Remove rule G105 which detects the use of math/big#Int.Exp

math/big.Int.Exp used to be vulnerable in older versions of Go, but this has
since been fixed upstream (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
Cosmin Cojocar 2019-09-09 14:16:26 +02:00 committed by Grant Murphy
parent 43e3664713
commit 338b50debb
5 changed files with 9 additions and 78 deletions


@ -60,10 +60,6 @@ paths, and produce reports in different formats. By default all rules will be
run against the supplied input files. To recursively scan from the current run against the supplied input files. To recursively scan from the current
directory you can supply './...' as the input argument. directory you can supply './...' as the input argument.
### Selecting rules
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
### Available rules ### Available rules
@ -71,7 +67,6 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
- G102: Bind to all interfaces - G102: Bind to all interfaces
- G103: Audit the use of unsafe block - G103: Audit the use of unsafe block
- G104: Audit errors not checked - G104: Audit errors not checked
- G105: Audit the use of math/big.Int.Exp
- G106: Audit the use of ssh.InsecureIgnoreHostKey - G106: Audit the use of ssh.InsecureIgnoreHostKey
- G107: Url provided to HTTP request as taint input - G107: Url provided to HTTP request as taint input
- G201: SQL query construction using format string - G201: SQL query construction using format string
@ -93,6 +88,15 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
- G504: Import blacklist: net/http/cgi - G504: Import blacklist: net/http/cgi
- G505: Import blacklist: crypto/sha1 - G505: Import blacklist: crypto/sha1
### Retired rules
- G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
### Selecting rules
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
```bash ```bash
# Run a specific set of rules # Run a specific set of rules
$ gosec -include=G101,G203,G401 ./... $ gosec -include=G101,G203,G401 ./...


@ -1,52 +0,0 @@
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rules
import (
"go/ast"
"github.com/securego/gosec"
)
type usingBigExp struct {
gosec.MetaData
pkg string
calls []string
}
func (r *usingBigExp) ID() string {
return r.MetaData.ID
}
func (r *usingBigExp) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err error) {
if _, matched := gosec.MatchCallByType(n, c, r.pkg, r.calls...); matched {
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
}
return nil, nil
}
// NewUsingBigExp detects issues with modulus == 0 for Bignum
func NewUsingBigExp(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return &usingBigExp{
pkg: "*math/big.Int",
calls: []string{"Exp"},
MetaData: gosec.MetaData{
ID: id,
What: "Use of math/big.Int.Exp function should be audited for modulus == 0",
Severity: gosec.Low,
Confidence: gosec.High,
},
}, []ast.Node{(*ast.CallExpr)(nil)}
}


@ -63,7 +63,6 @@ func Generate(filters ...RuleFilter) RuleList {
{"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces}, {"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
{"G103", "Audit the use of unsafe block", NewUsingUnsafe}, {"G103", "Audit the use of unsafe block", NewUsingUnsafe},
{"G104", "Audit errors not checked", NewNoErrorCheck}, {"G104", "Audit errors not checked", NewNoErrorCheck},
{"G105", "Audit the use of big.Exp function", NewUsingBigExp},
{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey}, {"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck}, {"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},


@ -71,10 +71,6 @@ var _ = Describe("gosec rules", func() {
runner("G104", testutils.SampleCodeG104Audit) runner("G104", testutils.SampleCodeG104Audit)
}) })
It("should detect of big.Exp function", func() {
runner("G105", testutils.SampleCodeG105)
})
It("should detect of ssh.InsecureIgnoreHostKey function", func() { It("should detect of ssh.InsecureIgnoreHostKey function", func() {
runner("G106", testutils.SampleCodeG106) runner("G106", testutils.SampleCodeG106)
}) })


@ -304,22 +304,6 @@ func main() {
package main package main
func dummy(){} func dummy(){}
`}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}} `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}}
// SampleCodeG105 - bignum overflow
SampleCodeG105 = []CodeSample{{[]string{`
package main
import (
"math/big"
)
func main() {
z := new(big.Int)
x := new(big.Int)
x = x.SetUint64(2)
y := new(big.Int)
y = y.SetUint64(4)
m := new(big.Int)
m = m.SetUint64(0)
z = z.Exp(x, y, m)
}`}, 1, gosec.NewConfig()}}
// SampleCodeG106 - ssh InsecureIgnoreHostKey // SampleCodeG106 - ssh InsecureIgnoreHostKey
SampleCodeG106 = []CodeSample{{[]string{` SampleCodeG106 = []CodeSample{{[]string{`