Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Aws-lambda
- Gin
- Gorilla
- Gorm
- Grpc
- Jwt-go
- Lang
- Best practice
- Correctness
- Correctness
- Maintainability
- Memory
- Security
- Security
- Net
- Otto
- Secrets
- Template
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Audit
Detected non-static command inside exec.Cmd. Audit the input to ‘exec.Cmd’. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
Detected non-static command inside Exec. Audit the input to ‘syscall.Exec’. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the golang.org/x/crypto/bcrypt package.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
‘reflect.MakeFunc’ detected. This will sidestep protections that are normally afforded by Go’s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-913: Improper Control of Dynamically-Managed Code Resources
OWASP:
- A01:2021 - Broken Access Control
Detected non-static command inside Write. Audit the input to ‘$CW.Write’. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Detected non-static command inside Command. Audit the input to ‘exec.Command’. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you’re doing.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-242: Use of Inherently Dangerous Function
If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
OWASP:
- A03:2021 - Injection