New Autofix, issues, reliability improvements, and more in the Go Analyzer

What’s new?

— Several issues now have better issue descriptions.

— The implementations of RVV-B0013 and GO-S0902 are more robust and detect issues more reliably.

— The analyzer now supports popular Go frameworks such as gin-gonic/gin and go-redis/redis (Yes, they have Autofix too!).

— Multiple minor bugs have been squashed. This includes the ones you reported to us.

— The analyzer has 19 new rules and 4 new Autofixes.

— New security issues. The analyzer now covers OWASP 2021, along with enhanced coverage for SANS 25.

Here are some newly added issues:

  • GO-E1000: gin.LoadHTMLGlob with ill-formed pattern would panic

  • GO-E1001: Redis function called with an incorrect number of arguments

  • GO-E1002: Unimplemented Redis method call would panic

  • GO-R1000: Use http.FileSystem(http.Dir(…)) instead of gin.Dir(…,true)

  • GO-S1000: Sanitize insecure filename before use

  • GO-S1001: Constant state value in OAuth 2.0 URL

  • GO-S1004: Incomplete URL scheme validation

  • GO-S1005: Incomplete Redirect URL validation

  • GO-S1006: Reflected cross-site scripting

  • GO-S1007: Risky constant length comparison

  • GO-S1008: Size computation for allocation may overflow

  • GO-S1009: Missing regular expression anchor

  • GO-S1010: Uncontrolled data used in network request

  • GO-S1011: Inconsistent direction of for loop

  • GO-S1012: Bitwise exclusive-or used like exponentiation

  • GO-S1013: Audit required: XPath Injection

  • GO-S1015: Audit required: Command injection from user-controlled sources

  • GO-S1016: Audit required: Incomplete regular expression for hostname

  • GO-S1017: Audit required: Unsafe quoting for github.com/Masterminds/squirrel package

  • GO-W1000: Use of deprecated Redis methods

  • GO-W1001: Impossible interface nil check
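The pattern behind GO-S1009 and GO-S1016 is a validation regex that is not pinned to both ends of the input (or leaves a dot unescaped), so look-alike hosts slip through. The following is an added example, not the analyzer's own code or a snippet from the page; the host names and both patterns are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample inputs (not from the page): the first two are the
// intended hosts, the remaining three are look-alikes that should be rejected.
var sampleHosts = []string{
	"example.com",
	"api.example.com",
	"example.com.evil.test", // missing '$' lets a trailing suffix through
	"evil.test/example.com", // missing '^' lets a leading prefix through
	"exampleXcom",           // unescaped '.' matches any single character
}

// weakHostRe is the hypothetical pattern the rules would flag: no anchors
// and an unescaped dot, so it only needs to match somewhere inside the input.
var weakHostRe = regexp.MustCompile(`(api\.)?example.com`)

// strictHostRe anchors both ends and escapes the dot, so the whole input
// must be exactly the host or its api subdomain.
var strictHostRe = regexp.MustCompile(`^(api\.)?example\.com$`)

func WeakHostAllowed(h string) bool   { return weakHostRe.MatchString(h) }
func StrictHostAllowed(h string) bool { return strictHostRe.MatchString(h) }

// Bypasses returns the sample hosts that the weak check accepts but the
// anchored check rejects, i.e. the inputs the unanchored regex gets wrong.
func Bypasses() []string {
	var out []string
	for _, h := range sampleHosts {
		if WeakHostAllowed(h) && !StrictHostAllowed(h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	for _, h := range sampleHosts {
		fmt.Printf("%-24s weak=%-5v strict=%v\n", h, WeakHostAllowed(h), StrictHostAllowed(h))
	}
	fmt.Println("bypasses of the weak check:", Bypasses())
}
```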