SAST Engine Pack Version 9.7.6 - Go Frameworks

Overview

CxQL version 9.7.6 introduces enhanced security analysis for Go applications with 44 new and updated queries, expanding framework support and language-specific detection capabilities. All new queries are backward compatible. Existing query implementations remain unchanged. New queries are additive only and do not modify existing detection logic. This release focuses on emerging threats, modern cryptography compliance, and support for the latest Go ecosystem frameworks.

New Framework Support

1. LDAP Framework Support (NEW)

Detection of LDAP injection vulnerabilities in Go applications using LDAP directory services.

Supported Package: ldap package

LDAP Operations Tracked:

NewAddRequest() - Adding directory entries
NewModifyRequest() - Modifying directory entries
NewDelRequest() - Deleting directory entries
Compare() - Comparing attribute values
NewSearchRequest() - Searching directory

New Queries:

LDAP_Injection (CWE-90) - Detects LDAP injection in untrusted inputs
Stored_LDAP_Injection (CWE-90) - Detects LDAP injection from stored data
Find_LDAP_Injection - Helper query for LDAP injection sources and sinks

Related Severity: High Risk

2. XPath/XML Query Support (ENHANCED)

Enhanced detection of XPath injection vulnerabilities with improved framework coverage.

Supported Packages:

xpath package - XPath query execution
xmlquery package - XML document querying

New Queries:

XPath_Injection (CWE-643) - Detects dynamic XPath injection
Stored_XPath_Injection - Detects XPath injection from stored inputs
Find_XPath_Injection_Outputs - Identifies XPath query sinks
Find_XPath_Injection_Sanitizers - Tracks XPath sanitization methods

Related Severity: Medium Threat

3. Database ORM Frameworks (EXPANDED)

Significant expansion of database framework coverage for SQL injection detection.

a) GORM (ORM Framework)

Explicit support for GORM's Query Builder and Raw SQL execution
New Queries: Find_GORM_DB_In, Find_GORM_DB_Out, Find_GORM_SQL_Injection_Sanitizers

b) Beego Framework

Enhanced ORM support with Built-in SQL execution detection
New Queries: Find_Beego_BuiltIn_SQL_Execution, Find_Beego_ORM, Find_Beego_DB_In/Out, Find_Beego_SQL_Injection_Sanitizers

c) Meddler ORM (NEW)

Full support for Meddler ORM - a lightweight database layer
Supported Methods: Insert(), Save(), Update(), QueryRow(), QueryAll()
New Queries: Find_Meddler_DB_In, Find_Meddler_DB_Out, Find_Meddler_Methods, Find_Meddler_SQL_Injection_Sanitizers

d) PostgreSQL (go-pg ORM) (ENHANCED)

Explicit PostgreSQL ORM support via go-pg package
New Queries: Find_PostGres_DB_In/Out, Find_PostGres_SQL_Injection_Sanitizers

e) Standard Go SQL Package (ENHANCED)

More explicit tracking of Go's native database/sql package
Improved data flow analysis for direct SQL execution
New Queries: Find_Std_SQL_DB_In/Out/Conn, Find_Std_SQL_Injection_Sanitizers

f) Cassandra Database (ENHANCED)

Enhanced support for Cassandra NoSQL operations
New Queries: Find_Cassandra_DB_In/Out, Find_Cassandra_SQL_Injection_Sanitizers

Total Database Frameworks Supported: 8+

Related Severity: Critical Risk, High Risk

6. Go Language Features (NEW)

a) Concurrency & Mutex Safety

New support for Go's synchronization primitives
Tracks: sync.Mutex, sync.RWMutex lock/unlock operations
Query: Improper_Locking (CWE-667) - Detects missing or improper mutex protection

b) TLS/Cryptography

Enhanced TLS configuration analysis with modern cipher suite support
Query: Insecure_TLS_Configuration ( CWE-326)
Tracks: TLS 1.2, TLS 1.3, AES-GCM, ECDHE, ChaCha20-Poly1305
Detects insecure cipher suites and protocol downgrade vulnerabilities

c) Template Injection (SSTI)

New support for Server-Side Template Injection detection
Supported Packages: html/template, text/template
Query: Server_Side_Template_Injection (QueryId: 9049, CWE-1336)
Detects unescaped user input in server-side templates

d) Plugin System

New support for Go's dynamic plugin loading
Tracks: plugin.Open() calls with untrusted plugin paths
Query: Dangerous_File_Inclusion (CWE-829)

New Security Detections

New Vulnerability Queries

Query	CWE	Category	Description
`Server_Side_Template_Injection`	1336	Critical Risk	Detects SSTI in Go templates
`LDAP_Injection`	90	High Risk	Detects LDAP directory injection
`Stored_LDAP_Injection`	90	High Risk	Detects stored LDAP injection
`Dangerous_File_Inclusion`	829	High Risk	Detects plugin path traversal
`XPath_Injection`	643	Medium Threat	Detects XPath query injection
`Stored_XPath_Injection`	643	Medium Threat	Detects stored XPath injection
`Length_Extension_Attack`	326	Medium Threat	Detects hash function vulnerabilities (MD5, SHA1, SHA256, SHA512)
`Insecure_TLS_Configuration`	326	Medium Threat	Detects weak TLS/SSL configurations
`Improper_Locking`	667	Medium Threat	Detects missing mutex protection
`Encoding_Used_Instead_of_Encryption`	327	Medium Threat	Detects misuse of encoding vs encryption
`Uncontrolled_Memory_Allocation`	770	Medium Threat	Detects potential DoS through memory exhaustion

New Low Visibility Detections

Improper_Transaction_Handling - Database transaction management
Improper_Resource_Shutdown_or_Release - Resource cleanup issues
Heap_Inspection - Memory inspection vulnerabilities
Cookie_Overly_Broad_Path - Overly permissive cookie path settings
Incorrect_Permission_Assignment_For_File_System_Resources - File permission issues
Misconfigured_X_Content_Type_Options - Missing MIME type protection headers
Missing_Framing_Policy - Missing clickjacking protection (X-Frame-Options)
Weak_Post_Quantum_Cryptography - Deprecated PQC algorithms
Off_by_One_Error - Index boundary errors
Trust_Boundary_Violation_in_Session_Variables - Session variable validation
Insufficient_Session_Expiration - Session timeout issues
Deprecated_Modules_Libraries_or_Packages - Tracking of deprecated dependencies

In this section: