remove G113. It only affects old/unsupported versions of Go (#1328)
* don't warn on G113 (big.Rat SetString) if on an unaffected version of Go. Newer versions of Go (>=1.16.14, >=1.17.7, 1.18+) are not affected by this. Don't warn at all on those newer versions. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772 * alert on all known versions Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com> * remove G113 CVE-2022-23772 which only affects old/unsupported Go versions * Retire rule * gofmt --------- Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
This commit is contained in:
parent
5fd2a37044
commit
1336dc6820
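--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -138,7 +138,6 @@ directory you can supply `./...` as the input argument.
 - G110: Potential DoS vulnerability via decompression bomb
 - G111: Potential directory traversal
 - G112: Potential slowloris attack
-- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
 - G114: Use of net/http serve function that has no support for setting timeouts
 - G115: Potential integer overflow when converting between integer types
 - G201: SQL query construction using format string
@@ -172,6 +171,7 @@ directory you can supply `./...` as the input argument.
 ### Retired rules
 
 - G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772). This affected Go <1.16.14 and Go <1.17.7, which are no longer supported by gosec.
 - G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post](https://www.joeshaw.org/dont-defer-close-on-writable-files/)
 
 ### Selecting rules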
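--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -65,7 +65,6 @@ var ruleToCWE = map[string]string{
 	"G110": "409",
 	"G111": "22",
 	"G112": "400",
-	"G113": "190",
 	"G114": "676",
 	"G115": "190",
 	"G201": "89",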
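--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -278,11 +278,40 @@ var _ = Describe("Formatter", func() {
 	})
 	Context("When using different report formats", func() {
 		grules := []string{
-			"G101", "G102", "G103", "G104", "G106", "G107", "G109",
-			"G110", "G111", "G112", "G113", "G201", "G202", "G203",
-			"G204", "G301", "G302", "G303", "G304", "G305", "G401",
-			"G402", "G403", "G404", "G405", "G406", "G407", "G501",
-			"G502", "G503", "G504", "G505", "G506", "G507", "G601",
+			"G101",
+			"G102",
+			"G103",
+			"G104",
+			"G106",
+			"G107",
+			"G109",
+			"G110",
+			"G111",
+			"G112",
+			"G201",
+			"G202",
+			"G203",
+			"G204",
+			"G301",
+			"G302",
+			"G303",
+			"G304",
+			"G305",
+			"G401",
+			"G402",
+			"G403",
+			"G404",
+			"G405",
+			"G406",
+			"G407",
+			"G501",
+			"G502",
+			"G503",
+			"G504",
+			"G505",
+			"G506",
+			"G507",
+			"G601",
 		}
 
 		It("csv formatted report should contain the CWE mapping", func() {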
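--- a/<path-not-shown>
+++ /dev/null
@@ -1,45 +0,0 @@
-package rules
-
-import (
-	"go/ast"
-
-	"github.com/securego/gosec/v2"
-	"github.com/securego/gosec/v2/issue"
-)
-
-type usingOldMathBig struct {
-	issue.MetaData
-	calls gosec.CallList
-}
-
-func (r *usingOldMathBig) ID() string {
-	return r.MetaData.ID
-}
-
-func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi *issue.Issue, err error) {
-	if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr == nil {
-		return nil, nil
-	}
-
-	confidence := issue.Low
-	major, minor, build := gosec.GoVersion()
-	if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 7) {
-		confidence = issue.Medium
-	}
-
-	return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil
-}
-
-// NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
-func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
-	calls := gosec.NewCallList()
-	calls.Add("math/big.Rat", "SetString")
-	return &usingOldMathBig{
-		calls: calls,
-		MetaData: issue.MetaData{
-			ID:       id,
-			What:     "Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)",
-			Severity: issue.High,
-		},
-	}, []ast.Node{(*ast.CallExpr)(nil)}
-}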
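--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -75,7 +75,6 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
 		{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},
 		{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
 		{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
-		{"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig},
 		{"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts},
 
 		// injection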
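--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -103,10 +103,6 @@ var _ = Describe("gosec rules", func() {
 		runner("G112", testutils.SampleCodeG112)
 	})
 
-	It("should detect potential uncontrolled memory consumption in Rat.SetString", func() {
-		runner("G113", testutils.SampleCodeG113)
-	})
-
 	It("should detect uses of net/http serve functions that have no support for setting timeouts", func() {
 		runner("G114", testutils.SampleCodeG114)
 	})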
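--- a/<path-not-shown>
+++ /dev/null
@@ -1,22 +0,0 @@
-package testutils
-
-import "github.com/securego/gosec/v2"
-
-// SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
-var SampleCodeG113 = []CodeSample{
-	{[]string{`
-package main
-
-import (
-	"math/big"
-	"fmt"
-)
-
-func main() {
-	r := big.Rat{}
-	r.SetString("13e-9223372036854775808")
-
-	fmt.Println(r)
-}
-`}, 1, gosec.NewConfig()},
-}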