Merge pull request #791 from tsmithv11/sast-update-jul-24

Add new Go policies

docs/en/enterprise-edition/policy-reference/book.yml

@@ -146,6 +146,8 @@ topics:
     file: terraform-policies.adoc
   - name: Terraform module sources do not use a git url with a commit hash revision
     file: ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.adoc
+  - name: Terraform module sources do not use a git url with a tag or commit hash revision
+    file: ensure-terraform-module-sources-use-tag.adoc
 ---
 kind: chapter
 name: Ansible Policies
@@ -2959,15 +2961,45 @@ kind: chapter
 name: SAST Policies
 dir: sast-policies
 topics:
- - name: SAST Policies
-   file: sast-policies.adoc
- - name: Go policies
-   dir: go-policies
-   topics:
-   - name: SAST Go Policy Index
-     file: go-policies.adoc
-   - name: Insecure SSH ignoring host key validation
-     file: sast-policy-198.adoc
+- name: SAST Policies
+  file: sast-policies.adoc
+- name: Go policies
+  dir: go-policies
+  topics:
+  - name: SAST Go Policy Index
+    file: go-policies.adoc
+  - name: Insecure SSH ignoring host key validation
+    file: sast-policy-198.adoc
+  - name: Weak RSA key length
+    file: sast-policy-200.adoc
+  - name: Usage of weak DES encryption algorithms
+    file: sast-policy-239.adoc
+  - name: Usage of weak MD5 hashing algorithm
+    file: sast-policy-240.adoc
+  - name: Usage of insecure RC4 cipher
+    file: sast-policy-241.adoc
+  - name: Usage of insecure SHA1 hashing algorithm
+    file: sast-policy-242.adoc
+  - name: Unsafe Go package in use
+    file: sast-policy-243.adoc
+  - name: Usage of weak random key generation
+    file: sast-policy-248.adoc
+  - name: Excessive directory permissions in Go applications
+    file: sast-policy-249.adoc
+  - name: Excessive file modification permissions
+    file: sast-policy-250.adoc
+  - name: Use of root directory in HTTP handler
+    file: sast-policy-253.adoc
+  - name: Excessive file write permissions
+    file: sast-policy-254.adoc
+  - name: Unsecured Creation of Temporary Files
+    file: sast-policy-255.adoc
+  - name: Missing HTTP server timeouts
+    file: sast-policy-256.adoc
+  - name: Usage of profiling endpoint in production
+    file: sast-policy-259.adoc
+  - name: Binding to all network interfaces
+    file: sast-policy-262.adoc
  - name: Java policies
    dir: java-policies
    topics:
@@ -3231,6 +3263,8 @@ topics:
      file: sast-policy-196.adoc
    - name: Unrobust cryptographic keys
      file: sast-policy-197.adoc
+   - name: Risky usage of malicious Polyfill.io library
+     file: sast-policy-263.adoc
  - name: Python policies
    dir: python-policies
    topics:
@@ -3256,8 +3290,6 @@ topics:
      file: sast-policy-169.adoc
    - name: Improper Neutralization of Wildcards or Matching Symbols
      file: sast-policy-170.adoc
-   - name: Unsafe use of 'exec' command
-     file: sast-policy-2.adoc
    - name: chmod sets a permissive mask on file
      file: sast-policy-3.adoc
    - name: Use of insecure IPMI-related modules

docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/go-policies.adoc

@@ -9,5 +9,65 @@
 |CKV3_SAST_198
 |LOW
 
+|xref:sast-policy-200.adoc[Weak RSA key length]
+|CKV3_SAST_200
+|MEDIUM
+
+|xref:sast-policy-239.adoc[Usage of weak DES encryption algorithms]
+|CKV3_SAST_239
+|MEDIUM
+
+|xref:sast-policy-240.adoc[Usage of weak MD5 hashing algorithm]
+|CKV3_SAST_240
+|MEDIUM
+
+|xref:sast-policy-241.adoc[Usage of insecure RC4 cipher]
+|CKV3_SAST_241
+|LOW
+
+|xref:sast-policy-242.adoc[Usage of insecure SHA1 hashing algorithm]
+|CKV3_SAST_242
+|LOW
+
+|xref:sast-policy-243.adoc[Unsafe Go package in use]
+|CKV3_SAST_243
+|LOW
+
+|xref:sast-policy-248.adoc[Usage of weak random key generation]
+|CKV3_SAST_248
+|MEDIUM
+
+|xref:sast-policy-249.adoc[Excessive directory permissions in Go applications]
+|CKV3_SAST_249
+|MEDIUM
+
+|xref:sast-policy-250.adoc[Excessive file modification permissions]
+|CKV3_SAST_250
+|MEDIUM
+
+|xref:sast-policy-253.adoc[Use of root directory in HTTP handler]
+|CKV3_SAST_253
+|MEDIUM
+
+|xref:sast-policy-254.adoc[Excessive file write permissions]
+|CKV3_SAST_254
+|MEDIUM
+
+|xref:sast-policy-255.adoc[Unsecured Creation of Temporary Files]
+|CKV3_SAST_255
+|MEDIUM
+
+|xref:sast-policy-256.adoc[Missing HTTP server timeouts]
+|CKV3_SAST_256
+|MEDIUM
+
+|xref:sast-policy-259.adoc[Usage of profiling endpoint in production]
+|CKV3_SAST_259
+|HIGH
+
+|xref:sast-policy-262.adoc[Binding to all network interfaces]
+|CKV3_SAST_262
+|MEDIUM
+
 
