Go Scan rules
Contrast Scan supports these rules for Go.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Insecure SSL | OPT.GO.SECURITY.InsecureSSL | InsecureSSL: Insecure SSL configuration |
Critical | Too Much Origins Allowed | OPT.GO.SECURITY.TooMuchOriginsAllowed | TooMuchOriginsAllowed: CORS policy (Cross-origin resource sharing) too broad |
Critical | Anonymous Ldap Bind | OPT.GO.SECURITY.AnonymousLdapBind | AnonymousLdapBind: Access Control - Anonymous LDAP Bind |
Critical | Forbidden Call | OPT.GO.SECURITY.ForbiddenCall | ForbiddenCall: Dangerous function called. |
Critical | Code Injection | OPT.GO.SECURITY.CodeInjection | CodeInjection: Avoid non-neutralized user-controlled input in dynamic code evaluation |
Critical | Command Injection | OPT.GO.SECURITY.CommandInjection | CommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Critical | Connection String Parameter Pollution | OPT.GO.SECURITY.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
Critical | Cross Site Scripting | OPT.GO.SECURITY.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | Http Splitting | OPT.GO.SECURITY.HttpSplitting | HttpSplitting: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
Critical | Ldap Injection | OPT.GO.SECURITY.LdapInjection | LdapInjection: Avoid non-neutralized user-controlled input in LDAP search filters |
Critical | Mail Command Injection | OPT.GO.SECURITY.MailCommandInjection | MailCommandInjection: Mail Command Injection |
Critical | No SQL Injection | OPT.GO.SECURITY.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
Critical | Process Control | OPT.GO.SECURITY.ProcessControl | ProcessControl: Do not load executables or libraries from untrusted sources |
Critical | Regex Injection | OPT.GO.SECURITY.RegexInjection | RegexInjection: Prevent denial of service attack through malicious regular expression ('Regex Injection') |
Critical | Same Origin Method Execution | OPT.GO.SECURITY.SameOriginMethodExecution | SameOriginMethodExecution: Same Origin Method Execution (SOME) |
Critical | Path Traversal | OPT.GO.SECURITY.PathTraversal | PathTraversal: Avoid non-neutralized user-controlled input composed in a pathname to a resource |
Critical | SQL Injection | OPT.GO.SECURITY.SqlInjection | SqlInjection: Avoid SQL code formed with non-neutralized user input (vulnerable to SQL Injection attacks) |
Critical | XPath Injection | OPT.GO.SECURITY.XPathInjection | XPathInjection: Avoid XPath expressions formed with non-neutralized user input |
Critical | Password In Redirect | OPT.GO.SECURITY.PasswordInRedirect | PasswordInRedirect: Password Management - Password in Redirect |
Critical | Hardcoded Crypto Key | OPT.GO.SECURITY.HardcodedCryptoKey | HardcodedCryptoKey: Hardcoded cryptographic keys |
Critical | Non Random IV With CBC Mode | OPT.GO.SECURITY.NonRandomIVWithCBCMode | NonRandomIVWithCBCMode: Not using a Random IV with CBC Mode |
Critical | Weak Cryptographic Hash | OPT.GO.SECURITY.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hashes cannot guarantee data integrity |
Critical | Weak Encryption | OPT.GO.SECURITY.WeakEncryption | WeakEncryption: Weak symmetric encryption algorithm |
High | Insufficient Session Expiration | OPT.GO.SECURITY.InsufficientSessionExpiration | InsufficientSessionExpiration: Checks that session expiration interval does not exceed a limit |
High | Cookies In Security Decision | OPT.GO.SECURITY.CookiesInSecurityDecision | CookiesInSecurityDecision: Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
High | Cross Site Request Forgery | OPT.GO.SECURITY.CrossSiteRequestForgery | CrossSiteRequestForgery: Cross-site request forgery (CSRF) |
High | Http Parameter Pollution | OPT.GO.SECURITY.HttpParameterPollution | HttpParameterPollution: HTTP parameter pollution (HPP) |
High | JSON Injection | OPT.GO.SECURITY.JSONInjection | JSONInjection: Avoid using non-neutralized user-controlled input in JSON entities - JSON Injection |
High | Log Forging | OPT.GO.SECURITY.LogForging | LogForging: Improper Output Neutralization for Logs |
High | Open Redirect | OPT.GO.SECURITY.OpenRedirect | OpenRedirect: URL Redirection to Untrusted Site ('Open Redirect') |
