Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Rule G401 split into two different rules #1159

Merged
merged 5 commits into from
Jun 24, 2024
Merged

Feature: Rule G401 split into two different rules #1159

merged 5 commits into from
Jun 24, 2024

Conversation

expp121
Copy link

@expp121 expp121 commented Jun 20, 2024
edited
Loading

Currently, rule G401 is used both for encryption and hashing algorithms, this might result in wrong categorization of a weakness.

This pull request aims to solve that problem, by splitting the rule into two separate ones(G401, G405).

Rule G401 is now responsible for only checking hashing algorithms such as MD5 and SHA1. Code containing those algorithms is flagged with CWE-328.

And the new rule G405 is responsible for checking encryption algorithms such as DES and RC4. And it flags code containing them with CWE-327.

closes #1158

Dimitar Banchev added 3 commits June 17, 2024 15:58
Updated G401 corresponding CWE
2f74a03 
The corresponding CWE from G401 rule was changed from CWE-326 -> CWE-328.
In my opinion, this CWE suits better the rule.
Split the G401 rule into two separate ones
89f3249 
Now the G401 rule is split into hashing and encryption algorithms.

G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
Minor changes
42b754d 
* Renamed the file responsible for rule G401
* Removed copyright of HP from the new rule
ccojocar
ccojocar approved these changes Jun 23, 2024
View reviewed changes
Copy link
Member

@ccojocar ccojocar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for splitting this up.

@ccojocar
Copy link
Member

@expp121 There seems to be some lint warnings, please could you fix them. I think the test file needs to be formatted. Thanks

Fixed CI workflow
33b573b 
The CI workflow wasn't able to complete succesfully.

* Formatted the call_list_test.go file
@expp121
Copy link
Author

expp121 commented Jun 24, 2024

Thank you for the advice @ccojocar! I hope I've fixed (quite new to github actions) the issue with the most recent commit.

I would also like to ask whether the analyzer_test.go file, should contain a license of some sort?

@expp121 expp121 requested a review from ccojocar June 24, 2024 12:36
Fixed coverage workflow
5a18a37 
* Renamed file(removed space)
* Changed the expected issues ( 1 -> 2)
@ccojocar
Copy link
Member

I would also like to ask whether the analyzer_test.go file, should contain a license of some sort?

@expp121 Yeah, it should have the same Apache license header file like the other files with an updated year. Please could you add it? Thanks a lot

@ccojocar
Copy link
Member

@expp121 I'll merge this. You can add the license header in a separate PR. Thanks

@ccojocar ccojocar merged commit 6382394 into securego:master Jun 24, 2024
6 checks passed
@zak-pawel zak-pawel mentioned this pull request Sep 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccojocar ccojocar ccojocar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rule G401 covers multiple different CWEs.
2 participants
@expp121 @ccojocar