GitLab Advanced SAST rules: Go
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Go code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
go-gocql-sqli-session-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
go-gopg-sqli-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
go-gorm-sqli-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
go-lang-accesscontrol-allow-all-origin-atomic | Permissive cross-domain policy with untrusted domains | CWE-942 | A5:2017, A01:2021 |
go-lang-accesscontrol-http-root-dir-atomic | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
go-lang-accesscontrol-permissions-mkdir-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
go-lang-accesscontrol-poor-file-permissions-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
go-lang-accesscontrol-poor-write-permissions-atomic | Incorrect default permissions | CWE-276 | A5:2017, A01:2021 |
go-lang-accesscontrol-tempfiles-atomic | Insecure temporary file | CWE-377 | A5:2017, A01:2021 |
go-lang-cmdi-exec-command-write-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
go-lang-cmdi-os-exec-cmd-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
go-lang-cmdi-os-exec-command-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
go-lang-cmdi-os-syscall-exec-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
go-lang-crypto-bad-tls-settings-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
go-lang-crypto-blocklist-des-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
go-lang-crypto-blocklist-md5-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
go-lang-crypto-blocklist-rc4-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
go-lang-crypto-blocklist-sha1-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
go-lang-crypto-insecure-ignore-host-key-atomic | Key exchange without entity authentication | CWE-322 | A2:2017, A07:2021 |
go-lang-crypto-tlsversion-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
go-lang-crypto-weakkeystrength-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
go-lang-crypto-weakrandsource-atomic | Use of cryptographically weak Pseudo-Random Number Generator (PRNG) | CWE-338 | A3:2017, A02:2021 |
go-lang-database-sql-sqli-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
go-lang-dos-decompression-bomb-taint | Improper handling of highly compressed data | CWE-409 | A1:2017, A03:2021 |
go-lang-misconfiguration-cookie-httponly-false-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 |
go-lang-misconfiguration-cookie-secure-false-atomic | Sensitive cookie in HTTPS session without ‘Secure’ attribute | CWE-614 | A6:2017, A05:2021 |
go-lang-misconfiguration-http-serve-atomic | Allocation of resources without limits or throttling | CWE-770 | A6:2017, A05:2021 |
go-lang-misconfiguration-memory-aliasing-atomic | Incorrect access of indexable resource (‘Range Error’) | CWE-118 | A6:2017, A05:2021 |
go-lang-misconfiguration-pprof-endpoint-atomic | Active debug code (pprof enabled) | CWE-489 | A6:2017, A05:2021 |
go-lang-network-bind-to-all-interfaces-atomic | Binding to an unrestricted IP address | CWE-1327 | A6:2017, A05:2021 |
go-lang-openredirect-redirect-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A01:2021, A5:2017 |
go-lang-overflow-integer-atomic | Integer overflow or wraparound | CWE-190 | A1:2017, A03:2021 |
go-lang-overflow-unsafe-atomic | Use of inherently dangerous function (unsafe package) | CWE-242 | A9:2017, A06:2021 |
go-lang-pathtraversal-archive-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-pathtraversal-ioutil-readfile-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-pathtraversal-ioutil-writefile-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-pathtraversal-os-readfile-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-pathtraversal-os-remove-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-pathtraversal-os-writefile-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
go-lang-ssrf-taint | Server Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
go-lang-ssti-htmltemplate-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
go-lang-xss-html-template-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 |
go-lang-xss-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A1:2017, A03:2021 |
go-libxml2-xxe-parsestring-taint | Improper restriction of XML external entity reference (‘XXE’) | CWE-611 | A4:2017, A05:2021 |
go-mongo-nosqli-bson-taint | Improper Neutralization of Special Elements in Data Query Logic | CWE-943 | A1:2017, A03:2021 |
go-otto-cmdi-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
go-pgx-sqli-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |