Categories

Programming language

Latest version

v1.12.0

Updated on

Nov 18, 2022

Issues

371

Autofix

137

Sample configuration


[[analyzers]]

name = "go"
enabled = true

  [analyzers.meta]
  import_root = "github.com/deepsourcelabs/webapp"

Stats


Anti-pattern

90

Bug risk

167

Documentation

4

Performance

17

Security

75

Style

18

Issues


View all
gin.LoadHTMLGlob with ill-formed pattern would panic GO-E1000
Bug risk

gin.LoadHTMLGlob loads HTML files identified by glob pattern and associates the result with HTML renderer, but if the pattern passed is ill-formed, it would result in panic. Hence, one should check pattern before using it as an argument to LoadHTMLGlob.

Audit required: Exposure of sensitive headers GO-S0901
Security

Use of headers like "Server", "X-Powered-By" and "X-AspNet-Version" can leak sensitive information of your application and server. If not necessary, usage of these headers should be avoided.

Audit required: XML package may be vulnerable to XXE attacks GO-S0903
Security

XML specification allows the use of entities that can be internal or external (file system/network access, etc.) which could lead to vulnerabilities such as SSRF or confidential file disclosures. XML package (Go binding to libxml2) might be vulnerable to XXE attacks. When dealing with external entities, one must be very careful when using the package, allowing an attacker to access sensitive data on the filesystem.

Audit required: Insecure gRPC server GO-S0902
Security

gRPC is designed to work with various authentication mechanisms, making it easy to use gRPC to talk to other systems. It is recommended to use the supported authentication mechanisms to shield against multiple types of attacks (e.g., MITM - Man in the Middle Attack).