Skip to content

Add support for Golang (gocrypto)#361

Merged
n1ckl0sk0rtge merged 60 commits into
mainfrom
feature/add-go-support
Jan 24, 2026
Merged

Add support for Golang (gocrypto)#361
n1ckl0sk0rtge merged 60 commits into
mainfrom
feature/add-go-support

Conversation

@n1ckl0sk0rtge

@n1ckl0sk0rtge n1ckl0sk0rtge commented Jan 23, 2026

Copy link
Copy Markdown
Contributor

Add Golang (crypto) support to the plugin.

FYI @san-zrl

@n1ckl0sk0rtge n1ckl0sk0rtge self-assigned this Jan 23, 2026
@n1ckl0sk0rtge n1ckl0sk0rtge added the enhancement New feature or request label Jan 23, 2026
n1ckl0sk0rtge and others added 28 commits January 24, 2026 13:45
- Add GoDetectionEngine implementing IDetectionEngine<Tree, Void>
  - Handles function invocation analysis for Go code
  - Supports value resolution from literals and identifiers
  - Symbol-related methods return empty (Go API doesn't expose symbols)
- Add GoLanguageSupport implementing ILanguageSupport
  - Provides translation, detection engine, and executive creation
  - Uses no-op visitor factory (Go uses registration-based pattern)
- Register Go in LanguageSupporter via goLanguageSupporter() method
- Add comprehensive unit tests for all new classes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update GoDetectionEngine to use org.sonar.go.symbols.Symbol type
  - Implement getAssignedSymbol() using HasSymbol interface
  - Implement getMethodInvocationParameterSymbol() with proper symbol tracking
- Update GoLanguageSupport to use Symbol type
  - Implement createMethodMatcherBasedOn() using FunctionDeclarationTree
  - Support receiver types and package names for method matching
  - Implement getEnclosingMethod() for FunctionDeclarationTree
  - Implement createSimpleEnumMatcherFor() using EnumMatcher
- Update LanguageSupporter.goLanguageSupporter() return type
- Add comprehensive tests for symbol handling and method matching

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use FunctionDeclarationTree.formalParameters() and ParameterTree
- Match parameter names between definition and invocation
- Extract corresponding argument from function invocation
- Add comprehensive tests for parameter extraction

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create GoBaseMethodVisitor extending TreeVisitor<TreeContext>
- Register handler for FunctionInvocationTree to run detection
- Update GoLanguageSupport to use GoBaseMethodVisitor::new as factory
- Apply spotless formatting fixes to Go engine classes

This aligns with the Java BaseTreeVisitor pattern for AST traversal.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add go/ module directory structure
- Create go/pom.xml with dependencies on engine, output, enricher, rules
- Register go module in parent POM

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create GoAggregator following Python module pattern
- Provides language support access and node aggregation
- Add basic tests for GoAggregator

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create GoBaseDetectionRule using Go registration pattern (InitContext)
- Create GoDetectionRules placeholder for detection rules
- Create GoTranslationProcess for translate/reorganize/enrich pipeline
- Create GoTranslator for value translation
- Create GoReorganizerRules with standard reorganizer rules

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create GoInventoryRule extending GoBaseDetectionRule
- Create GoRuleList with Go check registration
- Create GoScannerRuleDefinition for SonarQube rule registration
- Add Inventory rule metadata (json, html)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create GoCryptoAES detection rule for crypto/aes.NewCipher
- Register GoCryptoAES in GoDetectionRules
- Create GoTestBase for test infrastructure
- Add unit tests for GoCryptoAES detection rule
- Add sample Go test file demonstrating AES usage

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…slation context

- Add `GenerateAssertsHelper` class for automatic generation of test assertions
- Create `GoCipherContextTranslator` for translating AES-related contexts
- Enhance `GoCryptoAESTest` with assertion helper integration
- Update `GoTranslator` to delegate translation to `GoCipherContextTranslator`
- Minor refactor in `GoDetectionEngine` and test utilities to improve readability and annotation usage

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…alidation

- Remove deprecated `GenerateAssertsHelper` usage
- Add validation for `BlockCipher`, `BlockSize`, and `Oid` nodes during translation
- Simplify comments and enhance test structure for improved readability

