Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create rule S5659: JWT should be signed and verified with strong cipher algorithms for Go #4668

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Create rule S5659: JWT should be signed and verified with strong cipher algorithms for Go #4668

wants to merge 2 commits into from

Conversation

github-actions[bot]
Copy link
Contributor

You can preview this rule here (updated a few minutes after each push).

Review

A dedicated reviewer checked the rule description successfully for:

  • logical errors and incorrect information
  • information gaps and missing content
  • text style and tone
  • PR summary and labels follow the guidelines

@github-actions github-actions bot added the go label Feb 17, 2025
@daniel-teuchert-sonarsource daniel-teuchert-sonarsource changed the title Create rule S5659 Create rule S5659: JWT should be signed and verified with strong cipher algorithms Feb 17, 2025
@daniel-teuchert-sonarsource daniel-teuchert-sonarsource changed the title Create rule S5659: JWT should be signed and verified with strong cipher algorithms Create rule S5659: JWT should be signed and verified with strong cipher algorithms for Go Feb 17, 2025
@daniel-teuchert-sonarsource daniel-teuchert-sonarsource marked this pull request as ready for review February 17, 2025 15:37
@sonarqube-next SonarQube-Next
Copy link

Quality Gate passed Quality Gate passed for 'rspec-tools'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@sonarqube-next SonarQube-Next
Copy link

Quality Gate passed Quality Gate passed for 'rspec-frontend'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

teemu-rytilahti-sonarsource
teemu-rytilahti-sonarsource requested changes Feb 19, 2025
View reviewed changes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The compliant example should probably not use the UnsafeAllowNoneSignatureType, looking good otherwise!

rules/S5659/go/rule.adoc
jwt.MapClaims{
"foo": "bar",
})
token.SignedString(jwt.UnsafeAllowNoneSignatureType)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
token.SignedString(jwt.UnsafeAllowNoneSignatureType)
token.SignedString(hmacSampleSecret)

rules/S5659/go/rule.adoc
import (
jwt "github.com/golang-jwt/jwt/v5"
)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var hmacSecret = ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@teemu-rytilahti-sonarsource teemu-rytilahti-sonarsource teemu-rytilahti-sonarsource requested changes

Assignees

@daniel-teuchert-sonarsource daniel-teuchert-sonarsource

Labels
appsec go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@teemu-rytilahti-sonarsource @daniel-teuchert-sonarsource