@inkz
Created September 24, 2020 05:27
rules:
  - id: disallow-old-tls-versions
    patterns:
      - pattern-either:
          - pattern: |
              tls.Config{..., MinVersion: $TLS.$VERSION, ...}
          - pattern: |
              $CONFIG = &tls.Config{...}
              ...
              $CONFIG.MinVersion = $TLS.$VERSION
      - metavariable-regex:
          metavariable: $VERSION
          regex: (VersionTLS10|VersionTLS11|VersionSSL30)
    message: |
      Detects creation of tls.Config objects with an insecure MinVersion.
      These protocol versions are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.
    metadata:
      vulnerability: Insecure Transport
      owasp: 'A3: Sensitive Data Exposure'
      cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
      references:
        - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle
    severity: WARNING
    languages: [go]
  - id: bypass-tls-verification
    patterns:
      - pattern-either:
          - pattern: |
              tls.Config{..., InsecureSkipVerify: true, ...}
          - pattern: |
              $CONFIG = &tls.Config{...}
              ...
              $CONFIG.InsecureSkipVerify = true
    message: |
      Checks for disabling of TLS/SSL certificate verification.
      This should only be used for debugging purposes because it leaves the connection open to MITM attacks.
    metadata:
      vulnerability: Insecure Transport
      owasp: 'A3: Sensitive Data Exposure'
      cwe: 'CWE-319: Cleartext Transmission of Sensitive Information'
      references:
        - https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate
    languages: [go]
    severity: WARNING
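The Go below is an added example, not part of the gist, showing the two config shapes these rules match (a deprecated MinVersion in the literal, then InsecureSkipVerify set through the field-assignment pattern) next to the hardened form, plus a small runtime audit, AuditConfig (a name assumed here), that reports the same two conditions on an already-built *tls.Config. That runtime check is useful when the config is assembled from flags or environment variables rather than from literals Semgrep can see.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// deprecatedVersions mirrors the metavariable-regex in the
// disallow-old-tls-versions rule: any of these as MinVersion is a finding.
var deprecatedVersions = map[uint16]string{
	tls.VersionSSL30: "VersionSSL30",
	tls.VersionTLS10: "VersionTLS10",
	tls.VersionTLS11: "VersionTLS11",
}

// insecureConfig is a constructed example of the shapes both gist rules match:
// a deprecated MinVersion in the literal, then InsecureSkipVerify assigned
// afterwards (the $CONFIG.Field = ... pattern). Not production code.
func insecureConfig() *tls.Config {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS10, // matched by disallow-old-tls-versions
	}
	cfg.InsecureSkipVerify = true // matched by bypass-tls-verification
	return cfg
}

// hardenedConfig is the corrected form: an explicit TLS 1.2 floor and
// certificate verification left on (InsecureSkipVerify's zero value is false).
func hardenedConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// AuditConfig is a runtime counterpart to the two static rules. Findings come
// back in a fixed order (version first, then verification) so callers can
// assert on them.
func AuditConfig(cfg *tls.Config) []string {
	var findings []string
	if name, bad := deprecatedVersions[cfg.MinVersion]; bad {
		findings = append(findings, "MinVersion is "+name+": deprecated protocol version")
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is true: certificate verification disabled")
	}
	return findings
}

func main() {
	configs := map[string]*tls.Config{
		"insecure": insecureConfig(),
		"hardened": hardenedConfig(),
	}
	for name, cfg := range configs {
		findings := AuditConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running the gist's rules over this file with `semgrep --config rules.yaml .` flags the two lines inside insecureConfig and nothing in hardenedConfig; AuditConfig reports the same split at runtime. Note that the rule only matches MinVersion values that are written explicitly, so a config that never sets MinVersion is not flagged and silently relies on whatever the Go release's default floor is.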