Go

By DeepSource

`MinVersion` is missing from this TLS configuration GO-S1020
Security

`MinVersion` is missing from this TLS configuration. As the default value is TLS 1.0, which is considered insecure, it is recommended to explicitly set `MinVersion` to a secure version of TLS, such as `VersionTLS13`.

`http.NewRequest` request sent to `http://` URLs GO-S1028
Security

Sending requests via `http.NewRequest` to `http://` URLs is dangerous because the server is then connecting to a website that does not encrypt traffic with TLS. It is recommended to use `https://` instead.

Audit required: XML package may be vulnerable to XXE attacks GO-S0903
Security

The XML specification allows the use of entities that can be internal or external (file system access, network access, etc.), which could lead to vulnerabilities such as SSRF or confidential file disclosure. The XML package (Go binding to libxml2) might be vulnerable to XXE attacks. Be very careful when using the package with external entities, since they can allow an attacker to access sensitive data on the filesystem.

Audit required: Insecure use of logger GO-S0904
Security

Possible insecure use of the logger: tainted, untrusted, or sensitive arguments are passed to it. Logging unvalidated user input can allow an attacker to forge log entries or inject malicious content into the logs.

Audit required: `encoding/xml` is unsafe for security-critical operations GO-S0905
Security

Go's `encoding/xml` is unsafe for security-critical operations such as XML signature validation and SAML.