RuleDescriptionExampleKPI
G102-BindToAllInterfacesBinding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. This check looks for a string pattern “0.0.0.0” that may indicate a hardcoded binding to all network interfaces.This exposes the running instance to any attackers reachable via the interface they didn't expect to be listening on.
For example: If a user wants to run a setup locally or on any other instance, they may specify to run on "localhost"(or any other specified ip). But if "0.0.0.0" is used, it makes the port accessible on all network interfaces.		 //non-compliant code

package main
import (
"log"
"net"
)
func main() {
l, err := net.Listen("tcp", "0.0.0.0:2000") //non-compliant
if err != nil {
log.Fatal(err)
}
defer l.Close()
}



// compliant code


package main
import (
"log"
"net"
)
func main() {
l, err := net.Listen("tcp", "123.123.12.1:2000") //compliant
if err != nil {
log.Fatal(err)
}
defer l.Close()
}		Security- [Source](https://github.com/securego/gosec#available-rules)
- [OWASP Top 10 2007 Category A6](https://www.martellosecurity.com/kb/mitre/cwe/717/) - Information Leakage and Improper Error Handling
- [CWE-200](http://cwe.mitre.org/data/definitions/200.html) - Exposure of Sensitive Information to an Unauthorized Actor
- [CWE-605](https://cwe.mitre.org/data/definitions/605.html) - Multiple Binds to the Same Port
G103-AuditTheUseOfUnsafeBlockDo not import package "unsafe".Using the "unsafe" package in Go gives flexibility to the attacker of your application.The pointer arithmetic is one of the examples from the unsafe package which can be used for data leak, memory corruption or even execution of attackers own script.Also the "unsafe" package is not protected by "Go 1 compatibility guidelines".//non-compliant code


package main
import (
"fmt"
"unsafe"
)
type Fake struct{}
func (Fake) Good() {}
func main() {
unsafeM := Fake{}
unsafeM.Good()
fmt.Printf("unsafe package is imported.")


//compliant code

package main
import (
"fmt"
)
type Fake struct{}
func (Fake) Good() {}
func main() {

fmt.Printf("Do not import packaged unsafe.")

Security- [Source](https://github.com/securego/gosec#available-rules)
- [CWE-242](https://cwe.mitre.org/data/definitions/242.html) - Use of Inherently Dangerous Function
G104-AuditErrorsNotCheckedA really useful feature of Golang is the ability to return a tuple of a result and an error value from a function. There is a rule in Golang that the result of a function is unsafe until you check the error value. Many security exploits can be performed when the error value is not checked.Go code uses error values to indicate an abnormal state.
//non-compliant

package main
import (
"fmt"
)

func a() error {
return fmt.Errorf("This is an error")
}


func main() {
a()

}



//compliant code


package main
import (
"fmt"
)

func a() error {
return fmt.Errorf("This is an error")
}


func main() {
err := a()
if(err != nil){
fmt.Println("Checked Error!")
}

}		Security- [Source](https://github.com/securego/gosec#available-rules)
- [CWE-703](https://cwe.mitre.org/data/definitions/703.html) - Improper Check or Handling of Exceptional Conditions
G106-AuditTheUseOfssh-InsecureIgnoreHostKeyAudit the use of ssh.InsecureIgnoreHostKey.InsecureIgnoreHostKey is used to accept any host key. It should not be used for production code. Go team provided the "knownhosts" subpackage in their crypto SSH package.Using new with a known_hosts file a code can be written more `efficiently and securely.
//non-compliant code

package main

import (
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
)
func main() {
// generate key
hkCallback := ssh.InsecureIgnoreHostKey()
}


//compliant code

package main

import (

"golang.org/x/crypto/ssh/knownhosts"
)
func main() {
hkCallback, err = knownhosts.New(tf.Name())
if err != nil {
return nil, err
}


}		Security- [CWE-322](https://cwe.mitre.org/data/definitions/322.html) - Key Exchange without Entity Authentication
G108-ProfilingEndpointAutomaticallyExposedOn-debug-pprofProfiling endpoint automatically exposed on /debug/pprof. This can lead to following Security issues:

1) Function names and file paths are revealed.
2) Profiling data may reveal business sensitive information (for example traffic to a web server)
3) Profiling degrades performance, providing a vector for a DoS attack

Depending on your application, leaving a debugging server may not necessarily be a critical security hole. At a minimum it’s inadvisable, but it could be much worse.		//non compliant code

package main

import (
"fmt"
"log"
"net/http"
_ "net/http/pprof" // here be dragons
)

func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World!")
})
log.Fatal(http.ListenAndServe(":8080", nil))
}


//compliant code

package main

import (
"fmt"
"log"
"net/http"

)

func main() {
// Pprof server.
professor.Launch("localhost:8081")

// Application server.
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World!")
})
log.Fatal(http.ListenAndServe(":8080", nil))
}


Security
G110-PotentialDoSvulnerabilityviadecompressionbombPotential DoS vulnerability via decompression bomb //non-compliant code

package main
import (
"bytes"
"compress/gzip"
"fmt"
"io"
"log"
"os"
"time"
)

func Example_writerReader() {
var buf bytes.Buffer
zw := gzip.NewWriter(&buf)

// Setting the Header fields is optional.
zw.Name = "a-new-hope.txt"
zw.Comment = "an epic space opera by George Lucas"
zw.ModTime = time.Date(1977, time.May, 25, 0, 0, 0, 0, time.UTC)

