remove G113. It only affects old/unsupported versions of Go (#1328)

* don't warn on G113 (big.Rat SetString) if on an unaffected version of Go Newer versions of go (>=1.16.14, >=1.17.7, 1.18+) are not affected by this. Don't warn at all on those newer versions. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772 * alert on all known versions Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com> * remove G113 CVE-2022-23772 which only affects old/unsupport Go versions * Retire rule * gofmt --------- Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
2025-06-10 23:27:41 +02:00 · 2025-04-03 09:44:20 -05:00 · 2025-04-03 09:44:20 -05:00 · 1336dc6820
commit 1336dc6820
parent 5fd2a37044
7 changed files with 35 additions and 79 deletions
--- a/README.md
+++ b/README.md
@ -138,7 +138,6 @@ directory you can supply `./...` as the input argument.
 - G110: Potential DoS vulnerability via decompression bomb
 - G111: Potential directory traversal
 - G112: Potential slowloris attack
 - G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
 - G114: Use of net/http serve function that has no support for setting timeouts
 - G115: Potential integer overflow when converting between integer types
 - G201: SQL query construction using format string
@ -172,6 +171,7 @@ directory you can supply `./...` as the input argument.
 ### Retired rules
 - G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
 - G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772). This affected Go <1.16.14 and Go <1.17.7, which are no longer supported by gosec. 
 - G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post](https://www.joeshaw.org/dont-defer-close-on-writable-files/)
 ### Selecting rules
--- a/issue/issue.go
+++ b/issue/issue.go
@ -65,7 +65,6 @@ var ruleToCWE = map[string]string{
 	"G110": "409",
 	"G111": "22",
 	"G112": "400",
 	"G113": "190",
 	"G114": "676",
 	"G115": "190",
 	"G201": "89",
--- a/report/formatter_test.go
+++ b/report/formatter_test.go
@ -278,11 +278,40 @@ var _ = Describe("Formatter", func() {
 	})
 	Context("When using different report formats", func() {
 		grules := []string{
-			"G101", "G102", "G103", "G104", "G106", "G107", "G109",
+			"G101",
-			"G110", "G111", "G112", "G113", "G201", "G202", "G203",
+			"G102",
-			"G204", "G301", "G302", "G303", "G304", "G305", "G401",
+			"G103",
-			"G402", "G403", "G404", "G405", "G406", "G407", "G501",
+			"G104",
-			"G502", "G503", "G504", "G505", "G506", "G507", "G601",
+			"G106",
 			"G107",
 			"G109",
 			"G110",
 			"G111",
 			"G112",
 			"G201",
 			"G202",
 			"G203",
 			"G204",
 			"G301",
 			"G302",
 			"G303",
 			"G304",
 			"G305",
 			"G401",
 			"G402",
 			"G403",
 			"G404",
 			"G405",
 			"G406",
 			"G407",
 			"G501",
 			"G502",
 			"G503",
 			"G504",
 			"G505",
 			"G506",
 			"G507",
 			"G601",
 		}
 		It("csv formatted report should contain the CWE mapping", func() {
--- a/rules/math_big_rat.go
+++ b/rules/math_big_rat.go
@ -1,45 +0,0 @@
 package rules
 import (
 	"go/ast"
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/issue"
 )
 type usingOldMathBig struct {
 	issue.MetaData
 	calls gosec.CallList
 }
 func (r *usingOldMathBig) ID() string {
 	return r.MetaData.ID
 }
 func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi *issue.Issue, err error) {
 	if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr == nil {
 		return nil, nil
 	}
 	confidence := issue.Low
 	major, minor, build := gosec.GoVersion()
 	if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 7) {
 		confidence = issue.Medium
 	}
 	return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil
 }
 // NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
 func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
 	calls := gosec.NewCallList()
 	calls.Add("math/big.Rat", "SetString")
 	return &usingOldMathBig{
 		calls: calls,
 		MetaData: issue.MetaData{
 			ID:       id,
 			What:     "Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)",
 			Severity: issue.High,
 		},
 	}, []ast.Node{(*ast.CallExpr)(nil)}
 }
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@ -75,7 +75,6 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
 		{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},
 		{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
 		{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
 		{"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig},
 		{"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts},
 		// injection
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@ -103,10 +103,6 @@ var _ = Describe("gosec rules", func() {
 			runner("G112", testutils.SampleCodeG112)
 		})
 		It("should detect potential uncontrolled memory consumption in Rat.SetString", func() {
 			runner("G113", testutils.SampleCodeG113)
 		})
 		It("should detect uses of net/http serve functions that have no support for setting timeouts", func() {
 			runner("G114", testutils.SampleCodeG114)
 		})
--- a/testutils/g113_samples.go
+++ b/testutils/g113_samples.go
@ -1,22 +0,0 @@
 package testutils
 import "github.com/securego/gosec/v2"
 // SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
 var SampleCodeG113 = []CodeSample{
 	{[]string{`
 package main
 import (
 	"math/big"
 	"fmt"
 )
 func main() {
 	r := big.Rat{}
 	r.SetString("13e-9223372036854775808")
 	fmt.Println(r)
 }
 `}, 1, gosec.NewConfig()},
 }