go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES

Verifed by r2c
Community Favorite
profile photo of semgrepsemgrep
Author
124,504
Download Count*
LGPL Commons Clause
License

Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-of-DES
    message: Detected DES cipher algorithm which is insecure. The algorithm is
      considered weak and has been deprecated. Use AES instead.
    languages:
      - go
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      source-rule-url: https://github.com/securego/gosec#available-rules
      category: security
      technology:
        - go
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern-inside: |
          import "crypto/des"
          ...
      - pattern-either:
          - pattern: |
              des.NewTripleDESCipher(...)
          - pattern: |
              des.NewCipher(...)

Examples

use_of_weak_crypto.go

package main

import (
	"crypto/des"
	"crypto/md5"
	"crypto/rc4"
	"crypto/sha1"
	"fmt"
	"io"
	"log"
	"os"
)

func main() {
}

func test_des() {
	// NewTripleDESCipher can also be used when EDE2 is required by
	// duplicating the first 8 bytes of the 16-byte key.
	ede2Key := []byte("example key 1234")

	var tripleDESKey []byte
	tripleDESKey = append(tripleDESKey, ede2Key[:16]...)
	tripleDESKey = append(tripleDESKey, ede2Key[:8]...)
	// ruleid: use-of-DES
	_, err := des.NewTripleDESCipher(tripleDESKey)
	if err != nil {
		panic(err)
	}

	// See crypto/cipher for how to use a cipher.Block for encryption and
	// decryption.
}

func test_md5() {
	f, err := os.Open("file.txt")
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()

	defer func() {
		err := f.Close()
		if err != nil {
			log.Printf("error closing the file: %s", err)
		}
	}()

	// ruleid: use-of-md5
	h := md5.New()
	if _, err := io.Copy(h, f); err != nil {
		log.Fatal(err)
	}
	// ruleid: use-of-md5
	fmt.Printf("%x", md5.Sum(nil))
}

func test_rc4() {
	key := []byte{1, 2, 3, 4, 5, 6, 7}
	// ruleid: use-of-rc4
	c, err := rc4.NewCipher(key)
	dst := make([]byte, len(src))
	c.XORKeyStream(dst, src)
}

func test_sha1() {
	f, err := os.Open("file.txt")
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()
	// ruleid: use-of-sha1
	h := sha1.New()
	if _, err := io.Copy(h, f); err != nil {
		log.Fatal(err)
	}
	// ruleid: use-of-sha1
	fmt.Printf("%x", sha1.Sum(nil))
}