feat(golang): add initial rules (#160)

.envrc.example

@@ -1,4 +1,5 @@
 export BEARER_VERSION=latest
 export BEARER_WORKSPACE=$PWD/../bearer
-export BEARER_PYTHON_ENABLED=true
 export BEARER_PHP_ENABLED=true
+export BEARER_PYTHON_ENABLED=true
+export BEARER_GOLANG_ENABLED=true

.github/workflows/canary.yml

@@ -41,10 +41,12 @@ jobs:
         run: tar -czvf release/javascript.tar.gz --directory ./rules javascript
       - name: Archive Java
         run: tar -czvf release/java.tar.gz --directory ./rules java
-      - name: Archive Python
-        run: tar -czvf release/python.tar.gz --directory ./rules python
       - name: Archive PHP
         run: tar -czvf release/php.tar.gz --directory ./rules php
+      - name: Archive Python
+        run: tar -czvf release/python.tar.gz --directory ./rules python
+      - name: Archive Go
+        run: tar -czvf release/go.tar.gz --directory ./rules go
       - name: Create a GitHub release
         uses: ncipollo/release-action@v1
         with:

.github/workflows/canary_integration_tests.yml

@@ -29,10 +29,11 @@ jobs:
             "ruby/third_parties",
             "java/lang",
             "java/spring",
-            "python/lang",
             "php/lang",
             "php/symfony",
             "php/third_parties",
+            "python/lang",
+            "go/lang",
           ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/integration_tests.yml

@@ -36,10 +36,11 @@ jobs:
             "ruby/third_parties",
             "java/lang",
             "java/spring",
-            "python/lang",
             "php/lang",
             "php/symfony",
             "php/third_parties",
+            "python/lang",
+            "go/lang",
           ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/release.yml

@@ -44,6 +44,8 @@ jobs:
         run: tar -czvf release/java.tar.gz --directory ./rules java
       - name: Archive Python
         run: tar -czvf release/python.tar.gz --directory ./rules python
+      - name: Archive Go
+        run: tar -czvf release/go.tar.gz --directory ./rules go
       - name: Create a GitHub release
         uses: ncipollo/release-action@v1
         with:

rules/go/lang/logger.yml

@@ -0,0 +1,48 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: log.$<LOGLEVEL>().$<METHOD>($<DATA_TYPE>)
+    filters:
+      - variable: LOGLEVEL
+        values:
+          - Error
+          - Debug
+      - variable: METHOD
+        values:
+          - Msgf
+          - Msg
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: "Sensitive data in a logger message detected."
+  remediation_message: |
+    ## Description
+
+    Leaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.
+
+    ## Remediations
+
+    ❌ Avoid using sensitive data in logger messages:
+
+    ```go
+    logger.info(f"User is: '{user.email}'")
+    ```
+
+    ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+
+    ```go
+    logger.info(f"User is: '{user.uuid}'")
+    ```
+
+    ## Resources
+    - [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
+  cwe_id:
+    - 209
+    - 532
+  id: go_lang_logger
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_logger

rules/go/lang/weak_hash_md5.yml

@@ -0,0 +1,61 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<MD5_INIT>.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: go_lang_weak_hash_md5_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+  - pattern: md5.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+auxiliary:
+  - id: go_lang_weak_hash_md5_init
+    patterns:
+      - md5.New()
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see go_lang_weak_password_encryption_md5
+metadata:
+  description: "Weak hashing library (MD5) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```go
+    md5.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_hash_md5
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_hash_md5

rules/go/lang/weak_hash_sha1.yml

@@ -0,0 +1,61 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<SHA1_INIT>.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: go_lang_weak_hash_sha1_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+  - pattern: sha1.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+auxiliary:
+  - id: go_lang_weak_hash_sha1_init
+    patterns:
+      - sha1.New()
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see go_lang_weak_password_encryption_sha1
+metadata:
+  description: "Weak hashing library (SHA1) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```go
+    sha1.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_hash_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_hash_sha1

rules/go/lang/weak_password_encryption_md5.yml

@@ -0,0 +1,50 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<MD5_INIT>.Sum($<DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: go_lang_weak_hash_md5_init
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: md5.Sum($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: go_lang_weak_hash_md5_init
+    patterns:
+      - md5.New()
+languages:
+  - go
+only_data_types:
+  - Passwords
+metadata:
+  description: "Weak password encryption algorithm (MD5) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```go
+    md5.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_password_encryption_md5
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_md5

rules/go/lang/weak_password_encryption_sha1.yml

@@ -0,0 +1,50 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<SHA1_INIT>.Sum($<DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: go_lang_weak_hash_sha1_init
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: sha1.Sum($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: go_lang_weak_hash_sha1_init
+    patterns:
+      - sha1.New()
+languages:
+  - go
+only_data_types:
+  - Passwords
+metadata:
+  description: "Weak password encryption algorithm (SHA1) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```go
+    sha1.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_password_encryption_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_sha1

rules/go/shared/lang/datatype.yml

@@ -0,0 +1,21 @@
+type: shared
+languages:
+  - go
+sanitizer: go_shared_lang_datatype_sanitizer
+patterns:
+  - pattern: $<DATA_TYPE>
+    filters:
+      - variable: DATA_TYPE
+        detection: datatype
+        scope: cursor_strict
+auxiliary:
+  - id: go_shared_lang_datatype_sanitizer
+    # these patterns correspond to the projections in the built-in object detector
+    patterns:
+      - pattern: $<OBJECT>.$<_>
+        focus: OBJECT
+      - pattern: $<OBJECT>[$<_>]
+        focus: OBJECT
+metadata:
+  description: "Go datatype."
+  id: go_shared_lang_datatype

scripts/invoke.sh

@@ -16,7 +16,10 @@ cp -R $test_location $tmp_location
 
 if [ -n "$BEARER_WORKSPACE" ]; then
   cd $BEARER_WORKSPACE
-  BEARER_PYTHON_ENABLED=true BEARER_PHP_ENABLED=true go run ./cmd/bearer/main.go scan $tmp_location \
+  BEARER_GOLANG_ENABLED=true \
+  BEARER_PYTHON_ENABLED=true \
+  BEARER_PHP_ENABLED=true \
+  go run ./cmd/bearer/main.go scan $tmp_location \
     --only-rule=$rule_id \
     --quiet \
     --disable-default-rules=true \
@@ -32,8 +35,9 @@ else
     --rm \
     -v /tmp/bearer-scan:/tmp/bearer-scan \
     -v $rule_loc:/tmp/rules \
-    -e BEARER_PYTHON_ENABLED=true \
     -e BEARER_PHP_ENABLED=true \
+    -e BEARER_PYTHON_ENABLED=true \
+    -e BEARER_GOLANG_ENABLED=true \
     bearer/bearer:$BEARER_VERSION \
       scan $tmp_location \
       --only-rule=$rule_id \