1// (c) Copyright 2016 Hewlett Packard Enterprise Development LP 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15package rules 16 17import ( 18 "go/ast" 19 20 "github.com/securego/gosec/v2" 21) 22 23type usesWeakCryptography struct { 24 gosec.MetaData 25 blocklist map[string][]string 26} 27 28func (r *usesWeakCryptography) ID() string { 29 return r.MetaData.ID 30} 31 32func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { 33 for pkg, funcs := range r.blocklist { 34 if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { 35 return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil 36 } 37 } 38 return nil, nil 39} 40 41// NewUsesWeakCryptography detects uses of des.* md5.* or rc4.* 42func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { 43 calls := make(map[string][]string) 44 calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"} 45 calls["crypto/md5"] = []string{"New", "Sum"} 46 calls["crypto/sha1"] = []string{"New", "Sum"} 47 calls["crypto/rc4"] = []string{"NewCipher"} 48 rule := &usesWeakCryptography{ 49 blocklist: calls, 50 MetaData: gosec.MetaData{ 51 ID: id, 52 Severity: gosec.Medium, 53 Confidence: gosec.High, 54 What: "Use of weak cryptographic primitive", 55 }, 56 } 57 return rule, []ast.Node{(*ast.CallExpr)(nil)} 58} 59