diff --git a/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md b/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md index 2734ffe..e9c936f 100644 --- a/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md +++ b/go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md @@ -1,9 +1,20 @@ # Missing MinVersion in tls.Config -Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers. TLS1.0 is considered deprecated and should not be used. +Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, the default depends on the Go version in use: +- Since **Go 1.18**, clients default to TLS 1.2 (previously TLS 1.0) +- Since **Go 1.22**, servers also default to TLS 1.2 (previously TLS 1.0) + +For projects that support older Go versions, leaving `MinVersion` unset may still permit TLS 1.0 or 1.1, which are deprecated and should not be used. + +This query flags `tls.Config` values where `MinVersion` is never set explicitly and the project's `go.mod` declares support for: +- **Go < 1.18** for client-side configs (when client default is TLS 1.0) +- **Go < 1.22** for server-side configs (when server default is TLS 1.0) ## Recommendation -Explicitly set tls version to an up-to-date one. +Explicitly set the TLS version to TLS 1.2 or higher: +- For projects using Go < 1.18: Set `MinVersion` for both clients and servers +- For projects using Go 1.18-1.21: Set `MinVersion` for servers +- For projects using Go >= 1.22: Defaults are secure, but explicit setting is still recommended ## Example 
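Review bot: the new "This query flags `tls.Config` values where..." paragraph in MissingMinVersionTLS.md omits the no-go.mod case that the query hunk implements (both `projectSupportsOldTlsDefaultsFor*` predicates hold when no `GoModGoLine` exists), so a reader cannot predict results for a repository without a `go.mod` or without a `go` directive. Suggest a third bullet along the lines of `- Projects with no go.mod (or no go directive) are treated conservatively: both client and server configs are flagged`. In the two existing bullets, "when client default is TLS 1.0" sits oddly next to the intro that says the default is now 1.2; "was" reads better.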
@@ -50,8 +61,15 @@ func main() { } ``` -In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. The `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even that it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing. +In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. For projects with `go` directive < 1.22, the `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even though it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing. + +Note: The query behavior depends on the `go` directive in `go.mod`: +- **Go < 1.18**: Both client and server configs without MinVersion are flagged +- **Go 1.18-1.21**: Only server configs without MinVersion are flagged +- **Go >= 1.22**: No configs are flagged (both defaults are secure) ## References * [tls.Config specification](https://pkg.go.dev/crypto/tls#Config) +* [Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side](https://tip.golang.org/doc/go1.18#tls10) +* [Go 1.22 Release Notes - TLS 1.2 default for servers](https://tip.golang.org/doc/go1.22#minor_library_changes) diff --git a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp index 5b3eee1..ff256f2 100644 --- a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp +++ b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp @@ -4,29 +4,57 @@

-Golang's tls.Config struct accepts MinVersion parameter that sets minimum accepted TLS version. -If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers. -TLS1.0 is considered deprecated and should not be used. +Golang's tls.Config struct accepts a MinVersion parameter that sets the minimum accepted TLS version. +If the parameter is not provided, the default depends on the Go version in use. Since Go 1.18, crypto/tls clients default to TLS 1.2 (previously TLS 1.0). +Since Go 1.22, crypto/tls servers also default to TLS 1.2 (previously TLS 1.0). +

+

+This query flags tls.Config values where MinVersion is never set explicitly and the project's +go.mod declares support for a Go version where the defaults are insecure: +

+ +

+TLS 1.0 and 1.1 are deprecated and should not be used.

-

Explicitly set tls version to an up-to-date one.

+

Explicitly set the TLS version to TLS 1.2 or higher:

+

In this example, the http.Server may be set with TLS configuration created by either test1 or test2 functions. -The test1 result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. -The test2 result will not be marked, even that it also uses the default value for minimum version. -That is because the test2 is explicit, and this query assumes that developers knew what they are doing. +For projects with a go directive < 1.22, the test1 result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. +The test2 result will not be marked, even though it also uses the default value for minimum version. +That is because the test2 is explicit, and this query assumes that developers knew what they are doing.

+

Note: The query behavior depends on the go directive in go.mod:

+
    +
  • Go < 1.18: Both client and server configs without MinVersion are flagged
  • +
  • Go 1.18-1.21: Only server configs without MinVersion are flagged
  • +
  • Go >= 1.22: No configs are flagged (both defaults are secure)
  • +
  • tls.Config specification
  • +
  • + Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side +
  • +
  • + Go 1.22 Release Notes - TLS 1.2 default for servers +
  • \ No newline at end of file diff --git a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql index b79bb8b..baa0f8d 100644 --- a/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql +++ b/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql @@ -1,7 +1,7 @@ /** * @name Missing MinVersion in tls.Config * @id tob/go/missing-min-version-tls - * @description This rule finds cases when you do not set the `tls.Config.MinVersion` explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions + * @description Finds uses of tls.Config where MinVersion is not set and the project's minimum Go version (from go.mod) indicates insecure defaults: Go < 1.18 for clients or Go < 1.22 for servers. Does not mark explicitly set versions (including explicitly insecure ones). * @kind problem * @tags security * @problem.severity error @@ -11,6 +11,7 @@ */ import go +import semmle.go.GoMod as GoMod /** * Flow of a `tls.Config` to a write to the `MinVersion` field. 
@@ -19,67 +20,59 @@ module TlsVersionConfig implements DataFlow::ConfigSig { /** * Holds if `source` is a TLS.Config instance. */ - predicate isSource(DataFlow::Node source) { - exists(Variable v | - configOrConfigPointer(v.getType()) and - source.asExpr() = v.getAReference() - ) - } - + predicate isSource(DataFlow::Node source) { + exists(Variable v | + configOrConfigPointer(v.getType()) and + source.asExpr() = v.getAReference() + ) + } + /** * Holds if a write to `sink`.MinVersion exists. */ - predicate isSink(DataFlow::Node sink) { - exists(Write fieldWrite, Field fld | - fld.hasQualifiedName( "crypto/tls", "Config", "MinVersion") and - fieldWrite.writesField(sink, fld, _) - ) - } + predicate isSink(DataFlow::Node sink) { + exists(Write fieldWrite, Field fld | + fld.hasQualifiedName("crypto/tls", "Config", "MinVersion") and + fieldWrite.writesField(sink, fld, _) + ) + } } module TlsVersionFlow = TaintTracking::Global; +predicate structLitSetsMinVersion(StructLit lit) { + exists(Write w, Field fld | + fld.hasQualifiedName("crypto/tls", "Config", "MinVersion") and + w.writesField(DataFlow::exprNode(lit), fld, _) + ) +} -/** - * Flow of a `tls.Config` with `MinVersion` to a variable. - */ module TlsConfigCreationConfig implements DataFlow::ConfigSig { - additional predicate isSecure(DataFlow::Node source) { - exists(StructLit lit, Field fld | - lit.getType().hasQualifiedName("crypto/tls", "Config") and - fld.hasQualifiedName("crypto/tls", "Config", "MinVersion") and - source.asExpr() = lit and - fld = lit.getType().getField(_) and - exists(Write w | w.writesField(DataFlow::exprNode(lit), fld, _)) - ) - } - /** - * Holds if `source` is a TLS.Config literal. + * Holds if `source` is a TLS.Config literal without MinVersion set. 
*/ - predicate isSource(DataFlow::Node source) { - exists(StructLit lit, Field fld | - lit.getType().hasQualifiedName("crypto/tls", "Config") and - fld.hasQualifiedName("crypto/tls", "Config", "MinVersion") and - source.asExpr() = lit - ) - and not isSecure(source) - } - + predicate isSource(DataFlow::Node source) { + exists(StructLit lit | + lit.getType().hasQualifiedName("crypto/tls", "Config") and + source.asExpr() = lit and + not structLitSetsMinVersion(lit) + ) + } + /** * Holds if it is TLS.Config instance (a Variable). */ - predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { exists(Variable v | sink.asExpr() = v.getAReference() ) - } + } /** * Holds if TLS.Config literal is saved in a structure's field */ - predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { - exists(Write w | w.writesField(succ, _, pred)) - } + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(Write w | w.writesField(succ, _, pred)) + } } module TlsConfigCreationFlow = TaintTracking::Global; 
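Review bot: the QLDoc comment `Flow of a tls.Config with MinVersion to a variable.` above `module TlsConfigCreationConfig` is deleted in this hunk and not replaced, and the new top-level predicate `structLitSetsMinVersion` has no QLDoc at all; keep a module comment (for example `Flow of a tls.Config literal with no MinVersion set to a variable.`) and add a `/** Holds if struct literal lit writes MinVersion. */` above the predicate. Separately, most of the lines in this hunk are re-indentation of `isSource`, `isSink` and `isAdditionalFlowStep` with no behavioural change, which buries the real change (the `isSecure` predicate folded into `structLitSetsMinVersion`); running `codeql query format` in a separate commit before the logic change would make the diff reviewable.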
@@ -103,50 +96,173 @@ predicate configOrConfigPointer(Type t) { ) } +/** + * Holds if v is a Go version string for Go 1.x that is >= 1.18. + * Matches: "1.18", "1.19", "1.20", ..., "1.99", "1.100", "1.18.0", etc. + */ +bindingset[v] +predicate goVersionAtLeast_1_18(string v) { + v.regexpMatch("1\\.(1[89]|[2-9][0-9]|[1-9][0-9]{2,})(\\.\\d+)?") +} + +/** + * Holds if v is a Go version string for Go 1.x that is >= 1.22. + * Matches: "1.22", "1.23", ..., "1.99", "1.100", "1.22.0", etc. + */ +bindingset[v] +predicate goVersionAtLeast_1_22(string v) { + v.regexpMatch("1\\.(2[2-9]|[3-9][0-9]|[1-9][0-9]{2,})(\\.\\d+)?") +} + +/** + * Holds if the project may be built with a Go version where a server with + * an unset MinVersion still defaults to TLS 1.0/1.1 (Go < 1.22). + * + * - If there is no go.mod: assume yes + * - Otherwise: if any go.mod has a `go` < 1.22: yes. + */ +predicate projectSupportsOldTlsDefaultsForServers() { + not exists(GoModGoLine l | l = l) or + exists(GoModGoLine l | + not goVersionAtLeast_1_22(l.getVersion()) + ) +} + +/** + * Holds if the project may be built with a Go version where a client with + * an unset MinVersion still defaults to TLS 1.0/1.1 (Go < 1.18). + * + * - If there is no go.mod: assume YES (be conservative). + * - Otherwise: if any go.mod has a `go` < 1.18: YES. + */ +predicate projectSupportsOldTlsDefaultsForClients() { + not exists(GoModGoLine l | l = l) or + exists(GoModGoLine l | + not goVersionAtLeast_1_18(l.getVersion()) + ) +} + +/** + * Holds if expression `e` mentions the config variable or struct literal. + */ +predicate mentionsConfig(Expr e, Variable v, StructLit configStruct) { + e.getAChild*() = v.getARead().asExpr() or + e.getAChild*() = configStruct +} + +/** + * Holds if the config is used as a client config (TLSClientConfig or tls.Dial/Client APIs). 
+ */ +predicate usedAsClient(Variable v, StructLit configStruct) { + exists(StructLit outer, KeyValueExpr kv | + outer.getType().hasQualifiedName("net/http", "Transport") and + kv.getParent*() = outer and + kv.getKey().(Ident).getName() = "TLSClientConfig" and + mentionsConfig(kv.getValue(), v, configStruct) + ) + or + exists(Write w, Field fld, DataFlow::Node recv, DataFlow::Node rhs | + fld.hasQualifiedName("net/http", "Transport", "TLSClientConfig") and + w.writesField(recv, fld, rhs) and + mentionsConfig(rhs.asExpr(), v, configStruct) + ) + or + exists(CallExpr call | + // tls.Dial(network, addr, config) => argument 2 is config (0-based) + call.getTarget().hasQualifiedName("crypto/tls", "Dial") and + mentionsConfig(call.getArgument(2), v, configStruct) + ) + or + exists(CallExpr call | + // tls.DialWithDialer(dialer, network, addr, config) => argument 3 is config + call.getTarget().hasQualifiedName("crypto/tls", "DialWithDialer") and + mentionsConfig(call.getArgument(3), v, configStruct) + ) + or + exists(CallExpr call | + // tls.Client(conn, config) => argument 1 is config + call.getTarget().hasQualifiedName("crypto/tls", "Client") and + mentionsConfig(call.getArgument(1), v, configStruct) + ) +} + +/** + * Holds if the config is used as a server config (TLSConfig or tls.Listen/Server APIs). 
+ */ +predicate usedAsServer(Variable v, StructLit configStruct) { + exists(StructLit outer, KeyValueExpr kv | + outer.getType().hasQualifiedName("net/http", "Server") and + kv.getParent*() = outer and + kv.getKey().(Ident).getName() = "TLSConfig" and + mentionsConfig(kv.getValue(), v, configStruct) + ) + or + exists(Write w, Field fld, DataFlow::Node recv, DataFlow::Node rhs | + fld.hasQualifiedName("net/http", "Server", "TLSConfig") and + w.writesField(recv, fld, rhs) and + mentionsConfig(rhs.asExpr(), v, configStruct) + ) + or + exists(CallExpr call | + // tls.Listen(network, addr, config) => argument 2 is config + call.getTarget().hasQualifiedName("crypto/tls", "Listen") and + mentionsConfig(call.getArgument(2), v, configStruct) + ) + or + exists(CallExpr call | + // tls.NewListener(inner, config) => argument 1 is config + call.getTarget().hasQualifiedName("crypto/tls", "NewListener") and + mentionsConfig(call.getArgument(1), v, configStruct) + ) + or + exists(CallExpr call | + // tls.Server(conn, config) => argument 1 is config + call.getTarget().hasQualifiedName("crypto/tls", "Server") and + mentionsConfig(call.getArgument(1), v, configStruct) + ) +} + // v - a variable holding any structure which is or contains the tls.Config from StructLit configStruct, Variable v, DataFlow::Node source, DataFlow::Node sink where // find tls.Config structures with MinVersion not set on the structure initialization ( - TlsConfigCreationFlow::flow(source, sink) and - sink.asExpr() = v.getAReference() and + TlsConfigCreationFlow::flow(source, sink) and + sink.asExpr() = v.getAReference() and source.asExpr() = configStruct ) - - // exclude if tls.Config is used as TLSClientConfig, as default for clients is TLS 1.2 - and not exists(KeyValueExpr kv | - kv.getKey().(VariableName).getTarget().getName() = "TLSClientConfig" and - ( - kv.getValue().getAChild*() = v.getARead().asExpr() - or - kv.getValue().getAChild*() = configStruct - ) - ) - - and not exists(Type t | - 
t.hasQualifiedName("net/http", "Client") and - v.getType() = t.getPointerType*() - ) // only explicitely defined, e.g., skip function arguments and ( exists(DeclStmt decl | v.getAReference() = decl.getAChild+()) or - exists(DefineStmt decl | v.getAReference() = decl.getAChild+()) + exists(DefineStmt decl | v.getAReference() = decl.getAChild+()) ) // skip field declarations and not exists(FieldDecl decl | v.getAReference() = decl.getAChild+()) - + // if the tls.Config is assigned to a variable and if configOrConfigPointer(v.getType()) then - ( + ( // exclude if there is a later write to MinVersion not exists(DataFlow::Node source2, DataFlow::Node sink2 | - TlsVersionFlow::flow(source2, sink2) and - source2.asExpr() = v.getAReference() - ) + TlsVersionFlow::flow(source2, sink2) and + source2.asExpr() = v.getAReference() + ) ) else any() -select configStruct, "TLS.Config.MinVersion is never set for variable $@ ", v, v.getName() \ No newline at end of file + // Version-aware filtering based on client vs server usage: + // - For clients: only flag if Go < 1.18 (when client default is TLS 1.0) + // - For servers: only flag if Go < 1.22 (when server default is TLS 1.0) + // - If neither classified, be conservative as "server-like" + and ( + (usedAsClient(v, configStruct) and projectSupportsOldTlsDefaultsForClients()) + or + (usedAsServer(v, configStruct) and projectSupportsOldTlsDefaultsForServers()) + or + (not usedAsClient(v, configStruct) and not usedAsServer(v, configStruct) and projectSupportsOldTlsDefaultsForServers()) + ) + +select configStruct, "TLS.Config.MinVersion is never set for variable $@.", v, v.getName() \ No newline at end of file diff --git a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected index 021c3d1..602b4e0 100644 --- a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected 
+++ b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.expected 
@@ -1,15 +1,18 @@ -| MissingMinVersionTLS.go:25:14:25:25 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:25:3:25:8 | config | config | -| MissingMinVersionTLS.go:35:14:37:3 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:35:3:35:8 | config | config | -| MissingMinVersionTLS.go:50:13:50:24 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:50:3:50:8 | config | config | -| MissingMinVersionTLS.go:61:13:61:24 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:61:3:61:8 | config | config | -| MissingMinVersionTLS.go:91:12:91:23 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:110:3:110:3 | c | c | -| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:118:3:118:3 | c | c | -| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:149:3:149:3 | c | c | -| MissingMinVersionTLS.go:126:23:126:62 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:126:3:126:3 | c | c | -| MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:135:3:135:5 | tmp | tmp | -| MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:136:3:136:3 | c | c | -| MissingMinVersionTLS.go:142:23:142:62 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:142:3:142:3 | c | c | -| MissingMinVersionTLS.go:149:23:149:62 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:149:3:149:3 | c | c | -| MissingMinVersionTLS.go:168:16:168:55 | struct 
literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:167:3:167:5 | srv | srv | -| MissingMinVersionTLS.go:171:16:171:55 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:170:3:170:6 | srv2 | srv2 | -| MissingMinVersionTLS.go:176:9:176:48 | struct literal | TLS.Config.MinVersion is never set for variable $@ | MissingMinVersionTLS.go:182:3:182:6 | srv3 | srv3 | +| MissingMinVersionTLS.go:25:14:25:25 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:25:3:25:8 | config | config | +| MissingMinVersionTLS.go:35:14:37:3 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:35:3:35:8 | config | config | +| MissingMinVersionTLS.go:50:13:50:24 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:50:3:50:8 | config | config | +| MissingMinVersionTLS.go:61:13:61:24 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:61:3:61:8 | config | config | +| MissingMinVersionTLS.go:91:12:91:23 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:110:3:110:3 | c | c | +| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:118:3:118:3 | c | c | +| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:149:3:149:3 | c | c | +| MissingMinVersionTLS.go:126:23:126:62 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:126:3:126:3 | c | c | +| MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@. 
| MissingMinVersionTLS.go:135:3:135:5 | tmp | tmp | +| MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:136:3:136:3 | c | c | +| MissingMinVersionTLS.go:142:23:142:62 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:142:3:142:3 | c | c | +| MissingMinVersionTLS.go:149:23:149:62 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:149:3:149:3 | c | c | +| MissingMinVersionTLS.go:159:23:161:5 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:157:3:157:8 | client | client | +| MissingMinVersionTLS.go:169:16:169:55 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:168:3:168:5 | srv | srv | +| MissingMinVersionTLS.go:172:16:172:55 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:171:3:171:6 | srv2 | srv2 | +| MissingMinVersionTLS.go:177:9:177:48 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:177:3:177:3 | c | c | +| MissingMinVersionTLS.go:177:9:177:48 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:178:3:178:8 | client | client | +| MissingMinVersionTLS.go:177:9:177:48 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:183:3:183:6 | srv3 | srv3 | diff --git a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go index 48493dc..529f311 100644 --- a/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go +++ b/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.go 
@@ -151,7 +151,8 @@ func main() { c.Init3() } } - // OK: config used only for a client + // BAD for Go < 1.18: config used for a client (clients default to TLS 1.0) + // OK for Go >= 1.18: clients default to TLS 1.2 { client := &http.Client{ Transport: &http.Transport{ diff --git a/go/test/query-tests/security/MissingMinVersionTLS/go.mod b/go/test/query-tests/security/MissingMinVersionTLS/go.mod index fb79f49..3fe31f9 100644 --- a/go/test/query-tests/security/MissingMinVersionTLS/go.mod +++ b/go/test/query-tests/security/MissingMinVersionTLS/go.mod @@ -1,3 +1,5 @@ module codeql-go-tests/query/MissingMinVersionTLS +// Using Go 1.15 (< 1.18) to test the case where both clients and servers +// default to TLS 1.0, so both should be flagged when MinVersion is not set go 1.15
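Review bot: in the MissingMinVersionTLS.md "References" hunk, both new links point at tip.golang.org, which serves documentation for the development branch rather than the released notes; the stable URLs are under go.dev/doc/go1.18 and go.dev/doc/go1.22 with the same anchors, and the Go 1.22 link lands on the generic `#minor_library_changes` section, so the reader has to scroll to find the crypto/tls server-default entry. In the same hunk, the added "Note: The query behavior depends on the `go` directive in `go.mod`" list repeats the three-bullet list already added at the top of the file in the first hunk; keep one copy and refer to it from the example.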
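Review bot: the MissingMinVersionTLS.qhelp hunk ends with `\ No newline at end of file`, as does the .ql hunk; add the trailing newline to both. The qhelp duplicates the .md prose almost verbatim, so please check that the Go-version list introduced by "go.mod declares support for a Go version where the defaults are insecure:" and the three-item recommendation list match the .md exactly, including the no-go.mod behaviour once it is documented there.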
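Review bot: `import semmle.go.GoMod as GoMod` in the first MissingMinVersionTLS.ql hunk introduces an alias that nothing in the visible hunks uses; `GoModGoLine` is referenced unqualified in the later hunk, so it already resolves through `import go`. Either drop the import line or write `GoMod.GoModGoLine` so the alias does the work. The rewritten `@description` is accurate to the new logic; consider stating the no-go.mod fallback there as well, since it is the case most likely to surprise users.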
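Review bot: in `projectSupportsOldTlsDefaultsForServers()` and `projectSupportsOldTlsDefaultsForClients()` in the third .ql hunk, `not exists(GoModGoLine l | l = l)` is just `not exists(GoModGoLine l)`. More importantly, `exists(GoModGoLine l | not goVersionAtLeast_1_22(l.getVersion()))` ranges over every go.mod in the database, so one old `go` directive in an unrelated module (a fixture or example directory) turns every `tls.Config` in the repository into a finding; relate the go.mod to the file containing `configStruct` before comparing versions. The two version regexes only accept `1.N` or `1.N.M`, so a legal directive such as `1.21rc1` fails to match and is treated as < 1.18; either accept a prerelease suffix or note in the QLDoc that this falls back to flagging. The naming `goVersionAtLeast_1_18` mixes underscores into lowerCamelCase predicate names; `goVersionAtLeast118` or a single `goVersionAtLeast(string v, int minor)` with `bindingset[v, minor]` would also remove the duplicated regex. Finally, `mentionsConfig` uses `getAChild*()`, so `usedAsClient`/`usedAsServer` hold whenever `v` is read anywhere inside the argument expression, including inside a helper call whose result is what is actually passed to `tls.Dial` or `tls.Listen`; that is acceptable for a heuristic, but the predicate comments should say "mentions" rather than "is used as".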
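Review bot: the go.mod hunk pins the test module to `go 1.15`, so the updated .expected file only exercises the Go < 1.18 branch in which every config is flagged; the behaviour this change adds (client configs not flagged for 1.18 to 1.21, nothing flagged for >= 1.22, and the conservative no-go.mod fallback) has no test. Add sibling test directories with `go 1.18` and `go 1.22` go.mod files, and one with no go.mod, each with its own .expected, so regressions in `goVersionAtLeast_1_18` and `goVersionAtLeast_1_22` are caught.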