go.lang.security.audit.crypto.bad_imports.insecure-module-used

Detected use of an insecure cryptographic hashing method. This method is known to be broken and easily compromised. Use SHA256 or SHA3 instead. Note that, as the definition below shows, the rule fires on any call into crypto/md5, crypto/des, crypto/sha1, crypto/rc4 or net/http/cgi, so some findings concern a broken cipher or the CGI package rather than a hash.
Definition
rules:
- id: insecure-module-used
message: Detected use of an insecure cryptographic hashing method. This method
is known to be broken and easily compromised. Use SHA256 or SHA3 instead.
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
source-rule-url: https://github.com/securego/gosec
references:
- https://godoc.org/golang.org/x/crypto/sha3
category: security
technology:
- go
confidence: MEDIUM
subcategory:
- audit
likelihood: MEDIUM
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- go
severity: WARNING
pattern-either:
- patterns:
- pattern-inside: |
import "crypto/md5"
...
- pattern: |
md5.$FUNC(...)
- patterns:
- pattern-inside: |
import "crypto/des"
...
- pattern: |
des.$FUNC(...)
- patterns:
- pattern-inside: |
import "crypto/sha1"
...
- pattern: |
sha1.$FUNC(...)
- patterns:
- pattern-inside: |
import "crypto/rc4"
...
- pattern: |
rc4.$FUNC(...)
- patterns:
- pattern-inside: |
import "net/http/cgi"
...
- pattern: |
cgi.$FUNC(...)
Examples
bad_imports.go
package main
import (
"crypto/cipher"
"crypto/des"
"crypto/md5"
"crypto/rand"
"crypto/rc4"
"crypto/sha1"
"encoding/hex"
"fmt"
"io"
"net/http"
"net/http/cgi"
"os"
)
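// main1 serves the local documentation tree through CGI. The net/http/cgi
// package is one of the modules the rule flags; this example exists to
// trigger that finding, so the "// ruleid:" annotation must stay directly
// above the cgi call.
func main1() {
	// ruleid: insecure-module-used
	if err := cgi.Serve(http.FileServer(http.Dir("/usr/share/doc"))); err != nil {
		// The original discarded Serve's error; surface it the same way the
		// sibling examples in this file do.
		panic(err)
	}
}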
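// main2 encrypts a fixed message with DES in CFB mode and prints the
// hex-encoded output, laid out as IV followed by ciphertext. DES is one of
// the primitives the rule flags; this example exists to trigger that
// finding, so the "// ruleid:" annotation must stay directly above the
// des call. The hard-coded key is part of the fixture, not a recommendation.
func main2() {
	// des.NewCipher rejects any key that is not exactly 8 bytes; the original
	// 7-byte "sekritz" made it return an error and the example panic.
	// "sekritz!" is a constructed 8-byte sample value.
	// ruleid: insecure-module-used
	block, err := des.NewCipher([]byte("sekritz!"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	// One buffer holds [IV | ciphertext]; the IV is random, so the printed
	// value differs from run to run.
	ciphertext := make([]byte, des.BlockSize+len(plaintext))
	iv := ciphertext[:des.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
	// Printf rather than Println: Println does not interpret the %s verb and
	// would print it literally (go vet reports this).
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}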
// main3 prints the MD5 digest of every command-line argument beside the
// argument itself. MD5 is one of the hashes the rule treats as broken; this
// is the rule's md5 example, so the "// ruleid:" annotation must stay
// directly above the md5 call.
func main3() {
	for _, word := range os.Args {
		// ruleid: insecure-module-used
		sum := md5.Sum([]byte(word))
		// %x on the [16]byte digest renders it as lowercase hex.
		fmt.Printf("%x - %s\n", sum, word)
	}
}
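// main4 encrypts a fixed message with RC4 and prints the hex-encoded
// ciphertext. RC4 is one of the primitives the rule flags; this example
// exists to trigger that finding, so the "// ruleid:" annotation must stay
// directly above the rc4 call. The hard-coded key is part of the fixture.
func main4() {
	// Named c rather than cipher: the original local shadowed the
	// crypto/cipher import at the top of the file.
	// ruleid: insecure-module-used
	c, err := rc4.NewCipher([]byte("sekritz"))
	if err != nil {
		panic(err)
	}
	plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
	ciphertext := make([]byte, len(plaintext))
	c.XORKeyStream(ciphertext, plaintext)
	// Printf rather than Println: Println does not interpret the %s verb and
	// would print it literally (go vet reports this).
	fmt.Printf("Secret message is: %s\n", hex.EncodeToString(ciphertext))
}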
// main5 prints the SHA-1 digest of every command-line argument beside the
// argument itself. SHA-1 is one of the hashes the rule treats as broken; this
// is the rule's sha1 example, so the "// ruleid:" annotation must stay
// directly above the sha1 call.
func main5() {
	for _, word := range os.Args {
		// ruleid: insecure-module-used
		digest := sha1.Sum([]byte(word))
		// %x on the [20]byte digest renders it as lowercase hex.
		fmt.Printf("%x - %s\n", digest, word)
	}
}