Remove rule G105 which detects the use of math/big#Int.Exp

The big#Int.Exp used to be vulnerable in older versions of Go, but in the meantime has been fixed (https://github.com/golang/go/issues/15184). Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2024-11-05 19:45:51 +00:00 · 2019-09-09 14:16:26 +02:00 · 2019-09-09 14:16:26 +02:00 · 338b50debb
commit 338b50debb
parent 43e3664713
5 changed files with 9 additions and 78 deletions
--- a/README.md
+++ b/README.md
@ -60,10 +60,6 @@ paths, and produce reports in different formats. By default all rules will be
 run against the supplied input files. To recursively scan from the current
 directory you can supply './...' as the input argument.

-### Selecting rules
-
-By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
-or to specify a set of rules to explicitly exclude using the '-exclude=' flag.

 ### Available rules

@ -71,7 +67,6 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 - G102: Bind to all interfaces
 - G103: Audit the use of unsafe block
 - G104: Audit errors not checked
- G105: Audit the use of math/big.Int.Exp
 - G106: Audit the use of ssh.InsecureIgnoreHostKey
 - G107: Url provided to HTTP request as taint input
 - G201: SQL query construction using format string
@ -93,6 +88,15 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 - G504: Import blacklist: net/http/cgi
 - G505: Import blacklist: crypto/sha1

+### Retired rules
+
+- G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+
+### Selecting rules
+
+By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
+or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
+
 ```bash
 # Run a specific set of rules
 $ gosec -include=G101,G203,G401 ./...
--- a/rules/big.go
+++ b/rules/big.go
@ -1,52 +0,0 @@
-// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package rules
-
-import (
-	"go/ast"
-
-	"github.com/securego/gosec"
-)
-
-type usingBigExp struct {
-	gosec.MetaData
-	pkg   string
-	calls []string
-}
-
-func (r *usingBigExp) ID() string {
-	return r.MetaData.ID
-}
-
-func (r *usingBigExp) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err error) {
-	if _, matched := gosec.MatchCallByType(n, c, r.pkg, r.calls...); matched {
-		return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
-	}
-	return nil, nil
-}
-
-// NewUsingBigExp detects issues with modulus == 0 for Bignum
-func NewUsingBigExp(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
-	return &usingBigExp{
-		pkg:   "*math/big.Int",
-		calls: []string{"Exp"},
-		MetaData: gosec.MetaData{
-			ID:         id,
-			What:       "Use of math/big.Int.Exp function should be audited for modulus == 0",
-			Severity:   gosec.Low,
-			Confidence: gosec.High,
-		},
-	}, []ast.Node{(*ast.CallExpr)(nil)}
-}
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@ -63,7 +63,6 @@ func Generate(filters ...RuleFilter) RuleList {
 		{"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
 		{"G103", "Audit the use of unsafe block", NewUsingUnsafe},
 		{"G104", "Audit errors not checked", NewNoErrorCheck},
-		{"G105", "Audit the use of big.Exp function", NewUsingBigExp},
 		{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
 		{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},

--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@ -71,10 +71,6 @@ var _ = Describe("gosec rules", func() {
 			runner("G104", testutils.SampleCodeG104Audit)
 		})

-		It("should detect of big.Exp function", func() {
-			runner("G105", testutils.SampleCodeG105)
-		})
-
 		It("should detect of ssh.InsecureIgnoreHostKey function", func() {
 			runner("G106", testutils.SampleCodeG106)
 		})
--- a/testutils/source.go
+++ b/testutils/source.go
@ -304,22 +304,6 @@ func main() {
 package main
 func dummy(){}
 `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}}
-	// SampleCodeG105 - bignum overflow
-	SampleCodeG105 = []CodeSample{{[]string{`
-package main
-import (
-	"math/big"
-)
-func main() {
-	z := new(big.Int)
-	x := new(big.Int)
-	x = x.SetUint64(2)
-	y := new(big.Int)
-    y = y.SetUint64(4)
-   	m := new(big.Int)
-    m = m.SetUint64(0)
-    z = z.Exp(x, y, m)
-}`}, 1, gosec.NewConfig()}}

 	// SampleCodeG106 - ssh InsecureIgnoreHostKey
 	SampleCodeG106 = []CodeSample{{[]string{`