 |===

docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-200.adoc

@@ -0,0 +1,81 @@
+== Weak RSA key length
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|=== 
+|Prisma Cloud Policy ID 
+| TBD
+
+|Checkov ID 
+|CKV3_SAST_200
+
+|Severity
+|MEDIUM
+
+|Subtype
+|Build
+
+|Language
+|Go
+
+|CWEs
+|https://cwe.mitre.org/data/definitions/326.html[CWE-326: Inadequate Encryption Strength]
+
+|OWASP Categories
+|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures]
+
+|=== 
+
+=== Description
+
+This policy identifies instances where RSA keys with less than 2048 bits are generated using the `crypto/rsa` package in Go applications. RSA keys with less than 2048 bits are considered insecure due to their inadequate encryption strength. It is recommended to use RSA keys with at least 2048 bits to ensure sufficient security.
+
+In this example, the provided code generates a vulnerable RSA key due to its insufficient 2048-bit key length.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/rand"
+    "crypto/rsa"
+    "log"
+)
+
+func main() {
+    // Insecure RSA key generation with less than 2048 bits
+    key, err := rsa.GenerateKey(rand.Reader, 1024)
+    if err != nil {
+        log.Fatal(err)
+    }
+    log.Println("Generated RSA key with 1024 bits:", key)
+}
+----
+
+=== Fix - Buildtime
+
+To mitigate this issue, generate RSA keys with at least 2048 bits. This ensures adequate encryption strength and security.
+
+In this example, the application generates an RSA key with 2048 bits.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/rand"
+    "crypto/rsa"
+    "log"
+)
+
+func main() {
+    // Secure RSA key generation with 2048 bits
+    key, err := rsa.GenerateKey(rand.Reader, 2048)
+    if err != nil {
+        log.Fatal(err)
+    }
+    log.Println("Generated RSA key with 2048 bits:", key)
+}
+----

docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-239.adoc

@@ -0,0 +1,79 @@
+== Usage of weak DES encryption algorithms
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|=== 
+|Prisma Cloud Policy ID 
+| 35640d3e-f7f7-4289-a97b-a310d4789521
+
+|Checkov ID 
+|CKV3_SAST_239
+
+|Severity
+|MEDIUM
+
+|Subtype
+|Build
+
+|Language
+|Go
+
+|CWEs
+|https://cwe.mitre.org/data/definitions/327.html[CWE-327: Use of a Broken or Risky Cryptographic Algorithm]
+
+|OWASP Categories
+|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures]
+
+|=== 
+
+=== Description
+
+This policy checks whether DES and Triple DES encryption algorithms from the crypto/des package in Go applications are in use. DES encryption algorithms are considered weak due to their small key size and are vulnerable to modern cryptanalysis techniques. Stronger algorithms such as AES from the crypto/des package with larger key sizes are recommended for enhanced security.
+
+The following code snippet uses the weak and insecure DES encryption algorithm from the crypto/des package.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/des"
+    "log"
+)
+
+func main() {
+    // Insecure use of DES encryption
+    key := []byte("weakkey")
+    _, err := des.NewCipher(key)
+    if err != nil {
+        log.Fatal(err)
+    }
+}
+----
+
+=== Fix - Buildtime
+
+To mitigate this issue, replace the weak DES encryption with the more secure AES algorithm from the crypto/aes package.
+
+In this example, the application employs AES encryption rather than DES.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/aes"
+    "log"
+)
+
+func main() {
+    // Secure use of AES encryption
+    key := []byte("a very very very very secret key") // 32 bytes for AES-256
+    _, err := aes.NewCipher(key)
+    if err != nil {
+        log.Fatal(err)
+    }
+}
+----

docs/en/enterprise-edition/policy-reference/sast-policies/go-policies/sast-policy-240.adoc

@@ -0,0 +1,75 @@
+== Usage of weak MD5 hashing algorithm
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|=== 
+|Prisma Cloud Policy ID 
+| 7c48cc99-087b-4a47-9a06-54f44f5bf0d8
+
+|Checkov ID 
+|CKV3_SAST_240
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Language
+|Go
+
+|CWEs
+|https://cwe.mitre.org/data/definitions/328.html[CWE-328: Use of Weak Hash]
+
+|OWASP Categories
+|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[A02:2021-Cryptographic Failures]
+
+|=== 
+
+=== Description
+
+This policy checks whether the MD5 hashing algorithm from the crypto/md5 package is used in Go applications. The MD5 algorithm is cryptographically broken and vulnerable to producing collisions, making it unsuitable for secure hashing.
+
+In the following example, the application imports the crypto/md5 package and uses the weak and insecure MD5 hashing algorithm.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/md5"
+    "fmt"
+)
+
+func main() {
+    // Insecure use of MD5 hashing
+    data := []byte("sensitive data")
+    hash := md5.Sum(data)
+    fmt.Printf("%x\n", hash)
+}
+----
+
+=== Fix - Buildtime
+
+To mitigate this issue, replace the weak MD5 hashing algorithm with the more robust SHA-256 hashing algorithm from the crypto/sha256 package. SHA-256 provides better security due to its resistance to collision attacks.
+
+In this example, the application uses SHA-256 hashing instead of the less secure MD5 algorithm.
+
+[source,Go]
+----
+package main
+
+import (
+    "crypto/sha256"
+    "fmt"
+)
+
+func main() {
+    // Secure use of SHA-256 hashing
+    data := []byte("sensitive data")
+    hash := sha256.Sum256(data)
+    fmt.Printf("%x\n", hash)
+}
+----