Verified by r2c
Community Favorite
Grayson Hardaway

Default ruleset for Golang, by r2c

Rules (24)

returntocorp

Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.

returntocorp

The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import "net/http/pprof"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.

returntocorp

'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.

returntocorp

If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.

returntocorp

Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing. This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.

returntocorp

Detected a hidden goroutine. Function invocations are expected to be synchronous, and this function will execute asynchronously because all it does is call a goroutine. Instead, remove the internal goroutine and call the function using 'go'.

trailofbits

Logic executed as a result of ticker `$TICKER` may execute more times than desired. When both `$TICKER` and `$DONECHAN` are written to at the same time, the scheduler randomly picks a case to execute. As a result, the `$TICKER.C` case may execute one more time than expected.