missing-ssl-minversion-go

ESS-ENN · ESS-ENN · commit 2b4ee9c2f03f · 2024-10-10T10:53:42.000+05:30
diff --git a/rules/go/security/missing-ssl-minversion-go.yml b/rules/go/security/missing-ssl-minversion-go.yml
@@ -0,0 +1,31 @@
+id: missing-ssl-minversion-go
+language: go
+severity: warning
+message: >-
+  MinVersion` is missing from this TLS configuration.  By default, TLS
+  1.2 is currently used as the minimum when acting as a client, and TLS 1.0
+  when acting as a server. General purpose web applications should default
+  to TLS 1.3 with all other protocols disabled.  Only where it is known that
+  a web server must support legacy clients with unsupported an insecure
+  browsers (such as Internet Explorer 10), it may be necessary to enable TLS
+  1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS
+  configuration to bump the minimum version to TLS 1.3.
+note: >-
+  [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+  match_tls_without_minversion:
+    kind: composite_literal
+    pattern: $R
+    inside:
+      stopBy: end
+      kind: assignment_statement
+rule:
+  any:
+    - matches: match_tls_without_minversion
+constraints:
+  R:
+    regex: ^(tls.Config)
diff --git a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml
@@ -0,0 +1,13 @@
+id: missing-ssl-minversion-go
+snapshots:
+  ? |
+    server.TLS = &tls.Config{ Rand: zeroSource{}, }
+  : labels:
+    - source: 'tls.Config{ Rand: zeroSource{}, }'
+      style: primary
+      start: 14
+      end: 47
+    - source: 'server.TLS = &tls.Config{ Rand: zeroSource{}, }'
+      style: secondary
+      start: 0
+      end: 47
diff --git a/tests/go/missing-ssl-minversion-go-test.yml b/tests/go/missing-ssl-minversion-go-test.yml
@@ -0,0 +1,13 @@
+id: missing-ssl-minversion-go
+valid:
+  - |
+    TLSClientConfig: &tls.Config{
+    KeyLogWriter:       w,
+    MinVersion:         tls.VersionSSL30,
+    Rand:               zeroSource{}, 
+    InsecureSkipVerify: true,        
+    },
+
+invalid:
+  - |
+    server.TLS = &tls.Config{ Rand: zeroSource{}, }
