Add new rule G407 to detect hard-coded nonce and initialization vectors in crypto algorithms #1197
Conversation
@expp121 there are some lint errors, please could you have a look https://github.com/securego/gosec/actions/runs/10630482755/job/29469424412?pr=1197 ?
Yep, I was about to fix them! Thank you for pointing that out!
Codecov Report
Attention: Patch coverage is

@@           Coverage Diff            @@
##           master    #1197      +/- ##
==========================================
+ Coverage   67.35%   67.82%   +0.47%
==========================================
  Files          74       75       +1
  Lines        4046     4177     +131
==========================================
+ Hits         2725     2833     +108
- Misses       1195     1209      +14
- Partials      126      135       +9
Thanks for contributing this new analyzer. I left some comments, it would be great if you could address them.
I wasn't sure what you meant in all of your suggestions, but if there's something else that has to be changed, please feel free to inform me!
Thanks for fixing my review comments. What I meant with I pushed the change in your pull request.
The rule is supposed to detect the usage of hardcoded or static nonce/IV in many encryption algorithms:
* The different modes of AES (mainly tested here)
* It should be able to work with ascon
Currently the rule doesn't check when constant variables are used.
TODO: Improve the rule to detect constant variable usage
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the different examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
The value doesn't need to be passed as a pointer since it is an interface.
Change-Id: Ia21bceb5f315f4c30bd28425d62f678e9203e93f
Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I7f42c1de4e39dceb8e8144037d5af9223331ff06 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I49caeb75f1bd7ecdb9b4f99466d96ad81e2e95ac Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: Ifa141b70351136cfe7d0756a83e8166a24b5d538 Signed-off-by: Cosmin Cojocar <[email protected]>
Change-Id: I5b863c0da6cc3d01efa527c60c93fdcbc8c5a53c Signed-off-by: Cosmin Cojocar <[email protected]>
238545a to d9eaa05
This rule looks for hard-coded nonces/initialization vectors, or variables that hold hard-coded nonces/IVs, passed to encryption algorithms such as AES (CBC, CTR, OFB, CFB), ASCON and ChaCha20.
The rule has the following features:

```go
func cool() { cipher.NewCTR(bloc, nonce) }
```
closes #1196
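The detection the PR description sketches, as an added illustration that is not gosec's G407 implementation: a small go/ast pass that flags crypto/cipher constructor calls whose IV/nonce argument is a byte-slice literal, or an identifier that was assigned one (the "variables which have hard-coded nonces/IV" case above), and leaves caller-supplied IVs alone. Everything here is my own (the `nonceArg` table, `FindHardcodedNonces`, the constructed `sample` source); it tracks identifiers by name across the whole file and matches constructors by their textual call name, two simplifications a production analyzer would replace with real scope and data-flow tracking.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// nonceArg maps crypto/cipher constructors (by textual call name, so an aliased import is missed) to the IV/nonce argument index.
var nonceArg = map[string]int{
	"cipher.NewCTR": 1, "cipher.NewOFB": 1, "cipher.NewCFBEncrypter": 1,
	"cipher.NewCFBDecrypter": 1, "cipher.NewCBCEncrypter": 1, "cipher.NewCBCDecrypter": 1,
}

// isHardcodedBytes reports whether e is a literal []byte: []byte{0, 1, 2} or []byte("fixed").
func isHardcodedBytes(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.CompositeLit:
		return x.Type != nil && types.ExprString(x.Type) == "[]byte"
	case *ast.CallExpr:
		if len(x.Args) == 1 && types.ExprString(x.Fun) == "[]byte" {
			lit, ok := x.Args[0].(*ast.BasicLit)
			return ok && lit.Kind == token.STRING
		}
	}
	return false
}

// FindHardcodedNonces returns one "cipher.X@line" entry per listed constructor call whose
// IV/nonce argument is a literal byte slice or an identifier that was assigned one (by name, file-wide).
func FindHardcodedNonces(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	// Pass 1: collect names bound to a hard-coded []byte via var specs or assignments.
	hardcoded := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		switch s := n.(type) {
		case *ast.AssignStmt:
			for i, rhs := range s.Rhs {
				if i < len(s.Lhs) && isHardcodedBytes(rhs) {
					if id, ok := s.Lhs[i].(*ast.Ident); ok {
						hardcoded[id.Name] = true
					}
				}
			}
		case *ast.ValueSpec:
			for i, v := range s.Values {
				if i < len(s.Names) && isHardcodedBytes(v) {
					hardcoded[s.Names[i].Name] = true
				}
			}
		}
		return true
	})
	// Pass 2: flag constructor calls whose IV/nonce argument is a literal or a collected name.
	var out []string
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		name := types.ExprString(call.Fun)
		idx, known := nonceArg[name]
		if !known || idx >= len(call.Args) {
			return true
		}
		arg := call.Args[idx]
		id, isIdent := arg.(*ast.Ident)
		if isHardcodedBytes(arg) || (isIdent && hardcoded[id.Name]) {
			out = append(out, fmt.Sprintf("%s@%d", name, fset.Position(call.Pos()).Line))
		}
		return true
	})
	return out, nil
}

// sample is constructed input for this example; it is not code from the PR.
const sample = `package p
import "crypto/cipher"
var globalIV = []byte("0123456789abcdef")
func enc(b cipher.Block, freshIV []byte) {
	iv := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	_ = cipher.NewCTR(b, iv)                         // flagged: variable holding a literal
	_ = cipher.NewCBCEncrypter(b, globalIV)          // flagged: package-level literal
	_ = cipher.NewOFB(b, []byte("fixed-iv-16bytes")) // flagged: inline literal
	_ = cipher.NewCTR(b, freshIV)                    // not flagged: IV supplied by the caller
}
`

func main() {
	findings, err := FindHardcodedNonces(sample)
	fmt.Println(findings, err) // [cipher.NewCTR@6 cipher.NewCBCEncrypter@7 cipher.NewOFB@8] <nil>
}
```

The three findings are the three ways a fixed IV reaches a cipher constructor; the fourth call is clean because the IV comes from outside the function, which is also the shape of the fix for a real finding: generate the IV or nonce per message (for example from crypto/rand) and pass it in rather than embedding it in the source.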