CWE coverage for Go¶
An overview of CWE coverage for Go in the latest release of CodeQL.
Overview¶
| CWE | Language | Query id | Query name |
|---|---|---|---|
| CWE-20 | Go | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-20 | Go | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE-20 | Go | go/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE-20 | Go | go/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE-20 | Go | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
| CWE-20 | Go | go/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-20 | Go | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
| CWE-22 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-22 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-22 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-23 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-36 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-73 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-74 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-74 | Go | go/command-injection | Command built from user-controlled sources |
| CWE-74 | Go | go/stored-command | Command built from stored data |
| CWE-74 | Go | go/reflected-xss | Reflected cross-site scripting |
| CWE-74 | Go | go/stored-xss | Stored cross-site scripting |
| CWE-74 | Go | go/sql-injection | Database query built from user-controlled sources |
| CWE-74 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-74 | Go | go/xml/xpath-injection | XPath injection |
| CWE-74 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-74 | Go | go/dsn-injection | SQL Data-source URI built from user-controlled sources |
| CWE-74 | Go | go/dsn-injection-local | SQL Data-source URI built from local user-controlled sources |
| CWE-74 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-77 | Go | go/command-injection | Command built from user-controlled sources |
| CWE-77 | Go | go/stored-command | Command built from stored data |
| CWE-77 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-78 | Go | go/command-injection | Command built from user-controlled sources |
| CWE-78 | Go | go/stored-command | Command built from stored data |
| CWE-78 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-79 | Go | go/reflected-xss | Reflected cross-site scripting |
| CWE-79 | Go | go/stored-xss | Stored cross-site scripting |
| CWE-79 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-89 | Go | go/sql-injection | Database query built from user-controlled sources |
| CWE-89 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-90 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-91 | Go | go/xml/xpath-injection | XPath injection |
| CWE-94 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-99 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-116 | Go | go/reflected-xss | Reflected cross-site scripting |
| CWE-116 | Go | go/stored-xss | Stored cross-site scripting |
| CWE-116 | Go | go/log-injection | Log entries created from user input |
| CWE-117 | Go | go/log-injection | Log entries created from user input |
| CWE-118 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-119 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-125 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-126 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-183 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-190 | Go | go/allocation-size-overflow | Size computation for allocation may overflow |
| CWE-190 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-193 | Go | go/index-out-of-bounds | Off-by-one comparison against length |
| CWE-197 | Go | go/shift-out-of-range | Shift out of range |
| CWE-200 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-200 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-200 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
| CWE-203 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
| CWE-209 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-247 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-259 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-284 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
| CWE-284 | Go | go/email-injection | Email content injection |
| CWE-284 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-284 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-284 | Go | go/improper-ldap-auth | Improper LDAP Authentication |
| CWE-284 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-284 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-284 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-285 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-287 | Go | go/email-injection | Email content injection |
| CWE-287 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-287 | Go | go/improper-ldap-auth | Improper LDAP Authentication |
| CWE-287 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-287 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-290 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-295 | Go | go/disabled-certificate-check | Disabled TLS certificate check |
| CWE-311 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-312 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-315 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-321 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-321 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-322 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
| CWE-326 | Go | go/weak-crypto-key | Use of a weak cryptographic key |
| CWE-326 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-327 | Go | go/insecure-tls | Insecure TLS configuration |
| CWE-327 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-328 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-330 | Go | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
| CWE-330 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-330 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-338 | Go | go/insecure-randomness | Use of insufficient randomness as the key of a cryptographic algorithm |
| CWE-344 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-344 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-345 | Go | go/missing-jwt-signature-check | Missing JWT signature check |
