Using less than 310,000 iterations for PBKDF2 (GO-S1037)
Tags: a02, owasp-top-10
Using a higher iteration count significantly increases the compute required to brute-force passwords from the derived keys. OWASP recommends using more than 310,000 iterations for PBKDF2. Note the trade-off: a higher iteration count raises the cost of an exhaustive search, but it also makes every legitimate derivation proportionally slower.
Bad practice
package main
import (
    "crypto/sha256"
    "golang.org/x/crypto/pbkdf2"
)
func main() {
    pbkdf2.Key([]byte("pass"), []byte("salt"), 10000, 64, sha256.New) // using less than 310,000 iterations
}
Recommended
package main
import (
    "crypto/sha256"
    "golang.org/x/crypto/pbkdf2"
)
func main() {
    pbkdf2.Key([]byte("pass"), []byte("salt"), 310000, 64, sha256.New) // at or above the recommended 310,000 iterations
}