We’ve been working hard on improving the Go Analyzer over the last couple of months, and I’m excited to announce what’s new today! These updates are available immediately on DeepSource Cloud and DeepSource Enterprise Server v3.13.9.
Performance Improvements
Static analysis of pull requests is now up to 70% faster for medium- to large-sized repositories and up to 30% faster on average for small repositories.
How? We’ve enabled the Go Analyzer to run a partial analysis of the module. As you know, DeepSource only shows issues that are newly introduced in each pull request. However, because we need complete type information for every package in a repository, we previously had to process all files regardless of the changeset and then discard the issues from non-changeset files afterwards. With this change, we parse the imports of each file that needs to be analyzed, work out which packages those files depend on, build the import graph from them, and analyze only the packages present in that graph.
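The following is an added example of the import-graph step described above, written for this post and not DeepSource’s own analyzer code. It builds a small constructed module (the `example.com/app/...` import paths are hypothetical), extracts each file’s imports with `go/parser` in `ImportsOnly` mode, and walks the graph from the changed packages so that only packages reachable from the changeset are scheduled. It assumes that imports outside the module (standard library, third-party) are type-checked from export data and therefore do not need to be traversed.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Constructed module for this example (hypothetical import paths):
// import path -> file name -> Go source.
var module = map[string]map[string]string{
	"example.com/app/cmd": {
		"main.go": `package main
import (
	"fmt"
	"example.com/app/auth"
)
func main() { fmt.Println(auth.Check("x")) }`,
	},
	"example.com/app/auth": {
		"auth.go": `package auth
import (
	"crypto/subtle"
	"example.com/app/store"
)
func Check(t string) bool { return subtle.ConstantTimeCompare([]byte(t), []byte(store.Token())) == 1 }`,
	},
	"example.com/app/store": {
		"store.go": `package store
import "database/sql"
var _ *sql.DB
func Token() string { return "t" }`,
	},
	"example.com/app/metrics": {
		"metrics.go": `package metrics
import "net/http"
var _ http.Handler`,
	},
}

// importsOf parses only the import declarations of one file (parser.ImportsOnly
// stops before function bodies) and returns the unquoted import paths.
func importsOf(name, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, spec := range f.Imports {
		p, err := strconv.Unquote(spec.Path.Value)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// AnalysisSet returns the module packages that must be loaded to analyze
// changedPkgs: the changed packages plus everything they transitively import
// inside modulePath. Imports outside the module are not traversed (assumed to
// be available as export data). The result is sorted for stable output.
func AnalysisSet(pkgs map[string]map[string]string, modulePath string, changedPkgs []string) ([]string, error) {
	visited := map[string]bool{}
	queue := append([]string(nil), changedPkgs...)
	for len(queue) > 0 {
		pkg := queue[0]
		queue = queue[1:]
		if visited[pkg] {
			continue
		}
		files, ok := pkgs[pkg]
		if !ok {
			return nil, fmt.Errorf("package %s not found in module", pkg)
		}
		visited[pkg] = true
		for name, src := range files {
			imps, err := importsOf(name, src)
			if err != nil {
				return nil, err
			}
			for _, imp := range imps {
				// Only follow edges that stay inside the module.
				if strings.HasPrefix(imp, modulePath+"/") && !visited[imp] {
					queue = append(queue, imp)
				}
			}
		}
	}
	out := make([]string, 0, len(visited))
	for pkg := range visited {
		out = append(out, pkg)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// A change in cmd pulls in auth and store, but not the unrelated metrics package.
	set, err := AnalysisSet(module, "example.com/app", []string{"example.com/app/cmd"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(set, "\n"))
}
```

A change confined to `cmd` schedules `cmd`, `auth` and `store` for loading, while `metrics` is skipped entirely; a change confined to `metrics` schedules only `metrics`. A cycle in the import graph is harmless because packages are marked visited before their imports are queued.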
To add a cherry on top, Go 1.19 introduced several compiler-caching improvements. These have made our overall analysis noticeably faster for all analysis runs, including complete analysis of the entire repository.
New in Autofix
We’ve added Autofix for ten issues in this release, increasing the coverage of Autofix to 135+ issues.
- (GO-W1010) Using a deprecated function, variable, constant or field from os package
- (GO-W1011) Using a deprecated function, variable, constant or field from net package
- (GO-W1012) Using a deprecated function, variable, constant or field from go/types package
- (GO-S1036) Exposure of directory listing using Static
- (GO-S2108) Profiling endpoint automatically exposed on /debug/pprof
- (GO-P4007) Use fmt.Fprint instead of (io.Writer).Write along with fmt.Sprint
- (GO-P4008) Use (io.StringWriter).WriteString for writing strings
- (GO-W4011) Subsequent calls to Load and Delete on sync.Map should be replaced with LoadAndDelete
- (GO-W4012) Redundant deferring of calls
- (GO-W4014) Prefer filepath.Join instead of concatenating strings with os.PathSeparator
New Issues
We’ve added 42 new issues to the Analyzer this year, bringing the total issue count to 350+, the highest in the industry for Go static analysis tools.
These new issues span security, anti-patterns, bug risks, performance, and style. The lists below are grouped by category.
Security
- (GO-S1030) Audit required: Use of PKCS #1 v1.5 padding with RSA
- (GO-S1031) Audit required: (*crypto/x509.Certificate).Verify does not check for certificate revocation
- (GO-S1032) Audit required: (*crypto/x509.Certificate).Verify does not use the system time for verification
- (GO-S1033) Random number generator seed doesn’t have enough entropy
- (GO-S1034) Exposure of directory listing using net/http.FileServer
- (GO-S1035) Exposure of directory listing using Serve / ServeFS
- (GO-S1036) Exposure of directory listing using Static
- (GO-S1037) Using less than 310,000 iterations for PBKDF2
- (GO-S1038) Using a constant salt for PBKDF2
- (GO-S1039) Non HTTP-only cookie for fiber sessions
- (GO-S1040) Audit Required: Insecure cookie for fiber sessions
- (GO-S1041) Audit Required: Same-Site attribute improperly configured for fiber session cookie
- (GO-S1042) Audit Required: Same-Site attribute improperly configured for gin session cookie
- (GO-S1043) Non HTTP-only cookie for gin sessions
- (GO-S1044) Audit Required: Insecure cookie for gin sessions
- (GO-S1045) Using a cost factor of less than 10 for bcrypt
- (GO-S1046) Using a cost factor of less than 32768 for scrypt
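To make the directory-listing issues (GO-S1034 to GO-S1036) concrete, here is an added example written for this post; it is not DeepSource’s code or Autofix output. It serves a constructed in-memory tree through `net/http.FileServer`, first as the pattern GO-S1034 flags and then through a hypothetical `noListingFS` wrapper that refuses to open directories without an `index.html`, so the listing code path is never reached. The handler names are this example’s own.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing/fstest"
)

// Constructed in-memory site tree for this example. The "static/secret"
// directory has no index.html, so a plain FileServer will list its contents.
var site = fstest.MapFS{
	"static/index.html":       {Data: []byte("<h1>home</h1>")},
	"static/secret/notes.txt": {Data: []byte("internal")},
}

// VulnerableHandler is the pattern GO-S1034 flags: http.FileServer renders an
// HTML directory listing for any directory that lacks an index.html.
func VulnerableHandler() http.Handler {
	return http.FileServer(http.FS(site))
}

// noListingFS wraps an http.FileSystem and refuses to open a directory unless
// it contains an index.html, so FileServer never reaches its dirList path.
type noListingFS struct{ inner http.FileSystem }

func (n noListingFS) Open(name string) (http.File, error) {
	f, err := n.inner.Open(name)
	if err != nil {
		return nil, err
	}
	st, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if st.IsDir() {
		idx, err := n.inner.Open(strings.TrimSuffix(name, "/") + "/index.html")
		if err != nil {
			// No index file: report the directory as missing (404) instead of listing it.
			f.Close()
			return nil, fs.ErrNotExist
		}
		// FileServer opens index.html itself once the directory is handed back.
		idx.Close()
	}
	return f, nil
}

// HardenedHandler serves the same tree with directory listings disabled.
func HardenedHandler() http.Handler {
	return http.FileServer(noListingFS{http.FS(site)})
}

// get issues an in-process GET against h and returns the status code and body.
func get(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	handlers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", VulnerableHandler()}, {"hardened", HardenedHandler()}}
	for _, hs := range handlers {
		for _, p := range []string{"/static/", "/static/secret/", "/static/secret/notes.txt"} {
			code, body := get(hs.h, p)
			fmt.Printf("%-10s GET %-26s -> %d (%d bytes)\n", hs.name, p, code, len(body))
		}
	}
}
```

With the wrapper in place, `/static/` still serves its `index.html` and `/static/secret/notes.txt` is still reachable by exact path, but `/static/secret/` returns 404 instead of an HTML listing of everything in the directory.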
Anti-patterns
Bug risks
- (GO-W4003) Suspicious map literal key
- (GO-W4004) Suspicious regexp
- (GO-W4005) Empty declaration
- (GO-W4006) Potentially unwanted dependency on evaluation order
- (GO-W4007) Reassignment of an error from another package
- (GO-W4008) Suspicious http.Error call without following return
- (GO-W4009) Suspicious call to sort.Slice
- (GO-W4010) Potential issue in Query call
- (GO-W4011) Subsequent calls to Load and Delete on sync.Map should be replaced with LoadAndDelete
- (GO-W4013) sync.Mutex or sync.RWMutex methods exposed
- (GO-W4014) Prefer filepath.Join instead of concatenating strings with os.PathSeparator
Style
Performance
If you’re using DeepSource for your Go projects, you’re already on the latest version and should start seeing considerably shorter analysis times and more issues reported. We’re excited to ship this release and would love to hear from you! Let us know your feedback in the comments!