Hello Go Developers,
We are pleased to announce that we are enhancing our Go analyzer, with a particular focus on improving security rules. In 2025, our goal is to significantly expand our security analysis capabilities for Go.
As part of this initiative, we have recently introduced several foundational Go security rules. Below is the list of newly added rules:
- S4423: Weak SSL/TLS protocols should not be used
- S3330: Creating cookies without the “HttpOnly” flag is security-sensitive
- S2092: Creating cookies without the “secure” flag is security-sensitive
- S4507: Delivering code in production with debug features activated is security-sensitive
- S2068: Hard-coded credentials are security-sensitive
- S2612: Setting loose POSIX file permissions is security-sensitive
- S1313: Using hardcoded IP addresses is security-sensitive
- S2245: Using pseudorandom number generators (PRNGs) is security-sensitive
- S4790: Using weak hashing algorithms is security-sensitive
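As an added illustration (not part of the announcement and not SonarSource's own rule implementation), the Go snippet below shows the hardened form of several of the patterns these rules flag: an explicitly pinned TLS minimum version (S4423), cookie flags (S3330, S2092), a credential read from the environment instead of a string literal (S2068), owner-only file permissions (S2612), `crypto/rand` for tokens (S2245) and SHA-256 in place of MD5 or SHA-1 (S4790). The function names, the `DB_PASSWORD` variable and the temp-file path are assumptions made for the example; `tlsIsWeak` is a deliberately conservative illustrative check, not the analyzer's rule logic, and treats an unset `MinVersion` as weak because the library default for it has varied between Go releases.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
)

// S4423: pin the minimum protocol version instead of relying on library
// defaults, which have changed between Go releases. TLS 1.2 is the floor.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// tlsIsWeak is a conservative illustrative check (assumption, not the rule's
// logic): an unset MinVersion (0) or anything below TLS 1.2 counts as weak.
func tlsIsWeak(c *tls.Config) bool {
	return c.MinVersion == 0 || c.MinVersion < tls.VersionTLS12
}

// S3330 / S2092: session cookies carry HttpOnly (no script access) and Secure
// (never sent over plain HTTP); SameSite additionally limits cross-site sends.
func sessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// S2068: the password comes from the environment (variable name assumed for
// this example), never from a literal in the source.
func dbPassword() (string, error) {
	p := os.Getenv("DB_PASSWORD")
	if p == "" {
		return "", errors.New("DB_PASSWORD is not set")
	}
	return p, nil
}

// S2612: write secrets owner-read/write only (0600) rather than 0644/0666,
// and return the resulting permission bits so callers can verify them.
func writeSecret(path string, data []byte) (os.FileMode, error) {
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// S2245: security tokens are drawn from crypto/rand, not math/rand.
func newToken(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// S4790: integrity fingerprints use SHA-256 instead of MD5 or SHA-1.
func fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	fmt.Println("TLS weak:", tlsIsWeak(hardenedTLSConfig()))
	fmt.Println("cookie:", sessionCookie("example").String())
	if _, err := dbPassword(); err != nil {
		fmt.Println("credential lookup:", err)
	}
	path := filepath.Join(os.TempDir(), "hardening-demo-secret") // constructed path
	if perm, err := writeSecret(path, []byte("not-a-real-secret")); err == nil {
		fmt.Printf("secret file mode: %#o\n", perm)
		os.Remove(path)
	}
	tok, _ := newToken(16)
	fmt.Println("token:", tok)
	fmt.Println("sha256(hello):", fingerprint([]byte("hello")))
}
```

Each helper returns the value a reviewer would want to inspect (the permission bits, the cookie struct, the hex digest) rather than only printing it, so the same functions can be exercised from a unit test alongside the analyzer's findings.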
We are committed to continuing this effort in the coming weeks and will subsequently focus on detecting more advanced security issues, such as injection vulnerabilities.
These rules are already available for SonarQube Cloud users and will be part of the next SonarQube Server 2025.2 release (March 2025).
Enjoy!
Alex