15+ Go Security Rules (cryptography misconfigurations)

Hello,

A couple of weeks ago, we released our first batch of security rules dedicated to Go. We continued this effort, and it’s time to announce that we enhanced our Go analyzer again with 15 additional foundational Go security rules.
Here is the list of newly added rules:

Vulnerability Issues:

  • S6437: Credentials should not be hard-coded
  • S5547: Cipher algorithms should be robust
  • S3329: Cipher Block Chaining IVs should be unpredictable
  • S5542: Encryption algorithms should be used with secure mode and padding scheme
  • S5445: Insecure temporary file creation methods should not be used
  • S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm
  • S4830: Server certificates should be verified during SSL/TLS connections
  • S5527: Server hostnames should be verified during SSL/TLS connections
  • S4426: Cryptographic keys should be robust
  • S2053: Password hashing functions should use an unpredictable salt

Security Hotspots:

  • S6418: Hard-coded secrets are security-sensitive
  • S5443: Using publicly writable directories is security-sensitive
  • S5332: Using clear-text protocols is security-sensitive
  • S4036: Searching OS commands in PATH is security-sensitive
  • S2077: Formatting SQL queries is security-sensitive

These rules are already available for SonarQube Cloud users and will be part of the next SonarQube Server 2025.2 release (March 2025).

Enjoy!
Alex

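To make a few of the listed rules concrete, here is an added Go example (not Sonar's code and not taken from the post) that puts the pattern each rule flags next to its hardened form: a fixed CBC IV (S3329 / S5542) beside AES-GCM with a fresh random nonce, and a `tls.Config` that disables peer verification (S4830 / S5527) beside the default. The key, the message and the helper names (`encryptCBCFixedIV`, `encryptGCM`, `tlsConfigVerifiesPeer`) are constructed for this illustration; only the standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// sampleKey is a constructed 256-bit key for the demo; real keys come from a KMS or a KDF.
var sampleKey = bytes.Repeat([]byte{0x42}, 32)

// pkcs7Pad pads b to a multiple of size (needed by CBC, not by GCM).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBCFixedIV is the pattern S3329/S5542 flag: a hard-coded IV and no
// authentication. Equal plaintexts produce equal ciphertexts, so an observer
// learns when the same message is sent twice.
func encryptCBCFixedIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // all-zero IV: predictable, reused for every message
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// encryptGCM is the hardened form: AES-GCM (authenticated) with a random nonce
// drawn from crypto/rand for every call. The nonce is prepended to the output.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM splits off the nonce and verifies the tag before returning plaintext.
func decryptGCM(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// tlsConfigVerifiesPeer is the check behind S4830/S5527: InsecureSkipVerify
// turns off both certificate chain and hostname verification in a client config.
func tlsConfigVerifiesPeer(cfg *tls.Config) bool {
	return cfg == nil || !cfg.InsecureSkipVerify
}

func main() {
	msg := []byte("transfer 100 to account 7") // constructed sample message
	a, _ := encryptCBCFixedIV(sampleKey, msg)
	b, _ := encryptCBCFixedIV(sampleKey, msg)
	fmt.Println("fixed-IV CBC repeats ciphertext:", bytes.Equal(a, b)) // true

	c, _ := encryptGCM(sampleKey, msg)
	d, _ := encryptGCM(sampleKey, msg)
	fmt.Println("GCM with random nonce repeats ciphertext:", bytes.Equal(c, d)) // false
	pt, err := decryptGCM(sampleKey, c)
	fmt.Println("GCM roundtrip:", err == nil && bytes.Equal(pt, msg)) // true

	fmt.Println("default tls.Config verifies peer:", tlsConfigVerifiesPeer(&tls.Config{}))                      // true
	fmt.Println("InsecureSkipVerify verifies peer:", tlsConfigVerifiesPeer(&tls.Config{InsecureSkipVerify: true})) // false
}
```

Running it twice on the same message is the cheapest way to see why S3329 exists: the CBC output is byte-for-byte identical each time, while the GCM output changes and additionally fails to decrypt if a single byte is tampered with. The password rules (S5344, S2053) are left out of this block because their hardened form (bcrypt or argon2 with a per-user random salt) lives in golang.org/x/crypto rather than the standard library.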