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…ection logic

- Remove obsolete `GoDetectionEngineTest` class and associated tests
- Refactor `GoDetectionEngine` to improve nested value resolution and tree traversal
- Update `resolveValues` to support complex usages, function calls, and member selection
- Enhance `GoTranslator` and `GoCryptoAES` with additional imports for key size detection

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…tree resolution

- Add support for detecting AES key sizes and updating translation logic
- Extend GoCryptoAESTest with validations for KeySize, KeyLength, and BlockCipher nodes
- Refactor GoDetectionEngine to resolve `make()` arguments for array size extraction
- Update expected outputs in GoCryptoAESTestFile and adjust test cases accordingly

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…ware invocation

- Add `FunctionInvocationWithIdentifiersTree` to represent invocations with associated identifiers
- Enhance `GoCryptoAES` to detect GCM mode and add dependent detection rules
- Update `GoDetectionEngine` to process block-scoped function invocations and variable initializers
- Refactor `GoCryptoAESTest` to validate detection of GCM mode and extended AES attributes
- Add `GCM` support to `GoCipherContextTranslator` for mode translation

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
… context and improve validation

- Replace `BlockCipher` with `AuthenticatedEncryption` validation
- Adjust test logic for `GCM` mode and key length verification
- Update expected test outputs in `GoCryptoAESTestFile`

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
Implement detection rules for crypto/md5, crypto/sha1, crypto/sha256,
crypto/sha512, crypto/hmac, crypto/rand, crypto/rsa, crypto/elliptic,
and crypto/ecdsa packages. Add cipher mode support (CBC, CFB, CTR) to
existing AES detection.

New context translators:
- GoDigestContextTranslator for hash algorithms
- GoMacContextTranslator for HMAC
- GoPRNGContextTranslator for crypto/rand
- GoKeyContextTranslator for key generation
- GoSignatureContextTranslator for signing operations

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Enable RSA test (crypto/rsa IS embedded in sonar-go-to-slang binary)
- Fix expected test output: RSA-2048 instead of RSA
- Update @disabled annotations with accurate explanation: the binary has
  embedded gc export data for crypto/aes, cipher, des, dsa, md5, rand,
  rc4, rsa, sha1, sha256, sha512, tls, x509 but NOT for hmac, elliptic,
  or ecdsa

Tests: 10 passing, 3 skipped (hmac, elliptic, ecdsa due to binary limits)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…g Go modules

- Add `GoConverter` supporting Go module parsing with maximum file size validation
- Implement `GoParseWithExistingBinaryCommand` to enable testing with prebuilt sonar-go-to-slang binaries
- Update `GoVerifier` to leverage the new converter for enhanced test validation
- Replace deprecated Go parser invocation in GoCryptoHMACTest

Tests: all passing, except for skipped HMAC due to binary limitations
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Implement comprehensive rules for detecting hash algorithms, HMAC, RSA, and SHA-based patterns.
- Refactor GoDetectionEngine to handle member select trees for function references.
- Extend detection and translation support for cryptographic functions passed as parameters.
- Update tests to validate HMAC and SHA-related structures and outputs.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
Document Go crypto standard library support in the language table and
add instructions for rebuilding sonar-go-to-slang with additional
package export data for crypto packages like hmac, elliptic, and ecdsa.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
n1ckl0sk0rtge and others added 21 commits January 24, 2026 13:45
…ules

- Modify detection rules to replace "CSPRNG" with "NATIVEPRNG" for Go's crypto/rand package.
- Add a new detection rule for the `crypto/rand.Reader` constructor in `GoCryptoRand`.
- Update translators for PRNG contexts and reorganize imports for consistency.
- Refine test cases to include `NATIVEPRNG` validations and enhance crypto/rand-specific testing logic.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…ling

- Update detection rules for `crypto/ecdsa` by refining `SignASN1` and `VerifyASN1` context handling with `SignatureAction`.
- Introduce specific method parameter validations and dependent detection rules for key generation (`GenerateKey`).
- Extend test cases to validate ECDSA context, including elliptic curve, PRNG, and signature verification logic.
- Refactor imports and reorganize code for better readability and maintainability.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…mproved handling

