We are happy to announce the release of 5 new security issues, 3 new Autofixes and simpler configuration for our Go analyzer.
What’s New?
DeepSource’s Go analyzer now fully covers OWASP’s Top Ten security risk categories. Also, configuring the Go analyzer for your repository is easier than before: there is no need to manually configure import_paths; just configure import_root and you’re done! And yes, 3 new Autofixes have been added to the Go analyzer.
Features
- Add new security rule: Detect exposure of sensitive headers (GO-S0901, OWASP A6)
- Add new security rule: Detect usage of insecure gRPC server (GO-S0902, OWASP A8)
- Add new security rule: Detect XML package usage vulnerable to XXE attacks (GO-S0903, OWASP A4)
- Add new security rule: Detect possible usage of Logger for infected user-defined data (GO-S0904, OWASP [A1, A10])
- Add new security rule: Detect usage of encoding/xml – not safe by design for security-critical operation (GO-S0905, OWASP [A2, A9])
- Add new Autofix: Use plain channel send or receive (SCC-S1000)
- Add new Autofix: Function call can be replaced with helper function (CRT-A0010)
- Add new Autofix: Types of function parameters can be combined (CRT-A0017)
- Configuring the Go analyzer is much simpler than before: only a single import_root field is now required. Previously, the import_paths array was mandatory along with import_root (in case of multiple import_paths). The new configuration is backward compatible.