Crypto
ssl-v3-is-insecure
SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use ‘tls.VersionTLS13’.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
insecure-module-used
The package net/http/cgi is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use net/http or a web framework to build a web application instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
math-random-used
Do not use math/rand. Use crypto/rand instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures
avoid-ssh-insecure-ignore-host-key
Disabled host key verification detected. This allows man-in-the-middle attacks. Use the ‘golang.org/x/crypto/ssh/knownhosts’ package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-322: Key Exchange without Entity Authentication
OWASP:
- A02:2021 - Cryptographic Failures
tls-with-insecure-cipher
Detected an insecure CipherSuite via the ‘tls’ module. This suite is considered weak. Use the function ‘tls.CipherSuites()’ to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-weak-rsa-key
RSA keys should be at least 2048 bits.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
missing-ssl-minversion
MinVersion is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10) may it be necessary to enable TLS 1.0 to provide support. Add ‘MinVersion: tls.VersionTLS13’ to the TLS configuration to bump the minimum version to TLS 1.3.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-md5
Detected the MD5 hash algorithm, which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic signatures. Use SHA256 or SHA3 instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-sha1
Detected the SHA1 hash algorithm, which is considered insecure. SHA1 is not collision resistant and is therefore not suitable for cryptographic signatures. Use SHA256 or SHA3 instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-DES
Detected the DES cipher algorithm, which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-rc4
Detected the RC4 cipher algorithm, which is insecure. The algorithm has many known vulnerabilities. Use AES instead.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures