
Draft #276

Closed
fproulx-boostsecurity wants to merge 1 commit into main from update-gosec-2.22.10

Conversation

@fproulx-boostsecurity (Collaborator)

Summary

  • Updates gosec from 2.20.0 to 2.22.10
  • Adds 6 new rules (all with boost-baseline + boost-hardened)
  • Removes 1 deprecated rule (G113)
  • Updates G401 description (DES/RC4 moved to G405)

New Rules

| Rule | Description | CWE | GitHub Link |
|------|-------------|-----|-------------|
| G115 | Type conversion which leads to integer overflow | CWE-190 | securego/gosec#1187 |
| G405 | Detect the usage of DES or RC4 | CWE-327 | securego/gosec#1127 |
| G406 | Detect the usage of deprecated MD4 or RIPEMD160 | CWE-327 | securego/gosec#1127 |
| G407 | Use of hardcoded IV/nonce for encryption | CWE-329 | securego/gosec#1127 |
| G506 | Import blocklist: golang.org/x/crypto/md4 | CWE-327 | securego/gosec#1127 |
| G507 | Import blocklist: golang.org/x/crypto/ripemd160 | CWE-327 | securego/gosec#1127 |

Removed Rules

| Rule | Description | Reason |
|------|-------------|--------|
| G113 | Usage of Rat.SetString in math/big with an overflow | CVE-2022-23772 fixed in Go stdlib |

Test Plan

  • Tested with boost scan against govwa (Go Vulnerable Web Application)
  • Compared finding counts: baseline=21, updated=21 (consistent)
  • Verified all new rules have proper CWE mappings

🤖 Generated with Claude Code

- Updated from 2.20.0 to 2.22.10
- Added 6 new rules: G115, G405, G406, G407, G506, G507
- Removed deprecated rule: G113 (CVE-2022-23772 fix now in Go stdlib)
- Updated G401 description (DES/RC4 detection moved to new G405)

New rules:
- G115: Type conversion which leads to integer overflow (CWE-190)
- G405: Detect the usage of DES or RC4 (CWE-327)
- G406: Detect the usage of deprecated MD4 or RIPEMD160 (CWE-327)
- G407: Use of hardcoded IV/nonce for encryption (CWE-329)
- G506: Import blocklist: golang.org/x/crypto/md4 (CWE-327)
- G507: Import blocklist: golang.org/x/crypto/ripemd160 (CWE-327)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
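As an added illustration (not code from this PR, from the boost rule set, or from gosec itself), the following Go snippet pairs the kind of pattern two of the new rules target with its hardened counterpart: a narrowing integer conversion (G115, CWE-190) next to a range-checked one, and an AES-GCM call with a hardcoded nonce (G407, CWE-329) next to one that draws a fresh random nonce per message. All function names, the all-zero key and the sample plaintext are constructed for this example; the comments saying which rule a line would trip describe the rule's documented scope, not the output of a scan.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// ErrOverflow is returned when a value does not fit the narrower target type.
var ErrOverflow = errors.New("integer conversion would overflow")

// UnsafeToInt32 is the narrowing conversion G115 (CWE-190) is meant to report:
// an int64 above math.MaxInt32 silently wraps to a negative int32.
func UnsafeToInt32(n int64) int32 {
	return int32(n) // G115 pattern: integer overflow conversion int64 -> int32
}

// SafeToInt32 is the hardened form: reject values outside the int32 range
// before converting, so a wrapped length never reaches a buffer or loop bound.
func SafeToInt32(n int64) (int32, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, ErrOverflow
	}
	return int32(n), nil
}

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key (helper, constructed).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithFixedNonce is the pattern G407 (CWE-329) is meant to report: a nonce
// literal passed straight to Seal. Every message under the same key reuses it,
// so equal plaintexts give equal ciphertexts and GCM's authentication
// guarantee collapses once two messages share the nonce.
func SealWithFixedNonce(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Constructed 12-byte constant nonce: the G407 trigger.
	return gcm.Seal(nil, []byte("000000000000"), plaintext, nil), nil
}

// SealWithRandomNonce is the hardened form: a fresh random nonce per call,
// prepended to the ciphertext so the receiver can recover it.
func SealWithRandomNonce(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenWithPrefixedNonce reverses SealWithRandomNonce.
func OpenWithPrefixedNonce(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	big := int64(math.MaxInt32) + 1
	fmt.Println("unsafe:", UnsafeToInt32(big)) // wraps to -2147483648
	_, err := SafeToInt32(big)
	fmt.Println("safe:", err)

	key := make([]byte, 32) // constructed all-zero AES-256 key, demonstration only
	msg := []byte("constructed plaintext")
	a, _ := SealWithFixedNonce(key, msg)
	b, _ := SealWithFixedNonce(key, msg)
	fmt.Println("fixed nonce, identical ciphertexts:", string(a) == string(b))
	c, _ := SealWithRandomNonce(key, msg)
	d, _ := SealWithRandomNonce(key, msg)
	fmt.Println("random nonce, identical ciphertexts:", string(c) == string(d))
}
```

The fixed-nonce pair producing byte-identical output is the observable symptom behind CWE-329: an attacker who sees repeated ciphertexts learns that the plaintexts repeated, and with GCM a second message under the same nonce also exposes the authentication key. The range check in SafeToInt32 is the same shape of guard G115 expects before any int64-to-int32, int-to-uint, or similar narrowing.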
fproulx-boostsecurity changed the title from "Update gosec to 2.22.10" to "Draft" on Dec 4, 2025
fproulx-boostsecurity deleted the update-gosec-2.22.10 branch on December 4, 2025 at 21:13


1 participant