feat(golang): copy first rules from gosec

rules/go/gosec/blocklist/cgi.yml

@@ -0,0 +1,29 @@
+patterns:
+  - pattern: |
+      import "net/http/cgi"
+  - pattern: |
+      import (
+        "net/http/cgi"
+      )
+languages:
+  - go
+metadata:
+  description: "Use of a Broken or Risky Cryptographic Algorithm"
+  remediation_message: |
+    ## Description
+
+    It's not recommended to use `net/http/cgi` package.
+    Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386).
+
+    ## Remediations
+
+    ❌ Avoid using `net/http/cgi`:
+
+    ```go
+    import "net/http/cgi"
+    ```
+
+  cwe_id:
+    - 327
+  id: go_gosec_blocklist_cgi
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_blocklist_cgi

rules/go/gosec/blocklist/des.yml

@@ -0,0 +1,67 @@
+patterns:
+  - pattern: |
+      import "crypto/des"
+  - pattern: |
+      import (
+        "crypto/des"
+      )
+languages:
+  - go
+metadata:
+  description: "Use of a Broken or Risky Cryptographic Algorithm"
+  remediation_message: |
+    ## Description
+
+    The DES algorithm has not been recommended for over 15 years and was withdrawn from NIST (FIPS 46-3) in 2005.
+
+    ## Remediation
+
+    It is recommended that an algorithm that provides message integrity be used instead.
+
+    ✅ Prefer the usage of `AES-256`:
+
+    ```go
+    // 32 byte keys will configure AES-256
+    key := make([]byte, 32)
+    if _, err := io.ReadFull(rand.Reader, key); err != nil {
+      log.Fatal(err)
+    }
+
+    blockCipher, err := aes.NewCipher(key)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    aead, err := cipher.NewGCM(blockCipher)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    var encrypted = []byte{}
+    var nonce = []byte{}
+    // Encryption routine
+    {
+      msg := []byte("Some secret message")
+      // note that the key must be rotated every 2^32 random nonces used otherwise
+      // cipher text could be repeated
+      nonce = make([]byte, 12)
+      if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+        log.Fatal(err)
+      }
+      encrypted = aead.Seal(nil, nonce, msg, nil)
+    }
+
+    // Decryption routine
+    {
+      msg, err := aead.Open(nil, nonce, encrypted, nil)
+      if err != nil {
+        log.Fatal(err)
+      }
+      fmt.Printf("Decrypted: %s\n", msg)
+    }
+    ```
+
+  cwe_id:
+    - 327
+  id: go_gosec_blocklist_des
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_blocklist_des

rules/go/gosec/blocklist/md5.yml

@@ -0,0 +1,39 @@
+patterns:
+  - pattern: |
+      import "crypto/md5"
+  - pattern: |
+      import (
+        "crypto/md5"
+      )
+languages:
+  - go
+metadata:
+  description: "Use of a Broken or Risky Cryptographic Algorithm"
+  remediation_message: |
+    ## Description
+
+    The MD5 message-digest algorithm has been cryptographically broken and is unsuitable for further use. The MD5 hash algorithm has been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value.
+
+    ## Remediations
+
+    ✅ It is recommended that the SHA-3 or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead.
+
+    ```go
+    fileContents := []byte("some file contents to create hash for")
+    blake2bHasher, err := blake2b.New512(nil)
+    if err != nil {
+      log.Fatal(err)
+    }
+    hashedValue := blake2bHasher.Sum(fileContents)
+    fmt.Printf("%s\n", hex.EncodeToString(hashedValue))
+    ```
+
+    ✅ For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes.
+
+    ## Resources
+    - [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
+
+  cwe_id:
+    - 327
+  id: go_gosec_blocklist_md5
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_blocklist_md5

rules/go/gosec/blocklist/rc4.yml

@@ -0,0 +1,67 @@
+patterns:
+  - pattern: |
+      import "crypto/rc4"
+  - pattern: |
+      import (
+        "crypto/rc4"
+      )
+languages:
+  - go
+metadata:
+  description: "Use of a Broken or Risky Cryptographic Algorithm"
+  remediation_message: |
+    ## Description
+
+    The RC4 stream-cipher has been cryptographically broken and is unsuitable for use in production.
+
+    ## Remediations
+
+    It is recommended that Advanced Encryption Standard (AES) be used instead.
+
+    ✅ Consider using `AES-256`
+
+    ```go
+    // 32 byte keys will configure AES-256
+    key := make([]byte, 32)
+    if _, err := io.ReadFull(rand.Reader, key); err != nil {
+      log.Fatal(err)
+    }
+
+    blockCipher, err := aes.NewCipher(key)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    aead, err := cipher.NewGCM(blockCipher)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    var encrypted = []byte{}
+    var nonce = []byte{}
+    // Encryption routine
+    {
+      msg := []byte("Some secret message")
+      // note that the key must be rotated every 2^32 random nonces used otherwise
+      // cipher text could be repeated
+      nonce = make([]byte, 12)
+      if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+        log.Fatal(err)
+      }
+      encrypted = aead.Seal(nil, nonce, msg, nil)
+    }
+
+    // Decryption routine
+    {
+      msg, err := aead.Open(nil, nonce, encrypted, nil)
+      if err != nil {
+        log.Fatal(err)
+      }
+      fmt.Printf("Decrypted: %s\n", msg)
+    }
+    ```
+
+  cwe_id:
+    - 327
+  id: go_gosec_blocklist_rc4
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_blocklist_rc4