- Refine detection rules for `crypto/ecdsa` by introducing dependent detection for `GenerateKey`.
- Replace `ValueActionFactory` with `SignatureActionFactory` for `Sign` and `Verify` operations.
- Enhance parameter handling for better context validation.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…d improved handling

Use SignatureActionFactory for Sign/Verify/VerifyWithOptions methods,
add dependent detection rules linking back to key generation, and use
specific parameter types instead of wildcards. Restructure tests to
separately verify key generation, signing, and verification with full
enriched translation assertions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Extend `GoKeyContextTranslator` to detect and handle `SaltSize` in addition to existing parameter types.
- Modify test logic in `GoCryptoHKDFTest` to validate detection and translation of `SaltSize`, `KeySize`, and related components.
- Update test files to reflect enriched translations, including `KeyDerivationFunction` details like `HKDF-SHA256`.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Implement `GoCryptoHKDFExpandTest` to validate detection and translation of HKDF key expansion with enriched assertions.
- Expand detection rules in `GoCryptoHKDF` to include method parameter checks and dependent rules for better context validation.
- Refactor test logic and update test files to support new HKDF details.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Introduce `GoCryptoKEMMapper` to map ML-KEM algorithm names to internal model classes.
- Add `GoCryptoMLKEM` with detection rules for key encapsulation and decapsulation operations, supporting ML-KEM-768 and ML-KEM-1024.
- Implement test cases to validate detection and enriched translation of ML-KEM functionalities.
- Include rules for operations like `GenerateKey`, `EncapsulationKey`, and `Decapsulate` with dependency linking for enhanced handling.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…psulation actions

- Introduce `GoCryptoKEMMapper` for ML-KEM mappings with encapsulation/decapsulation support in `GoKeyContextTranslator`.
- Expand `KeyAction` to include encapsulation and decapsulation actions.
- Update HKDF detection rules to include dependencies for enriched context handling, such as message digest and salt length.
- Refactor and update test cases to validate improved translations (`HKDF-SHA256`) and new KEM-related functionalities.
- Add `GoCryptoMLKEM` to integrate KEM detection rules and enhance coverage for cryptographic patterns.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…ration handling

- Introduce detection rules for PBKDF2 in Go's standard library (`crypto/pbkdf2`) and extend existing support for legacy implementations.
- Enhance `GoKeyContextTranslator` with `IterationCount` and enrich translation logic to include iterations, key size, salt size, and hash function details.
- Refactor test cases to validate detection and translation for PBKDF2 (`PBKDF2-SHA256`) with fully enriched assertions.
- Add `IterationCount` model and factory for precise iteration handling and improved context validation.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Introduce `GoCryptoRC4` detection rules for identifying usage of RC4 cipher operations, including `NewCipher` and `XORKeyStream`.
- Update `GoDetectionRules` to integrate RC4 rules for Go crypto detection.
- Extend `GoCipherContextTranslator` to support `RC4` cipher algorithm with detection and context translation.
- Add unit tests in `GoCryptoRC4Test` to validate detection and translation logic.
- Include test files to illustrate noncompliance for RC4 cipher usage in Go code.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Introduce detection rules for RSA encryption (`EncryptOAEP`, `EncryptPKCS1v15`) and signing (`SignPKCS1v15`, `SignPSS`) in Go's crypto package.
- Extend `GoCryptoRSA` mapper to handle RSA-specific detection and enrich translations, including padding, key length, and OID details.
- Add corresponding test classes and files to validate detection (`GoCryptoRSAEncryptOAEPTest`, `GoCryptoRSAEncryptPKCS1v15Test`, `GoCryptoRSASignPKCS1v15Test`, `GoCryptoRSASignPSSTest`) with enriched context assertions.
- Update test files to illustrate noncompliant cases for RSA operations, such as unsupported key lengths and padding schemes.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
… handling

