> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeant.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Crypto

<AccordionGroup>
  <Accordion title="ssl-v3-is-insecure">
    SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.<br />**Likelihood**: MEDIUM<br />**Confidence**: HIGH<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="insecure-module-used">
    The package `net/http/cgi` is on the import blocklist.  The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="math-random-used">
    Do not use `math/rand`. Use `crypto/rand` instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    <br />**OWASP**: <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="avoid-ssh-insecure-ignore-host-key">
    Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See [https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/](https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/) to learn more about the problem and how to fix it.<br />**Likelihood**: LOW<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-322: Key Exchange without Entity Authentication
    <br />**OWASP**: <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="tls-with-insecure-cipher">
    Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites) for why and what other cipher suites to use.<br />**Likelihood**: HIGH<br />**Confidence**: HIGH<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="use-of-weak-rsa-key">
    RSA keys should be at least 2048 bits<br />**Likelihood**: HIGH<br />**Confidence**: HIGH<br />**CWE**: <br />- CWE-326: Inadequate Encryption Strength
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="missing-ssl-minversion">
    `MinVersion` is missing from this TLS configuration.  By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled.  Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add \`MinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.<br />**Likelihood**: MEDIUM<br />**Confidence**: HIGH<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="use-of-md5">
    Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-328: Use of Weak Hash
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="use-of-sha1">
    Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-328: Use of Weak Hash
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="use-of-DES">
    Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>

  <Accordion title="use-of-rc4">
    Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    <br />**OWASP**: <br />- A03:2017 - Sensitive Data Exposure
    <br />- A02:2021 - Cryptographic Failures
  </Accordion>
</AccordionGroup>