| CWE-345 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-345 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-346 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-347 | Go | go/missing-jwt-signature-check | Missing JWT signature check |
| CWE-350 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-352 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-359 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-369 | Go | go/divide-by-zero | Divide by zero |
| CWE-398 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-398 | Go | go/useless-assignment-to-field | Useless assignment to field |
| CWE-398 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-398 | Go | go/duplicate-branches | Duplicate 'if' branches |
| CWE-398 | Go | go/duplicate-condition | Duplicate 'if' condition |
| CWE-398 | Go | go/duplicate-switch-case | Duplicate switch case |
| CWE-398 | Go | go/useless-expression | Expression has no effect |
| CWE-398 | Go | go/redundant-operation | Identical operands |
| CWE-398 | Go | go/redundant-assignment | Self assignment |
| CWE-398 | Go | go/unreachable-statement | Unreachable statement |
| CWE-398 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-400 | Go | go/uncontrolled-allocation-size | Slice memory allocation with excessive size value |
| CWE-405 | Go | go/uncontrolled-file-decompression | Uncontrolled file decompression |
| CWE-409 | Go | go/uncontrolled-file-decompression | Uncontrolled file decompression |
| CWE-441 | Go | go/request-forgery | Uncontrolled data used in network request |
| CWE-441 | Go | go/ssrf | Uncontrolled data used in network request |
| CWE-480 | Go | go/useless-expression | Expression has no effect |
| CWE-480 | Go | go/redundant-operation | Identical operands |
| CWE-480 | Go | go/redundant-assignment | Self assignment |
| CWE-497 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-561 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-561 | Go | go/duplicate-branches | Duplicate 'if' branches |
| CWE-561 | Go | go/duplicate-condition | Duplicate 'if' condition |
| CWE-561 | Go | go/duplicate-switch-case | Duplicate switch case |
| CWE-561 | Go | go/useless-expression | Expression has no effect |
| CWE-561 | Go | go/redundant-operation | Identical operands |
| CWE-561 | Go | go/redundant-assignment | Self assignment |
| CWE-561 | Go | go/unreachable-statement | Unreachable statement |
| CWE-561 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-563 | Go | go/useless-assignment-to-field | Useless assignment to field |
| CWE-563 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-570 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-571 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-592 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-601 | Go | go/bad-redirect-check | Bad redirect check |
| CWE-601 | Go | go/unvalidated-url-redirection | Open URL redirect |
| CWE-610 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-610 | Go | go/bad-redirect-check | Bad redirect check |
| CWE-610 | Go | go/unvalidated-url-redirection | Open URL redirect |
| CWE-610 | Go | go/request-forgery | Uncontrolled data used in network request |
| CWE-610 | Go | go/ssrf | Uncontrolled data used in network request |
| CWE-640 | Go | go/email-injection | Email content injection |
| CWE-642 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-643 | Go | go/xml/xpath-injection | XPath injection |
| CWE-657 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-657 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-664 | Go | go/shift-out-of-range | Shift out of range |
| CWE-664 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-664 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-664 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-664 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-664 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-664 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-664 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
| CWE-664 | Go | go/bad-redirect-check | Bad redirect check |
| CWE-664 | Go | go/unvalidated-url-redirection | Open URL redirect |
| CWE-664 | Go | go/email-injection | Email content injection |
| CWE-664 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-664 | Go | go/uncontrolled-allocation-size | Slice memory allocation with excessive size value |
| CWE-664 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-664 | Go | go/request-forgery | Uncontrolled data used in network request |
| CWE-664 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
| CWE-664 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-664 | Go | go/improper-ldap-auth | Improper LDAP Authentication |
| CWE-664 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-664 | Go | go/uncontrolled-file-decompression | Uncontrolled file decompression |
| CWE-664 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-664 | Go | go/ssrf | Uncontrolled data used in network request |
| CWE-664 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-665 | Go | go/uncontrolled-allocation-size | Slice memory allocation with excessive size value |
| CWE-668 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-668 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-668 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-668 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-668 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-668 | Go | go/timing-attack | Timing attacks due to comparison of sensitive secrets |
| CWE-668 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-670 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-670 | Go | go/useless-expression | Expression has no effect |
| CWE-670 | Go | go/redundant-operation | Identical operands |
| CWE-670 | Go | go/redundant-assignment | Self assignment |
| CWE-671 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-671 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-681 | Go | go/shift-out-of-range | Shift out of range |
| CWE-681 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-682 | Go | go/index-out-of-bounds | Off-by-one comparison against length |
| CWE-682 | Go | go/allocation-size-overflow | Size computation for allocation may overflow |
