"GitLab Advanced SAST rules: Go"
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Go code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
| go-gocql-sqli-session-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| go-gopg-sqli-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| go-gorm-sqli-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| go-lang-accesscontrol-allow-all-origin-atomic | Permissive cross-domain policy with untrusted domains | CWE-942 | A5:2017, A01:2021 |
| go-lang-accesscontrol-http-root-dir-atomic | Files or directories accessible to external parties | CWE-552 | A5:2017, A01:2021 |
| go-lang-accesscontrol-permissions-mkdir-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
| go-lang-accesscontrol-poor-file-permissions-atomic | Incorrect permission assignment for critical resource | CWE-732 | A5:2017, A01:2021 |
| go-lang-accesscontrol-poor-write-permissions-atomic | Incorrect default permissions | CWE-276 | A5:2017, A01:2021 |
| go-lang-accesscontrol-tempfiles-atomic | Insecure temporary file | CWE-377 | A5:2017, A01:2021 |
| go-lang-cmdi-exec-command-write-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| go-lang-cmdi-os-exec-cmd-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| go-lang-cmdi-os-exec-command-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| go-lang-cmdi-os-syscall-exec-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| go-lang-crypto-bad-tls-settings-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| go-lang-crypto-blocklist-des-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| go-lang-crypto-blocklist-md5-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| go-lang-crypto-blocklist-rc4-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| go-lang-crypto-blocklist-sha1-atomic | Use of a broken or risky cryptographic algorithm | CWE-327 | A3:2017, A02:2021 |
| go-lang-crypto-insecure-ignore-host-key-atomic | Key exchange without entity authentication | CWE-322 | A2:2017, A07:2021 |
| go-lang-crypto-tlsversion-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| go-lang-crypto-weakkeystrength-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| go-lang-crypto-weakrandsource-atomic | Use of cryptographically weak Pseudo-Random Number Generator (PRNG) | CWE-338 | A3:2017, A02:2021 |
| go-lang-database-sql-sqli-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| go-lang-dos-decompression-bomb-taint | Improper handling of highly compressed data | CWE-409 | A1:2017, A03:2021 |
| go-lang-misconfiguration-cookie-httponly-false-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 |
| go-lang-misconfiguration-cookie-secure-false-atomic | Sensitive cookie in HTTPS session without 'Secure' attribute | CWE-614 | A6:2017, A05:2021 |
| go-lang-misconfiguration-http-serve-atomic | Allocation of resources without limits or throttling | CWE-770 | A6:2017, A05:2021 |
| go-lang-misconfiguration-memory-aliasing-atomic | Incorrect access of indexable resource ('Range Error') | CWE-118 | A6:2017, A05:2021 |
| go-lang-misconfiguration-pprof-endpoint-atomic | Active debug code (pprof enabled) | CWE-489 | A6:2017, A05:2021 |
| go-lang-network-bind-to-all-interfaces-atomic | Binding to an unrestricted IP address | CWE-1327 | A6:2017, A05:2021 |
| go-lang-openredirect-redirect-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A5:2017, A01:2021 |
| go-lang-overflow-integer-atomic | Integer overflow or wraparound | CWE-190 | A1:2017, A03:2021 |
| go-lang-overflow-unsafe-atomic | Use of inherently dangerous function (unsafe package) | CWE-242 | A9:2017, A06:2021 |
| go-lang-pathtraversal-archive-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-pathtraversal-ioutil-readfile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-pathtraversal-ioutil-writefile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-pathtraversal-os-readfile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-pathtraversal-os-remove-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-pathtraversal-os-writefile-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| go-lang-ssrf-taint | Server Side Request Forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| go-lang-ssti-htmltemplate-taint | Improper neutralization of special elements used in a template engine | CWE-1336 | A1:2017, A03:2021 |
| go-lang-xss-html-template-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |
| go-lang-xss-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A1:2017, A03:2021 |
| go-libxml2-xxe-parsestring-taint | Improper restriction of XML external entity reference ('XXE') | CWE-611 | A4:2017, A05:2021 |
| go-mongo-nosqli-bson-taint | Improper neutralization of special elements in data query logic | CWE-943 | A1:2017, A03:2021 |
| go-otto-cmdi-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| go-pgx-sqli-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |