gopkg.in/alecthomas/gometalinter.v3@v3.0.0/_linters/src/github.com/securego/gosec/rules/weakcrypto.go (about) 1 // (c) Copyright 2016 Hewlett Packard Enterprise Development LP 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package rules 16 17 import ( 18 "go/ast" 19 20 "github.com/securego/gosec" 21 ) 22 23 type usesWeakCryptography struct { 24 gosec.MetaData 25 blacklist map[string][]string 26 } 27 28 func (r *usesWeakCryptography) ID() string { 29 return r.MetaData.ID 30 } 31 32 func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { 33 for pkg, funcs := range r.blacklist { 34 if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { 35 return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil 36 } 37 } 38 return nil, nil 39 } 40 41 // NewUsesWeakCryptography detects uses of des.* md5.* or rc4.* 42 func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { 43 calls := make(map[string][]string) 44 calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"} 45 calls["crypto/md5"] = []string{"New", "Sum"} 46 calls["crypto/sha1"] = []string{"New", "Sum"} 47 calls["crypto/rc4"] = []string{"NewCipher"} 48 rule := &usesWeakCryptography{ 49 blacklist: calls, 50 MetaData: gosec.MetaData{ 51 ID: id, 52 Severity: gosec.Medium, 53 Confidence: gosec.High, 54 What: "Use of weak cryptographic primitive", 55 }, 56 } 57 return rule, []ast.Node{(*ast.CallExpr)(nil)} 58 }