What’s new?
— Several issues now have clearer descriptions.
— The implementations of RVV-B0013 and GO-S0902 are more robust and detect issues more reliably.
— The analyzer now supports popular frameworks in the Go community such as gin-gonic/gin and go-redis/redis (Yes, they have Autofix too!).
— Multiple minor bugs have been squashed, including the ones you reported to us.
— The analyzer has 19 new rules and 4 new Autofixes.
— New security issues. The analyzer now covers the OWASP Top 10 2021, along with enhanced coverage of the SANS Top 25.
Here are some newly added issues:
- GO-E1000: gin.LoadHTMLGlob with an ill-formed pattern would panic
- GO-E1001: Redis function called with an incorrect number of arguments
- GO-E1002: Unimplemented Redis method call would panic
- GO-R1000: Use http.FileSystem(http.Dir(…)) instead of gin.Dir(…,true)
- GO-S1000: Sanitize insecure filename before use
- GO-S1001: Constant state value in OAuth 2.0 URL
- GO-S1002: Stack trace exposure
- GO-S1003: Open URL redirect
- GO-S1004: Incomplete URL scheme validation
- GO-S1005: Incomplete redirect URL validation
- GO-S1006: Reflected cross-site scripting
- GO-S1007: Risky constant length comparison
- GO-S1008: Size computation for allocation may overflow
- GO-S1009: Missing regular expression anchor
- GO-S1010: Uncontrolled data used in network request
- GO-S1011: Inconsistent direction of for loop
- GO-S1012: Bitwise exclusive-or used like exponentiation
- GO-S1013: Audit required: XPath injection
- GO-S1014: Email content injection
- GO-S1015: Audit required: Command injection from user-controlled sources
- GO-S1016: Audit required: Incomplete regular expression for hostname
- GO-S1017: Audit required: Unsafe quoting for the github.com/Masterminds/squirrel package
- GO-W1000: Use of deprecated Redis methods
- GO-W1001: Impossible interface nil check
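To make concrete what several of the new GO-S rules look for, here is an added Go example (written for this page, not the analyzer's own rule implementation or test cases) that puts the mistake behind GO-S1003/GO-S1005 (redirect target checked by string prefix), GO-S1004 (scheme blocklist instead of allowlist) and GO-S1009/GO-S1016 (unanchored hostname regex with an unescaped dot) next to a hardened form of each. The domain example.com, the function names and the sample targets are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical application domain used throughout this example.
const trustedDomain = "example.com"

// weakHostRe is the pattern GO-S1009 / GO-S1016 describe: no anchors, so it
// matches the domain anywhere in the input, and the unescaped '.' matches
// any single character.
var weakHostRe = regexp.MustCompile(`example.com`)

// strictHostRe anchors both ends, escapes the dot, and allows only the apex
// domain or a subdomain of it.
var strictHostRe = regexp.MustCompile(`^(?:[a-z0-9-]+\.)*example\.com$`)

// weakHostOK accepts "example.com.evil.net" and even "exampleXcom".
func weakHostOK(host string) bool { return weakHostRe.MatchString(host) }

// strictHostOK lower-cases the host first (hostnames are case-insensitive)
// and then requires a full-string match.
func strictHostOK(host string) bool {
	return strictHostRe.MatchString(strings.ToLower(host))
}

// weakRedirectOK is the incomplete redirect validation GO-S1003 / GO-S1005
// point at: a prefix check on the raw string. "https://example.com.evil.net/"
// and "https://example.com@evil.net/" both start with the trusted prefix.
func weakRedirectOK(target string) bool {
	return strings.HasPrefix(target, "https://"+trustedDomain)
}

// strictRedirectOK parses the target, allowlists the scheme (rather than
// blocklisting "javascript:" and forgetting "data:", the gap GO-S1004 names),
// refuses scheme-relative "//host" targets because they have no scheme, and
// compares the parsed hostname instead of the raw string.
func strictRedirectOK(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Scheme != "https" {
		return false
	}
	// u.Hostname() strips userinfo and port, so "example.com@evil.net"
	// yields "evil.net" and is rejected by the host check.
	return strictHostOK(u.Hostname())
}

func main() {
	// Constructed inputs: the first is a legitimate target, the rest are the
	// lookalikes that a prefix check or an unanchored regex lets through.
	targets := []string{
		"https://api.example.com/callback",
		"https://example.com.evil.net/",
		"https://example.com@evil.net/",
		"//evil.net/",
		"javascript:alert(1)",
	}
	for _, t := range targets {
		fmt.Printf("%-36s weak=%-5v strict=%v\n", t, weakRedirectOK(t), strictRedirectOK(t))
	}
}
```

The point of the hardened form is that the decision is made on parsed components (scheme and hostname) and on an allowlist, so a new trick in the raw string (userinfo, a lookalike suffix, a missing scheme) has nowhere to hide; the regex rules are the same idea applied to patterns, where `^`/`$` and an escaped dot are what turn "contains something like it" into "is exactly it".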