely. |
G104: Audit errors not checked | audit-errors-not-checked | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
G106: Audit the use of ssh.InsecureIgnoreHostKey | audit-use-of-ssh.insecureignorehostkey | The software performs a key exchange with an actor without verifying the identity of that actor. |
G107: Url provided to HTTP request as taint input | url-provided-to-http-request-as-taint-input | The software does not properly delimit the intended arguments, options, or switches within that command string. |
G108: Profiling endpoint automatically exposed on /debug/pprof | profiling-endpoint-exposed-on-debug | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32 | potential-integer-overflow | The software performs a calculation that can produce an integer overflow or wraparound. |
G110: Potential DoS vulnerability via decompression bomb | potential-dos-vulnerabiility-via-decompression-bomb | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
G111: Potential directory traversal | potential-directory-traversal | The software does not properly neutralize special elements within the pathname. |
G112: Potential slowloris attack | potential-slowloris-attack | The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) | G113 | The software performs a calculation that can produce an integer overflow or wraparound. |
G114: Use of net/http serve function that has no support for setting timeouts | G114 | The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
G201: SQL query construction using format string | sql-query-construction-using-format-string | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. |
G202: SQL query construction using string concatenation | sql-query-construction-using-string-concatenation | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. |
G203: Use of unescaped data in HTML templates | use-of-unescaped-data-in-html-templates | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output. |
G204: Audit use of command execution | audit-use-of-command-execution | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command. |
G301: Poor file permissions used when creating a directory | poor-file-permissions-used-when-creating-a-directory | During installation, installed file permissions are set to allow anyone to modify those files. |
G302: Poor file permissions used with chmod | poor-file-permissions-used-with-chmod | During installation, installed file permissions are set to allow anyone to modify those files. |
G303: Creating tempfile using a predictable path | creating-tempfile-using-predictable-path | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
G304: File path provided as taint input | file-path-provided-as-taint-input | The software does not properly neutralize special elements within the pathname. |
G305: File traversal when extracting zip/tar archive | G305 | The software does not properly neutralize special elements within the pathname. |
G306: Poor file permissions used when writing to a new file | poor-file-permissions | During installation, installed file permissions are set to allow anyone to modify those files. |
G307: Deferring a method which returns an error | G307 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
G401: Detect the usage of DES, RC4, MD5 or SHA1 | G401 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
G402: Look for bad TLS connection settings | G402 | The software does not validate, or incorrectly validates, a certificate. |
G403: Ensure minimum RSA key length of 2048 bits | ensure-minimum-rsa-key-length | The code contains a weakness related to the design and implementation of data confidentiality and integrity. |
G404: Insecure random number source (rand) | insecure-random-number-source | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
G501: Import blocklist: crypto/md5 | crypto-md5 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
G502: Import blocklist: crypto/des | crypto-des | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
G503: Import blocklist: crypto/rc4 | G503 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
G504: Import blocklist: net/http/cgi | G504 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
G505: Import blocklist: crypto/sha1 | G505 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
G601: Implicit memory aliasing of items from a range statement | G601 | The software does not restrict or incorrectly restricts operations within the boundaries of a resource. |