rules/go/gosec/blocklist/sha1.yml

@@ -0,0 +1,65 @@
+patterns:
+  - pattern: |
+      import "crypto/sha1"
+  - pattern: |
+      import (
+        "crypto/sha1"
+      )
+languages:
+  - go
+metadata:
+  description: "Use of a Broken or Risky Cryptographic Algorithm"
+  remediation_message: |
+    ## Description
+
+    The SHA-1 message-digest algorithm has been cryptographically broken and is unsuitable for further use.
+
+    ## Remediations
+
+    It is recommended that the SHA-3, or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead. For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes.
+
+    ```go
+    // 32 byte keys will configure AES-256
+    key := make([]byte, 32)
+    if _, err := io.ReadFull(rand.Reader, key); err != nil {
+      log.Fatal(err)
+    }
+
+    blockCipher, err := aes.NewCipher(key)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    aead, err := cipher.NewGCM(blockCipher)
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    var encrypted = []byte{}
+    var nonce = []byte{}
+    // Encryption routine
+    {
+      msg := []byte("Some secret message")
+      // note that the key must be rotated every 2^32 random nonces used otherwise
+      // cipher text could be repeated
+      nonce = make([]byte, 12)
+      if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+        log.Fatal(err)
+      }
+      encrypted = aead.Seal(nil, nonce, msg, nil)
+    }
+
+    // Decryption routine
+    {
+      msg, err := aead.Open(nil, nonce, encrypted, nil)
+      if err != nil {
+        log.Fatal(err)
+      }
+      fmt.Printf("Decrypted: %s\n", msg)
+    }
+    ```
+
+  cwe_id:
+    - 327
+  id: go_gosec_blocklist_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_blocklist_sha1

rules/go/gosec/crypto/bad_tls_settings.yml

@@ -0,0 +1,105 @@
+patterns:
+  - pattern: |
+      tls.Config{$<...>CipherSuites: []$<_>{$<...>$<CIPHERS>$<...>}$<...>}
+    filters:
+      - variable: CIPHERS
+        values:
+          - tls.TLS_AES_128_GCM_SHA256
+          - tls.TLS_AES_256_GCM_SHA384
+          - tls.TLS_CHACHA20_POLY1305_SHA256
+          - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+          - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+          - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+          - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+          - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+          - tls.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  - pattern: |
+      tls.CipherSuite{$<...>ID: $<CIPHERS>$<...>}
+    filters:
+      - variable: CIPHERS
+        values:
+          - tls.TLS_AES_128_GCM_SHA256
+          - tls.TLS_AES_256_GCM_SHA384
+          - tls.TLS_CHACHA20_POLY1305_SHA256
+          - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+          - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+          - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+          - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+          - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+          - tls.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+          - tls.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+languages:
+  - go
+metadata:
+  description: "Use of a broken or risky cryptographic algorithm"
+  remediation_message: |
+    ## Description
+
+    Usage of a cryptographically insecure cipher suite has been detected.
+
+    ## Remediations
+
+    ✅ It is recommended that alternative ciphers be used instead.
+
+    ✅ It is strongly recommended that all TLS connections use TLS 1.3
+
+    Go will automatically choose the most secure cipher when negotiating the TLS handshake with client or servers. TLS 1.3 cipher suites are configured to require Perfect
+    Forward Secrecy (PFS).
+    PFS is an important property as it will ensure that past encrypted transmissions could not be
+    decrypted if the TLS certificate was compromised.
+
+    ```go
+    cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
+    if err != nil {
+      log.Fatal(err)
+    }
+
+    cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
+    srv := &http.Server{
+      Addr:         ":8999",
+      TLSConfig:    cfg,
+      ReadTimeout:  time.Minute,
+      WriteTimeout: time.Minute,
+    }
+    log.Fatal(srv.ListenAndServeTLS("", ""))
+    ```
+
+    If TLS 1.0-1.2 must be used, then the following list of ciphers should be chosen as they
+    support
+    Perfect Forward Secrecy (PFS):
+
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+
+    Example `tls.Config` using the recommended cipher suites:
+
+    ```go
+    cfg := &tls.Config{
+        MinVersion: tls.VersionTLS12,
+        CipherSuites: []uint16{
+            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+        },
+    }
+    ```
+
+  cwe_id:
+    - 327
+  id: go_gosec_crypto_bad_tls_settings
+  documentation_url: https://docs.bearer.com/reference/rules/go_gosec_crypto_bad_tls_settings