From 514200e58529f8509909b7427af8d177f01f87b4 Mon Sep 17 00:00:00 2001
From: ESS-ENN
Date: Thu, 10 Oct 2024 10:51:58 +0530
Subject: [PATCH 1/2] ssl-v3-is-insecure-go
---
rules/go/security/ssl-v3-is-insecure-go.yml | 17 +++++++++++
.../ssl-v3-is-insecure-go-snapshot.yml | 25 +++++++++++++++++
tests/go/ssl-v3-is-insecure-go-test.yml | 28 +++++++++++++++++++
3 files changed, 70 insertions(+)
create mode 100644 rules/go/security/ssl-v3-is-insecure-go.yml
create mode 100644 tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml
create mode 100644 tests/go/ssl-v3-is-insecure-go-test.yml
diff --git a/rules/go/security/ssl-v3-is-insecure-go.yml b/rules/go/security/ssl-v3-is-insecure-go.yml
new file mode 100644
index 00000000..114aeabe
--- /dev/null
+++ b/rules/go/security/ssl-v3-is-insecure-go.yml
@@ -0,0 +1,17 @@
+id: ssl-v3-is-insecure-go
+language: go
+severity: warning
+message: >-
+ SSLv3 is insecure because it has known vulnerabilities. Starting with
+ go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.
+note: >-
+ [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ https://golang.org/doc/go1.14#crypto/tls
+ https://www.us-cert.gov/ncas/alerts/TA14-290A
+rule:
+ kind: composite_literal
+ all:
+ - pattern: "tls.Config{$$$, MinVersion: tls.VersionSSL30, $$$}"
diff --git a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml b/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml
new file mode 100644
index 00000000..fe66016e
--- /dev/null
+++ b/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml
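Review bot: The pattern on the last line of the hunk, `tls.Config{$$$, MinVersion: tls.VersionSSL30, $$$}`, only looks at `MinVersion`, so a literal that sets `MaxVersion: tls.VersionSSL30` — which caps negotiation at SSLv3 — goes unreported, and because `$$$` is written with a comma on each side it is worth confirming with a fixture that a literal whose first or only field is `MinVersion` still matches. With `all:` holding a single pattern, switching it to `any:` and adding `- pattern: "tls.Config{$$$, MaxVersion: tls.VersionSSL30, $$$}"` covers the second field. The message's "Starting with go1.14, SSLv3 will be removed" is stale for any supported toolchain; `SSLv3 support was removed in Go 1.14. Instead, use 'tls.VersionTLS13'.` describes the present state while keeping the recommendation.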
@@ -0,0 +1,25 @@
+id: ssl-v3-is-insecure-go
+snapshots:
+ ? |
+ client := &http.Client{
+ Transport: &http.Transport{
+ // ruleid: ssl-v3-is-insecure
+ TLSClientConfig: &tls.Config{
+ KeyLogWriter: w,
+ MinVersion: tls.VersionSSL30,
+ Rand: zeroSource{}, // for reproducible output; don't do this.
+ InsecureSkipVerify: true, // test server certificate is not trusted.
+ },
+ },
+ }
+ : labels:
+ - source: |-
+ tls.Config{
+ KeyLogWriter: w,
+ MinVersion: tls.VersionSSL30,
+ Rand: zeroSource{}, // for reproducible output; don't do this.
+ InsecureSkipVerify: true, // test server certificate is not trusted.
+ }
+ style: primary
+ start: 107
+ end: 358
diff --git a/tests/go/ssl-v3-is-insecure-go-test.yml b/tests/go/ssl-v3-is-insecure-go-test.yml
new file mode 100644
index 00000000..a1d2bce4
--- /dev/null
+++ b/tests/go/ssl-v3-is-insecure-go-test.yml
@@ -0,0 +1,28 @@
+id: ssl-v3-is-insecure-go
+valid:
+ - |
+ client_good := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{
+ KeyLogWriter: w,
+ // OK
+ MinVersion: tls.VersionTLS10,
+ Rand: zeroSource{}, // for reproducible output; don't do this.
+ InsecureSkipVerify: true, // test server certificate is not trusted.
+ },
+ },
+ }
+
+invalid:
+ - |
+ client := &http.Client{
+ Transport: &http.Transport{
+ // ruleid: ssl-v3-is-insecure
+ TLSClientConfig: &tls.Config{
+ KeyLogWriter: w,
+ MinVersion: tls.VersionSSL30,
+ Rand: zeroSource{}, // for reproducible output; don't do this.
+ InsecureSkipVerify: true, // test server certificate is not trusted.
+ },
+ },
+ }
From 2b4ee9c2f03fdcd39d68aea928fcc50d83089c02 Mon Sep 17 00:00:00 2001
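Review bot: Both fixtures in the test file place `MinVersion` between other fields, so the test never shows whether the rule's `$$$, MinVersion: …, $$$` pattern also matches when `MinVersion` is the only field or the first one; an extra invalid case such as `cfg := &tls.Config{MinVersion: tls.VersionSSL30}` would pin that down. The `// ruleid: ssl-v3-is-insecure` marker does not match the rule id `ssl-v3-is-insecure-go`; ast-grep ignores it, but it looks carried over from another rule set and will confuse anyone grepping for the id. The valid fixture marks `MinVersion: tls.VersionTLS10` as `// OK`, which is right for this rule's narrow check but sits oddly next to a message recommending TLS 1.3; `// OK for this rule: anything other than SSLv3 passes` would stop readers taking it as a recommendation.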
From: ESS-ENN
Date: Thu, 10 Oct 2024 10:53:42 +0530
Subject: [PATCH 2/2] missing-ssl-minversion-go
---
.../go/security/missing-ssl-minversion-go.yml | 31 +++++++++++++++++++
.../missing-ssl-minversion-go-snapshot.yml | 13 ++++++++
tests/go/missing-ssl-minversion-go-test.yml | 13 ++++++++
3 files changed, 57 insertions(+)
create mode 100644 rules/go/security/missing-ssl-minversion-go.yml
create mode 100644 tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml
create mode 100644 tests/go/missing-ssl-minversion-go-test.yml
diff --git a/rules/go/security/missing-ssl-minversion-go.yml b/rules/go/security/missing-ssl-minversion-go.yml
new file mode 100644
index 00000000..88ae3f9a
--- /dev/null
+++ b/rules/go/security/missing-ssl-minversion-go.yml
@@ -0,0 +1,31 @@
+id: missing-ssl-minversion-go
+language: go
+severity: warning
+message: >-
+ MinVersion` is missing from this TLS configuration. By default, TLS
+ 1.2 is currently used as the minimum when acting as a client, and TLS 1.0
+ when acting as a server. General purpose web applications should default
+ to TLS 1.3 with all other protocols disabled. Only where it is known that
+ a web server must support legacy clients with unsupported an insecure
+ browsers (such as Internet Explorer 10), it may be necessary to enable TLS
+ 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS
+ configuration to bump the minimum version to TLS 1.3.
+note: >-
+ [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+ match_tls_without_minversion:
+ kind: composite_literal
+ pattern: $R
+ inside:
+ stopBy: end
+ kind: assignment_statement
+rule:
+ any:
+ - matches: match_tls_without_minversion
+constraints:
+ R:
+ regex: ^(tls.Config)
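Review bot: `match_tls_without_minversion` never checks that `MinVersion` is absent: it matches any `composite_literal` whose text starts with `tls.Config` and that sits inside an `assignment_statement`, so `server.TLS = &tls.Config{MinVersion: tls.VersionTLS13}` is reported too, and the valid fixture in the sibling test appears to pass only because it is a bare keyed element rather than an assignment. The `inside: assignment_statement` scope also looks narrower than the message implies — a `tls.Config` literal in a `:=` declaration (a `short_var_declaration` in tree-sitter-go, if I read the grammar right) or nested as a struct field value is never reported — so replacing the `inside` with a `not: has:` that excludes literals carrying a `MinVersion` key seems closer to the intent; the snapshot's secondary label would go away with that change. The unescaped `.` in `^(tls.Config)` is harmless but `^tls\.Config` is what is meant. The message text needs a pass as well: a stray backtick before "is missing", a mismatched quote around the `MinVersion: tls.VersionTLS13` suggestion, and "unsupported an insecure browsers" for "unsupported and insecure browsers".
```yaml
utils:
  match_tls_without_minversion:
    kind: composite_literal
    pattern: $R
    # report the literal only when none of its keyed elements is MinVersion
    not:
      has:
        kind: literal_value
        has:
          kind: keyed_element
          regex: ^MinVersion\b
# … unchanged: rule, constraints …
```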
diff --git a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml
new file mode 100644
index 00000000..1c95d52f
--- /dev/null
+++ b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml
@@ -0,0 +1,13 @@
+id: missing-ssl-minversion-go
+snapshots:
+ ? |
+ server.TLS = &tls.Config{ Rand: zeroSource{}, }
+ : labels:
+ - source: 'tls.Config{ Rand: zeroSource{}, }'
+ style: primary
+ start: 14
+ end: 47
+ - source: 'server.TLS = &tls.Config{ Rand: zeroSource{}, }'
+ style: secondary
+ start: 0
+ end: 47
diff --git a/tests/go/missing-ssl-minversion-go-test.yml b/tests/go/missing-ssl-minversion-go-test.yml
new file mode 100644
index 00000000..247e706e
--- /dev/null
+++ b/tests/go/missing-ssl-minversion-go-test.yml
@@ -0,0 +1,13 @@
+id: missing-ssl-minversion-go
+valid:
+ - |
+ TLSClientConfig: &tls.Config{
+ KeyLogWriter: w,
+ MinVersion: tls.VersionSSL30,
+ Rand: zeroSource{},
+ InsecureSkipVerify: true,
+ },
+
+invalid:
+ - |
+ server.TLS = &tls.Config{ Rand: zeroSource{}, }
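Review bot: The valid fixture in the test file is a bare keyed element rather than an assignment, so what it exercises is the rule's `inside: assignment_statement` scope, not the presence of `MinVersion`; it also sets `MinVersion: tls.VersionSSL30`, which the sibling ssl-v3 rule rejects, so the two test files disagree about what a "valid" configuration looks like. A fixture such as `server.TLS = &tls.Config{ MinVersion: tls.VersionTLS13, Rand: zeroSource{}, }` would pin the intended negative case — a literal that does name `MinVersion` in exactly the position the rule inspects. An additional invalid case such as `cfg := &tls.Config{ Rand: zeroSource{}, }` would show whether `:=` declarations are covered; with the rule as written I would expect it not to match, which is worth surfacing in the test rather than discovering in production.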