Note: Go Gen 2 is in closed beta.
Mend SAST-supported Go file types
* Note: These extensions are marked as ‘Secondary’ file extensions. They are only scanned if at least one file with one of the ‘Primary’ file extensions is also present, since a Primary file is what identifies the project as using the relevant language.
Mend SAST-supported Go frameworks
| Framework |
|---|
| net/http |
| gin |
| echo |
| fiber |
| chi |
| gorilla/mux |
| httprouter |
| beego |
| iris |
| buffalo |
| fasthttp |
| revel |
| graphql-go |
Mend SAST-supported Go vulnerability types
The Go vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.
Go high-severity vulnerability types
| CWE | Vulnerability Type | Low Probability Impact |
|---|---|---|
| CWE-22 | Path/Directory Traversal | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-78 | Command Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-79 | Cross-Site Scripting | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-89 | SQL Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-643 | XPath Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-918 | Server-Side Request Forgery | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-943 | No-SQL Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
Go medium-severity vulnerability types
| CWE | Vulnerability Type | Low Probability Impact |
|---|---|---|
| CWE-90 | LDAP Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-295 | Insecure TLS Configuration | |
| CWE-322 | Insecure SSH Configuration | |
| CWE-327 | Weak Crypto | |
| CWE-328 | Weak Hash | |
| CWE-347 | Improper Signature Verification | |
| CWE-377 | Insecure Temporary File | |
| CWE-400 | Sleep Denial of Service | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-798 | Hardcoded Password/Credentials | |
| CWE-1333 | ReDoS | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
Go low-severity vulnerability types
| CWE | Vulnerability Type | Low Probability Impact |
|---|---|---|
| CWE-20 | Mail Relay | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-20 | Cookie Injection | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-117 | Log Injection | |
| CWE-242 | Dangerous Function | Additional Taint Sources: Content from files and streams, databases, environment (command line calls, main method arguments, environment variables, configurations, url access) |
| CWE-326 | Weak Encryption Strength | |
| CWE-601 | Open Redirect | |
| CWE-614 | Sensitive Cookie Without 'Secure' | |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' | |