fix: Updated MissingMinVersionTLS query to check go version

Apostlex0 · Apostlex0 · commit d8812415ba7c · 2025-12-17T20:49:38.000+05:30
diff --git a/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md b/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md
@@ -1,9 +1,20 @@
 # Missing MinVersion in tls.Config
-Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers. TLS1.0 is considered deprecated and should not be used.
+Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, the default depends on the Go version in use:
 
+- Since **Go 1.18**, clients default to TLS 1.2 (previously TLS 1.0)
+- Since **Go 1.22**, servers also default to TLS 1.2 (previously TLS 1.0)
+
+For projects that support older Go versions, leaving `MinVersion` unset may still permit TLS 1.0 or 1.1, which are deprecated and should not be used.
+
+This query flags `tls.Config` values where `MinVersion` is never set explicitly and the project's `go.mod` declares support for:
+- **Go < 1.18** for client-side configs (when client default is TLS 1.0)
+- **Go < 1.22** for server-side configs (when server default is TLS 1.0)
 
 ## Recommendation
-Explicitly set tls version to an up-to-date one.
+Explicitly set the TLS version to TLS 1.2 or higher:
+- For projects using Go < 1.18: Set `MinVersion` for both clients and servers
+- For projects using Go 1.18-1.21: Set `MinVersion` for servers
+- For projects using Go >= 1.22: Defaults are secure, but explicit setting is still recommended
 
 
 ## Example
@@ -50,8 +61,15 @@ func main() {
 }
 
 ```
-In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. The `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even that it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing.
+In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. For projects with `go` directive < 1.22, the `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even though it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing.
+
+Note: The query behavior depends on the `go` directive in `go.mod`:
+- **Go < 1.18**: Both client and server configs without MinVersion are flagged
+- **Go 1.18-1.21**: Only server configs without MinVersion are flagged
+- **Go >= 1.22**: No configs are flagged (both defaults are secure)
 
 
 ## References
 * [tls.Config specification](https://pkg.go.dev/crypto/tls#Config)
+* [Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side](https://tip.golang.org/doc/go1.18#tls10)
+* [Go 1.22 Release Notes - TLS 1.2 default for servers](https://tip.golang.org/doc/go1.22#minor_library_changes)
diff --git a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp
@@ -4,29 +4,57 @@
 <qhelp>
 <overview>
 <p>
-Golang's <code>tls.Config</code> struct accepts <code>MinVersion</code> parameter that sets minimum accepted TLS version.
-If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers.
-TLS1.0 is considered deprecated and should not be used. 
+Golang's <code>tls.Config</code> struct accepts a <code>MinVersion</code> parameter that sets the minimum accepted TLS version.
+If the parameter is not provided, the default depends on the Go version in use. Since Go 1.18, <code>crypto/tls</code> clients default to TLS 1.2 (previously TLS 1.0).
+Since Go 1.22, <code>crypto/tls</code> servers also default to TLS 1.2 (previously TLS 1.0).
+</p>
+<p>
+This query flags <code>tls.Config</code> values where <code>MinVersion</code> is never set explicitly and the project's
+<code>go.mod</code> declares support for a Go version where the defaults are insecure:
+</p>
+<ul>
+<li>Go &lt; 1.18 for client-side configs (when client default is TLS 1.0)</li>
+<li>Go &lt; 1.22 for server-side configs (when server default is TLS 1.0)</li>
+</ul>
+<p>
+TLS 1.0 and 1.1 are deprecated and should not be used.
 </p>
 
 </overview>
 <recommendation>
-<p>Explicitly set tls version to an up-to-date one.</p>
+<p>Explicitly set the TLS version to TLS 1.2 or higher:</p>
+<ul>
+<li>For projects using Go &lt; 1.18: Set <code>MinVersion</code> for both clients and servers</li>
+<li>For projects using Go 1.18-1.21: Set <code>MinVersion</code> for servers</li>
+<li>For projects using Go &gt;= 1.22: Defaults are secure, but explicit setting is still recommended</li>
+</ul>
 
 </recommendation>
 <example>
 <sample src="MissingMinVersionTLS.go" />
 
 <p>In this example, the <code>http.Server</code> may be set with TLS configuration created by either <code>test1</code> or <code>test2</code> functions.
-The <code>test1</code> result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version.
-The <code>test2</code> result will not be marked, even that it also uses the default value for minimum version.
-That is because the <code>test2</code> is explicit, and this query assumes that developers knew what they are doing. 
+For projects with a <code>go</code> directive &lt; 1.22, the <code>test1</code> result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version.
+The <code>test2</code> result will not be marked, even though it also uses the default value for minimum version.
+That is because the <code>test2</code> is explicit, and this query assumes that developers knew what they are doing.
 </p>
+<p>Note: The query behavior depends on the <code>go</code> directive in <code>go.mod</code>:</p>
+<ul>
+<li>Go &lt; 1.18: Both client and server configs without MinVersion are flagged</li>
+<li>Go 1.18-1.21: Only server configs without MinVersion are flagged</li>
+<li>Go &gt;= 1.22: No configs are flagged (both defaults are secure)</li>
+</ul>
 
 </example>
 <references>
 <li>
     <a href="https://pkg.go.dev/crypto/tls#Config">tls.Config specification</a>
 </li>
+<li>
+    <a href="https://tip.golang.org/doc/go1.18#tls10">Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side</a>
+</li>
+<li>
+    <a href="https://tip.golang.org/doc/go1.22#minor_library_changes">Go 1.22 Release Notes - TLS 1.2 default for servers</a>
+</li>
 </references>
 </qhelp>
diff --git a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql
@@ -1,7 +1,7 @@
 /**
  * @name Missing MinVersion in tls.Config
  * @id tob/go/missing-min-version-tls
- * @description This rule finds cases when you do not set the `tls.Config.MinVersion` explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions
+ * @description Finds uses of tls.Config where MinVersion is not set and the project's minimum Go version (from go.mod) indicates insecure defaults: Go < 1.18 for clients (default TLS 1.0) or Go < 1.22 for servers (default TLS 1.0). Does not mark explicitly set insecure versions.
  * @kind problem
  * @tags security
  * @problem.severity error
@@ -11,6 +11,7 @@
  */
 
 import go
+import semmle.go.GoMod as GoMod
 
 /**
  * Flow of a `tls.Config` to a write to the `MinVersion` field.
@@ -103,6 +104,69 @@ predicate configOrConfigPointer(Type t) {
     )
 }
 
+/**
+ * Holds if v is a Go version string for Go 1.x that is >= 1.18.
+ * Matches: "1.18", "1.19", "1.20", ..., "1.99", "1.100", "1.18.0", etc.
+ */
+predicate goVersionAtLeast_1_18(string v) {
+    v.regexpMatch("1\\.(1[89]|[2-9][0-9]|[1-9][0-9]{2,})(\\.\\d+)?")
+}
+
+/**
+ * Holds if v is a Go version string for Go 1.x that is >= 1.22.
+ * Matches: "1.22", "1.23", ..., "1.99", "1.100", "1.22.0", etc.
+ */
+predicate goVersionAtLeast_1_22(string v) {
+    v.regexpMatch("1\\.(2[2-9]|[3-9][0-9]|[1-9][0-9]{2,})(\\.\\d+)?")
+}
+
+/**
+ * Holds if the project may be built with a Go version where a server with
+ * an unset MinVersion still defaults to TLS 1.0/1.1 (Go < 1.22).
+ *
+ * - If there is no go.mod: assume YES (be conservative).
+ * - Otherwise: if ANY go.mod has a `go` directive < 1.22: YES.
+ */
+predicate projectSupportsOldTlsDefaultsForServers() {
+    not exists(GoMod::GoModGoLine _) or
+    exists(GoMod::GoModGoLine l |
+        not goVersionAtLeast_1_22(l.getVersion())
+    )
+}
+
+/**
+ * Holds if the project may be built with a Go version where a client with
+ * an unset MinVersion still defaults to TLS 1.0/1.1 (Go < 1.18).
+ *
+ * - If there is no go.mod: assume YES (be conservative).
+ * - Otherwise: if ANY go.mod has a `go` directive < 1.18: YES.
+ */
+predicate projectSupportsOldTlsDefaultsForClients() {
+    not exists(GoMod::GoModGoLine _) or
+    exists(GoMod::GoModGoLine l |
+        not goVersionAtLeast_1_18(l.getVersion())
+    )
+}
+
+/**
+ * Holds if the config is used as a client config (TLSClientConfig).
