{"errors": [], "interfile_languages_used": ["Go"], "paths": {"scanned": [".github/workflows/semgrep.yml", "code.json", "code.sarif", "go.mod", "go.sum", "idor.go", "insecure-cookie.go", "insecure-grpc.go", "insecure-grpc2.go", "secret.go"]}, "results": [{"check_id": "r2c_david.test-go-escape-signature", "end": {"col": 53, "line": 129, "offset": 3096}, "extra": {"engine_kind": "PRO", "fingerprint": "b4a8562d3681a29d5f4219b799f93e29e8689a8f6b37c979fa395ca8738227b4e31598774711dc627f21ab8199b032a3ae7fd8f6dba436a82c098e8ab7294411_0", "is_ignored": false, "lines": "\t\tsign := HTMLEscapeString(r.FormValue(\"signature\"))", "message": "This rule is meant for testing and will fire anytime we're escaping the 'signature' form value", "metadata": {"dev.semgrep.actions": ["monitor"], "semgrep.dev": {"rule": {"origin": "custom", "rule_id": "DbU6kKO", "url": "https://semgrep.dev/playground/r/K3Tz2eJ/r2c_david.test-go-escape-signature", "version_id": "K3Tz2eJ"}}, "semgrep.policy": {"id": 53434, "name": "Rule Board - Audit column", "slug": "rule-board-audit"}, "shortlink": "https://sg.run/kxpke", "source": "https://semgrep.dev/r/r2c_david.test-go-escape-signature"}, "metavars": {}, "severity": "WARNING", "validation_state": "NO_VALIDATOR"}, "path": "idor.go", "start": {"col": 11, "line": 129, "offset": 3054}}, {"check_id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5", "end": {"col": 21, "line": 164, "offset": 3919}, "extra": {"engine_kind": "PRO", "fingerprint": "1edb2ae8823c1ba4f1d78c5ab7af9229a31386975cae8601ff6eb7ab8e639aec25659e6dfcb02ff3a9ed0070779669d679d8042b302d7b69d4e3ae53f2e3cac8_0", "is_ignored": false, "lines": "\thasher := md5.New()", "message": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use SHA256 or SHA3 instead.", "metadata": {"category": "security", "confidence": "MEDIUM", "cwe": ["CWE-327: Use of a Broken or Risky Cryptographic Algorithm"], "dev.semgrep.actions": ["comment"], "impact": "MEDIUM", "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", "likelihood": "MEDIUM", "owasp": ["A03:2017 - Sensitive Data Exposure", "A02:2021 - Cryptographic Failures"], "references": ["https://owasp.org/Top10/A02_2021-Cryptographic_Failures"], "semgrep.dev": {"rule": {"origin": "community", "rule_id": "x8Un6q", "url": "https://semgrep.dev/playground/r/2KTzro0/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5", "version_id": "2KTzro0"}}, "semgrep.policy": {"id": 53432, "name": "Rule Board - PR Comments column", "slug": "rule-board-pr-comments"}, "semgrep.url": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5", "shortlink": "https://sg.run/2xB5", "source": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5", "source-rule-url": "https://github.com/securego/gosec#available-rules", "subcategory": ["vuln"], "technology": ["go"], "vulnerability_class": ["Cryptographic Issues"]}, "metavars": {}, "severity": "WARNING", "validation_state": "NO_VALIDATOR"}, "path": "idor.go", "start": {"col": 12, "line": 164, "offset": 3910}}, {"check_id": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", "end": {"col": 3, "line": 33, "offset": 604}, "extra": {"engine_kind": "PRO", "fingerprint": "c584e2bab4cbcc745bb4d7b52c0e05869a96a99cb148958c8d1a6546db84aff5db5e7f007b9f811bf89514637397088bc92bd4133bd22cff5b6669133e0b0806_0", "fix": "&sessions.Options{\n\t\tPath: \"/\",\n\t\tMaxAge: 3600,\n\t\tHttpOnly: true, //set to false for xss :)\n Secure: true,\n\t}", "fixed_lines": ["\tsession.Options = &sessions.Options{", "\t\tPath: \"/\",", "\t\tMaxAge: 3600,", "\t\tHttpOnly: true, //set to false for xss :)", " Secure: true,", "\t}"], "is_ignored": false, 
"lines": "\tsession.Options = &sessions.Options{\n\t\tPath: \"/\",\n\t\tMaxAge: 3600,\n\t\tHttpOnly: false, //set to false for xss :)\n Secure: true,\n\t}", "message": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.", "metadata": {"category": "security", "confidence": "MEDIUM", "cwe": ["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"], "dev.semgrep.actions": ["comment"], "impact": "LOW", "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", "likelihood": "LOW", "owasp": ["A05:2021 - Security Misconfiguration"], "references": ["https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69"], "semgrep.dev": {"rule": {"origin": "community", "rule_id": "qNUj6g", "url": "https://semgrep.dev/playground/r/A8T95ZE/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", "version_id": "A8T95ZE"}}, "semgrep.policy": {"id": 53432, "name": "Rule Board - PR Comments column", "slug": "rule-board-pr-comments"}, "semgrep.url": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", "shortlink": "https://sg.run/4xJZ", "source": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", "subcategory": ["audit"], "technology": ["gorilla"], "vulnerability_class": ["Cookie Security"]}, "metavars": {}, "severity": "WARNING", "validation_state": "NO_VALIDATOR"}, "path": "insecure-cookie.go", "start": {"col": 20, "line": 28, "offset": 481}}, {"check_id": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", "end": {"col": 57, "line": 10, "offset": 278}, "extra": {"engine_kind": "PRO", "fingerprint": 
"58fccddd2cb127ebd5ab4c199cedfdba23e50960262fea31cad5930aa8e7a2b42c436605c1afdd9ced08312b9346193b7d5a30d17007c6b56c59e8a50702d4d2_0", "fix": "grpc.Dial(address, grpc.WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>)))", "fixed_lines": [" conn, err := grpc.Dial(address, grpc.WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>)))"], "is_ignored": false, "lines": " conn, err := grpc.Dial(address, grpc.WithInsecure())", "message": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.", "metadata": {"category": "security", "confidence": "HIGH", "cwe": ["CWE-300: Channel Accessible by Non-Endpoint"], "dev.semgrep.actions": ["comment"], "impact": "LOW", "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", "likelihood": "LOW", "owasp": ["A07:2021 - Identification and Authentication Failures"], "references": ["https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption"], "semgrep.dev": {"rule": {"origin": "community", "rule_id": "PeUZ4X", "url": "https://semgrep.dev/playground/r/0bTLlY6/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", "version_id": "0bTLlY6"}}, "semgrep.policy": {"id": 53432, "name": "Rule Board - PR Comments column", "slug": "rule-board-pr-comments"}, "semgrep.url": "https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", "shortlink": "https://sg.run/J9yZ", "source": 
"https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", "subcategory": ["audit"], "technology": ["grpc"], "vulnerability_class": ["Other"]}, "metavars": {"$ADDR": {"abstract_content": "address", "end": {"col": 35, "line": 10, "offset": 256}, "start": {"col": 28, "line": 10, "offset": 249}}, "$GRPC": {"abstract_content": "grpc", "end": {"col": 22, "line": 10, "offset": 243}, "start": {"col": 18, "line": 10, "offset": 239}}}, "severity": "ERROR", "validation_state": "NO_VALIDATOR"}, "path": "insecure-grpc.go", "start": {"col": 18, "line": 10, "offset": 239}}], "skipped_rules": [], "version": "1.59.0"}