| CWE-682 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-682 | Go | go/divide-by-zero | Divide by zero |
| CWE-691 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-691 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-691 | Go | go/useless-expression | Expression has no effect |
| CWE-691 | Go | go/redundant-operation | Identical operands |
| CWE-691 | Go | go/redundant-assignment | Self assignment |
| CWE-691 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-693 | Go | go/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE-693 | Go | go/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE-693 | Go | go/incomplete-url-scheme-check | Incomplete URL scheme check |
| CWE-693 | Go | go/regex/missing-regexp-anchor | Missing regular expression anchor |
| CWE-693 | Go | go/suspicious-character-in-regex | Suspicious characters in a regular expression |
| CWE-693 | Go | go/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE-693 | Go | go/untrusted-data-to-unknown-external-api | Untrusted data passed to unknown external API |
| CWE-693 | Go | go/disabled-certificate-check | Disabled TLS certificate check |
| CWE-693 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-693 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
| CWE-693 | Go | go/weak-crypto-key | Use of a weak cryptographic key |
| CWE-693 | Go | go/insecure-tls | Insecure TLS configuration |
| CWE-693 | Go | go/missing-jwt-signature-check | Missing JWT signature check |
| CWE-693 | Go | go/constant-oauth2-state | Use of constant state value in OAuth 2.0 URL |
| CWE-693 | Go | go/email-injection | Email content injection |
| CWE-693 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-693 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-693 | Go | go/improper-ldap-auth | Improper LDAP Authentication |
| CWE-693 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-693 | Go | go/weak-crypto-algorithm | Use of a weak cryptographic algorithm |
| CWE-693 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-693 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-697 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-703 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-704 | Go | go/shift-out-of-range | Shift out of range |
| CWE-704 | Go | go/incorrect-integer-conversion | Incorrect conversion between integer types |
| CWE-706 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-706 | Go | go/unsafe-unzip-symlink | Arbitrary file write extracting an archive containing symbolic links |
| CWE-706 | Go | go/zipslip | Arbitrary file access during archive extraction ("Zip Slip") |
| CWE-707 | Go | go/path-injection | Uncontrolled data used in path expression |
| CWE-707 | Go | go/command-injection | Command built from user-controlled sources |
| CWE-707 | Go | go/stored-command | Command built from stored data |
| CWE-707 | Go | go/reflected-xss | Reflected cross-site scripting |
| CWE-707 | Go | go/stored-xss | Stored cross-site scripting |
| CWE-707 | Go | go/sql-injection | Database query built from user-controlled sources |
| CWE-707 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-707 | Go | go/log-injection | Log entries created from user input |
| CWE-707 | Go | go/xml/xpath-injection | XPath injection |
| CWE-707 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-707 | Go | go/dsn-injection | SQL Data-source URI built from user-controlled sources |
| CWE-707 | Go | go/dsn-injection-local | SQL Data-source URI built from local user-controlled sources |
| CWE-707 | Go | go/html-template-escaping-passthrough | HTML template escaping passthrough |
| CWE-710 | Go | go/comparison-of-identical-expressions | Comparison of identical values |
| CWE-710 | Go | go/useless-assignment-to-field | Useless assignment to field |
| CWE-710 | Go | go/useless-assignment-to-local | Useless assignment to local variable |
| CWE-710 | Go | go/duplicate-branches | Duplicate 'if' branches |
| CWE-710 | Go | go/duplicate-condition | Duplicate 'if' condition |
| CWE-710 | Go | go/duplicate-switch-case | Duplicate switch case |
| CWE-710 | Go | go/useless-expression | Expression has no effect |
| CWE-710 | Go | go/redundant-operation | Identical operands |
| CWE-710 | Go | go/redundant-assignment | Self assignment |
| CWE-710 | Go | go/unreachable-statement | Unreachable statement |
| CWE-710 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-710 | Go | go/pam-auth-bypass | PAM authorization bypass due to incorrect usage |
| CWE-710 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-755 | Go | go/stack-trace-exposure | Information exposure through a stack trace |
| CWE-770 | Go | go/uncontrolled-allocation-size | Slice memory allocation with excessive size value |
| CWE-783 | Go | go/whitespace-contradicts-precedence | Whitespace contradicts operator precedence |
| CWE-788 | Go | go/wrong-usage-of-unsafe | Wrong usage of package unsafe |
| CWE-798 | Go | go/hardcoded-credentials | Hard-coded credentials |
| CWE-798 | Go | go/parse-jwt-with-hardcoded-key | Decoding JWT with hardcoded key |
| CWE-807 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-834 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-835 | Go | go/inconsistent-loop-direction | Inconsistent direction of for loop |
| CWE-913 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-918 | Go | go/request-forgery | Uncontrolled data used in network request |
| CWE-918 | Go | go/ssrf | Uncontrolled data used in network request |
| CWE-922 | Go | go/clear-text-logging | Clear-text logging of sensitive information |
| CWE-923 | Go | go/insecure-hostkeycallback | Use of insecure HostKeyCallback implementation |
| CWE-923 | Go | go/sensitive-condition-bypass | User-controlled bypassing of sensitive action |
| CWE-942 | Go | go/cors-misconfiguration | CORS misconfiguration |
| CWE-943 | Go | go/sql-injection | Database query built from user-controlled sources |
| CWE-943 | Go | go/unsafe-quoting | Potentially unsafe quoting |
| CWE-943 | Go | go/xml/xpath-injection | XPath injection |
| CWE-943 | Go | go/ldap-injection | LDAP query built from user-controlled sources |
| CWE-1004 | Go | go/cookie-httponly-not-set | 'HttpOnly' attribute is not set to true |