Create rule S5527: Server hostnames should be verified during SSL/TLS…

… connections for go (#4656) * Add go to rule S5527 * Add text * Fix wording * Fix wording++ * Update rules/S5527/go/how-to-fix-it/std.adoc Co-authored-by: daniel-teuchert-sonarsource <[email protected]> * Move fix it section into the main adoc * Fix non-compliant->noncompliant --------- Co-authored-by: teemu-rytilahti-sonarsource <[email protected]> Co-authored-by: Teemu Rytilahti <[email protected]> Co-authored-by: daniel-teuchert-sonarsource <[email protected]>
SonarSource · Feb 12, 2025 · 2619fbc · 2619fbc
1 parent 4903879
commit 2619fbc
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/rules/S5527/go/metadata.json b/rules/S5527/go/metadata.json
@@ -0,0 +1,3 @@
+{
+
+}
diff --git a/rules/S5527/go/rule.adoc b/rules/S5527/go/rule.adoc
@@ -0,0 +1,67 @@
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+== How to fix it
+
+=== Code examples
+
+include::../common/fix/code-rationale.adoc[]
+
+Hostname validation is disabled if ``++InsecureSkipVerify++`` is set to `true` for ``++TLSClientConfig++`` used for the transport class.
+
+For HTTPS, it is recommended to use high-level interfaces (like ``++http.Get()++``), which perform the certificate validation instead of using ``++http.Client++`` directly.
+
+==== Noncompliant code example
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+client := &http.Client{
+    Transport: &http.Transport{
+        TLSClientConfig: &tls.Config{
+            InsecureSkipVerify: true, // Noncompliant
+        },
+    },
+}
+
+client.Get("https://example.com")
+----
+
+==== Compliant solution
+
+Usage of high-level interfaces is recommended:
+[source,go,diff-id=1,diff-type=compliant]
+----
+http.Get("https://example.com")
+----
+
+=== How does this work?
+
+include::../common/fix/validation.adoc[]
+
+== Resources
+
+include::../common/resources/standards.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
+