High | Resource Injection | OPT.GO.SECURITY.ResourceInjection | ResourceInjection: Improper control of resource identifiers ("Resource Injection") |
High | Server Side Request Forgery | OPT.GO.SECURITY.ServerSideRequestForgery | ServerSideRequestForgery: Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) |
High | Trust Boundary Violation | OPT.GO.SECURITY.TrustBoundaryViolation | TrustBoundaryViolation: Trust boundary violation |
High | Unsafe Reflection | OPT.GO.SECURITY.UnsafeReflection | UnsafeReflection: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
High | Xslt Injection | OPT.GO.SECURITY.XsltInjection | XsltInjection: XML Injection (aka Blind XPath Injection) |
High | User Controlled SQL Primary Key | OPT.GO.SECURITY.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using a user-controlled primary key in a query |
High | Hardcoded Ip | OPT.GO.SECURITY.HardcodedIp | HardcodedIp: Do not write IP address in source code |
High | Hardcoded Salt | OPT.GO.SECURITY.HardcodedSalt | HardcodedSalt: A hardcoded salt can compromise system security |
High | Insecure Transport | OPT.GO.SECURITY.InsecureTransport | InsecureTransport: Insecure transport |
High | Insufficient Key Size | OPT.GO.SECURITY.InsufficientKeySize | InsufficientKeySize: Weak cryptography, insufficient key length |
High | Server Insecure Transport | OPT.GO.SECURITY.ServerInsecureTransport | ServerInsecureTransport: Insecure transport in HTTP servers |
Low | Password In Comments | OPT.GO.SECURITY.PasswordInComments | PasswordInComments: Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security |
Medium | Plaintext Storage In A Cookie | OPT.GO.SECURITY.PlaintextStorageInACookie | PlaintextStorageInACookie: Cleartext Storage of Sensitive Information in a Cookie |
Medium | Unsafe Cookie | OPT.GO.SECURITY.UnsafeCookie | UnsafeCookie: Generate server-side cookies with adequate security properties |
Medium | Unreachable Code | OPT.GO.RELIABILITY.UnreachableCode | UnreachableCode: Unreachable ("dead") code. |
Medium | Avoid Native Calls | OPT.GO.SECURITY.AvoidNativeCalls | AvoidNativeCalls: Avoid calls from Go to C native code |
Medium | Execution After Redirect | OPT.GO.SECURITY.ExecutionAfterRedirect | ExecutionAfterRedirect: Execution After Redirect (EAR) |
Medium | Avoid Host Name Checks | OPT.GO.SECURITY.AvoidHostNameChecks | AvoidHostNameChecks: Avoid checks on the client-side hostname, which are not reliable due to DNS poisoning |
Medium | Format String Injection | OPT.GO.SECURITY.FormatStringInjection | FormatStringInjection: Exclude unsanitized user input from format strings |
Medium | Potential Blocker Stmt | OPT.GO.SECURITY.PotentialBlockerStmt | PotentialBlockerStmt: Review statements that could lead to a resource exhaustion. |
Medium | Potential Infinite Loop | OPT.GO.SECURITY.PotentialInfiniteLoop | PotentialInfiniteLoop: Loop with Unreachable Exit Condition ('Infinite Loop') |
Medium | Profiling Endpoint Exposed | OPT.GO.SECURITY.ProfilingEndpointExposed | ProfilingEndpointExposed: Profiling endpoint automatically exposed |
Medium | Unchecked Input In Loop Condition | OPT.GO.SECURITY.UncheckedInputInLoopCondition | UncheckedInputInLoopCondition: Unchecked input in loop condition |
Medium | Hardcoded Username Password | OPT.GO.SECURITY.HardcodedUsernamePassword | HardcodedUsernamePassword: Use of Hard-coded Credentials |
Medium | JSON P Hijacking | OPT.GO.SECURITY.JSONPHijacking | JSONPHijacking: Sensitive information exposed through JSONP |
Medium | Password In Configuration File | OPT.GO.SECURITY.PasswordInConfigurationFile | PasswordInConfigurationFile: Use of credentials in a configuration file |
Medium | Plaintext Storage Of Password | OPT.GO.SECURITY.PlaintextStorageOfPassword | PlaintextStorageOfPassword: Plaintext Storage of a Password |
Medium | Privacy Violation | OPT.GO.SECURITY.PrivacyViolation | PrivacyViolation: Exposure of Private Information ('Privacy Violation') |
Medium | Serializable Type Containing Sensitive Data | OPT.GO.SECURITY.SerializableTypeContainingSensitiveData | SerializableTypeContainingSensitiveData: Serializable Type Containing Sensitive Data |
Medium | Insecure Randomness | OPT.GO.SECURITY.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks |