diff --git a/README.md b/README.md index 404a9d3..23e9ae1 100644 --- a/README.md +++ b/README.md @@ -14,13 +14,13 @@ | CWE | Vulnerability | Instances | Severity | |-----|--------------|-----------|----------| -| ![CWE-502](https://img.shields.io/badge/CWE--502-183760-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | -| ![CWE-79](https://img.shields.io/badge/CWE--79-49224-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | -| ![CWE-89](https://img.shields.io/badge/CWE--89-51840-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | -| ![CWE-22](https://img.shields.io/badge/CWE--22-11328-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | -| ![CWE-78](https://img.shields.io/badge/CWE--78-74008-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | +| ![CWE-502](https://img.shields.io/badge/CWE--502-174436-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | +| ![CWE-79](https://img.shields.io/badge/CWE--79-48360-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | +| ![CWE-89](https://img.shields.io/badge/CWE--89-52592-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | +| ![CWE-22](https://img.shields.io/badge/CWE--22-10584-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | +| ![CWE-78](https://img.shields.io/badge/CWE--78-70884-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | -**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-370160-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-242146-blue?style=for-the-badge) +**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-356856-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-154645-blue?style=for-the-badge) --- 
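Review bot: the Instances column in the README table is stale and contradicts the badges on the same rows: the badges were regenerated (CWE-502 174436, CWE-89 52592, CWE-22 10584) but the bold counts still read **166240**, **54904** and **46156**, and the CWE-22 row repeats the CWE-79 value **46156**. The five badge values sum to 356856, which is exactly the Total Vulnerable badge, so the badges are the correct side; have the generator write the Instances cell from the same number it puts in the badge URL, or drop the duplicated column and keep only the badge. Also worth a sentence in the README: `stars_affected` falls from 242146 to 154645 while `total_vulnerable` moves by under 4%, because that figure is the de-duplicated star total of the ten `top_repos` sampled per pattern in the scan JSON, not of every matching repository, so it swings whenever one large repository enters or leaves a sample.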
diff --git a/metrics/REPORT.md b/metrics/REPORT.md index 05af8d5..dbf1682 100644 --- a/metrics/REPORT.md +++ b/metrics/REPORT.md @@ -1,6 +1,6 @@ # Go Ecosystem Vulnerability Impact Report -**Generated:** 2026-02-15 00:36 UTC +**Generated:** 2026-03-08 00:34 UTC **Scanner:** [go-safeinput](https://github.com/ravisastryk/go-safeinput) **Coverage:** MITRE CWE Top 25 vulnerabilities 
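Review bot: the unchanged `**Coverage:** MITRE CWE Top 25 vulnerabilities` context line under the regenerated `**Generated:**` stamp overstates the scope: the same report's metrics table says `CWEs Analyzed | 5`, and the scan JSON added in this commit holds 17 search patterns across CWE-502, CWE-79, CWE-89, CWE-22 and CWE-78. Suggest `**Coverage:** 5 of the MITRE CWE Top 25 (CWE-502, CWE-79, CWE-89, CWE-22, CWE-78)` so the header agrees with the table below it.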
@@ -8,54 +8,54 @@ | Metric | Value | |--------|-------| -| **Total Vulnerable Instances** | **370160** | -| Total Stars Affected | 242146 | -| Total Forks Affected | 24472 | +| **Total Vulnerable Instances** | **356856** | +| Total Stars Affected | 154645 | +| Total Forks Affected | 16431 | | CWEs Analyzed | 5 | ## Vulnerability Breakdown by CWE | CWE | Vulnerability Type | Instances | Severity | |-----|-------------------|-----------|----------| -| **CWE-502** | Deserialization of Untrusted Data | **183760** | CRITICAL | -| **CWE-79** | Cross-site Scripting (XSS) | **49224** | HIGH | -| **CWE-89** | SQL Injection | **51840** | CRITICAL | -| **CWE-22** | Path Traversal | **11328** | HIGH | -| **CWE-78** | OS Command Injection | **74008** | CRITICAL | +| **CWE-502** | Deserialization of Untrusted Data | **174436** | CRITICAL | +| **CWE-79** | Cross-site Scripting (XSS) | **48360** | HIGH | +| **CWE-89** | SQL Injection | **52592** | CRITICAL | +| **CWE-22** | Path Traversal | **10584** | HIGH | +| **CWE-78** | OS Command Injection | **70884** | CRITICAL | ## Detailed Pattern Analysis ### CWE-502: Deserialization of Untrusted Data -- **CWE-502: JSON deserialization into interface{}**: 111616 instances -- **CWE-502: YAML deserialization into interface{}**: 6880 instances -- **CWE-502: JSON decoder into interface{}**: 50816 instances -- **CWE-502: XML deserialization into interface{}**: 3904 instances -- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 10544 instances +- **CWE-502: JSON deserialization into interface{}**: 102400 instances +- **CWE-502: YAML deserialization into interface{}**: 7748 instances +- **CWE-502: JSON decoder into interface{}**: 52352 instances +- **CWE-502: XML deserialization into interface{}**: 3760 instances +- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 8176 instances ### CWE-79: Cross-site Scripting (XSS) -- **CWE-79: Potential XSS via HTML template rendering**: 12976 instances -- **CWE-79: Direct write to 
ResponseWriter (potential XSS)**: 33664 instances -- **CWE-79: Using template.JS (bypasses escaping)**: 2584 instances +- **CWE-79: Potential XSS via HTML template rendering**: 13368 instances +- **CWE-79: Direct write to ResponseWriter (potential XSS)**: 32448 instances +- **CWE-79: Using template.JS (bypasses escaping)**: 2544 instances ### CWE-89: SQL Injection -- **CWE-89: SQL query with string concatenation**: 8512 instances -- **CWE-89: SQL exec with string concatenation**: 23552 instances -- **CWE-89: Raw SQL with string interpolation**: 19776 instances +- **CWE-89: SQL query with string concatenation**: 8160 instances +- **CWE-89: SQL exec with string concatenation**: 24128 instances +- **CWE-89: Raw SQL with string interpolation**: 20304 instances ### CWE-22: Path Traversal -- **CWE-22: filepath.Join with user input**: 3152 instances -- **CWE-22: os.Open with user-controlled path**: 1080 instances -- **CWE-22: File read with constructed path**: 7096 instances +- **CWE-22: filepath.Join with user input**: 3688 instances +- **CWE-22: os.Open with user-controlled path**: 968 instances +- **CWE-22: File read with constructed path**: 5928 instances ### CWE-78: OS Command Injection -- **CWE-78: exec.Command with user input**: 920 instances -- **CWE-78: exec.Command with string formatting**: 40128 instances -- **CWE-78: Shell command execution**: 32960 instances +- **CWE-78: exec.Command with user input**: 932 instances +- **CWE-78: exec.Command with string formatting**: 36672 instances +- **CWE-78: Shell command execution**: 33280 instances ## Fix with go-safeinput diff --git a/metrics/scan_20260308.json b/metrics/scan_20260308.json new file mode 100644 index 0000000..813ec25 --- /dev/null +++ b/metrics/scan_20260308.json 
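Review bot: the two headline rows `**Total Vulnerable Instances** | **356856**` and `Total Stars Affected | 154645` are not what their labels say. The per-CWE figures do add up (each CWE total is the sum of its listed patterns, and the five totals sum to 356856), but every pattern count is a GitHub code search hit count for co-occurring strings (`language:go "json.Unmarshal" "interface{}"` and the like), and the star figure is the de-duplicated sum of stars over the ten `top_repos` sampled per pattern, which is why it dropped by more than a third while the hit count fell by under 4%. Suggest relabelling them `Matching files (GitHub code search)` and `Stars of sampled repositories (top 10 per pattern, de-duplicated)` and adding a one-line methodology note above the table. Also, `Using yaml.v2 (vulnerable to custom tags)` is recorded at severity HIGH in the scan JSON but its 8176 hits are folded into the CRITICAL CWE-502 total here; either cite an advisory that supports the custom-tag claim or report that pattern at its own severity.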
@@ -0,0 +1,1404 @@ +{ + "generated_at": "2026-03-08T00:31:25Z", + "scanner": "go-safeinput-scanner", + "scanner_repo": "https://github.com/ravisastryk/go-safeinput", + "total_vulnerable": 356856, + "total_stars": 154645, + "total_forks": 16431, + "results": [ + { + "pattern": { + "name": "cwe502-json-unmarshal-interface", + "query": "language:go \"json.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON deserialization into interface{}" + }, + "count": 102400, + "top_repos": [ + { + "name": "zserge/lorca", + "stars": 8195, + "forks": 546, + "url": "https://github.com/zserge/lorca", + "file": "ui.go" + }, + { + "name": "mattn/go-v8", + "stars": 267, + "forks": 38, + "url": "https://github.com/mattn/go-v8", + "file": "v8.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1117, + "forks": 74, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "manyminds/api2go", + "stars": 719, + "forks": 96, + "url": "https://github.com/manyminds/api2go", + "file": "api.go" + }, + { + "name": "mailgun/holster", + "stars": 297, + "forks": 32, + "url": "https://github.com/mailgun/holster", + "file": "election/rpc.go" + }, + { + "name": "iopred/bruxism", + "stars": 147, + "forks": 20, + "url": "https://github.com/iopred/bruxism", + "file": "bot.go" + }, + { + "name": "mix-go/mix", + "stars": 860, + "forks": 71, + "url": "https://github.com/mix-go/mix", + "file": "src/xsql/db.go" + }, + { + "name": "didi/collection", + "stars": 126, + "forks": 23, + "url": "https://github.com/didi/collection", + "file": "mix.go" + }, + { + "name": "dunlinplugin/dunlin-cni", + "stars": 7, + "forks": 1, + "url": "https://github.com/dunlinplugin/dunlin-cni", + "file": "cni.go" + }, + { + "name": "kazuhitoyokoi/node-red-wasm", + "stars": 14, + "forks": 3, + "url": "https://github.com/kazuhitoyokoi/node-red-wasm", + "file": "red.go" + } + ], + "searched_at": "2026-03-08T00:31:25Z" + }, + { + "pattern": { + "name": 
"cwe502-yaml-unmarshal-interface", + "query": "language:go \"yaml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: YAML deserialization into interface{}" + }, + "count": 7748, + "top_repos": [ + { + "name": "vektra/tachyon", + "stars": 279, + "forks": 27, + "url": "https://github.com/vektra/tachyon", + "file": "util.go" + }, + { + "name": "MarioCarrion/videos", + "stars": 133, + "forks": 54, + "url": "https://github.com/MarioCarrion/videos", + "file": "2022/09/16/thirdpartylib/main.go" + }, + { + "name": "ovh/configstore", + "stars": 76, + "forks": 13, + "url": "https://github.com/ovh/configstore", + "file": "item.go" + }, + { + "name": "rsc/web", + "stars": 154, + "forks": 9, + "url": "https://github.com/rsc/web", + "file": "tmpl.go" + }, + { + "name": "kkkgo/PaoPaoGateWay", + "stars": 503, + "forks": 47, + "url": "https://github.com/kkkgo/PaoPaoGateWay", + "file": "ppgw.go" + }, + { + "name": "martingallagher/gawp", + "stars": 124, + "forks": 10, + "url": "https://github.com/martingallagher/gawp", + "file": "gawp.go" + }, + { + "name": "dmachard/CoreDNS-GSLB", + "stars": 35, + "forks": 6, + "url": "https://github.com/dmachard/CoreDNS-GSLB", + "file": "api.go" + }, + { + "name": "CMGS/levi", + "stars": 13, + "forks": 0, + "url": "https://github.com/CMGS/levi", + "file": "env.go" + }, + { + "name": "romanyx/polluter", + "stars": 177, + "forks": 16, + "url": "https://github.com/romanyx/polluter", + "file": "yaml.go" + }, + { + "name": "efimovalex/gomake", + "stars": 15, + "forks": 1, + "url": "https://github.com/efimovalex/gomake", + "file": "file.go" + } + ], + "searched_at": "2026-03-08T00:31:35Z" + }, + { + "pattern": { + "name": "cwe502-json-decoder-interface", + "query": "language:go \"json.NewDecoder\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON decoder into interface{}" + }, + "count": 52352, + "top_repos": [ + { + "name": "astaxie/bat", + "stars": 2565, + "forks": 222, + "url": 
"https://github.com/astaxie/bat", + "file": "bat.go" + }, + { + "name": "staticbackendhq/core", + "stars": 717, + "forks": 70, + "url": "https://github.com/staticbackendhq/core", + "file": "db.go" + }, + { + "name": "jmespath/jp", + "stars": 783, + "forks": 48, + "url": "https://github.com/jmespath/jp", + "file": "jp.go" + }, + { + "name": "piqoni/hn-text", + "stars": 511, + "forks": 11, + "url": "https://github.com/piqoni/hn-text", + "file": "web.go" + }, + { + "name": "manishrjain/gocrud", + "stars": 306, + "forks": 23, + "url": "https://github.com/manishrjain/gocrud", + "file": "x/x.go" + }, + { + "name": "go-validator/validator", + "stars": 1334, + "forks": 127, + "url": "https://github.com/go-validator/validator", + "file": "doc.go" + }, + { + "name": "InkProject/ink", + "stars": 1089, + "forks": 117, + "url": "https://github.com/InkProject/ink", + "file": "api.go" + }, + { + "name": "wish/eventmaster", + "stars": 11, + "forks": 6, + "url": "https://github.com/wish/eventmaster", + "file": "dcs.go" + }, + { + "name": "kkyr/fig", + "stars": 384, + "forks": 33, + "url": "https://github.com/kkyr/fig", + "file": "fig.go" + }, + { + "name": "caltechlibrary/datatools", + "stars": 80, + "forks": 9, + "url": "https://github.com/caltechlibrary/datatools", + "file": "csv.go" + } + ], + "searched_at": "2026-03-08T00:31:45Z" + }, + { + "pattern": { + "name": "cwe502-xml-unmarshal-interface", + "query": "language:go \"xml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: XML deserialization into interface{}" + }, + "count": 3760, + "top_repos": [ + { + "name": "eatmoreapple/openwechat", + "stars": 5478, + "forks": 1011, + "url": "https://github.com/eatmoreapple/openwechat", + "file": "message.go" + }, + { + "name": "devfeel/dotweb", + "stars": 1384, + "forks": 180, + "url": "https://github.com/devfeel/dotweb", + "file": "bind.go" + }, + { + "name": "esap/wechat", + "stars": 483, + "forks": 93, + "url": "https://github.com/esap/wechat", + 
"file": "server.go" + }, + { + "name": "xormplus/xorm", + "stars": 1560, + "forks": 221, + "url": "https://github.com/xormplus/xorm", + "file": "sqlmap.go" + }, + { + "name": "jotform/jotform-api-go", + "stars": 3, + "forks": 8, + "url": "https://github.com/jotform/jotform-api-go", + "file": "JotForm.go" + }, + { + "name": "xendit/xendit-go", + "stars": 156, + "forks": 59, + "url": "https://github.com/xendit/xendit-go", + "file": "client.go" + }, + { + "name": "fwhezfwhez/tcpx", + "stars": 235, + "forks": 45, + "url": "https://github.com/fwhezfwhez/tcpx", + "file": "pack-type.go" + }, + { + "name": "go-baa/baa", + "stars": 155, + "forks": 27, + "url": "https://github.com/go-baa/baa", + "file": "context.go" + }, + { + "name": "yosida95/golang-jenkins", + "stars": 130, + "forks": 87, + "url": "https://github.com/yosida95/golang-jenkins", + "file": "jenkins.go" + }, + { + "name": "huin/goupnp", + "stars": 461, + "forks": 87, + "url": "https://github.com/huin/goupnp", + "file": "soap/soap.go" + } + ], + "searched_at": "2026-03-08T00:31:55Z" + }, + { + "pattern": { + "name": "cwe502-yaml-v2-import", + "query": "language:go \"gopkg.in/yaml.v2\"", + "severity": "HIGH", + "description": "CWE-502: Using yaml.v2 (vulnerable to custom tags)" + }, + "count": 8176, + "top_repos": [ + { + "name": "nwidger/nintengo", + "stars": 1299, + "forks": 52, + "url": "https://github.com/nwidger/nintengo", + "file": "main.go" + }, + { + "name": "koding/multiconfig", + "stars": 451, + "forks": 62, + "url": "https://github.com/koding/multiconfig", + "file": "file.go" + }, + { + "name": "uber-go/config", + "stars": 472, + "forks": 41, + "url": "https://github.com/uber-go/config", + "file": "doc.go" + }, + { + "name": "estafette/estafette-ci-manifest", + "stars": 3, + "forks": 0, + "url": "https://github.com/estafette/estafette-ci-manifest", + "file": "bot.go" + }, + { + "name": "vividvilla/consul-cfg", + "stars": 17, + "forks": 5, + "url": "https://github.com/vividvilla/consul-cfg", + "file": 
"tmpl.go" + }, + { + "name": "dustin-decker/testViper", + "stars": 0, + "forks": 0, + "url": "https://github.com/dustin-decker/testViper", + "file": "tv.go" + }, + { + "name": "mutantmonkey/golinx", + "stars": 7, + "forks": 0, + "url": "https://github.com/mutantmonkey/golinx", + "file": "linx.go" + }, + { + "name": "make-the-journey-io/map", + "stars": 1, + "forks": 0, + "url": "https://github.com/make-the-journey-io/map", + "file": "map.go" + }, + { + "name": "honeyvig/godlp", + "stars": 0, + "forks": 0, + "url": "https://github.com/honeyvig/godlp", + "file": "sdk.go" + }, + { + "name": "saas-templates/go-svelte", + "stars": 43, + "forks": 4, + "url": "https://github.com/saas-templates/go-svelte", + "file": "cli.go" + } + ], + "searched_at": "2026-03-08T00:32:05Z" + }, + { + "pattern": { + "name": "cwe79-html-template-unescaped", + "query": "language:go \"html/template\" HTML", + "severity": "HIGH", + "description": "CWE-79: Potential XSS via HTML template rendering" + }, + "count": 13368, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2596, + "forks": 454, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "choonkeat/dom-go", + "stars": 2, + "forks": 0, + "url": "https://github.com/choonkeat/dom-go", + "file": "dom.go" + }, + { + "name": "darkhelmet/ForrestFire", + "stars": 95, + "forks": 7, + "url": "https://github.com/darkhelmet/ForrestFire", + "file": "app.go" + }, + { + "name": "yahoo/webseclab", + "stars": 908, + "forks": 66, + "url": "https://github.com/yahoo/webseclab", + "file": "ctx.go" + }, + { + "name": "RajaSunrise/xyra-go", + "stars": 0, + "forks": 0, + "url": "https://github.com/RajaSunrise/xyra-go", + "file": "res.go" + }, + { + "name": "denniselite/iris-fixed", + "stars": 1, + "forks": 0, + "url": "https://github.com/denniselite/iris-fixed", + "file": "doc.go" + }, + { + "name": "zevweiss/honk", + "stars": 2, + "forks": 0, + "url": "https://github.com/zevweiss/honk", + "file": "fun.go" 
+ }, + { + "name": "1055373165/myweb", + "stars": 0, + "forks": 0, + "url": "https://github.com/1055373165/myweb", + "file": "main.go" + }, + { + "name": "mehlium/go-auth", + "stars": 3, + "forks": 0, + "url": "https://github.com/mehlium/go-auth", + "file": "api.go" + }, + { + "name": "JanikGilzer/ZooRheine", + "stars": 0, + "forks": 0, + "url": "https://github.com/JanikGilzer/ZooRheine", + "file": "main.go" + } + ], + "searched_at": "2026-03-08T00:32:15Z" + }, + { + "pattern": { + "name": "cwe79-writer-write-user-input", + "query": "language:go \"fmt.Fprintf\" \"w http.ResponseWriter\"", + "severity": "HIGH", + "description": "CWE-79: Direct write to ResponseWriter (potential XSS)" + }, + "count": 32448, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2596, + "forks": 454, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "tenox7/wrp", + "stars": 1236, + "forks": 60, + "url": "https://github.com/tenox7/wrp", + "file": "wrp.go" + }, + { + "name": "furkansenharputlu/f-license", + "stars": 823, + "forks": 77, + "url": "https://github.com/furkansenharputlu/f-license", + "file": "api.go" + }, + { + "name": "dailymotion/oplog", + "stars": 110, + "forks": 13, + "url": "https://github.com/dailymotion/oplog", + "file": "sse.go" + }, + { + "name": "lonnc/golang-nw", + "stars": 191, + "forks": 26, + "url": "https://github.com/lonnc/golang-nw", + "file": "doc.go" + }, + { + "name": "moneymanagerex/general-reports", + "stars": 83, + "forks": 50, + "url": "https://github.com/moneymanagerex/general-reports", + "file": "grm.go" + }, + { + "name": "rs/xmux", + "stars": 100, + "forks": 11, + "url": "https://github.com/rs/xmux", + "file": "mux.go" + }, + { + "name": "writeas/htmlhouse", + "stars": 103, + "forks": 24, + "url": "https://github.com/writeas/htmlhouse", + "file": "app.go" + }, + { + "name": "soundscapecloud/soundscape", + "stars": 747, + "forks": 46, + "url": "https://github.com/soundscapecloud/soundscape", + 
"file": "web.go" + }, + { + "name": "lastlogin-net/obligator", + "stars": 830, + "forks": 24, + "url": "https://github.com/lastlogin-net/obligator", + "file": "qr.go" + } + ], + "searched_at": "2026-03-08T00:32:25Z" + }, + { + "pattern": { + "name": "cwe79-template-js", + "query": "language:go template.JS", + "severity": "HIGH", + "description": "CWE-79: Using template.JS (bypasses escaping)" + }, + "count": 2544, + "top_repos": [ + { + "name": "leanote/leanote", + "stars": 11719, + "forks": 2453, + "url": "https://github.com/leanote/leanote", + "file": "app/init.go" + }, + { + "name": "schollz/find", + "stars": 5089, + "forks": 369, + "url": "https://github.com/schollz/find", + "file": "routes.go" + }, + { + "name": "GoAdminGroup/go-admin", + "stars": 8940, + "forks": 1405, + "url": "https://github.com/GoAdminGroup/go-admin", + "file": "template/login/login.go" + }, + { + "name": "fullstorydev/grpcui", + "stars": 5841, + "forks": 419, + "url": "https://github.com/fullstorydev/grpcui", + "file": "webform.go" + }, + { + "name": "divan/gobenchui", + "stars": 528, + "forks": 28, + "url": "https://github.com/divan/gobenchui", + "file": "web.go" + }, + { + "name": "swaggo/http-swagger", + "stars": 560, + "forks": 85, + "url": "https://github.com/swaggo/http-swagger", + "file": "swagger.go" + }, + { + "name": "roblaszczak/vgt", + "stars": 357, + "forks": 3, + "url": "https://github.com/roblaszczak/vgt", + "file": "html.go" + }, + { + "name": "nccgroup/singularity", + "stars": 1266, + "forks": 158, + "url": "https://github.com/nccgroup/singularity", + "file": "singularity.go" + }, + { + "name": "philippta/flyscrape", + "stars": 1335, + "forks": 40, + "url": "https://github.com/philippta/flyscrape", + "file": "js.go" + }, + { + "name": "remind101/emp", + "stars": 35, + "forks": 7, + "url": "https://github.com/remind101/emp", + "file": "help.go" + } + ], + "searched_at": "2026-03-08T00:32:34Z" + }, + { + "pattern": { + "name": "cwe89-sql-query-concat", + "query": 
"language:go \"db.Query\" \"fmt.Sprintf\"", + "severity": "CRITICAL", + "description": "CWE-89: SQL query with string concatenation" + }, + "count": 8160, + "top_repos": [ + { + "name": "haxpax/gosms", + "stars": 1473, + "forks": 150, + "url": "https://github.com/haxpax/gosms", + "file": "db.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "nao1215/filesql", + "stars": 350, + "forks": 9, + "url": "https://github.com/nao1215/filesql", + "file": "ach.go" + }, + { + "name": "coocood/qbs", + "stars": 543, + "forks": 97, + "url": "https://github.com/coocood/qbs", + "file": "qbs.go" + }, + { + "name": "CCob/gookies", + "stars": 46, + "forks": 8, + "url": "https://github.com/CCob/gookies", + "file": "main.go" + }, + { + "name": "spy16/fabric", + "stars": 198, + "forks": 6, + "url": "https://github.com/spy16/fabric", + "file": "sql.go" + }, + { + "name": "xyproto/simplehstore", + "stars": 54, + "forks": 3, + "url": "https://github.com/xyproto/simplehstore", + "file": "set.go" + }, + { + "name": "mevdschee/go-crud-api", + "stars": 16, + "forks": 5, + "url": "https://github.com/mevdschee/go-crud-api", + "file": "api.go" + }, + { + "name": "robdelacruz/newsboard", + "stars": 29, + "forks": 7, + "url": "https://github.com/robdelacruz/newsboard", + "file": "nb.go" + }, + { + "name": "ekzhu/josie", + "stars": 19, + "forks": 5, + "url": "https://github.com/ekzhu/josie", + "file": "io.go" + } + ], + "searched_at": "2026-03-08T00:32:43Z" + }, + { + "pattern": { + "name": "cwe89-sql-exec-concat", + "query": "language:go \"db.Exec\" \"+\" ", + "severity": "CRITICAL", + "description": "CWE-89: SQL exec with string concatenation" + }, + "count": 24128, + "top_repos": [ + { + "name": "go-pg/pg", + "stars": 5789, + "forks": 416, + "url": "https://github.com/go-pg/pg", + "file": "tx.go" + }, + { + "name": "QLeelulu/goku", + "stars": 273, + "forks": 65, + "url": 
"https://github.com/QLeelulu/goku", + "file": "db.go" + }, + { + "name": "mattn/qq", + "stars": 166, + "forks": 5, + "url": "https://github.com/mattn/qq", + "file": "qq.go" + }, + { + "name": "coocood/qbs", + "stars": 543, + "forks": 97, + "url": "https://github.com/coocood/qbs", + "file": "qbs.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "kwf2030/hiprice-chatbot", + "stars": 88, + "forks": 10, + "url": "https://github.com/kwf2030/hiprice-chatbot", + "file": "msg.go" + }, + { + "name": "TritonHo/demo", + "stars": 154, + "forks": 27, + "url": "https://github.com/TritonHo/demo", + "file": "cat.go" + }, + { + "name": "donuts-are-good/shhhbb", + "stars": 166, + "forks": 6, + "url": "https://github.com/donuts-are-good/shhhbb", + "file": "api.go" + }, + { + "name": "metal-stack/go-ipam", + "stars": 151, + "forks": 43, + "url": "https://github.com/metal-stack/go-ipam", + "file": "sql.go" + }, + { + "name": "johnlui/DIYSearchEngine", + "stars": 699, + "forks": 97, + "url": "https://github.com/johnlui/DIYSearchEngine", + "file": "cron.go" + } + ], + "searched_at": "2026-03-08T00:32:52Z" + }, + { + "pattern": { + "name": "cwe89-raw-sql-interpolation", + "query": "language:go \"database/sql\" fmt.Sprintf SELECT", + "severity": "CRITICAL", + "description": "CWE-89: Raw SQL with string interpolation" + }, + "count": 20304, + "top_repos": [ + { + "name": "go-gorp/gorp", + "stars": 3755, + "forks": 374, + "url": "https://github.com/go-gorp/gorp", + "file": "db.go" + }, + { + "name": "gernest/orange", + "stars": 22, + "forks": 4, + "url": "https://github.com/gernest/orange", + "file": "sql.go" + }, + { + "name": "QLeelulu/goku", + "stars": 273, + "forks": 65, + "url": "https://github.com/QLeelulu/goku", + "file": "db.go" + }, + { + "name": "arp242/zdb", + "stars": 14, + "forks": 1, + "url": "https://github.com/arp242/zdb", + "file": "zdb.go" + }, + { + "name": 
"ysugimoto/gqb", + "stars": 5, + "forks": 1, + "url": "https://github.com/ysugimoto/gqb", + "file": "gqb.go" + }, + { + "name": "gadp22/crema", + "stars": 1, + "forks": 0, + "url": "https://github.com/gadp22/crema", + "file": "dao.go" + }, + { + "name": "fabregas/protosql", + "stars": 2, + "forks": 1, + "url": "https://github.com/fabregas/protosql", + "file": "repo.go" + }, + { + "name": "wibu-gaptek/qix", + "stars": 3, + "forks": 1, + "url": "https://github.com/wibu-gaptek/qix", + "file": "qix.go" + }, + { + "name": "angrysine/ponderada5mod9", + "stars": 0, + "forks": 0, + "url": "https://github.com/angrysine/ponderada5mod9", + "file": "main.go" + }, + { + "name": "ruhulfbr/golang-basic", + "stars": 0, + "forks": 0, + "url": "https://github.com/ruhulfbr/golang-basic", + "file": "qb.go" + } + ], + "searched_at": "2026-03-08T00:33:03Z" + }, + { + "pattern": { + "name": "cwe22-filepath-join-user-input", + "query": "language:go \"filepath.Join\" \"r.URL.Query\"", + "severity": "HIGH", + "description": "CWE-22: filepath.Join with user input" + }, + "count": 3688, + "top_repos": [ + { + "name": "kelseyhightower/coreos-ipxe-server", + "stars": 220, + "forks": 50, + "url": "https://github.com/kelseyhightower/coreos-ipxe-server", + "file": "api.go" + }, + { + "name": "pldubouilh/gossa", + "stars": 1077, + "forks": 80, + "url": "https://github.com/pldubouilh/gossa", + "file": "gossa.go" + }, + { + "name": "k1LoW/deck", + "stars": 1184, + "forks": 35, + "url": "https://github.com/k1LoW/deck", + "file": "client.go" + }, + { + "name": "esell/deb-simple", + "stars": 241, + "forks": 19, + "url": "https://github.com/esell/deb-simple", + "file": "http.go" + }, + { + "name": "Illusionna/LocalTransfer", + "stars": 507, + "forks": 14, + "url": "https://github.com/Illusionna/LocalTransfer", + "file": "handler.go" + }, + { + "name": "sgreben/http-file-server", + "stars": 234, + "forks": 39, + "url": "https://github.com/sgreben/http-file-server", + "file": "server.go" + }, + { + "name": 
"Monibuca/plugin-record", + "stars": 42, + "forks": 39, + "url": "https://github.com/Monibuca/plugin-record", + "file": "vod.go" + }, + { + "name": "moul-co/moul", + "stars": 253, + "forks": 28, + "url": "https://github.com/moul-co/moul", + "file": "cmd/root.go" + }, + { + "name": "Quiq/webauthn_proxy", + "stars": 143, + "forks": 17, + "url": "https://github.com/Quiq/webauthn_proxy", + "file": "main.go" + }, + { + "name": "nielsAD/autoindex", + "stars": 41, + "forks": 8, + "url": "https://github.com/nielsAD/autoindex", + "file": "fs.go" + } + ], + "searched_at": "2026-03-08T00:33:16Z" + }, + { + "pattern": { + "name": "cwe22-os-open-user-input", + "query": "language:go \"os.Open\" \"r.FormValue\"", + "severity": "HIGH", + "description": "CWE-22: os.Open with user-controlled path" + }, + "count": 968, + "top_repos": [ + { + "name": "google/codesearch", + "stars": 3927, + "forks": 396, + "url": "https://github.com/google/codesearch", + "file": "cmd/csweb/web.go" + }, + { + "name": "ondrajz/go-callvis", + "stars": 6454, + "forks": 432, + "url": "https://github.com/ondrajz/go-callvis", + "file": "analysis.go" + }, + { + "name": "tenox7/wrp", + "stars": 1236, + "forks": 60, + "url": "https://github.com/tenox7/wrp", + "file": "wrp.go" + }, + { + "name": "sausheong/invadersapp", + "stars": 196, + "forks": 23, + "url": "https://github.com/sausheong/invadersapp", + "file": "main.go" + }, + { + "name": "wizsk/goshare", + "stars": 45, + "forks": 4, + "url": "https://github.com/wizsk/goshare", + "file": "upload.go" + }, + { + "name": "cloud66-oss/starter", + "stars": 313, + "forks": 55, + "url": "https://github.com/cloud66-oss/starter", + "file": "api.go" + }, + { + "name": "wizjin/weixin", + "stars": 190, + "forks": 76, + "url": "https://github.com/wizjin/weixin", + "file": "weixin.go" + }, + { + "name": "lightninglabs/lightning-faucet", + "stars": 80, + "forks": 31, + "url": "https://github.com/lightninglabs/lightning-faucet", + "file": "faucet.go" + }, + { + "name": 
"aerth/cosgo", + "stars": 6, + "forks": 1, + "url": "https://github.com/aerth/cosgo", + "file": "02-internal.go" + }, + { + "name": "tenny1225/webui", + "stars": 4, + "forks": 1, + "url": "https://github.com/tenny1225/webui", + "file": "window.go" + } + ], + "searched_at": "2026-03-08T00:33:26Z" + }, + { + "pattern": { + "name": "cwe22-ioutil-readfile-param", + "query": "language:go \"ioutil.ReadFile\" \"filepath.Join\"", + "severity": "HIGH", + "description": "CWE-22: File read with constructed path" + }, + "count": 5928, + "top_repos": [ + { + "name": "utkusen/urlhunter", + "stars": 1664, + "forks": 117, + "url": "https://github.com/utkusen/urlhunter", + "file": "main.go" + }, + { + "name": "mailgun/godebug", + "stars": 2484, + "forks": 102, + "url": "https://github.com/mailgun/godebug", + "file": "cmd.go" + }, + { + "name": "nlf/dlite", + "stars": 2327, + "forks": 52, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "vwxyzjn/portwarden", + "stars": 632, + "forks": 36, + "url": "https://github.com/vwxyzjn/portwarden", + "file": "core.go" + }, + { + "name": "zserge/zs", + "stars": 100, + "forks": 15, + "url": "https://github.com/zserge/zs", + "file": "zs.go" + }, + { + "name": "revel/revel", + "stars": 13251, + "forks": 1366, + "url": "https://github.com/revel/revel", + "file": "util.go" + }, + { + "name": "hajimehoshi/asobiba", + "stars": 73, + "forks": 9, + "url": "https://github.com/hajimehoshi/asobiba", + "file": "gen.go" + }, + { + "name": "git-hooks/git-hooks", + "stars": 416, + "forks": 41, + "url": "https://github.com/git-hooks/git-hooks", + "file": "dir.go" + }, + { + "name": "tidwall/wal", + "stars": 712, + "forks": 75, + "url": "https://github.com/tidwall/wal", + "file": "wal.go" + }, + { + "name": "geekr-dev/gpt-engineer", + "stars": 51, + "forks": 5, + "url": "https://github.com/geekr-dev/gpt-engineer", + "file": "db.go" + } + ], + "searched_at": "2026-03-08T00:33:38Z" + }, + { + "pattern": { + "name": 
"cwe78-exec-command-user-input", + "query": "language:go \"exec.Command\" \"r.FormValue\"", + "severity": "CRITICAL", + "description": "CWE-78: exec.Command with user input" + }, + "count": 932, + "top_repos": [ + { + "name": "gokrazy/gokrazy", + "stars": 3443, + "forks": 133, + "url": "https://github.com/gokrazy/gokrazy", + "file": "update.go" + }, + { + "name": "remind101/empire", + "stars": 2681, + "forks": 156, + "url": "https://github.com/remind101/empire", + "file": "cmd/emp/auth.go" + }, + { + "name": "gengo/goship", + "stars": 704, + "forks": 42, + "url": "https://github.com/gengo/goship", + "file": "deploy_handler.go" + }, + { + "name": "apex/up-examples", + "stars": 393, + "forks": 44, + "url": "https://github.com/apex/up-examples", + "file": "oss/golang-shell/main.go" + }, + { + "name": "skycoin/skywire-testnet", + "stars": 162, + "forks": 64, + "url": "https://github.com/skycoin/skywire-testnet", + "file": "pkg/node/api/api.go" + }, + { + "name": "schollz/musicsaur", + "stars": 283, + "forks": 14, + "url": "https://github.com/schollz/musicsaur", + "file": "controls.go" + }, + { + "name": "golang/playground", + "stars": 797, + "forks": 206, + "url": "https://github.com/golang/playground", + "file": "sandbox.go" + }, + { + "name": "jingkaihe/koderunr", + "stars": 43, + "forks": 15, + "url": "https://github.com/jingkaihe/koderunr", + "file": "server/server.go" + }, + { + "name": "0x09AL/Browser-C2", + "stars": 103, + "forks": 28, + "url": "https://github.com/0x09AL/Browser-C2", + "file": "agent/agent.go" + }, + { + "name": "mehlium/g-wiki", + "stars": 117, + "forks": 16, + "url": "https://github.com/mehlium/g-wiki", + "file": "wiki.go" + } + ], + "searched_at": "2026-03-08T00:33:47Z" + }, + { + "pattern": { + "name": "cwe78-exec-command-concat", + "query": "language:go \"exec.Command\" \"fmt.Sprintf\"", + "severity": "CRITICAL", + "description": "CWE-78: exec.Command with string formatting" + }, + "count": 36672, + "top_repos": [ + { + "name": 
"ondrajz/go-callvis", + "stars": 6454, + "forks": 432, + "url": "https://github.com/ondrajz/go-callvis", + "file": "dot.go" + }, + { + "name": "nlf/dlite", + "stars": 2327, + "forks": 52, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "shunfei/cronsun", + "stars": 2923, + "forks": 458, + "url": "https://github.com/shunfei/cronsun", + "file": "job.go" + }, + { + "name": "go-python/gopy", + "stars": 2297, + "forks": 130, + "url": "https://github.com/go-python/gopy", + "file": "gen.go" + }, + { + "name": "sajari/docconv", + "stars": 1771, + "forks": 245, + "url": "https://github.com/sajari/docconv", + "file": "doc.go" + }, + { + "name": "johnlauer/serial-port-json-server", + "stars": 360, + "forks": 170, + "url": "https://github.com/johnlauer/serial-port-json-server", + "file": "hub.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1117, + "forks": 74, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "syncore/qclauncher", + "stars": 59, + "forks": 3, + "url": "https://github.com/syncore/qclauncher", + "file": "fp.go" + }, + { + "name": "Songmu/tagpr", + "stars": 282, + "forks": 35, + "url": "https://github.com/Songmu/tagpr", + "file": "git.go" + }, + { + "name": "ivpusic/rerun", + "stars": 165, + "forks": 11, + "url": "https://github.com/ivpusic/rerun", + "file": "pm.go" + } + ], + "searched_at": "2026-03-08T00:33:57Z" + }, + { + "pattern": { + "name": "cwe78-shell-exec", + "query": "language:go exec.Command \"sh\" \"-c\"", + "severity": "CRITICAL", + "description": "CWE-78: Shell command execution" + }, + "count": 33280, + "top_repos": [ + { + "name": "appuio/acme-tiny", + "stars": 0, + "forks": 0, + "url": "https://github.com/appuio/acme-tiny", + "file": "docker/sh.go" + }, + { + "name": "otm/blade", + "stars": 68, + "forks": 1, + "url": "https://github.com/otm/blade", + "file": "lua.go" + }, + { + "name": "apex/up", + "stars": 8812, + "forks": 388, + "url": "https://github.com/apex/up", + "file": 
"up.go" + }, + { + "name": "julz/just", + "stars": 0, + "forks": 0, + "url": "https://github.com/julz/just", + "file": "cmd.go" + }, + { + "name": "codeskyblue/go-sh", + "stars": 1131, + "forks": 137, + "url": "https://github.com/codeskyblue/go-sh", + "file": "sh.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1117, + "forks": 74, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "kayac/sqsjkr", + "stars": 13, + "forks": 1, + "url": "https://github.com/kayac/sqsjkr", + "file": "job.go" + }, + { + "name": "NietThijmen/ShoppingCart", + "stars": 4, + "forks": 0, + "url": "https://github.com/NietThijmen/ShoppingCart", + "file": "ssh.go" + }, + { + "name": "lianhong2758/kokomi-plugin", + "stars": 28, + "forks": 7, + "url": "https://github.com/lianhong2758/kokomi-plugin", + "file": "shu.go" + }, + { + "name": "88250/gulu", + "stars": 163, + "forks": 36, + "url": "https://github.com/88250/gulu", + "file": "os.go" + } + ], + "searched_at": "2026-03-08T00:34:07Z" + } + ] +} \ No newline at end of file