alpTom/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2026-01-15 01:33:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

Added new rule G407(hardcoded IV/nonce)

Browse Source 
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:

* The different modes of AES (mainly tested here)
* It should be able to work with ascon

Currently the rules doesn't check when constant variables are used.

TODO: Improve the rule, to detected for constatant variable usage
This commit is contained in:
Dimitar Banchev
2024-08-14 17:07:59 +02:00
committed by Cosmin Cojocar
parent 4ae73c8ba3
commit 0eb8143c23
9 changed files with 889 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cwe/data.go
View File

@@ -133,6 +133,11 @@ var idWeaknesses = map[string]*Weakness{
Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
Name: "Use of Hard-coded Credentials",
},
"1204": {
ID: "1204",
Description: "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.",
Name: "Generation of Weak Initialization Vector (IV)",
},
}
// Get Retrieves a CWE weakness by it's id