remove G113. It only affects old/unsupported versions of Go (#1328)

* don't warn on G113 (big.Rat SetString) if on an unaffected version of Go Newer versions of go (>=1.16.14, >=1.17.7, 1.18+) are not affected by this. Don't warn at all on those newer versions. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772 * alert on all known versions Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com> * remove G113 CVE-2022-23772 which only affects old/unsupport Go versions * Retire rule * gofmt --------- Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
2025-11-25 22:22:17 +02:00 · 2025-04-03 09:44:20 -05:00
parent 5fd2a37044
commit 1336dc6820
7 changed files with 35 additions and 79 deletions
--- a/rules/math_big_rat.go
+++ b/rules/math_big_rat.go
@@ -1,45 +0,0 @@
-package rules
-
-import (
-	"go/ast"
-
-	"github.com/securego/gosec/v2"
-	"github.com/securego/gosec/v2/issue"
-)
-
-type usingOldMathBig struct {
-	issue.MetaData
-	calls gosec.CallList
-}
-
-func (r *usingOldMathBig) ID() string {
-	return r.MetaData.ID
-}
-
-func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi *issue.Issue, err error) {
-	if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr == nil {
-		return nil, nil
-	}
-
-	confidence := issue.Low
-	major, minor, build := gosec.GoVersion()
-	if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 7) {
-		confidence = issue.Medium
-	}
-
-	return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil
-}
-
-// NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
-func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
-	calls := gosec.NewCallList()
-	calls.Add("math/big.Rat", "SetString")
-	return &usingOldMathBig{
-		calls: calls,
-		MetaData: issue.MetaData{
-			ID:       id,
-			What:     "Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)",
-			Severity: issue.High,
-		},
-	}, []ast.Node{(*ast.CallExpr)(nil)}
-}
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@@ -75,7 +75,6 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
 		{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},
 		{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
 		{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
-		{"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig},
 		{"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts},

 		// injection
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@@ -103,10 +103,6 @@ var _ = Describe("gosec rules", func() {
 			runner("G112", testutils.SampleCodeG112)
 		})

-		It("should detect potential uncontrolled memory consumption in Rat.SetString", func() {
-			runner("G113", testutils.SampleCodeG113)
-		})
-
 		It("should detect uses of net/http serve functions that have no support for setting timeouts", func() {
 			runner("G114", testutils.SampleCodeG114)
 		})