Description
Running gosec on go-redis/redis reports one issue with High confidence and high severity.
The issue reported is: G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)
Expected Behavior
When running the following inside the project:
gosec -quiet -confidence high -severity high ./...
It should return 0 issues with high severity and high confidence.
Current Behavior
When running the following inside the project:
gosec -quiet -confidence high -severity high ./...
It returns:
[/path/to/repo/redis/options.go:249] - G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)
248: if u.Scheme == "rediss" {
> 249: o.TLSConfig = &tls.Config{ServerName: h}
250: }
Possible Solution
It can be fixed by either specifying the MinVersion parameter in TLSConfig, or by disabling the reporting of the issue if you believe it is not a true error.
Steps to Reproduce
I am seeing this issue on commit:
commit 51a4ea4358429e8e72978da44cdbbca7584759a7 (HEAD -> master, tag: v8.3.3, origin/master, origin/HEAD)
Merge: caee288 f92951b
Author: Vladimir Mihailenco <[email protected]>
Date: Wed Oct 28 12:01:51 2020 +0200
Merge pull request #1549 from go-redis/feature/retry-overflow
Guard against overflow in retry
With gosec version:
17:37 $ gosec -version
Version: 2.5.0
Git tag: v2.5.0
Build date: 2020-10-26T11:52:22Z
To reproduce, just run the gosec tool at the repo root:
- git clone
- cd
gosec -quiet -confidence high -severity high ./...
Context (Environment)
In my CI/CD pipeline I perform gosec on the Go dependencies I am using. I personally set the cursor for failure if any issue with HIGH confidence and HIGH severity is found. I was thinking it could impact other people in the same way.
Possible implementation:
Either:
- Disable the check on this line using
// #nosec G402
like they did here
OR
- Specify TLS MinVersion in the
options.go
file:
if u.Scheme == "rediss" {
o.TLSConfig = &tls.Config{ServerName: h, MinVersion: tls.VersionTLS12}
}
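As an added example (not code from the issue or from go-redis itself), the following standalone program shows the shape of the fix the reporter proposes: parsing a redis:// or rediss:// URL the way the flagged options.go branch does and, for the TLS case, building a tls.Config that pins MinVersion to TLS 1.2 so gosec G402 no longer fires. The helper names tlsConfigForURL and satisfiesG402 are hypothetical; the G402 check itself is what gosec documents (it flags a tls.Config whose MinVersion is unset or below TLS 1.2), and the host:port splitting here is an assumption about how the URL host would be handled, not a claim about go-redis's parser.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/url"
)

// tlsConfigForURL is a hypothetical helper (not go-redis code) mirroring the
// branch gosec flagged: for rediss:// it returns a tls.Config with ServerName
// set to the host and MinVersion pinned to TLS 1.2; for redis:// it returns
// nil, meaning plain TCP. Any other scheme is rejected.
func tlsConfigForURL(raw string) (*tls.Config, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch u.Scheme {
	case "redis":
		return nil, nil
	case "rediss":
		// fall through to the TLS branch below
	default:
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}

	// Use the bare hostname for SNI / certificate verification. If the URL
	// carries no port, SplitHostPort fails and we keep u.Host as-is.
	host := u.Host
	if h, _, err := net.SplitHostPort(u.Host); err == nil {
		host = h
	}

	// This is the corrected form of the flagged line: ServerName alone left
	// MinVersion at its zero value, which G402 reports as "too low".
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
	}, nil
}

// satisfiesG402 reproduces the rule gosec's G402 applies to MinVersion:
// an unset (0) or pre-1.2 minimum is flagged, TLS 1.2 or newer is accepted.
// A nil config (plain TCP) has nothing for the rule to inspect.
func satisfiesG402(cfg *tls.Config) bool {
	if cfg == nil {
		return true
	}
	return cfg.MinVersion >= tls.VersionTLS12
}

func main() {
	// Constructed sample URLs; no connection is opened.
	for _, raw := range []string{
		"rediss://cache.example.internal:6380/0",
		"rediss://cache.example.internal",
		"redis://localhost:6379/1",
	} {
		cfg, err := tlsConfigForURL(raw)
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		if cfg == nil {
			fmt.Println(raw, "-> plain TCP, G402 clean:", satisfiesG402(cfg))
			continue
		}
		fmt.Printf("%s -> ServerName=%q MinVersion=0x%04x G402 clean: %v\n",
			raw, cfg.ServerName, cfg.MinVersion, satisfiesG402(cfg))
	}
}
```

If a project instead chooses the `// #nosec G402` route, the annotation goes on the line that constructs the tls.Config; pinning MinVersion is the option that also tightens the actual client behaviour rather than only silencing the scanner.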