- Implement detection rules for key TLS operations in Go's `crypto/tls`, including `Dial`, `DialWithDialer`, `Listen`, `Server`, and `Client`.
- Introduce dependent detection rules for cipher suites (`GoCryptoTLSCipherSuites`) and TLS versions (`GoCryptoTLSVersions`) to handle `*tls.Config` parameters.
- Add test cases (`GoCryptoTLSTest`) and test files to validate detection of TLS connections, configurations, and associated noncompliance scenarios.
- Extend the detection model to map cipher suite and version details for enriched context validation.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…arameter processing logic

- Simplify internal methods by eliminating the unused `traceSymbol` parameter across the detection logic.
- Consolidate parameter processing into a reusable `processParameter` method to reduce duplication and improve maintainability.
- Introduce `emitDetectionAndGetRule` for streamlined initial method detection and rule retrieval.
- Enhance the structure of parameter handling with support for nested expressions and dependent detection rules

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Remove `GoCryptoTLSCipherSuites` and `GoCryptoTLSVersions` detection rules.
- Introduce `GoCryptoTLSVersionMapper` for streamlined version parsing and mapping.
- Simplify test case structure in `GoCryptoTLSTestFile.go` by removing unused TLS configurations.
- Add `CipherSuiteReorganizer` rule to enhance the handling of TLS configurations.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…tion merging

- Add enriched context assertions in `GoCryptoTLSTest` for TLS protocol and cipher suite validations.
- Replace `MergeableCollection` with `AbstractAssetCollection` to generalize asset collection merging.
- Implement `createMerged` in collection classes for streamlined merging logic.
- Update test files to reflect consistent handling of TLS versions and cipher suites.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…r for future work in Go detection rules

- Deleted `.junie/guidelines.md` as it is no longer relevant or required.
- Added a placeholder comment for GoCryptoX509 detection rules in `GoDetectionRules.java`.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…ndencies

- Deleted Go language support test classes (`GoLanguageSupportTest`, `GoLanguageTranslationTest`, `GoScanContextTest`, `LanguageSupporterGoTest`).
- Removed redundant test-related imports and static assertions from `GoCryptoTLSTest`.
- Updated `pom.xml` to exclude obsolete test dependencies.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
…s in Sonar plugin

- Implement new `CryptoGoSensor` for Go language to perform cryptography detection rules.
- Update `pom.xml` to include Go language in `requiredForLanguages`.
- Remove unused Go dependency entries from `pom.xml`.
- Register `CryptoGoSensor` in `CryptographyPlugin` for sonar-go integration.
- Include Go nodes in `ScannerManager` node aggregation.
- Update Docker Compose SonarQube version to `26.1.0.118079-community`.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
… handling

- Removed `filterOutFilesFromCache`, `writeHashToCache`, and associated cache logic.
- Simplified tree handling by eliminating intermediate `CacheEntry` abstraction.
- Refactored file processing and visitor logic to streamline analysis flow.
- Added `@Nonnull` annotations for improved null safety and clarity.
- Updated exception handling to include `IOException` where applicable.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
- Implement detection rule for AES-GCM encryption in Go's crypto package.
- Add `GoCryptoAESGCMEncryptTest` and corresponding test file to validate detection of AES-GCM usage.
- Update `GoDetectionEngine` to exclude parameters from constant resolution.

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
All crypto standard library packages except crypto/x509 are now covered.
Added golang.org/x/crypto as a separate entry with partial coverage
(hkdf, pbkdf2, sha3).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@n1ckl0sk0rtge n1ckl0sk0rtge force-pushed the feature/add-go-support branch from c891a28 to bd46e69 Compare January 24, 2026 12:45
@n1ckl0sk0rtge n1ckl0sk0rtge marked this pull request as ready for review January 24, 2026 12:45
@n1ckl0sk0rtge n1ckl0sk0rtge requested a review from a team as a code owner January 24, 2026 12:45
…urposes

Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
Signed-off-by: Nicklas Körtge <Nicklas.Koertge1@ibm.com>
@n1ckl0sk0rtge n1ckl0sk0rtge merged commit 363f3de into main Jan 24, 2026
1 of 2 checks passed
@n1ckl0sk0rtge n1ckl0sk0rtge deleted the feature/add-go-support branch January 24, 2026 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant