From 229cf63a09e595e1ddbff532ee64e9826822912f Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Tue, 26 Nov 2024 09:07:11 +0000 Subject: [PATCH] Remove the decryption funtions/methods from G407 check The nonce in the decryption functions/methods is typically provided and it should not be randomnly generated. Change-Id: Id0df0d43aecb2aadb00b9fa901bd060a43a201c5 Signed-off-by: Cosmin Cojocar --- .../{hardcodedNonce.go => hardcoded_nonce.go} | 3 --- testutils/g407_samples.go | 22 +++++++++---------- 2 files changed, 11 insertions(+), 14 deletions(-) rename analyzers/{hardcodedNonce.go => hardcoded_nonce.go} (98%) diff --git a/analyzers/hardcodedNonce.go b/analyzers/hardcoded_nonce.go similarity index 98% rename from analyzers/hardcodedNonce.go rename to analyzers/hardcoded_nonce.go index b07363388d..a514af022b 100644 --- a/analyzers/hardcodedNonce.go +++ b/analyzers/hardcoded_nonce.go @@ -48,10 +48,7 @@ func runHardCodedNonce(pass *analysis.Pass) (interface{}, error) { // Example "Test" 3, 1 -- means the function "Test" which accepts 3 arguments, and has the nonce arg as second argument calls := map[string][]int{ "(crypto/cipher.AEAD).Seal": {4, 1}, - "(crypto/cipher.AEAD).Open": {4, 1}, - "crypto/cipher.NewCBCDecrypter": {2, 1}, "crypto/cipher.NewCBCEncrypter": {2, 1}, - "crypto/cipher.NewCFBDecrypter": {2, 1}, "crypto/cipher.NewCFBEncrypter": {2, 1}, "crypto/cipher.NewCTR": {2, 1}, "crypto/cipher.NewOFB": {2, 1}, diff --git a/testutils/g407_samples.go b/testutils/g407_samples.go index 461fa7cacf..ae0be56ac9 100644 --- a/testutils/g407_samples.go +++ b/testutils/g407_samples.go @@ -173,7 +173,7 @@ func main() { cipherText, _ = aesGCM.Open(nil, []byte("ILoveMyNonce"), cipherText, nil) fmt.Println(string(cipherText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -193,7 +193,7 @@ func main() { cipherText, _ = aesGCM.Open(nil, []byte{}, cipherText, nil) fmt.Println(string(cipherText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -214,7 +214,7 @@ func main() { cipherText, _ = aesGCM.Open(nil, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, cipherText, nil) fmt.Println(string(cipherText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -248,7 +248,7 @@ func main() { fmt.Println(string(cipherText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -281,7 +281,7 @@ func main() { }(), cipherText, nil) fmt.Println(string(cipherText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -301,7 +301,7 @@ func main() { fmt.Println(string(cipheredText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -321,7 +321,7 @@ func main() { fmt.Println(string(cipheredText)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -342,7 +342,7 @@ func main() { aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) -}`}, 2, gosec.NewConfig()}, +}`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -363,7 +363,7 @@ func main() { aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) -}`}, 2, gosec.NewConfig()}, +}`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -386,7 +386,7 @@ func main() { aesCBC.CryptBlocks(output, output) fmt.Println(string(output)) -}`}, 2, gosec.NewConfig()}, +}`}, 1, gosec.NewConfig()}, {[]string{`package main @@ -410,7 +410,7 @@ func main() { fmt.Println(string(output)) } -`}, 2, gosec.NewConfig()}, +`}, 1, gosec.NewConfig()}, {[]string{`package main