gosec
Adds the ability for us to test on all of Go 1.17, 1.18, 1.19
### Summary
```golang
for s, _ := range snm.senders {
	orderedSenders.Set(s, s)
}
```
Results in
```
Check failure on line 87 in types/mempool/sender_nonce.go
GitHub Actions / golangci-lint
File is...
```
I've seen this error
```shell
[/go/src/github.com/cosmos/cosmos-sdk/crypto/hd/hdpath.go:269] - G703 (CWE-): Returned error is not propagated up the stack. (Confidence: HIGH, Severity: LOW)
  268: // sha512 does not err
> 269: _,...
```
time.Now() uses local clocks that, when used in distributed consensus, unfortunately introduce lots of skew and can be exploited in vulnerabilities. Instead there is a consensus-aware clock whose timestamp is...
It would be helpful to check for instances of precision loss when devs divide before multiplying. Doing so in the context of cryptocurrencies can lead to loss of funds....
### Summary
If we look at this cosmos-sdk issue https://github.com/cosmos/cosmos-sdk/issues/7766 we can see that it was fixed by https://github.com/cosmos/cosmos-sdk/pull/8719 and one of the root causes was this code
```go
sort.Slice(balances,...
```
The install.sh script seems to have been copied from the main gosec project. Trying to use it according to the instructions in the README does not work. The script itself...
Requested in #1 by @ebuchman saying
> panics in Begin/EndBlock (these are allowed in tx handling, since they're handled by the SDK, but not in the Begin/EndBlock)
### Summary
There is this cosmos-sdk bug https://github.com/cosmos/cosmos-sdk/issues/5621 in which an sdk.Dec value was cast from an interface{} value and thus can be nil. We really should be able to detect...
Things to check for:
- sensitive imports (unsafe, reflect, runtime, rand, etc.)
- errors are properly propagated (we don't ignore err != nil)
- integer casting/type conversions
- sources of...
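Four of the requests above (time.Now() in consensus code, division before multiplication, a bare x.(T) assertion on a possibly nil interface{} value, and panic in Begin/EndBlock) are checks that a plain go/ast walker can express in a few lines each. The block below is an added example written for this page; it is not code from gosec or cosmos-sdk and does not use gosec's rule API. The rule names, the Finding type and the sample source are made up here, and the rules are deliberately syntactic: they match the identifier `time` rather than the resolved package, treat only the `v, ok := x.(T)` form as a safe assertion (not `var v, ok = x.(T)`), and only look at top-level functions named BeginBlock/EndBlock.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one hit: the rule that fired and the source line it fired on.
type Finding struct {
	Rule string
	Line int
}

// unparen strips parentheses so that `c * (a / b)` is still seen as MUL over QUO.
func unparen(e ast.Expr) ast.Expr {
	for p, ok := e.(*ast.ParenExpr); ok; p, ok = e.(*ast.ParenExpr) {
		e = p.X
	}
	return e
}
// Check parses src and runs four illustrative rules over its AST (a stand-alone walker, not gosec's Rule API).
func Check(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	report := func(rule string, n ast.Node) {
		out = append(out, Finding{rule, fset.Position(n.Pos()).Line})
	}
	// Pass 1: assertions written as `v, ok := x.(T)` cannot panic; remember them.
	safe := map[*ast.TypeAssertExpr]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if s, ok := n.(*ast.AssignStmt); ok && len(s.Lhs) == 2 && len(s.Rhs) == 1 {
			if ta, ok := s.Rhs[0].(*ast.TypeAssertExpr); ok {
				safe[ta] = true
			}
		}
		return true
	})
	// Pass 2: walk each top-level declaration; inBlocker marks BeginBlock/EndBlock bodies.
	for _, d := range f.Decls {
		fn, isFn := d.(*ast.FuncDecl)
		inBlocker := isFn && (fn.Name.Name == "BeginBlock" || fn.Name.Name == "EndBlock")
		ast.Inspect(d, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.CallExpr:
				// panic() in Begin/EndBlock halts the node instead of failing one tx.
				if id, ok := x.Fun.(*ast.Ident); ok && id.Name == "panic" && inBlocker {
					report("panic-in-blocker", x)
				}
				// time.Now(): every validator reads its own wall clock.
				if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
					if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "time" && sel.Sel.Name == "Now" {
						report("time-now", x)
					}
				}
			case *ast.BinaryExpr:
				// (a / b) * c: integer division truncates before the multiplication.
				if x.Op == token.MUL {
					for _, side := range []ast.Expr{x.X, x.Y} {
						if b, ok := unparen(side).(*ast.BinaryExpr); ok && b.Op == token.QUO {
							report("div-before-mul", x)
							break
						}
					}
				}
			case *ast.TypeAssertExpr:
				// Bare x.(T) panics on nil or a mismatch; Type == nil is `switch x.(type)`, which is safe.
				if x.Type != nil && !safe[x] {
					report("unchecked-type-assert", x)
				}
			}
			return true
		})
	}
	return out, nil
}

// sample is constructed input for this page, not code from any project.
const sample = `package demo
import "time"
type Dec struct{}
func ratio(a, b, c int64) int64 { return a / b * c }
func stamp() int64 { return time.Now().Unix() }
func toDec(v interface{}) Dec { return v.(Dec) }
func isDec(v interface{}) bool { _, ok := v.(Dec); return ok }
func EndBlock() { panic("not allowed here") }
`

func main() {
	findings, _ := Check(sample) // sample is valid Go, so err is nil here
	for _, f := range findings {
		fmt.Printf("%-22s line %d\n", f.Rule, f.Line)
	}
}
```

Run against the constructed sample it reports one finding per line 4, 5, 6 and 8 and stays quiet on the comma-ok assertion. Inside gosec each of these would become one rule with its own G-number, and the time.Now() and type-assertion matches would use the type-checked package information gosec hands to a rule rather than bare identifier names, but the shape of the match is the same.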