Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Go static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your GO code

Tags

Impact

Clean code attribute

File existence checks followed by file creation should use atomic operations
Vulnerability
Busy waiting loops should use proper synchronization
Bug
Context should not be stored in struct fields
Code Smell
Context parameters should be reused instead of creating new background contexts
Code Smell
Package imports should be consistent and avoid redundancy
Code Smell
Variables should be used
Code Smell
Consecutive function parameters with the same type should be grouped
Code Smell
HTTP response bodies should be closed to prevent resource leaks
Bug
Deprecated "InterfaceData" method should not be used
Bug
Named types should be used instead of anonymous structs for complex nested structures
Code Smell
Use "bytes.Equal" instead of "bytes.Compare" for equality checks
Code Smell
Single-method interface names should follow Go naming conventions
Code Smell
Variables in if short statements should be used beyond just the condition
Code Smell
Context cancellation functions should be deferred
Code Smell
Blank imports should be documented to explain their purpose
Code Smell
Semicolons should not be used unnecessarily
Code Smell
Database transactions should be properly handled with rollback mechanisms
Bug
Test functions should not call "t.Fatal" from separate goroutines
Bug
Import statements should be factored into a single block
Code Smell
Credentials should not be hard-coded
Vulnerability
Hard-coded secrets are security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Using publicly writable directories is security-sensitive
Security Hotspot
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Multi-line comments should not be empty
Code Smell
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Functions should not have identical implementations
Code Smell
Searching OS commands in PATH is security-sensitive
Security Hotspot
All branches in a conditional structure should not have exactly the same implementation
Bug
Cognitive Complexity of functions should not be too high
Code Smell
Database queries should not be vulnerable to injection attacks
Vulnerability
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Non-existent operators like "=+" should not be used
Bug
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Go parser failure
Code Smell
Go parser failure
Code Smell
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
Formatting SQL queries is security-sensitive
Security Hotspot
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
Boolean checks should not be inverted
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
"switch" statements should not be nested
Code Smell
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Variables should not be self-assigned
Bug
"switch" statements should not have too many "case" clauses
Code Smell
Track lack of copyright and license headers
Code Smell
Functions and methods should not have too many lines
Code Smell
Control flow statements "if", "for" and "switch" should not be nested too deeply
Code Smell
Octal values should not be used
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"switch" statements should have "default" clauses
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Statements should be on separate lines
Code Smell
String literals should not be duplicated
Code Smell
Functions should not be empty
Code Smell
Unused function parameters should be removed
Code Smell
Local variable and function parameter names should comply with a naming convention
Code Smell
"switch case" clauses should not have too many lines
Code Smell
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Boolean literals should not be redundant
Code Smell
Empty statements should be removed
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Functions should not have too many parameters
Code Smell
Expressions should not be too complex
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Function names should comply with a naming convention
Code Smell

Using hardcoded IP addresses is security-sensitive

responsibility - trustworthy

security

Security Hotspot

Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:

CVE-2006-5901
CVE-2005-3725

Today’s services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery, and deployment:

The developers will have to do a rapid fix every time this happens, instead of having an operation team change a configuration file.
It misleads to use the same address in every environment (dev, sys, qa, prod).

Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which will increase an attack’s impact.

Ask Yourself Whether

The disclosed IP address is sensitive, e.g.:

Can give information to an attacker about the network topology.
It’s a personal (assigned to an identifiable person) IP address.

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Don’t hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having to rebuild the software.

Sensitive Code Example

var (
  ip   = "192.168.12.42"
  port = 3333
)

SocketClient(ip, port)

Compliant Solution

config, err := ReadConfig("properties.ini")

ip := config["ip"]
port := config["ip"]

SocketClient(ip, port)

Exceptions

No issue is reported for the following cases because they are not considered sensitive:

Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255)
Broadcast address 255.255.255.255
Non-routable address 0.0.0.0
Strings of the form 2.5.<number>.<number> as they often match Object Identifiers (OID)
Addresses in the ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, reserved for documentation purposes by RFC 5737
Addresses in the range 2001:db8::/32, reserved for documentation purposes by RFC 3849

See

OWASP - Top 10 2021 Category A1 - Broken Access Control
OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted