diff --git a/README.md b/README.md index 29fe8e5..9496022 100644 --- a/README.md +++ b/README.md @@ -14,13 +14,13 @@ | CWE | Vulnerability | Instances | Severity | |-----|--------------|-----------|----------| -| ![CWE-502](https://img.shields.io/badge/CWE--502-195116-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | -| ![CWE-79](https://img.shields.io/badge/CWE--79-48176-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | -| ![CWE-89](https://img.shields.io/badge/CWE--89-68872-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | -| ![CWE-22](https://img.shields.io/badge/CWE--22-15128-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | -| ![CWE-78](https://img.shields.io/badge/CWE--78-84360-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | +| ![CWE-502](https://img.shields.io/badge/CWE--502-198436-critical?style=flat-square) | Deserialization of Untrusted Data | **166240** | 🔴 CRITICAL | +| ![CWE-79](https://img.shields.io/badge/CWE--79-50008-red?style=flat-square) | Cross-site Scripting (XSS) | **46156** | 🟠 HIGH | +| ![CWE-89](https://img.shields.io/badge/CWE--89-59176-critical?style=flat-square) | SQL Injection | **54904** | 🔴 CRITICAL | +| ![CWE-22](https://img.shields.io/badge/CWE--22-14664-red?style=flat-square) | Path Traversal | **46156** | 🟠 HIGH | +| ![CWE-78](https://img.shields.io/badge/CWE--78-84784-critical?style=flat-square) | OS Command Injection | **69164** | 🔴 CRITICAL | -**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-411652-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-172529-blue?style=for-the-badge) +**Total Impact:** ![Total Vulnerable](https://img.shields.io/badge/total_vulnerable-407068-critical?style=for-the-badge) ![Stars Affected](https://img.shields.io/badge/stars_affected-164163-blue?style=for-the-badge) --- 
diff --git a/metrics/REPORT.md b/metrics/REPORT.md index 6c93355..a01e6cb 100644 --- a/metrics/REPORT.md +++ b/metrics/REPORT.md @@ -1,6 +1,6 @@ # Go Ecosystem Vulnerability Impact Report -**Generated:** 2026-04-12 00:41 UTC +**Generated:** 2026-05-03 00:49 UTC **Scanner:** [go-safeinput](https://github.com/ravisastryk/go-safeinput) **Coverage:** MITRE CWE Top 25 vulnerabilities 
@@ -8,54 +8,54 @@ | Metric | Value | |--------|-------| -| **Total Vulnerable Instances** | **411652** | -| Total Stars Affected | 172529 | -| Total Forks Affected | 16671 | +| **Total Vulnerable Instances** | **407068** | +| Total Stars Affected | 164163 | +| Total Forks Affected | 15584 | | CWEs Analyzed | 5 | ## Vulnerability Breakdown by CWE | CWE | Vulnerability Type | Instances | Severity | |-----|-------------------|-----------|----------| -| **CWE-502** | Deserialization of Untrusted Data | **195116** | CRITICAL | -| **CWE-79** | Cross-site Scripting (XSS) | **48176** | HIGH | -| **CWE-89** | SQL Injection | **68872** | CRITICAL | -| **CWE-22** | Path Traversal | **15128** | HIGH | -| **CWE-78** | OS Command Injection | **84360** | CRITICAL | +| **CWE-502** | Deserialization of Untrusted Data | **198436** | CRITICAL | +| **CWE-79** | Cross-site Scripting (XSS) | **50008** | HIGH | +| **CWE-89** | SQL Injection | **59176** | CRITICAL | +| **CWE-22** | Path Traversal | **14664** | HIGH | +| **CWE-78** | OS Command Injection | **84784** | CRITICAL | ## Detailed Pattern Analysis ### CWE-502: Deserialization of Untrusted Data -- **CWE-502: JSON deserialization into interface{}**: 121600 instances -- **CWE-502: YAML deserialization into interface{}**: 6428 instances -- **CWE-502: JSON decoder into interface{}**: 55296 instances -- **CWE-502: XML deserialization into interface{}**: 3520 instances -- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 8272 instances +- **CWE-502: JSON deserialization into interface{}**: 120576 instances +- **CWE-502: YAML deserialization into interface{}**: 6300 instances +- **CWE-502: JSON decoder into interface{}**: 58368 instances +- **CWE-502: XML deserialization into interface{}**: 2864 instances +- **CWE-502: Using yaml.v2 (vulnerable to custom tags)**: 10328 instances ### CWE-79: Cross-site Scripting (XSS) -- **CWE-79: Potential XSS via HTML template rendering**: 9968 instances -- **CWE-79: Direct write to ResponseWriter 
(potential XSS)**: 35200 instances -- **CWE-79: Using template.JS (bypasses escaping)**: 3008 instances +- **CWE-79: Potential XSS via HTML template rendering**: 10152 instances +- **CWE-79: Direct write to ResponseWriter (potential XSS)**: 36800 instances +- **CWE-79: Using template.JS (bypasses escaping)**: 3056 instances ### CWE-89: SQL Injection -- **CWE-89: SQL query with string concatenation**: 11688 instances -- **CWE-89: SQL exec with string concatenation**: 32160 instances -- **CWE-89: Raw SQL with string interpolation**: 25024 instances +- **CWE-89: SQL query with string concatenation**: 10856 instances +- **CWE-89: SQL exec with string concatenation**: 26688 instances +- **CWE-89: Raw SQL with string interpolation**: 21632 instances ### CWE-22: Path Traversal -- **CWE-22: filepath.Join with user input**: 4624 instances -- **CWE-22: os.Open with user-controlled path**: 1144 instances -- **CWE-22: File read with constructed path**: 9360 instances +- **CWE-22: filepath.Join with user input**: 5872 instances +- **CWE-22: os.Open with user-controlled path**: 1184 instances +- **CWE-22: File read with constructed path**: 7608 instances ### CWE-78: OS Command Injection -- **CWE-78: exec.Command with user input**: 968 instances -- **CWE-78: exec.Command with string formatting**: 46272 instances -- **CWE-78: Shell command execution**: 37120 instances +- **CWE-78: exec.Command with user input**: 1072 instances +- **CWE-78: exec.Command with string formatting**: 45568 instances +- **CWE-78: Shell command execution**: 38144 instances ## Fix with go-safeinput diff --git a/metrics/scan_20260503.json b/metrics/scan_20260503.json new file mode 100644 index 0000000..42ffec4 --- /dev/null +++ b/metrics/scan_20260503.json 
@@ -0,0 +1,1404 @@ +{ + "generated_at": "2026-05-03T00:47:18Z", + "scanner": "go-safeinput-scanner", + "scanner_repo": "https://github.com/ravisastryk/go-safeinput", + "total_vulnerable": 407068, + "total_stars": 164163, + "total_forks": 15584, + "results": [ + { + "pattern": { + "name": "cwe502-json-unmarshal-interface", + "query": "language:go \"json.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON deserialization into interface{}" + }, + "count": 120576, + "top_repos": [ + { + "name": "zserge/lorca", + "stars": 8200, + "forks": 541, + "url": "https://github.com/zserge/lorca", + "file": "ui.go" + }, + { + "name": "mattn/go-v8", + "stars": 267, + "forks": 37, + "url": "https://github.com/mattn/go-v8", + "file": "v8.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1116, + "forks": 73, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "manyminds/api2go", + "stars": 720, + "forks": 96, + "url": "https://github.com/manyminds/api2go", + "file": "api.go" + }, + { + "name": "mailgun/holster", + "stars": 297, + "forks": 32, + "url": "https://github.com/mailgun/holster", + "file": "election/rpc.go" + }, + { + "name": "ardanlabs/kit", + "stars": 247, + "forks": 57, + "url": "https://github.com/ardanlabs/kit", + "file": "mapstructure/doc.go" + }, + { + "name": "iopred/bruxism", + "stars": 147, + "forks": 20, + "url": "https://github.com/iopred/bruxism", + "file": "bot.go" + }, + { + "name": "mix-go/mix", + "stars": 855, + "forks": 71, + "url": "https://github.com/mix-go/mix", + "file": "src/xsql/db.go" + }, + { + "name": "dunlinplugin/dunlin-cni", + "stars": 7, + "forks": 1, + "url": "https://github.com/dunlinplugin/dunlin-cni", + "file": "cni.go" + }, + { + "name": "kazuhitoyokoi/node-red-wasm", + "stars": 14, + "forks": 3, + "url": "https://github.com/kazuhitoyokoi/node-red-wasm", + "file": "red.go" + } + ], + "searched_at": "2026-05-03T00:47:18Z" + }, + { + "pattern": { + "name": 
"cwe502-yaml-unmarshal-interface", + "query": "language:go \"yaml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: YAML deserialization into interface{}" + }, + "count": 6300, + "top_repos": [ + { + "name": "vektra/tachyon", + "stars": 280, + "forks": 27, + "url": "https://github.com/vektra/tachyon", + "file": "util.go" + }, + { + "name": "helmfile/vals", + "stars": 747, + "forks": 99, + "url": "https://github.com/helmfile/vals", + "file": "vals.go" + }, + { + "name": "MarioCarrion/videos", + "stars": 133, + "forks": 54, + "url": "https://github.com/MarioCarrion/videos", + "file": "2022/09/16/thirdpartylib/main.go" + }, + { + "name": "koding/multiconfig", + "stars": 450, + "forks": 62, + "url": "https://github.com/koding/multiconfig", + "file": "file.go" + }, + { + "name": "GroundSix/asink", + "stars": 25, + "forks": 0, + "url": "https://github.com/GroundSix/asink", + "file": "yaml.go" + }, + { + "name": "tsg/gotpl", + "stars": 94, + "forks": 36, + "url": "https://github.com/tsg/gotpl", + "file": "tpl.go" + }, + { + "name": "CMGS/levi", + "stars": 13, + "forks": 0, + "url": "https://github.com/CMGS/levi", + "file": "env.go" + }, + { + "name": "stelligent/yq", + "stars": 3, + "forks": 2, + "url": "https://github.com/stelligent/yq", + "file": "yq.go" + }, + { + "name": "PremiereGlobal/mkdocs-generator", + "stars": 2, + "forks": 1, + "url": "https://github.com/PremiereGlobal/mkdocs-generator", + "file": "nav.go" + }, + { + "name": "KompiTech/rmap", + "stars": 3, + "forks": 1, + "url": "https://github.com/KompiTech/rmap", + "file": "rmap.go" + } + ], + "searched_at": "2026-05-03T00:47:28Z" + }, + { + "pattern": { + "name": "cwe502-json-decoder-interface", + "query": "language:go \"json.NewDecoder\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: JSON decoder into interface{}" + }, + "count": 58368, + "top_repos": [ + { + "name": "astaxie/bat", + "stars": 2563, + "forks": 218, + "url": 
"https://github.com/astaxie/bat", + "file": "bat.go" + }, + { + "name": "Shopify/toxiproxy", + "stars": 12003, + "forks": 499, + "url": "https://github.com/Shopify/toxiproxy", + "file": "api.go" + }, + { + "name": "jmespath/jp", + "stars": 783, + "forks": 48, + "url": "https://github.com/jmespath/jp", + "file": "jp.go" + }, + { + "name": "piqoni/hn-text", + "stars": 510, + "forks": 11, + "url": "https://github.com/piqoni/hn-text", + "file": "web.go" + }, + { + "name": "manishrjain/gocrud", + "stars": 307, + "forks": 23, + "url": "https://github.com/manishrjain/gocrud", + "file": "x/x.go" + }, + { + "name": "shurcooL/githubv4", + "stars": 1186, + "forks": 95, + "url": "https://github.com/shurcooL/githubv4", + "file": "gen.go" + }, + { + "name": "wish/eventmaster", + "stars": 11, + "forks": 6, + "url": "https://github.com/wish/eventmaster", + "file": "dcs.go" + }, + { + "name": "kkyr/fig", + "stars": 