feat(golang): add initial rules

rules/go/lang/logger.yml

@@ -0,0 +1,48 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: log.$<LOGLEVEL>().$<METHOD>($<DATA_TYPE>)
+    filters:
+      - variable: LOGLEVEL
+        values:
+          - Error
+          - Debug
+      - variable: METHOD
+        values:
+          - Msgf
+          - Msg
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: "Sensitive data in a logger message detected."
+  remediation_message: |
+    ## Description
+
+    Leaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.
+
+    ## Remediations
+
+    ❌ Avoid using sensitive data in logger messages:
+
+    ```go
+    logger.info(f"User is: '{user.email}'")
+    ```
+
+    ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+
+    ```go
+    logger.info(f"User is: '{user.uuid}'")
+    ```
+
+    ## Resources
+    - [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
+  cwe_id:
+    - 209
+    - 532
+  id: go_lang_logger
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_logger

rules/go/lang/weak_hash_md5.yml

@@ -0,0 +1,61 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<MD5_INIT>.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: go_lang_weak_hash_md5_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+  - pattern: md5.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+auxiliary:
+  - id: go_lang_weak_hash_md5_init
+    patterns:
+      - md5.New()
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see go_lang_weak_password_encryption_md5
+metadata:
+  description: "Weak hashing library (MD5) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```go
+    md5.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_hash_md5
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_hash_md5

rules/go/lang/weak_hash_sha1.yml

@@ -0,0 +1,61 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<SHA1_INIT>.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: go_lang_weak_hash_sha1_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+  - pattern: sha1.Sum($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: go_shared_lang_datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: go_shared_lang_datatype
+              scope: result
+auxiliary:
+  - id: go_lang_weak_hash_sha1_init
+    patterns:
+      - sha1.New()
+languages:
+  - go
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see go_lang_weak_password_encryption_sha1
+metadata:
+  description: "Weak hashing library (SHA1) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```go
+    sha1.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_hash_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_hash_sha1

rules/go/lang/weak_password_encryption_md5.yml

@@ -0,0 +1,50 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<MD5_INIT>.Sum($<DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: go_lang_weak_hash_md5_init
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: md5.Sum($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: go_lang_weak_hash_md5_init
+    patterns:
+      - md5.New()
+languages:
+  - go
+only_data_types:
+  - Passwords
+metadata:
+  description: "Weak password encryption algorithm (MD5) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```go
+    md5.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_password_encryption_md5
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_md5

rules/go/lang/weak_password_encryption_sha1.yml

@@ -0,0 +1,50 @@
+imports:
+  - go_shared_lang_datatype
+patterns:
+  - pattern: $<SHA1_INIT>.Sum($<DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: go_lang_weak_hash_sha1_init
+        scope: cursor
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+  - pattern: sha1.Sum($<DATA_TYPE>)
+    filters:
+      - variable: DATA_TYPE
+        detection: go_shared_lang_datatype
+        scope: result
+auxiliary:
+  - id: go_lang_weak_hash_sha1_init
+    patterns:
+      - sha1.New()
+languages:
+  - go
+only_data_types:
+  - Passwords
+metadata:
+  description: "Weak password encryption algorithm (SHA1) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```go
+    sha1.Sum([]byte('password'))
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```go
+    sha256.Sum256([]byte('string'))
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: go_lang_weak_password_encryption_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_sha1

rules/go/shared/lang/datatype.yml

@@ -0,0 +1,21 @@
+type: shared
+languages:
+  - go
+sanitizer: go_shared_lang_datatype_sanitizer
+patterns:
+  - pattern: $<DATA_TYPE>
+    filters:
+      - variable: DATA_TYPE
+        detection: datatype
+        scope: cursor_strict
+auxiliary:
+  - id: go_shared_lang_datatype_sanitizer
+    # these patterns correspond to the projections in the built-in object detector
+    patterns:
+      - pattern: $<OBJECT>.$<_>
+        focus: OBJECT
+      - pattern: $<OBJECT>[$<_>]
+        focus: OBJECT
+metadata:
+  description: "Go datatype."
+  id: go_shared_lang_datatype