diff --git a/README.md b/README.md
index 019a53e..cbd614b 100644
--- a/README.md
+++ b/README.md
@@ -138,7 +138,6 @@ directory you can supply `./...` as the input argument.
- G110: Potential DoS vulnerability via decompression bomb
- G111: Potential directory traversal
- G112: Potential slowloris attack
-- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
- G114: Use of net/http serve function that has no support for setting timeouts
- G115: Potential integer overflow when converting between integer types
- G201: SQL query construction using format string
@@ -172,6 +171,7 @@ directory you can supply `./...` as the input argument.
### Retired rules
- G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772). This affected Go <1.16.14 and Go <1.17.7, which are no longer supported by gosec.
- G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post](https://www.joeshaw.org/dont-defer-close-on-writable-files/)
### Selecting rules
diff --git a/issue/issue.go b/issue/issue.go
index 6227db6..b7c804e 100644
--- a/issue/issue.go
+++ b/issue/issue.go
@@ -65,7 +65,6 @@ var ruleToCWE = map[string]string{
"G110": "409",
"G111": "22",
"G112": "400",
- "G113": "190",
"G114": "676",
"G115": "190",
"G201": "89",
diff --git a/report/formatter_test.go b/report/formatter_test.go
index ad22ee0..ada9719 100644
--- a/report/formatter_test.go
+++ b/report/formatter_test.go
@@ -278,11 +278,40 @@ var _ = Describe("Formatter", func() {
})
Context("When using different report formats", func() {
grules := []string{
- "G101", "G102", "G103", "G104", "G106", "G107", "G109",
- "G110", "G111", "G112", "G113", "G201", "G202", "G203",
- "G204", "G301", "G302", "G303", "G304", "G305", "G401",
- "G402", "G403", "G404", "G405", "G406", "G407", "G501",
- "G502", "G503", "G504", "G505", "G506", "G507", "G601",
+ "G101",
+ "G102",
+ "G103",
+ "G104",
+ "G106",
+ "G107",
+ "G109",
+ "G110",
+ "G111",
+ "G112",
+ "G201",
+ "G202",
+ "G203",
+ "G204",
+ "G301",
+ "G302",
+ "G303",
+ "G304",
+ "G305",
+ "G401",
+ "G402",
+ "G403",
+ "G404",
+ "G405",
+ "G406",
+ "G407",
+ "G501",
+ "G502",
+ "G503",
+ "G504",
+ "G505",
+ "G506",
+ "G507",
+ "G601",
}
It("csv formatted report should contain the CWE mapping", func() {
diff --git a/rules/math_big_rat.go b/rules/math_big_rat.go
deleted file mode 100644
index 1aac1fa..0000000
--- a/rules/math_big_rat.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package rules
-
-import (
- "go/ast"
-
- "github.com/securego/gosec/v2"
- "github.com/securego/gosec/v2/issue"
-)
-
-type usingOldMathBig struct {
- issue.MetaData
- calls gosec.CallList
-}
-
-func (r *usingOldMathBig) ID() string {
- return r.MetaData.ID
-}
-
-func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi *issue.Issue, err error) {
- if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr == nil {
- return nil, nil
- }
-
- confidence := issue.Low
- major, minor, build := gosec.GoVersion()
- if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 7) {
- confidence = issue.Medium
- }
-
- return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil
-}
-
-// NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
-func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
- calls := gosec.NewCallList()
- calls.Add("math/big.Rat", "SetString")
- return &usingOldMathBig{
- calls: calls,
- MetaData: issue.MetaData{
- ID: id,
- What: "Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)",
- Severity: issue.High,
- },
- }, []ast.Node{(*ast.CallExpr)(nil)}
-}
diff --git a/rules/rulelist.go b/rules/rulelist.go
index 13f29f7..3f85980 100644
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@@ -75,7 +75,6 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},
{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
- {"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig},
{"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts},
// injection
diff --git a/rules/rules_test.go b/rules/rules_test.go
index 9a7d65a..0f5314b 100644
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@@ -103,10 +103,6 @@ var _ = Describe("gosec rules", func() {
runner("G112", testutils.SampleCodeG112)
})
- It("should detect potential uncontrolled memory consumption in Rat.SetString", func() {
- runner("G113", testutils.SampleCodeG113)
- })
-
It("should detect uses of net/http serve functions that have no support for setting timeouts", func() {
runner("G114", testutils.SampleCodeG114)
})
diff --git a/testutils/g113_samples.go b/testutils/g113_samples.go
deleted file mode 100644
index e672896..0000000
--- a/testutils/g113_samples.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package testutils
-
-import "github.com/securego/gosec/v2"
-
-// SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
-var SampleCodeG113 = []CodeSample{
- {[]string{`
-package main
-
-import (
- "math/big"
- "fmt"
-)
-
-func main() {
- r := big.Rat{}
- r.SetString("13e-9223372036854775808")
-
- fmt.Println(r)
-}
-`}, 1, gosec.NewConfig()},
-}