Added new rule G407(hardcoded IV/nonce)

The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms: * The different modes of AES (mainly tested here) * It should be able to work with ascon Currently the rules doesn't check when constant variables are used. TODO: Improve the rule, to detected for constatant variable usage
2025-06-14 23:45:03 +02:00 · 2024-08-14 17:07:59 +02:00
parent 4ae73c8ba3
commit 0eb8143c23
9 changed files with 889 additions and 2 deletions
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@ -187,6 +187,66 @@ var _ = Describe("gosec rules", func() {
 			runner("G406", testutils.SampleCodeG406b)
 		})

+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407b)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407c)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407d)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407e)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407f)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407g)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407h)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407i)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407j)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407k)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407l)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407m)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407n)
+		})
+
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407o)
+		})
+
 		It("should detect blocklisted imports - MD5", func() {
 			runner("G501", testutils.SampleCodeG501)
 		})