diff --git a/README.md b/README.md index 23e9ae1..2857fc7 100644 --- a/README.md +++ b/README.md @@ -14,13 +14,13 @@ | CWE | Vulnerability | Instances | Severity | |-----|--------------|-----------|----------| -| ![CWE-502](https://img.shields.io/badge/CWE--502-174436-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | -| ![CWE-79](https://img.shields.io/badge/CWE--79-48360-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | -| ![CWE-89](https://img.shields.io/badge/CWE--89-52592-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | -| ![CWE-22](https://img.shields.io/badge/CWE--22-10584-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | -| ![CWE-78](https://img.shields.io/badge/CWE--78-70884-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | +| ![CWE-502](https://img.shields.io/badge/CWE--502-187304-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | +| ![CWE-79](https://img.shields.io/badge/CWE--79-52776-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | +| ![CWE-89](https://img.shields.io/badge/CWE--89-65736-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | +| ![CWE-22](https://img.shields.io/badge/CWE--22-13348-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | +| ![CWE-78](https://img.shields.io/badge/CWE--78-82764-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | -**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-356856-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-154645-blue?style=for-the-badge) +**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-401928-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-260537-blue?style=for-the-badge) --- 
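Review bot: the Instances column of the README table was not regenerated with the badges, so every row now disagrees with its own badge: CWE-502 reads 187304 in the badge URL but **166240** in the column, CWE-79 52776 vs **46156**, CWE-89 65736 vs **54904**, CWE-22 13348 vs **46156**, CWE-78 82764 vs **69164**. The CWE-22 cell is also byte-identical to the CWE-79 cell (**46156**), which looks like a copy-paste left over from an earlier run. The badge figures do add up to the new `total_vulnerable-401928` badge (187304 + 52776 + 65736 + 13348 + 82764 = 401928); the column values add up to 382620. Have the README generator fill the Instances cell from the same field it uses for the badge, or drop the column so the badge is the only number on the row.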
diff --git a/metrics/REPORT.md b/metrics/REPORT.md index dbf1682..1c9615a 100644 --- a/metrics/REPORT.md +++ b/metrics/REPORT.md @@ -1,6 +1,6 @@ # Go Ecosystem Vulnerability Impact Report -**Generated:** 2026-03-08 00:34 UTC +**Generated:** 2026-03-29 00:39 UTC **Scanner:** [go-safeinput](https://github.com/ravisastryk/go-safeinput) **Coverage:** MITRE CWE Top 25 vulnerabilities 
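Review bot: the context line `**Coverage:** MITRE CWE Top 25 vulnerabilities` overstates what this report measures; the summary table in the same file says `| CWEs Analyzed | 5 |`, and the only CWEs that appear anywhere in the patch are 502, 79, 89, 22 and 78. Since this hunk already rewrites the header, it is the right place to change Coverage to "5 of the MITRE CWE Top 25" (or list the five) so the header matches the table that follows it.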
@@ -8,54 +8,54 @@ | Metric | Value | |--------|-------| -| **Total Vulnerable Instances** | **356856** | -| Total Stars Affected | 154645 | -| Total Forks Affected | 16431 | +| **Total Vulnerable Instances** | **401928** | +| Total Stars Affected | 260537 | +| Total Forks Affected | 23978 | | CWEs Analyzed | 5 | ## Vulnerability Breakdown by CWE | CWE | Vulnerability Type | Instances | Severity | |-----|-------------------|-----------|----------| -| **CWE-502** | Deserialization of Untrusted Data | **174436** | CRITICAL | -| **CWE-79** | Cross-site Scripting (XSS) | **48360** | HIGH | -| **CWE-89** | SQL Injection | **52592** | CRITICAL | -| **CWE-22** | Path Traversal | **10584** | HIGH | -| **CWE-78** | OS Command Injection | **70884** | CRITICAL | +| **CWE-502** | Deserialization of Untrusted Data | **187304** | CRITICAL | +| **CWE-79** | Cross-site Scripting (XSS) | **52776** | HIGH | +| **CWE-89** | SQL Injection | **65736** | CRITICAL | +| **CWE-22** | Path Traversal | **13348** | HIGH | +| **CWE-78** | OS Command Injection | **82764** | CRITICAL | ## Detailed Pattern Analysis ### CWE-502: Deserialization of Untrusted Data -- **CWE-502: JSON deserialization into interface{}**: 102400 instances -- **CWE-502: YAML deserialization into interface{}**: 7748 instances -- **CWE-502: JSON decoder into interface{}**: 52352 instances -- **CWE-502: XML deserialization into interface{}**: 3760 instances -- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 8176 instances +- **CWE-502: JSON deserialization into interface{}**: 113152 instances +- **CWE-502: YAML deserialization into interface{}**: 7908 instances +- **CWE-502: JSON decoder into interface{}**: 55168 instances +- **CWE-502: XML deserialization into interface{}**: 3808 instances +- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 7268 instances ### CWE-79: Cross-site Scripting (XSS) -- **CWE-79: Potential XSS via HTML template rendering**: 13368 instances -- **CWE-79: Direct write to ResponseWriter 
(potential XSS)**: 32448 instances -- **CWE-79: Using template.JS (bypasses escaping)**: 2544 instances +- **CWE-79: Potential XSS via HTML template rendering**: 13024 instances +- **CWE-79: Direct write to ResponseWriter (potential XSS)**: 36992 instances +- **CWE-79: Using template.JS (bypasses escaping)**: 2760 instances ### CWE-89: SQL Injection -- **CWE-89: SQL query with string concatenation**: 8160 instances -- **CWE-89: SQL exec with string concatenation**: 24128 instances -- **CWE-89: Raw SQL with string interpolation**: 20304 instances +- **CWE-89: SQL query with string concatenation**: 13128 instances +- **CWE-89: SQL exec with string concatenation**: 29312 instances +- **CWE-89: Raw SQL with string interpolation**: 23296 instances ### CWE-22: Path Traversal -- **CWE-22: filepath.Join with user input**: 3688 instances -- **CWE-22: os.Open with user-controlled path**: 968 instances -- **CWE-22: File read with constructed path**: 5928 instances +- **CWE-22: filepath.Join with user input**: 4272 instances +- **CWE-22: os.Open with user-controlled path**: 996 instances +- **CWE-22: File read with constructed path**: 8080 instances ### CWE-78: OS Command Injection -- **CWE-78: exec.Command with user input**: 932 instances -- **CWE-78: exec.Command with string formatting**: 36672 instances -- **CWE-78: Shell command execution**: 33280 instances +- **CWE-78: exec.Command with user input**: 1036 instances +- **CWE-78: exec.Command with string formatting**: 46144 instances +- **CWE-78: Shell command execution**: 35584 instances ## Fix with go-safeinput diff --git a/metrics/scan_20260329.json b/metrics/scan_20260329.json new file mode 100644 index 0000000..6588cca --- /dev/null +++ b/metrics/scan_20260329.json 
@@ -0,0 +1,1404 @@ +{ + "generated_at": "2026-03-29T00:36:40Z", + "scanner": "go-safeinput-scanner", + "scanner_repo": "https://github.com/ravisastryk/go-safeinput", + "total_vulnerable": 401928, + "total_stars": 260537, + "total_forks": 23978, + "results": [ + { + "pattern": { + "name": "cwe502-json-unmarshal-interface", + "query": "language:go \"json.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON deserialization into interface{}" + }, + "count": 113152, + "top_repos": [ + { + "name": "zserge/lorca", + "stars": 8197, + "forks": 543, + "url": "https://github.com/zserge/lorca", + "file": "ui.go" + }, + { + "name": "mattn/go-v8", + "stars": 267, + "forks": 38, + "url": "https://github.com/mattn/go-v8", + "file": "v8.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1116, + "forks": 74, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "manyminds/api2go", + "stars": 720, + "forks": 96, + "url": "https://github.com/manyminds/api2go", + "file": "api.go" + }, + { + "name": "mailgun/holster", + "stars": 297, + "forks": 32, + "url": "https://github.com/mailgun/holster", + "file": "election/rpc.go" + }, + { + "name": "ardanlabs/kit", + "stars": 245, + "forks": 57, + "url": "https://github.com/ardanlabs/kit", + "file": "mapstructure/doc.go" + }, + { + "name": "iopred/bruxism", + "stars": 147, + "forks": 20, + "url": "https://github.com/iopred/bruxism", + "file": "bot.go" + }, + { + "name": "mix-go/mix", + "stars": 857, + "forks": 71, + "url": "https://github.com/mix-go/mix", + "file": "src/xsql/db.go" + }, + { + "name": "didi/collection", + "stars": 126, + "forks": 22, + "url": "https://github.com/didi/collection", + "file": "mix.go" + }, + { + "name": "dunlinplugin/dunlin-cni", + "stars": 7, + "forks": 1, + "url": "https://github.com/dunlinplugin/dunlin-cni", + "file": "cni.go" + } + ], + "searched_at": "2026-03-29T00:36:40Z" + }, + { + "pattern": { + "name": "cwe502-yaml-unmarshal-interface", + 
"query": "language:go \"yaml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: YAML deserialization into interface{}" + }, + "count": 7908, + "top_repos": [ + { + "name": "vektra/tachyon", + "stars": 279, + "forks": 27, + "url": "https://github.com/vektra/tachyon", + "file": "util.go" + }, + { + "name": "helmfile/vals", + "stars": 748, + "forks": 99, + "url": "https://github.com/helmfile/vals", + "file": "vals.go" + }, + { + "name": "codeskyblue/gohttpserver", + "stars": 2824, + "forks": 571, + "url": "https://github.com/codeskyblue/gohttpserver", + "file": "main.go" + }, + { + "name": "koding/multiconfig", + "stars": 450, + "forks": 62, + "url": "https://github.com/koding/multiconfig", + "file": "file.go" + }, + { + "name": "kkkgo/PaoPaoGateWay", + "stars": 507, + "forks": 48, + "url": "https://github.com/kkkgo/PaoPaoGateWay", + "file": "ppgw.go" + }, + { + "name": "tsg/gotpl", + "stars": 94, + "forks": 36, + "url": "https://github.com/tsg/gotpl", + "file": "tpl.go" + }, + { + "name": "wk8/go-ordered-map", + "stars": 667, + "forks": 52, + "url": "https://github.com/wk8/go-ordered-map", + "file": "yaml.go" + }, + { + "name": "kufu-ai/gocat", + "stars": 11, + "forks": 7, + "url": "https://github.com/kufu-ai/gocat", + "file": "git.go" + }, + { + "name": "juju/charm", + "stars": 18, + "forks": 57, + "url": "https://github.com/juju/charm", + "file": "meta.go" + }, + { + "name": "martingallagher/gawp", + "stars": 124, + "forks": 10, + "url": "https://github.com/martingallagher/gawp", + "file": "gawp.go" + } + ], + "searched_at": "2026-03-29T00:36:49Z" + }, + { + "pattern": { + "name": "cwe502-json-decoder-interface", + "query": "language:go \"json.NewDecoder\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON decoder into interface{}" + }, + "count": 55168, + "top_repos": [ + { + "name": "astaxie/bat", + "stars": 2565, + "forks": 221, + "url": "https://github.com/astaxie/bat", + "file": "bat.go" + }, + { + 
"name": "Shopify/toxiproxy", + "stars": 11927, + "forks": 496, + "url": "https://github.com/Shopify/toxiproxy", + "file": "api.go" + }, + { + "name": "staticbackendhq/core", + "stars": 717, + "forks": 70, + "url": "https://github.com/staticbackendhq/core", + "file": "db.go" + }, + { + "name": "jmespath/jp", + "stars": 782, + "forks": 48, + "url": "https://github.com/jmespath/jp", + "file": "jp.go" + }, + { + "name": "piqoni/hn-text", + "stars": 512, + "forks": 11, + "url": "https://github.com/piqoni/hn-text", + "file": "web.go" + }, + { + "name": "manishrjain/gocrud", + "stars": 306, + "forks": 23, + "url": "https://github.com/manishrjain/gocrud", + "file": "x/x.go" + }, + { + "name": "shurcooL/githubv4", + "stars": 1186, + "forks": 94, + "url": "https://github.com/shurcooL/githubv4", + "file": "gen.go" + }, + { + "name": "go-validator/validator", + "stars": 1334, + "forks": 125, + "url": "https://github.com/go-validator/validator", + "file": "doc.go" + }, + { + "name": "wish/eventmaster", + "stars": 11, + "forks": 6, + "url": "https://github.com/wish/eventmaster", + "file": "dcs.go" + }, + { + "name": "kkyr/fig", + "stars": 384, + "forks": 33, + "url": "https://github.com/kkyr/fig", + "file": "fig.go" + } + ], + "searched_at": "2026-03-29T00:36:59Z" + }, + { + "pattern": { + "name": "cwe502-xml-unmarshal-interface", + "query": "language:go \"xml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: XML deserialization into interface{}" + }, + "count": 3808, + "top_repos": [ + { + "name": "eatmoreapple/openwechat", + "stars": 5485, + "forks": 1011, + "url": "https://github.com/eatmoreapple/openwechat", + "file": "message.go" + }, + { + "name": "qax-os/excelize", + "stars": 20432, + "forks": 1882, + "url": "https://github.com/qax-os/excelize", + "file": "vml.go" + }, + { + "name": "devfeel/dotweb", + "stars": 1381, + "forks": 180, + "url": "https://github.com/devfeel/dotweb", + "file": "bind.go" + }, + { + "name": "saltbo/zpan", + 
"stars": 2001, + "forks": 253, + "url": "https://github.com/saltbo/zpan", + "file": "pkg/obs/util.go" + }, + { + "name": "aliyun/aliyun-oss-go-sdk", + "stars": 984, + "forks": 229, + "url": "https://github.com/aliyun/aliyun-oss-go-sdk", + "file": "oss/conn.go" + }, + { + "name": "esap/wechat", + "stars": 483, + "forks": 93, + "url": "https://github.com/esap/wechat", + "file": "server.go" + }, + { + "name": "xormplus/xorm", + "stars": 1558, + "forks": 221, + "url": "https://github.com/xormplus/xorm", + "file": "sqlmap.go" + }, + { + "name": "alecthomas/chroma", + "stars": 4887, + "forks": 469, + "url": "https://github.com/alecthomas/chroma", + "file": "serialise.go" + }, + { + "name": "jotform/jotform-api-go", + "stars": 3, + "forks": 8, + "url": "https://github.com/jotform/jotform-api-go", + "file": "JotForm.go" + }, + { + "name": "xendit/xendit-go", + "stars": 157, + "forks": 59, + "url": "https://github.com/xendit/xendit-go", + "file": "client.go" + } + ], + "searched_at": "2026-03-29T00:37:09Z" + }, + { + "pattern": { + "name": "cwe502-yaml-v2-import", + "query": "language:go \"gopkg.in/yaml.v2\"", + "severity": "HIGH", + "description": "CWE-502: Using yaml.v2 (vulnerable to custom tags)" + }, + "count": 7268, + "top_repos": [ + { + "name": "nwidger/nintengo", + "stars": 1297, + "forks": 52, + "url": "https://github.com/nwidger/nintengo", + "file": "main.go" + }, + { + "name": "koding/multiconfig", + "stars": 450, + "forks": 62, + "url": "https://github.com/koding/multiconfig", + "file": "file.go" + }, + { + "name": "uber-go/config", + "stars": 471, + "forks": 41, + "url": "https://github.com/uber-go/config", + "file": "doc.go" + }, + { + "name": "optiopay/klar", + "stars": 503, + "forks": 136, + "url": "https://github.com/optiopay/klar", + "file": "klar.go" + }, + { + "name": "toukii/httpvf", + "stars": 3, + "forks": 0, + "url": "https://github.com/toukii/httpvf", + "file": "req.go" + }, + { + "name": "ziplineeci/ziplinee-ci-manifest", + "stars": 0, + "forks": 
0, + "url": "https://github.com/ziplineeci/ziplinee-ci-manifest", + "file": "bot.go" + }, + { + "name": "dubter/config", + "stars": 0, + "forks": 0, + "url": "https://github.com/dubter/config", + "file": "load.go" + }, + { + "name": "InkProject/ink", + "stars": 1089, + "forks": 116, + "url": "https://github.com/InkProject/ink", + "file": "main.go" + }, + { + "name": "ekara-platform/model", + "stars": 1, + "forks": 3, + "url": "https://github.com/ekara-platform/model", + "file": "url.go" + }, + { + "name": "maleblond/communautowatcher", + "stars": 1, + "forks": 1, + "url": "https://github.com/maleblond/communautowatcher", + "file": "api.go" + } + ], + "searched_at": "2026-03-29T00:37:18Z" + }, + { + "pattern": { + "name": "cwe79-html-template-unescaped", + "query": "language:go \"html/template\" HTML", + "severity": "HIGH", + "description": "CWE-79: Potential XSS via HTML template rendering" + }, + "count": 13024, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2595, + "forks": 452, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "choonkeat/dom-go", + "stars": 2, + "forks": 0, + "url": "https://github.com/choonkeat/dom-go", + "file": "dom.go" + }, + { + "name": "viewscreen/viewscreen", + "stars": 231, + "forks": 28, + "url": "https://github.com/viewscreen/viewscreen", + "file": "web.go" + }, + { + "name": "xataz/gobrowser", + "stars": 112, + "forks": 15, + "url": "https://github.com/xataz/gobrowser", + "file": "app.go" + }, + { + "name": "robfig/soy", + "stars": 177, + "forks": 41, + "url": "https://github.com/robfig/soy", + "file": "doc.go" + }, + { + "name": "jeremieweldin/GoMinewrap", + "stars": 0, + "forks": 0, + "url": "https://github.com/jeremieweldin/GoMinewrap", + "file": "mcs.go" + }, + { + "name": "deltegui/owl", + "stars": 1, + "forks": 0, + "url": "https://github.com/deltegui/owl", + "file": "vm.go" + }, + { + "name": "theshubhamy/go-htmx-chat", + "stars": 0, + "forks": 0, + "url": 
"https://github.com/theshubhamy/go-htmx-chat", + "file": "hub.go" + }, + { + "name": "cameronelliott/limebcast", + "stars": 0, + "forks": 0, + "url": "https://github.com/cameronelliott/limebcast", + "file": "web.go" + }, + { + "name": "wadewegner/simple-go-web-app", + "stars": 0, + "forks": 0, + "url": "https://github.com/wadewegner/simple-go-web-app", + "file": "app.go" + } + ], + "searched_at": "2026-03-29T00:37:28Z" + }, + { + "pattern": { + "name": "cwe79-writer-write-user-input", + "query": "language:go \"fmt.Fprintf\" \"w http.ResponseWriter\"", + "severity": "HIGH", + "description": "CWE-79: Direct write to ResponseWriter (potential XSS)" + }, + "count": 36992, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2595, + "forks": 452, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "auth0/go-jwt-middleware", + "stars": 1192, + "forks": 208, + "url": "https://github.com/auth0/go-jwt-middleware", + "file": "doc.go" + }, + { + "name": "h2non/imaginary", + "stars": 6031, + "forks": 493, + "url": "https://github.com/h2non/imaginary", + "file": "log.go" + }, + { + "name": "tenox7/wrp", + "stars": 1240, + "forks": 62, + "url": "https://github.com/tenox7/wrp", + "file": "wrp.go" + }, + { + "name": "furkansenharputlu/f-license", + "stars": 822, + "forks": 77, + "url": "https://github.com/furkansenharputlu/f-license", + "file": "api.go" + }, + { + "name": "dailymotion/oplog", + "stars": 110, + "forks": 13, + "url": "https://github.com/dailymotion/oplog", + "file": "sse.go" + }, + { + "name": "traefik/whoami", + "stars": 1356, + "forks": 247, + "url": "https://github.com/traefik/whoami", + "file": "app.go" + }, + { + "name": "moneymanagerex/general-reports", + "stars": 83, + "forks": 50, + "url": "https://github.com/moneymanagerex/general-reports", + "file": "grm.go" + }, + { + "name": "rs/xmux", + "stars": 100, + "forks": 11, + "url": "https://github.com/rs/xmux", + "file": "mux.go" + }, + { + "name": 
"andybalholm/redwood", + "stars": 247, + "forks": 37, + "url": "https://github.com/andybalholm/redwood", + "file": "pac.go" + } + ], + "searched_at": "2026-03-29T00:37:38Z" + }, + { + "pattern": { + "name": "cwe79-template-js", + "query": "language:go template.JS", + "severity": "HIGH", + "description": "CWE-79: Using template.JS (bypasses escaping)" + }, + "count": 2760, + "top_repos": [ + { + "name": "leanote/leanote", + "stars": 11712, + "forks": 2449, + "url": "https://github.com/leanote/leanote", + "file": "app/init.go" + }, + { + "name": "schollz/find", + "stars": 5089, + "forks": 369, + "url": "https://github.com/schollz/find", + "file": "routes.go" + }, + { + "name": "fullstorydev/grpcui", + "stars": 5871, + "forks": 420, + "url": "https://github.com/fullstorydev/grpcui", + "file": "webform.go" + }, + { + "name": "selinuxG/Golin", + "stars": 1773, + "forks": 257, + "url": "https://github.com/selinuxG/Golin", + "file": "scan/end.go" + }, + { + "name": "divan/gobenchui", + "stars": 527, + "forks": 28, + "url": "https://github.com/divan/gobenchui", + "file": "web.go" + }, + { + "name": "srl-labs/containerlab", + "stars": 2488, + "forks": 429, + "url": "https://github.com/srl-labs/containerlab", + "file": "cmd/graph.go" + }, + { + "name": "writefreely/writefreely", + "stars": 5114, + "forks": 371, + "url": "https://github.com/writefreely/writefreely", + "file": "collections.go" + }, + { + "name": "swaggo/http-swagger", + "stars": 562, + "forks": 85, + "url": "https://github.com/swaggo/http-swagger", + "file": "swagger.go" + }, + { + "name": "roblaszczak/vgt", + "stars": 358, + "forks": 3, + "url": "https://github.com/roblaszczak/vgt", + "file": "html.go" + }, + { + "name": "philippta/flyscrape", + "stars": 1337, + "forks": 41, + "url": "https://github.com/philippta/flyscrape", + "file": "js.go" + } + ], + "searched_at": "2026-03-29T00:37:48Z" + }, + { + "pattern": { + "name": "cwe89-sql-query-concat", + "query": "language:go \"db.Query\" \"fmt.Sprintf\"", + 
"severity": "CRITICAL", + "description": "CWE-89: SQL query with string concatenation" + }, + "count": 13128, + "top_repos": [ + { + "name": "haxpax/gosms", + "stars": 1471, + "forks": 149, + "url": "https://github.com/haxpax/gosms", + "file": "db.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "nao1215/filesql", + "stars": 369, + "forks": 9, + "url": "https://github.com/nao1215/filesql", + "file": "ach.go" + }, + { + "name": "coocood/qbs", + "stars": 543, + "forks": 96, + "url": "https://github.com/coocood/qbs", + "file": "qbs.go" + }, + { + "name": "ekzhu/josie", + "stars": 19, + "forks": 5, + "url": "https://github.com/ekzhu/josie", + "file": "io.go" + }, + { + "name": "spy16/fabric", + "stars": 199, + "forks": 6, + "url": "https://github.com/spy16/fabric", + "file": "sql.go" + }, + { + "name": "canonical/lxd-demo-server", + "stars": 71, + "forks": 25, + "url": "https://github.com/canonical/lxd-demo-server", + "file": "db.go" + }, + { + "name": "mevdschee/go-crud-api", + "stars": 16, + "forks": 5, + "url": "https://github.com/mevdschee/go-crud-api", + "file": "api.go" + }, + { + "name": "cristosal/orm", + "stars": 0, + "forks": 0, + "url": "https://github.com/cristosal/orm", + "file": "orm.go" + }, + { + "name": "mattn/qq", + "stars": 166, + "forks": 5, + "url": "https://github.com/mattn/qq", + "file": "qq.go" + } + ], + "searched_at": "2026-03-29T00:37:57Z" + }, + { + "pattern": { + "name": "cwe89-sql-exec-concat", + "query": "language:go \"db.Exec\" \"+\" ", + "severity": "CRITICAL", + "description": "CWE-89: SQL exec with string concatenation" + }, + "count": 29312, + "top_repos": [ + { + "name": "writefreely/writefreely", + "stars": 5114, + "forks": 371, + "url": "https://github.com/writefreely/writefreely", + "file": "app.go" + }, + { + "name": "go-pg/pg", + "stars": 5786, + "forks": 415, + "url": "https://github.com/go-pg/pg", + "file": "tx.go" + 
}, + { + "name": "mattn/qq", + "stars": 166, + "forks": 5, + "url": "https://github.com/mattn/qq", + "file": "qq.go" + }, + { + "name": "uadmin/uadmin", + "stars": 355, + "forks": 61, + "url": "https://github.com/uadmin/uadmin", + "file": "db.go" + }, + { + "name": "coocood/qbs", + "stars": 543, + "forks": 96, + "url": "https://github.com/coocood/qbs", + "file": "qbs.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "kwf2030/hiprice-chatbot", + "stars": 88, + "forks": 10, + "url": "https://github.com/kwf2030/hiprice-chatbot", + "file": "msg.go" + }, + { + "name": "TritonHo/demo", + "stars": 155, + "forks": 27, + "url": "https://github.com/TritonHo/demo", + "file": "cat.go" + }, + { + "name": "arp242/goatcounter", + "stars": 5592, + "forks": 253, + "url": "https://github.com/arp242/goatcounter", + "file": "hit.go" + }, + { + "name": "metal-stack/go-ipam", + "stars": 152, + "forks": 43, + "url": "https://github.com/metal-stack/go-ipam", + "file": "sql.go" + } + ], + "searched_at": "2026-03-29T00:38:07Z" + }, + { + "pattern": { + "name": "cwe89-raw-sql-interpolation", + "query": "language:go \"database/sql\" fmt.Sprintf SELECT", + "severity": "CRITICAL", + "description": "CWE-89: Raw SQL with string interpolation" + }, + "count": 23296, + "top_repos": [ + { + "name": "go-gorp/gorp", + "stars": 3755, + "forks": 375, + "url": "https://github.com/go-gorp/gorp", + "file": "db.go" + }, + { + "name": "go-gorm/gen", + "stars": 2542, + "forks": 354, + "url": "https://github.com/go-gorm/gen", + "file": "do.go" + }, + { + "name": "gernest/orange", + "stars": 22, + "forks": 4, + "url": "https://github.com/gernest/orange", + "file": "sql.go" + }, + { + "name": "QLeelulu/goku", + "stars": 273, + "forks": 65, + "url": "https://github.com/QLeelulu/goku", + "file": "db.go" + }, + { + "name": "arp242/zdb", + "stars": 14, + "forks": 1, + "url": "https://github.com/arp242/zdb", + 
"file": "zdb.go" + }, + { + "name": "ysugimoto/gqb", + "stars": 5, + "forks": 1, + "url": "https://github.com/ysugimoto/gqb", + "file": "gqb.go" + }, + { + "name": "gadp22/crema", + "stars": 1, + "forks": 0, + "url": "https://github.com/gadp22/crema", + "file": "dao.go" + }, + { + "name": "rpadovani/sqlx-v2", + "stars": 2, + "forks": 0, + "url": "https://github.com/rpadovani/sqlx-v2", + "file": "tx.go" + }, + { + "name": "wibu-gaptek/qix", + "stars": 3, + "forks": 1, + "url": "https://github.com/wibu-gaptek/qix", + "file": "qix.go" + }, + { + "name": "ruhulfbr/golang-basic", + "stars": 0, + "forks": 0, + "url": "https://github.com/ruhulfbr/golang-basic", + "file": "qb.go" + } + ], + "searched_at": "2026-03-29T00:38:16Z" + }, + { + "pattern": { + "name": "cwe22-filepath-join-user-input", + "query": "language:go \"filepath.Join\" \"r.URL.Query\"", + "severity": "HIGH", + "description": "CWE-22: filepath.Join with user input" + }, + "count": 4272, + "top_repos": [ + { + "name": "kelseyhightower/coreos-ipxe-server", + "stars": 220, + "forks": 50, + "url": "https://github.com/kelseyhightower/coreos-ipxe-server", + "file": "api.go" + }, + { + "name": "boyter/cs", + "stars": 913, + "forks": 16, + "url": "https://github.com/boyter/cs", + "file": "http.go" + }, + { + "name": "pldubouilh/gossa", + "stars": 1078, + "forks": 78, + "url": "https://github.com/pldubouilh/gossa", + "file": "gossa.go" + }, + { + "name": "k1LoW/deck", + "stars": 1201, + "forks": 35, + "url": "https://github.com/k1LoW/deck", + "file": "client.go" + }, + { + "name": "Illusionna/LocalTransfer", + "stars": 506, + "forks": 14, + "url": "https://github.com/Illusionna/LocalTransfer", + "file": "handler.go" + }, + { + "name": "sgreben/http-file-server", + "stars": 234, + "forks": 39, + "url": "https://github.com/sgreben/http-file-server", + "file": "server.go" + }, + { + "name": "tailscale/golink", + "stars": 1833, + "forks": 128, + "url": "https://github.com/tailscale/golink", + "file": "golink.go" + }, + 
{ + "name": "Monibuca/plugin-record", + "stars": 42, + "forks": 39, + "url": "https://github.com/Monibuca/plugin-record", + "file": "vod.go" + }, + { + "name": "p1d3er/RemoteWebScreen", + "stars": 461, + "forks": 63, + "url": "https://github.com/p1d3er/RemoteWebScreen", + "file": "main.go" + }, + { + "name": "nielsAD/autoindex", + "stars": 41, + "forks": 8, + "url": "https://github.com/nielsAD/autoindex", + "file": "fs.go" + } + ], + "searched_at": "2026-03-29T00:38:26Z" + }, + { + "pattern": { + "name": "cwe22-os-open-user-input", + "query": "language:go \"os.Open\" \"r.FormValue\"", + "severity": "HIGH", + "description": "CWE-22: os.Open with user-controlled path" + }, + "count": 996, + "top_repos": [ + { + "name": "screego/server", + "stars": 10326, + "forks": 706, + "url": "https://github.com/screego/server", + "file": "auth/auth.go" + }, + { + "name": "wallix/awless", + "stars": 4984, + "forks": 259, + "url": "https://github.com/wallix/awless", + "file": "web/web.go" + }, + { + "name": "canonical/lxd", + "stars": 4717, + "forks": 1000, + "url": "https://github.com/canonical/lxd", + "file": "lxd/images.go" + }, + { + "name": "LukeSmithxyz/shadowchat", + "stars": 131, + "forks": 20, + "url": "https://github.com/LukeSmithxyz/shadowchat", + "file": "main.go" + }, + { + "name": "jamra/gocleo", + "stars": 86, + "forks": 10, + "url": "https://github.com/jamra/gocleo", + "file": "cleo.go" + }, + { + "name": "anvie/Anscdn", + "stars": 42, + "forks": 10, + "url": "https://github.com/anvie/Anscdn", + "file": "anscdn.go" + }, + { + "name": "ondrajz/go-callvis", + "stars": 6463, + "forks": 433, + "url": "https://github.com/ondrajz/go-callvis", + "file": "analysis.go" + }, + { + "name": "jmhodges/howsmyssl", + "stars": 351, + "forks": 58, + "url": "https://github.com/jmhodges/howsmyssl", + "file": "allow.go" + }, + { + "name": "Lihu-PR/File-Rocket", + "stars": 200, + "forks": 19, + "url": "https://github.com/Lihu-PR/File-Rocket", + "file": "server.go" + }, + { + "name": 
"tenox7/wrp", + "stars": 1240, + "forks": 62, + "url": "https://github.com/tenox7/wrp", + "file": "wrp.go" + } + ], + "searched_at": "2026-03-29T00:38:35Z" + }, + { + "pattern": { + "name": "cwe22-ioutil-readfile-param", + "query": "language:go \"ioutil.ReadFile\" \"filepath.Join\"", + "severity": "HIGH", + "description": "CWE-22: File read with constructed path" + }, + "count": 8080, + "top_repos": [ + { + "name": "utkusen/urlhunter", + "stars": 1662, + "forks": 117, + "url": "https://github.com/utkusen/urlhunter", + "file": "main.go" + }, + { + "name": "mailgun/godebug", + "stars": 2481, + "forks": 102, + "url": "https://github.com/mailgun/godebug", + "file": "cmd.go" + }, + { + "name": "nlf/dlite", + "stars": 2326, + "forks": 52, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "golang101/golang101", + "stars": 5010, + "forks": 458, + "url": "https://github.com/golang101/golang101", + "file": "gen.go" + }, + { + "name": "vwxyzjn/portwarden", + "stars": 632, + "forks": 35, + "url": "https://github.com/vwxyzjn/portwarden", + "file": "core.go" + }, + { + "name": "zerotier/zerotier-systemd-manager", + "stars": 72, + "forks": 8, + "url": "https://github.com/zerotier/zerotier-systemd-manager", + "file": "mgr.go" + }, + { + "name": "cloud66-oss/starter", + "stars": 313, + "forks": 55, + "url": "https://github.com/cloud66-oss/starter", + "file": "api.go" + }, + { + "name": "storj-archived/gospace", + "stars": 3, + "forks": 0, + "url": "https://github.com/storj-archived/gospace", + "file": "mod.go" + }, + { + "name": "sariina/mina", + "stars": 44, + "forks": 3, + "url": "https://github.com/sariina/mina", + "file": "mina.go" + }, + { + "name": "flexera-public/right_st", + "stars": 12, + "forks": 1, + "url": "https://github.com/flexera-public/right_st", + "file": "mci.go" + } + ], + "searched_at": "2026-03-29T00:38:44Z" + }, + { + "pattern": { + "name": "cwe78-exec-command-user-input", + "query": "language:go \"exec.Command\" \"r.FormValue\"", 
+ "severity": "CRITICAL", + "description": "CWE-78: exec.Command with user input" + }, + "count": 1036, + "top_repos": [ + { + "name": "kevoreilly/CAPEv2", + "stars": 3096, + "forks": 545, + "url": "https://github.com/kevoreilly/CAPEv2", + "file": "agent/go/main.go" + }, + { + "name": "gokrazy/gokrazy", + "stars": 3450, + "forks": 134, + "url": "https://github.com/gokrazy/gokrazy", + "file": "update.go" + }, + { + "name": "remind101/empire", + "stars": 2680, + "forks": 156, + "url": "https://github.com/remind101/empire", + "file": "cmd/emp/auth.go" + }, + { + "name": "canonical/lxd", + "stars": 4717, + "forks": 1000, + "url": "https://github.com/canonical/lxd", + "file": "lxd-agent/exec.go" + }, + { + "name": "gengo/goship", + "stars": 704, + "forks": 43, + "url": "https://github.com/gengo/goship", + "file": "deploy_handler.go" + }, + { + "name": "perkeep/perkeep", + "stars": 7112, + "forks": 482, + "url": "https://github.com/perkeep/perkeep", + "file": "pkg/server/app/app.go" + }, + { + "name": "iuroc/bilidown", + "stars": 1387, + "forks": 165, + "url": "https://github.com/iuroc/bilidown", + "file": "server/router/task.go" + }, + { + "name": "skycoin/skywire-testnet", + "stars": 162, + "forks": 64, + "url": "https://github.com/skycoin/skywire-testnet", + "file": "pkg/node/api/api.go" + }, + { + "name": "schollz/musicsaur", + "stars": 283, + "forks": 14, + "url": "https://github.com/schollz/musicsaur", + "file": "controls.go" + }, + { + "name": "grant/go-diagram", + "stars": 177, + "forks": 20, + "url": "https://github.com/grant/go-diagram", + "file": "server.go" + } + ], + "searched_at": "2026-03-29T00:38:53Z" + }, + { + "pattern": { + "name": "cwe78-exec-command-concat", + "query": "language:go \"exec.Command\" \"fmt.Sprintf\"", + "severity": "CRITICAL", + "description": "CWE-78: exec.Command with string formatting" + }, + "count": 46144, + "top_repos": [ + { + "name": "ondrajz/go-callvis", + "stars": 6463, + "forks": 433, + "url": 
"https://github.com/ondrajz/go-callvis", + "file": "dot.go" + }, + { + "name": "gokcehan/lf", + "stars": 9174, + "forks": 363, + "url": "https://github.com/gokcehan/lf", + "file": "os.go" + }, + { + "name": "nlf/dlite", + "stars": 2326, + "forks": 52, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "shunfei/cronsun", + "stars": 2921, + "forks": 457, + "url": "https://github.com/shunfei/cronsun", + "file": "job.go" + }, + { + "name": "go-python/gopy", + "stars": 2299, + "forks": 132, + "url": "https://github.com/go-python/gopy", + "file": "gen.go" + }, + { + "name": "pressly/sup", + "stars": 2516, + "forks": 182, + "url": "https://github.com/pressly/sup", + "file": "tar.go" + }, + { + "name": "sajari/docconv", + "stars": 1775, + "forks": 244, + "url": "https://github.com/sajari/docconv", + "file": "doc.go" + }, + { + "name": "noisetorch/NoiseTorch", + "stars": 10172, + "forks": 244, + "url": "https://github.com/noisetorch/NoiseTorch", + "file": "ui.go" + }, + { + "name": "x-motemen/ghq", + "stars": 3535, + "forks": 200, + "url": "https://github.com/x-motemen/ghq", + "file": "vcs.go" + }, + { + "name": "containers/ocicrypt", + "stars": 179, + "forks": 39, + "url": "https://github.com/containers/ocicrypt", + "file": "gpg.go" + } + ], + "searched_at": "2026-03-29T00:39:03Z" + }, + { + "pattern": { + "name": "cwe78-shell-exec", + "query": "language:go exec.Command \"sh\" \"-c\"", + "severity": "CRITICAL", + "description": "CWE-78: Shell command execution" + }, + "count": 35584, + "top_repos": [ + { + "name": "appuio/acme-tiny", + "stars": 0, + "forks": 0, + "url": "https://github.com/appuio/acme-tiny", + "file": "docker/sh.go" + }, + { + "name": "otm/blade", + "stars": 68, + "forks": 1, + "url": "https://github.com/otm/blade", + "file": "lua.go" + }, + { + "name": "Shopify/go-lua", + "stars": 3426, + "forks": 207, + "url": "https://github.com/Shopify/go-lua", + "file": "os.go" + }, + { + "name": "apex/up", + "stars": 8808, + "forks": 389, 
+ "url": "https://github.com/apex/up", + "file": "up.go" + }, + { + "name": "julz/just", + "stars": 0, + "forks": 0, + "url": "https://github.com/julz/just", + "file": "cmd.go" + }, + { + "name": "codeskyblue/go-sh", + "stars": 1133, + "forks": 137, + "url": "https://github.com/codeskyblue/go-sh", + "file": "sh.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1116, + "forks": 74, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "kayac/sqsjkr", + "stars": 13, + "forks": 1, + "url": "https://github.com/kayac/sqsjkr", + "file": "job.go" + }, + { + "name": "gokrazy/breakglass", + "stars": 81, + "forks": 12, + "url": "https://github.com/gokrazy/breakglass", + "file": "ssh.go" + }, + { + "name": "lianhong2758/kokomi-plugin", + "stars": 28, + "forks": 7, + "url": "https://github.com/lianhong2758/kokomi-plugin", + "file": "shu.go" + } + ], + "searched_at": "2026-03-29T00:39:12Z" + } + ] +} \ No newline at end of file
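Review bot: in the REPORT.md breakdown hunk, the numbers labelled "Total Vulnerable Instances" and "Instances" are raw GitHub code-search hit counts (the queries are the `query` fields in scan_20260329.json), not verified findings, and several pattern descriptions mislabel the construct they count. "CWE-502: JSON deserialization into interface{}" (and the YAML and XML variants): in Go, unmarshalling into interface{} yields only map[string]interface{}, []interface{}, string, float64, bool and nil; it never instantiates an attacker-chosen type, so this is not a CWE-502 deserialization problem and CRITICAL is the wrong severity for it. The "Using yaml.v2 (vulnerable to custom tags)" line is not substantiated anywhere in the patch, and go-yaml does not construct arbitrary Go types from tags. "CWE-79: Potential XSS via HTML template rendering" comes from the query `language:go "html/template" HTML`; html/template is the context-aware auto-escaping package, so this counts the mitigation as the bug (text/template used for HTML output would be the risky case). "CWE-78: exec.Command with string formatting" comes from `"exec.Command" "fmt.Sprintf"`; exec.Command passes argv without a shell, so a Sprintf-built argument is not command injection unless it ends up in `sh -c`, which is already the separate cwe78-shell-exec pattern. The per-CWE subtotals do reconcile with the pattern counts (for example 113152 + 7908 + 55168 + 3808 + 7268 = 187304), so the arithmetic is fine; what needs fixing is the wording. Suggest renaming the metric to "code search matches", printing the query next to each count, and dropping or reclassifying the interface{} and html/template patterns before the totals are presented as "Total Impact".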
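Review bot: in the scan_20260329.json hunk, the same repository and file appear under more than one pattern, and the queries overlap by construction, so any total that sums over `results` double-counts: koding/multiconfig file.go is listed under both cwe502-yaml-unmarshal-interface and cwe502-yaml-v2-import, subspacecloud/subspace web.go under both CWE-79 patterns, mattn/qq qq.go, coocood/qbs qbs.go and LunaNode/lobster vm.go under both cwe89-sql-query-concat and cwe89-sql-exec-concat, tenox7/wrp wrp.go under a CWE-79 and a CWE-22 pattern, nlf/dlite ssh.go and ondrajz/go-callvis under a CWE-22 and a CWE-78 pattern, and canonical/lxd under cwe22-os-open-user-input and cwe78-exec-command-user-input. If `total_vulnerable` (401928), `total_stars` (260537) and `total_forks` (23978) are sums over these per-pattern results, dedupe by repository (and by file for the instance count) before summing, or state in the file that the totals are not deduplicated. Several top hits are documentation files rather than code (uber-go/config doc.go, go-validator/validator doc.go, auth0/go-jwt-middleware doc.go, robfig/soy doc.go, sajari/docconv doc.go, ardanlabs/kit mapstructure/doc.go), which shows the queries match text, not calls. Two queries are weaker than their names suggest: `"db.Exec" "+" ` matches any file containing a `+` anywhere and carries a trailing space, and cwe22-ioutil-readfile-param uses `"ioutil.ReadFile" "filepath.Join"` with no user-input term at all despite the "-param" name, so its 8080 hits include every config or fixture loader. Minor: the file ends without a trailing newline (`\ No newline at end of file`); emit one so the next regeneration does not diff the closing brace.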