
Static analysis : gosec high issue : G402 (CWE-295): TLS MinVersion too low. #1553

Closed
jojolb opened this issue Nov 5, 2020 · 2 comments

jojolb commented Nov 5, 2020

Running gosec on go-redis/redis reports one issue with HIGH confidence and HIGH severity.
The issue reported is: G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)

Expected Behavior

When running the following inside the project:
gosec -quiet -confidence high -severity high ./...
it should return 0 issues with high severity and confidence.

Current Behavior

When running the following inside the project:
gosec -quiet -confidence high -severity high ./...
it returns:

[/path/to/repo/redis/options.go:249] - G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)
    248: 	if u.Scheme == "rediss" {
  > 249: 		o.TLSConfig = &tls.Config{ServerName: h}
    250: 	}

Possible Solution

It can be fixed by either specifying the MinVersion parameter in TLSConfig, or by disabling the reporting of the issue if you believe it is not a true error.

Steps to Reproduce

I am seeing this issue on commit:

commit 51a4ea4358429e8e72978da44cdbbca7584759a7 (HEAD -> master, tag: v8.3.3, origin/master, origin/HEAD)
Merge: caee288 f92951b
Author: Vladimir Mihailenco <vladimir.webdev@gmail.com>
Date:   Wed Oct 28 12:01:51 2020 +0200

    Merge pull request #1549 from go-redis/feature/retry-overflow

    Guard against overflow in retry

With gosec version:

17:37 $ gosec -version
Version: 2.5.0
Git tag: v2.5.0
Build date: 2020-10-26T11:52:22Z

To reproduce, just run the gosec tool at the repo root:

  1. git clone
  2. cd
  3. gosec -quiet -confidence high -severity high ./...

Context (Environment)

In my CI/CD pipeline I run gosec on the Go dependencies I am using. I personally set the cursor for failure when any issue with HIGH confidence and HIGH severity is found. I was thinking it could impact other people in the same way.

Possible implementation:

Either:

  1. Disable the check on this line using // #nosec G402, like they did here
    OR
  2. Specify TLS MinVersion in the options.go file:

    if u.Scheme == "rediss" {
        o.TLSConfig = &tls.Config{ServerName: h, MinVersion: tls.VersionTLS12}
    }

Thanks for your redis lib ;)
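The two shapes of the flagged line side by side, as an added example (not code from go-redis or from the issue author): a config that only sets ServerName, which is exactly what gosec G402 reports, next to one that pins MinVersion to TLS 1.2, plus a small helper that encodes the G402 condition so the difference can be checked in a test. The function names, the rediss:// URL and the use of url.Parse to obtain the host are assumptions made for the example; the issue shows only the three lines around options.go:249.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/url"
)

// unpinnedTLSConfig has the shape of the line gosec flagged at options.go:249:
// ServerName is set, MinVersion is left at its zero value. gosec G402 (CWE-295)
// reports this regardless of what the runtime default happens to be.
func unpinnedTLSConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host}
}

// tlsConfigForURL is the hardened form suggested in the issue, wrapped so it
// can be exercised on its own (hypothetical helper, not go-redis' API).
// For a "rediss" scheme it returns a config with ServerName taken from the URL
// and MinVersion pinned to TLS 1.2; for any other scheme it returns nil, i.e.
// a plaintext connection, mirroring the `if u.Scheme == "rediss"` guard.
func tlsConfigForURL(rawURL string) (*tls.Config, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "rediss" {
		return nil, nil
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("rediss URL has no host to verify the certificate against")
	}
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12, // never negotiate TLS 1.0 / 1.1
	}, nil
}

// minVersionTooLow is the condition behind gosec G402: a non-nil config whose
// MinVersion is unset (0) or below TLS 1.2. A nil config means no TLS at all,
// which G402 does not report (it is the scheme check's job to reject that).
func minVersionTooLow(cfg *tls.Config) bool {
	if cfg == nil {
		return false
	}
	return cfg.MinVersion < tls.VersionTLS12
}

func main() {
	// Constructed sample inputs; the hostname is a placeholder.
	flagged := unpinnedTLSConfig("redis.example.internal")
	fmt.Printf("unpinned config flagged by G402: %v\n", minVersionTooLow(flagged))

	cfg, err := tlsConfigForURL("rediss://redis.example.internal:6380/0")
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned config flagged by G402: %v (ServerName=%q, MinVersion=0x%04x)\n",
		minVersionTooLow(cfg), cfg.ServerName, cfg.MinVersion)
}
```

Static analysis works on the literal, so the check is satisfied only by an explicit MinVersion; relying on Go's client-side default (TLS 1.2 since Go 1.18) keeps the runtime safe but still leaves the G402 finding in every CI run, which is the situation the issue describes.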

monkey92t added a commit to monkey92t/redis that referenced this issue Jul 30, 2021
Signed-off-by: monkey92t <golang@88.com>
monkey92t added a commit to monkey92t/redis that referenced this issue Jul 30, 2021
Signed-off-by: monkey92t <golang@88.com>
Momotoculteur commented

Hello guys!

Do you have some information about the release of v9 which includes this patch? My CI is down since I have this issue :(

Thanks in advance,
Bastien

monkey92t (Collaborator) commented, quoting the comment above:

    Hello guys!

    Do you have some information about the release of v9 which includes this patch? My CI is down since I have this issue :(

    Thanks in advance,
    Bastien

v9 version needs to wait for a while.