+ */
+predicate isClientConfig(Variable v, StructLit configStruct) {
+    exists(KeyValueExpr kv |
+        kv.getKey().(VariableName).getTarget().getName() = "TLSClientConfig" and
+        (
+            kv.getValue().getAChild*() = v.getARead().asExpr()
+            or
+            kv.getValue().getAChild*() = configStruct
+        )
+    )
+    or
+    exists(Type t | 
+        t.hasQualifiedName("net/http", "Client") and
+        v.getType() = t.getPointerType*()
+    )
+}
+
 // v - a variable holding any structure which is or contains the tls.Config
 from StructLit configStruct, Variable v, DataFlow::Node source, DataFlow::Node sink
 where
@@ -112,21 +176,6 @@ where
         sink.asExpr() = v.getAReference() and
         source.asExpr() = configStruct
     )
-    
-    // exclude if tls.Config is used as TLSClientConfig, as default for clients is TLS 1.2
-    and not exists(KeyValueExpr kv |
-        kv.getKey().(VariableName).getTarget().getName() = "TLSClientConfig" and
-        (
-        kv.getValue().getAChild*() = v.getARead().asExpr()
-        or
-        kv.getValue().getAChild*() = configStruct
-        )
-    )
-
-    and not exists(Type t | 
-        t.hasQualifiedName("net/http", "Client") and
-        v.getType() = t.getPointerType*()
-    )
 
     // only explicitely defined, e.g., skip function arguments
     and (
@@ -149,4 +198,13 @@ where
     ) else
         any()
 
+    // Version-aware filtering based on client vs server usage:
+    // - For clients: only flag if Go < 1.18 (when client default is TLS 1.0)
+    // - For servers: only flag if Go < 1.22 (when server default is TLS 1.0)
+    and (
+        (isClientConfig(v, configStruct) and projectSupportsOldTlsDefaultsForClients())
+        or
+        (not isClientConfig(v, configStruct) and projectSupportsOldTlsDefaultsForServers())
+    )
+
 select configStruct, "TLS.Config.MinVersion is never set for variable $@ ", v, v.getName()
diff --git a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected
@@ -10,6 +10,7 @@
 | MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:136:3:136:3 | c | c |
 | MissingMinVersionTLS.go:142:23:142:62 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:142:3:142:3 | c | c |
 | MissingMinVersionTLS.go:149:23:149:62 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:149:3:149:3 | c | c |
+| MissingMinVersionTLS.go:159:21:161:5 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:157:3:157:8 | client | client |
 | MissingMinVersionTLS.go:168:16:168:55 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:167:3:167:5 | srv | srv |
 | MissingMinVersionTLS.go:171:16:171:55 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:170:3:170:6 | srv2 | srv2 |
 | MissingMinVersionTLS.go:176:9:176:48 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:182:3:182:6 | srv3 | srv3 |
diff --git a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go
@@ -151,7 +151,8 @@ func main() {
 			c.Init3()
 		}
 	}
-	// OK: config used only for a client
+	// BAD for Go < 1.18: config used for a client (clients default to TLS 1.0)
+	// OK for Go >= 1.18: clients default to TLS 1.2
 	{
 		client := &http.Client{
 			Transport: &http.Transport{
diff --git a/go/test/query-tests/security/MissingMinVersionTLS/go.mod b/go/test/query-tests/security/MissingMinVersionTLS/go.mod
@@ -1,3 +1,5 @@
 module codeql-go-tests/query/MissingMinVersionTLS
 
+// Using Go 1.15 (< 1.18) to test the case where both clients and servers
+// default to TLS 1.0, so both should be flagged when MinVersion is not set
 go 1.15

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,8 @@ func main() {`
`151`	`151`	`c.Init3()`
`152`	`152`	`}`
`153`	`153`	`}`
`154`		`- // OK: config used only for a client`
	`154`	`+ // BAD for Go < 1.18: config used for a client (clients default to TLS 1.0)`
	`155`	`+ // OK for Go >= 1.18: clients default to TLS 1.2`
`155`	`156`	`{`
`156`	`157`	`client := &http.Client{`
`157`	`158`	`Transport: &http.Transport{`