Audit required: `(*crypto/x509.Certificate).Verify` does not use the system time for verificationGO-S1032
a02, owasp-top-10, cwe-324
(*crypto/x509.Certificate).Verify accepts a CurrentTime field in its VerifyOptions that sets the time against which the certificate chain's validity period is checked; when the field is left at its zero value, Verify uses the current system time. Supplying any other time may allow expired certificates to be marked as valid.
Bad practice
package main
import (
    "crypto/x509"
    "encoding/pem"
    "time"
)
func main() {
    const rootPEM = "..."
    const certPEM = "..."
    roots := x509.NewCertPool()
    ok := roots.AppendCertsFromPEM([]byte(rootPEM))
    if !ok {
        // ...
    }
    block, _ := pem.Decode([]byte(certPEM))
    if block == nil {
        // ...
    }
    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        // ...
    }
    // time.Parse returns (time.Time, error), and the value must match the RFC822Z layout "02 Jan 06 15:04 -0700"
    fixedTime, err := time.Parse(time.RFC822Z, "02 Apr 22 10:10 +0530")
    if err != nil {
        // ...
    }
    opts := x509.VerifyOptions{
        DNSName:     "deepsource.io",
        Roots:       roots,
        CurrentTime: fixedTime, // a fixed instant in the past, not the system clock
    }
    if _, err := cert.Verify(opts); err != nil { // it uses some other time for verification
        panic("failed to verify certificate: " + err.Error())
    }
}
Recommended
package main
import (
    "crypto/x509"
    "encoding/pem"
    "time"
)
func main() {
    const rootPEM = "..."
    const certPEM = "..."
    roots := x509.NewCertPool()
    ok := roots.AppendCertsFromPEM([]byte(rootPEM))
    if !ok {
        // ...
    }
    block, _ := pem.Decode([]byte(certPEM))
    if block == nil {
        // ...
    }
    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        // ...
    }
    opts := x509.VerifyOptions{
        DNSName:     "deepsource.io",
        Roots:       roots,
        CurrentTime: time.Now(),
    }
    // or, equivalently, leave CurrentTime unset: its zero value makes Verify use time.Now()
    opts = x509.VerifyOptions{
        DNSName: "deepsource.io",
        Roots:   roots,
    }
    if _, err := cert.Verify(opts); err != nil {
        panic("failed to verify certificate: " + err.Error())
    }
}
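To show concretely what the rule is guarding against, here is an added, self-contained example (not DeepSource's code) that mints a throwaway root CA and a "deepsource.io" leaf whose validity window ended a year ago, then runs Verify twice: once with CurrentTime left zero (system clock) and once pinned to an instant inside the old window. The helper names issue, expiredChain, verifyAt and isExpired, and the "Demo Root CA" subject, are this example's own inventions; the keys and certificates are generated in memory when it runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a fresh Ed25519 key for tmpl and has signer sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// expiredChain builds a constructed root CA plus "deepsource.io" leaf whose validity ended a year ago.
func expiredChain() (*x509.Certificate, *x509.CertPool, time.Time, error) {
	notBefore, notAfter := time.Now().AddDate(-2, 0, 0), time.Now().AddDate(-1, 0, 0)
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, notBefore, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "deepsource.io"},
		DNSNames: []string{"deepsource.io"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return leaf, roots, notBefore, err
}

// verifyAt runs Verify with CurrentTime = at; the zero time makes Verify use the system clock.
func verifyAt(leaf *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "deepsource.io", Roots: roots, CurrentTime: at})
	return err
}

// isExpired reports whether err is Verify's validity-period rejection.
func isExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}
func main() {
	leaf, roots, notBefore, err := expiredChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("system clock:", verifyAt(leaf, roots, time.Time{}))                 // expired -> rejected
	fmt.Println("pinned time :", verifyAt(leaf, roots, notBefore.Add(24*time.Hour))) // <nil> -> accepted
}
```

The second call succeeds only because the caller chose the clock; an attacker-influenced or stale CurrentTime therefore turns an expired chain into a trusted one.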