CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
        • Aws-lambda
        • Gin
        • Gorilla
        • Gorm
        • Grpc
        • Jwt-go
        • Lang
          • Best practice
          • Correctness
          • Correctness
          • Maintainability
          • Memory
          • Security
          • Security
            • Audit
            • Audit
              • Crypto
              • Database
              • Net
              • Sqli
              • Xss
              • Xxe
            • Injection
        • Net
        • Otto
        • Secrets
        • Template
      • Html
      • Java
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Audit

    Net

    unescaped-data-in-htmlattr

    Found a formatted template string passed to ‘template. HTMLAttr()’. ‘template.HTMLAttr()’ does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    formatted-template-string

    Found a formatted template string passed to ‘template.HTML()’. ‘template.HTML()’ does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    avoid-bind-to-all-interfaces

    Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.
    Likelihood: LOW
    Confidence: HIGH
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    wip-xss-using-responsewriter-and-printf

    Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    cookie-missing-httponly

    A session cookie was detected without setting the ‘HttpOnly’ flag. The ‘HttpOnly’ flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the ‘HttpOnly’ flag by setting ‘HttpOnly’ to ‘true’ in the Cookie.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
    OWASP:
    - A05:2021 - Security Misconfiguration

    cookie-missing-secure

    A session cookie was detected without setting the ‘Secure’ flag. The ‘secure’ flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the ‘Secure’ flag by setting ‘Secure’ to ‘true’ in the Options struct.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
    OWASP:
    - A05:2021 - Security Misconfiguration

    unescaped-data-in-url

    Found a formatted template string passed to ‘template.URL()’. ‘template.URL()’ does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    pprof-debug-exposure

    The profiling ‘pprof’ endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use import "net/http/pprof". See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-489: Active Debug Code
    OWASP:
    - A
    - 0
    - 6
    - :
    - 2
    - 0
    - 1
    - 7
    -

    - -
    -

    - S
    - e
    - c
    - u
    - r
    - i
    - t
    - y
    -

    - M
    - i
    - s
    - c
    - o
    - n
    - f
    - i
    - g
    - u
    - r
    - a
    - t
    - i
    - o
    - n

    use-tls

    Found an HTTP server without TLS. Use ‘http.ListenAndServeTLS’ instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-319: Cleartext Transmission of Sensitive Information
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    fs-directory-listing

    Detected usage of ‘http.FileServer’ as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-548: Exposure of Information Through Directory Listing
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A01:2021 - Broken Access Control

    dynamic-httptrace-clienttrace

    Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for ‘$TRACE’. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-913: Improper Control of Dynamically-Managed Code Resources
    OWASP:
    - A01:2021 - Broken Access Control

    unescaped-data-in-js

    Found a formatted template string passed to ‘template.JS()’. ‘template.JS()’ does not escape contents. Be absolutely sure there is no user-controlled data in this template.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    DatabaseSqli
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.