1// (c) Copyright 2016 Hewlett Packard Enterprise Development LP 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15package rules 16 17import ( 18 "fmt" 19 "go/ast" 20 21 "github.com/securego/gosec/v2" 22) 23 24type weakKeyStrength struct { 25 gosec.MetaData 26 calls gosec.CallList 27 bits int 28} 29 30func (w *weakKeyStrength) ID() string { 31 return w.MetaData.ID 32} 33 34func (w *weakKeyStrength) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { 35 if callExpr := w.calls.ContainsPkgCallExpr(n, c, false); callExpr != nil { 36 if bits, err := gosec.GetInt(callExpr.Args[1]); err == nil && bits < (int64)(w.bits) { 37 return gosec.NewIssue(c, n, w.ID(), w.What, w.Severity, w.Confidence), nil 38 } 39 } 40 return nil, nil 41} 42 43// NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits 44func NewWeakKeyStrength(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { 45 calls := gosec.NewCallList() 46 calls.Add("crypto/rsa", "GenerateKey") 47 bits := 2048 48 return &weakKeyStrength{ 49 calls: calls, 50 bits: bits, 51 MetaData: gosec.MetaData{ 52 ID: id, 53 Severity: gosec.Medium, 54 Confidence: gosec.High, 55 What: fmt.Sprintf("RSA keys should be at least %d bits", bits), 56 }, 57 }, []ast.Node{(*ast.CallExpr)(nil)} 58} 59