jfrog-cli-core icon indicating copy to clipboard operation
jfrog-cli-core copied to clipboard
verified publisher icon jfrog

JGC-429 - Bump go 1.25.4

Open ehl-jf opened this issue 2 months ago • 9 comments

  • [ ] All tests passed. If this feature is not already covered by the tests, I added new tests.
  • [ ] All static analysis checks passed.
  • [ ] This pull request is on the master branch.
  • [ ] I used gofmt for formatting the code before submitting the pull request.

ehl-jf avatar Nov 06 '25 14:11 ehl-jf

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 11 issues
Scan Category Status Security Issues
Software Composition Analysis ✅ Done Not Found
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done
11 Issues Found 3 High
5 Medium
3 Low
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

body

at artifactory/commands/transferfiles/utils_test.go (line 213)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
high
High		 Deserializing untrusted data without validation
Full description

Vulnerability Details
Rule ID: go-unsafe-deserialization

Overview

Unsafe deserialization in Go occurs when a program deserializes untrusted data with a potentially dangerous deserializer. Deserialization is the process of converting serialized data (data that has been converted into a format that can be easily transmitted or stored) back into its original form. In some ("unsafe") serialization protocols, if an attacker is able to manipulate the serialized data, they may be able to execute arbitrary code or perform other malicious actions when the data is deserialized.

Vulnerable example

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.Unmarshal([]byte(r.URL.Query().Get("data")), &data) // NOT OK
}

This code uses yaml.Unmarshal to deserialize untrusted data from the user, with a potentially dangerous deserializer.

Remediation

import (
    "github.com/go-yaml/yaml"
    "net/http"
)

func storeHandler(w http.ResponseWriter, r *http.Request) {
    var data map[string]interface{}
    yaml.UnmarshalStrict([]byte(r.URL.Query().Get("data")), &data) // SAFE
}

Using yaml.UnmarshalStrict solves the problem by ensuring a safe serialization protocol.

Code Flows
Vulnerable data flow analysis result

↘️ r.Body (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ io.ReadAll(r.Body) (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ body (at artifactory/commands/transferfiles/utils_test.go line 210)

↘️ body (at artifactory/commands/transferfiles/utils_test.go line 213)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 465)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
high
High		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled input, such as file names or paths, is stored by the application and later used without proper validation or sanitization to perform file operations. This can allow an attacker to traverse directories and access or overwrite sensitive files on the filesystem, potentially compromising the security and integrity of the application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query parameter provided by the user. However, in a real-world scenario, the filePath variable might be retrieved from a stored source, such as a database or configuration file, instead of being directly obtained from the request URL. The vulnerability arises if the stored filePath is not properly validated or sanitized before being used to serve files. Attackers could manipulate the stored filePath to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate and sanitize user-controlled input before using it to construct file paths or perform file operations. In this example, we can validate the file name to ensure it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 465)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 461)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled input, such as file names or paths, is stored by the application and later used without proper validation or sanitization to perform file operations. This can allow an attacker to traverse directories and access or overwrite sensitive files on the filesystem, potentially compromising the security and integrity of the application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query parameter provided by the user. However, in a real-world scenario, the filePath variable might be retrieved from a stored source, such as a database or configuration file, instead of being directly obtained from the request URL. The vulnerability arises if the stored filePath is not properly validated or sanitized before being used to serve files. Attackers could manipulate the stored filePath to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate and sanitize user-controlled input before using it to construct file paths or perform file operations. In this example, we can validate the file name to ensure it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 451)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 461)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 739)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled input, such as file names or paths, is stored by the application and later used without proper validation or sanitization to perform file operations. This can allow an attacker to traverse directories and access or overwrite sensitive files on the filesystem, potentially compromising the security and integrity of the application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query parameter provided by the user. However, in a real-world scenario, the filePath variable might be retrieved from a stored source, such as a database or configuration file, instead of being directly obtained from the request URL. The vulnerability arises if the stored filePath is not properly validated or sanitized before being used to serve files. Attackers could manipulate the stored filePath to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate and sanitize user-controlled input before using it to construct file paths or perform file operations. In this example, we can validate the file name to ensure it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 739)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

transferDir

at artifactory/commands/transferfiles/transfer.go (line 747)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled input, such as file names or paths, is stored by the application and later used without proper validation or sanitization to perform file operations. This can allow an attacker to traverse directories and access or overwrite sensitive files on the filesystem, potentially compromising the security and integrity of the application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query parameter provided by the user. However, in a real-world scenario, the filePath variable might be retrieved from a stored source, such as a database or configuration file, instead of being directly obtained from the request URL. The vulnerability arises if the stored filePath is not properly validated or sanitized before being used to serve files. Attackers could manipulate the stored filePath to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate and sanitize user-controlled input before using it to construct file paths or perform file operations. In this example, we can validate the file name to ensure it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ coreutils.GetJfrogTransferDir() (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 734)

↘️ transferDir (at artifactory/commands/transferfiles/transfer.go line 747)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

snapshotDir

at artifactory/commands/transferfiles/state/statemanager.go (line 480)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored input used in file paths, allowing access to unintended files.
Full description

Vulnerability Details
Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled input, such as file names or paths, is stored by the application and later used without proper validation or sanitization to perform file operations. This can allow an attacker to traverse directories and access or overwrite sensitive files on the filesystem, potentially compromising the security and integrity of the application or system.

Vulnerable example

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}

In this example, the serveFile function serves a file based on the file query parameter provided by the user. However, in a real-world scenario, the filePath variable might be retrieved from a stored source, such as a database or configuration file, instead of being directly obtained from the request URL. The vulnerability arises if the stored filePath is not properly validated or sanitized before being used to serve files. Attackers could manipulate the stored filePath to perform directory traversal attacks, potentially accessing sensitive files outside the intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate and sanitize user-controlled input before using it to construct file paths or perform file operations. In this example, we can validate the file name to ensure it does not contain directory traversal sequences before serving the file.

func serveFile(w http.ResponseWriter, r *http.Request) {
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    row.Scan(&filePath)
+    // Validate file path to prevent directory traversal
+    if strings.Contains(filePath, "..") {
+        http.Error(w, "Invalid file path", http.StatusBadRequest)
+        return
+    }
    http.ServeFile(w, r, filePath)
}
Code Flows
Vulnerable data flow analysis result

↘️ os.Getenv(HomeDir) (at utils/coreutils/utils.go line 312)

↘️ return os.Getenv(HomeDir), nil (at utils/coreutils/utils.go line 312)

↘️ (string, error) (at utils/coreutils/utils.go line 310)

↘️ GetJfrogHomeDir() (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 589)

↘️ homeDir (at utils/coreutils/utils.go line 593)

↘️ filepath.Join(homeDir, JfrogTransferDirName) (at utils/coreutils/utils.go line 593)

↘️ return filepath.Join(homeDir, JfrogTransferDirName), nil (at utils/coreutils/utils.go line 593)

↘️ (string, error) (at utils/coreutils/utils.go line 588)

↘️ GetJfrogTransferDir() (at utils/coreutils/utils.go line 458)

↘️ transferDir (at utils/coreutils/utils.go line 458)

↘️ transferDir (at utils/coreutils/utils.go line 462)

↘️ filepath.Join(transferDir, JfrogTransferRepositoriesDirName) (at utils/coreutils/utils.go line 462)

↘️ return filepath.Join(transferDir, JfrogTransferRepositoriesDirName), nil (at utils/coreutils/utils.go line 462)

↘️ (string, error) (at utils/coreutils/utils.go line 457)

↘️ coreutils.GetJfrogTransferRepositoriesDir() (at artifactory/commands/transferfiles/state/utils.go line 84)

↘️ reposDir (at artifactory/commands/transferfiles/state/utils.go line 84)

↘️ reposDir (at artifactory/commands/transferfiles/state/utils.go line 93)

↘️ filepath.Join(reposDir, repoHash) (at artifactory/commands/transferfiles/state/utils.go line 93)

↘️ repoDir (at artifactory/commands/transferfiles/state/utils.go line 99)

↘️ return repoDir, nil (at artifactory/commands/transferfiles/state/utils.go line 99)

↘️ (string, error) (at artifactory/commands/transferfiles/state/utils.go line 83)

↘️ GetRepositoryTransferDir(repoKey) (at artifactory/commands/transferfiles/state/utils.go line 111)

↘️ transferDir (at artifactory/commands/transferfiles/state/utils.go line 111)

↘️ transferDir (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ filepath.Join(transferDir, subDirName) (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ return filepath.Join(transferDir, subDirName), nil (at artifactory/commands/transferfiles/state/utils.go line 115)

↘️ (string, error) (at artifactory/commands/transferfiles/state/utils.go line 110)

↘️ GetJfrogTransferRepoSubDir(repoKey, coreutils.JfrogTransferSnapshotDirName) (at artifactory/commands/transferfiles/state/statemanager.go line 468)

↘️ (string, error) (at artifactory/commands/transferfiles/state/statemanager.go line 467)

↘️ GetJfrogTransferRepoSnapshotDir(repoKey) (at artifactory/commands/transferfiles/state/statemanager.go line 472)

↘️ snapshotDir (at artifactory/commands/transferfiles/state/statemanager.go line 472)

↘️ snapshotDir (at artifactory/commands/transferfiles/state/statemanager.go line 480)



github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

os.Setenv("JENKINS_URL", "http://jenkins.test")

at common/commands/metrics_collector_test.go (line 631)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive data during transmission, making it vulnerable to eavesdropping and man-in-the-middle attacks. Secure protocols like HTTPS and FTPS should be used to ensure data encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate, taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded insecure protocols (HTTP and FTP) to connect, making communications susceptible to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "https://", // Insecure protocol
        InsecureFtpProtocol:  "ftps://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes secure protocols (HTTPS and FTPS) to ensure that communications are encrypted, thereby protecting sensitive data.


github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot] 

{"Jenkins", "JENKINS_URL", "http://jenkins.example.com", "jenkins"}

at common/commands/metrics_collector_test.go (line 213)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive data during transmission, making it vulnerable to eavesdropping and man-in-the-middle attacks. Secure protocols like HTTPS and FTPS should be used to ensure data encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate, taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded insecure protocols (HTTP and FTP) to connect, making communications susceptible to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "https://", // Insecure protocol
        InsecureFtpProtocol:  "ftps://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes secure protocols (HTTPS and FTPS) to ensure that communications are encrypted, thereby protecting sensitive data.


github-actions[bot] avatar Nov 06 '25 17:11 github-actions[bot]