missing-ssl-minversion-go

ESS-ENN · ESS-ENN · commit daa5339a6009 · 2025-02-18T19:34:07.000+05:30
diff --git a/rules/go/security/missing-ssl-minversion-go.yml b/rules/go/security/missing-ssl-minversion-go.yml
@@ -0,0 +1,50 @@
+id: missing-ssl-minversion-go
+language: go
+severity: warning
+message: >-
+      MinVersion` is missing from this TLS configuration.  By default, TLS
+      1.2 is currently used as the minimum when acting as a client, and TLS 1.0
+      when acting as a server. General purpose web applications should default
+      to TLS 1.3 with all other protocols disabled.  Only where it is known that
+      a web server must support legacy clients with unsupported an insecure
+      browsers (such as Internet Explorer 10), it may be necessary to enable TLS
+      1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS
+      configuration to bump the minimum version to TLS 1.3.
+note: >-
+  [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+
+ast-grep-essentials: true
+
+utils:
+  match_tls_without_minversion:
+    kind: composite_literal
+    all:
+      - has:
+          kind: qualified_type
+          all:
+            - has:
+                kind: package_identifier
+                regex: "^tls$"
+            - has:
+                kind: type_identifier
+                field: name
+                regex: "^Config$"
+      - has:
+          kind: literal_value
+          not:
+            has:
+              kind: keyed_element
+              all:
+                - has:
+                    kind: literal_element
+                    regex: ^MinVersion$
+                - has:
+                    pattern: $A
+rule:
+  any:
+    - matches: match_tls_without_minversion
+
diff --git a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml
@@ -0,0 +1,25 @@
+id: missing-ssl-minversion-go
+snapshots:
+  ? |
+    server.TLS = &tls.Config{ Rand: zeroSource{}, }
+  : labels:
+    - source: 'tls.Config{ Rand: zeroSource{}, }'
+      style: primary
+      start: 14
+      end: 47
+    - source: tls
+      style: secondary
+      start: 14
+      end: 17
+    - source: Config
+      style: secondary
+      start: 18
+      end: 24
+    - source: tls.Config
+      style: secondary
+      start: 14
+      end: 24
+    - source: '{ Rand: zeroSource{}, }'
+      style: secondary
+      start: 24
+      end: 47
diff --git a/tests/go/missing-ssl-minversion-go-test.yml b/tests/go/missing-ssl-minversion-go-test.yml
@@ -0,0 +1,15 @@
+id: missing-ssl-minversion-go
+valid:
+  - |
+      TLSClientConfig: &tls.Config{
+      KeyLogWriter:       w,
+      MinVersion:         tls.VersionSSL30,
+      Rand:               zeroSource{}, 
+      InsecureSkipVerify: true,        
+      },
+
+invalid:
+   - |
+     server.TLS = &tls.Config{ Rand: zeroSource{}, }
+ 
+
