Remove rule G105 which detects the use of math/big#Int.Exp

The big#Int.Exp used to be vulnerable in older versions of Go, but in the meantime has been fixed (golang/go#15184). Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
securego · Sep 10, 2019 · 338b50d · 338b50d
1 parent 43e3664
commit 338b50d
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 78 deletions.
diff --git a/README.md b/README.md
@@ -60,18 +60,13 @@ paths, and produce reports in different formats. By default all rules will be
 run against the supplied input files. To recursively scan from the current
 directory you can supply './...' as the input argument.
 
-### Selecting rules
-
-By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
-or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 
 ### Available rules
 
 - G101: Look for hard coded credentials
 - G102: Bind to all interfaces
 - G103: Audit the use of unsafe block
 - G104: Audit errors not checked
-- G105: Audit the use of math/big.Int.Exp
 - G106: Audit the use of ssh.InsecureIgnoreHostKey
 - G107: Url provided to HTTP request as taint input
 - G201: SQL query construction using format string
@@ -93,6 +88,15 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 - G504: Import blacklist: net/http/cgi
 - G505: Import blacklist: crypto/sha1
 
+### Retired rules
+
+- G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+
+### Selecting rules
+
+By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
+or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
+
 ```bash
 # Run a specific set of rules
 $ gosec -include=G101,G203,G401 ./...

diff --git a/rules/big.go b/rules/big.go
diff --git a/rules/rulelist.go b/rules/rulelist.go
@@ -63,7 +63,6 @@ func Generate(filters ...RuleFilter) RuleList {
 		{"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
 		{"G103", "Audit the use of unsafe block", NewUsingUnsafe},
 		{"G104", "Audit errors not checked", NewNoErrorCheck},
-		{"G105", "Audit the use of big.Exp function", NewUsingBigExp},
 		{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
 		{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
 

diff --git a/rules/rules_test.go b/rules/rules_test.go
@@ -71,10 +71,6 @@ var _ = Describe("gosec rules", func() {
 			runner("G104", testutils.SampleCodeG104Audit)
 		})
 
-		It("should detect of big.Exp function", func() {
-			runner("G105", testutils.SampleCodeG105)
-		})
-
 		It("should detect of ssh.InsecureIgnoreHostKey function", func() {
 			runner("G106", testutils.SampleCodeG106)
 		})

diff --git a/testutils/source.go b/testutils/source.go
@@ -304,22 +304,6 @@ func main() {
 package main
 func dummy(){}
 `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}}
-	// SampleCodeG105 - bignum overflow
-	SampleCodeG105 = []CodeSample{{[]string{`
-package main
-import (
-	"math/big"
-)
-func main() {
-	z := new(big.Int)
-	x := new(big.Int)
-	x = x.SetUint64(2)
-	y := new(big.Int)
-    y = y.SetUint64(4)
-   	m := new(big.Int)
-    m = m.SetUint64(0)
-    z = z.Exp(x, y, m)
-}`}, 1, gosec.NewConfig()}}
 
 	// SampleCodeG106 - ssh InsecureIgnoreHostKey
 	SampleCodeG106 = []CodeSample{{[]string{`