GO-S1020 @ 53b9168 • superfly / flyctl

Run summary

a month ago

66e058d..53b9168

3 mins 33 s

MinVersion is missing from this TLS configuration GO-S1020

Security

Major

1 occurrence in this check

a05 a02 a06 cwe-327 sans top 25 owasp top 10

MinVersion is missing from this TLS configuration: tls.Config

internal/build/imgsrc/docker.go

235		client := &http.Client{
236			Transport: &http.Transport{
237				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
238					return tls.Dial("tcp", fmt.Sprintf("%s.fly.dev:443", builderApp.Name), &tls.Config{})239				},
240			},
241		}

Description

MinVersion is missing from this TLS configuration. As the default value is TLS 1.0, which is considered insecure, it is recommended to explicitly set the MinVersion to a secure version of TLS, such as VersionTLS13.

Bad practice

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            KeyLogWriter:       w,
            Rand:               rand{},
            InsecureSkipVerify: true,
        },
    },
}

superfly / flyctl

Bad practice

Recommended

References