_, err := zw.Write([]byte("A long time ago in a galaxy far, far away..."))
if err != nil {
log.Fatal(err)

zr, err := gzip.NewReader(&buf)
if err != nil {
log.Fatal(err)
}

fmt.Printf("Name: %s\nComment: %s\nModTime: %s\n\n", zr.Name, zr.Comment, zr.ModTime.UTC())

if _, err := io.Copy(os.Stdout, zr); err != nil {
log.Fatal(err)
}

}}

Security
G305-FileTraversalWhenExtractingZip-tar-archiveA path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. Extracting some malicious file will result in traversing out of the target folder, ending up overwriting important files.//non-compliant code

package main

import (
"archive/zip"
"fmt"
"path/filepath"

)


func main(src string, dst string) ([]string, error) {
fmt.Printf("Unzip dataset %s\n", src)
var fileNames []string
// Open zip file
r, err := zip.OpenReader(src)
if err != nil {
return fileNames, err
}
defer r.Close()
// Extract files
for _, f := range r.File {
// Open file
filePath := filepath.Join(dst, f.Name)
fmt.println(filepath)
}

}
Security- [CWE-22](https://cwe.mitre.org/data/definitions/22.html) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
G401-DetectTheUsageOfDES-RC4-MD5orSHA1Detect the usage of DES, RC4, MD5 or SHA1//non-compliant code


package main

import (
"crypto/sha1"
"fmt"

)

func main() {
h = sha1.New()

}		Security- [CWE-326](https://cwe.mitre.org/data/definitions/326.html) - Inadequate Encryption Strength
G404-InsecureRandomNumberSource_randUse "crypto/rand" instead of "math/rand". "math/rand" implements a large selection of pseudo-random number generators whereas "crypto/rand" implements a cryptographically secure pseudo-random number generator with a limited interface.//non-compliant code

package main

import (
"fmt"
"math/rand"
"time"
)

func main() {

fmt.Print(rand.Intn(100), ",")

}


//compliant code

package main

import (
"fmt"
"crypto/rand"
"time"
)

func main() {

fmt.Print(rand.Intn(100), ",")

}		Security- [CWE-338](https://cwe.mitre.org/data/definitions/338.html) - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
G501-Importblocklist-crypto-md5Do not import crypto/md5.Package md5 implements the MD5 hash algorithm as defined in RFC 1321.
MD5 is cryptographically broken and should not be used for secure applications.		//non-compliant code

package main

import (
"fmt"
"crypto/md5"
)

func main() {
fmt.Printf("Imported crypto/md5")
}

//compliant code

package main

import (
"fmt"
)

func main() {
fmt.Printf("Do not import crypto/md5")
}		Security- [CWE-327](https://cwe.mitre.org/data/definitions/327.html) - Use of a Broken or Risky Cryptographic Algorithm
- [OWASP Top 10 2017 Category A3](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure) - Sensitive Data Exposure
G502-Importblocklist-crypto-desPackage des implements the Data Encryption Standard (DES) and the Triple Data Encryption Algorithm (TDEA) as defined in U.S. Federal Information Processing Standards Publication 46-3.
DES is cryptographically broken and should not be used for secure applications.		//non-compliant code

package main

import (
"fmt"
"crypto/des"
)

func main() {
fmt.Printf("Imported crypto/des")
}

//compliant code

package main

import (
"fmt"
)

func main() {
fmt.Printf("Do not import crypto/des")
}
Security- [CWE-327](https://cwe.mitre.org/data/definitions/327.html) - Use of a Broken or Risky Cryptographic Algorithm
- [OWASP Top 10 2017 Category A3](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure) - Sensitive Data Exposure
G503-Importblocklist-crypto-rc4Import blocklist: crypto/rc4//non-compliant code

package main

import (
"fmt"
"crypto/rc4"
)

func main() {
fmt.Printf("Imported crypto/rc4")
}

//compliant code

package main

import (
"fmt"
"crypto/rc4"
)

func main() {
fmt.Printf("Do not import crypto/rc4")
}
Security
G504-Importblocklist-net-http-cgiImport blocklist: net/http/cgi//non-compliant code

package main

import (
"fmt"
"net/http/cgi"
)

func main() {
fmt.Printf("Imported net/http/cgi")
}

//compliant code

package main

import (
"fmt"
"net/http/cgi"
)

func main() {
fmt.Printf("Do not import net/http/cgi")
}
Security
G505-Importblocklist-crypto-sha1Do not import crypto/sha1. It is a SHA-1 used to calculate an alphanumeric string that serves as the cryptographic representation of a file or a piece of data.This can serve as a digital signature. It is supposed to be unique and non-reversible.If a weakness is found in a hash function that allows for two files to have the same digest, the function is considered cryptographically broken, because digital fingerprints generated with it can be forged and cannot be trusted.
//non-compliant code

package main

import (
"fmt"
"crypto/sha1"
)

func main() {
fmt.Printf("Imported crypto/sha1")
}


//compliant code

package main

import (
"fmt"
)

func main() {
fmt.Printf("Do not import crypto/sha1")
}

Security- [Source](https://github.com/securego/gosec#available-rules)
- [CWE-327](https://cwe.mitre.org/data/definitions/327.html) - Use of a Broken or Risky Cryptographic Algorithm
- [OWASP Top 10 2017 Category A3](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure) - Sensitive Data Exposure