384, + "forks": 33, + "url": "https://github.com/kkyr/fig", + "file": "fig.go" + }, + { + "name": "caltechlibrary/datatools", + "stars": 80, + "forks": 9, + "url": "https://github.com/caltechlibrary/datatools", + "file": "csv.go" + }, + { + "name": "mattn/go-v8", + "stars": 267, + "forks": 37, + "url": "https://github.com/mattn/go-v8", + "file": "v8.go" + } + ], + "searched_at": "2026-05-03T00:47:37Z" + }, + { + "pattern": { + "name": "cwe502-xml-unmarshal-interface", + "query": "language:go \"xml.Unmarshal\" \"interface{}\"", + "severity": "CRITICAL", + "description": "CWE-502: XML deserialization into interface{}" + }, + "count": 2864, + "top_repos": [ + { + "name": "eatmoreapple/openwechat", + "stars": 5478, + "forks": 1006, + "url": "https://github.com/eatmoreapple/openwechat", + "file": "message.go" + }, + { + "name": "devfeel/dotweb", + "stars": 1382, + "forks": 179, + "url": "https://github.com/devfeel/dotweb", + "file": "bind.go" + }, + { + "name": "aliyun/aliyun-oss-go-sdk", + "stars": 983, + "forks": 229, + "url": "https://github.com/aliyun/aliyun-oss-go-sdk", 
+ "file": "oss/conn.go" + }, + { + "name": "esap/wechat", + "stars": 482, + "forks": 93, + "url": "https://github.com/esap/wechat", + "file": "server.go" + }, + { + "name": "xormplus/xorm", + "stars": 1557, + "forks": 220, + "url": "https://github.com/xormplus/xorm", + "file": "sqlmap.go" + }, + { + "name": "jotform/jotform-api-go", + "stars": 3, + "forks": 8, + "url": "https://github.com/jotform/jotform-api-go", + "file": "JotForm.go" + }, + { + "name": "xteve-project/xTeVe", + "stars": 2227, + "forks": 257, + "url": "https://github.com/xteve-project/xTeVe", + "file": "src/xepg.go" + }, + { + "name": "xendit/xendit-go", + "stars": 157, + "forks": 59, + "url": "https://github.com/xendit/xendit-go", + "file": "client.go" + }, + { + "name": "fwhezfwhez/tcpx", + "stars": 235, + "forks": 45, + "url": "https://github.com/fwhezfwhez/tcpx", + "file": "pack-type.go" + }, + { + "name": "Apress/network-prog-with-go", + "stars": 112, + "forks": 44, + "url": "https://github.com/Apress/network-prog-with-go", + "file": "Ch15/XML.go" + } + ], + "searched_at": "2026-05-03T00:47:46Z" + }, + { + "pattern": { + "name": "cwe502-yaml-v2-import", + "query": "language:go \"gopkg.in/yaml.v2\"", + "severity": "HIGH", + "description": "CWE-502: Using yaml.v2 (vulnerable to custom tags)" + }, + "count": 10328, + "top_repos": [ + { + "name": "nwidger/nintengo", + "stars": 1297, + "forks": 52, + "url": "https://github.com/nwidger/nintengo", + "file": "main.go" + }, + { + "name": "koding/multiconfig", + "stars": 450, + "forks": 62, + "url": "https://github.com/koding/multiconfig", + "file": "file.go" + }, + { + "name": "kwf2030/hiprice-chatbot", + "stars": 88, + "forks": 10, + "url": "https://github.com/kwf2030/hiprice-chatbot", + "file": "conf.go" + }, + { + "name": "estafette/estafette-ci-manifest", + "stars": 3, + "forks": 0, + "url": "https://github.com/estafette/estafette-ci-manifest", + "file": "bot.go" + }, + { + "name": "latonaio/microservice-monitor", + "stars": 10, + "forks": 0, + 
"url": "https://github.com/latonaio/microservice-monitor", + "file": "env.go" + }, + { + "name": "kyosu-1/batcha", + "stars": 7, + "forks": 0, + "url": "https://github.com/kyosu-1/batcha", + "file": "init.go" + }, + { + "name": "samthor/nicehttp", + "stars": 4, + "forks": 0, + "url": "https://github.com/samthor/nicehttp", + "file": "gae.go" + }, + { + "name": "coryschwartz/tgbridge", + "stars": 0, + "forks": 0, + "url": "https://github.com/coryschwartz/tgbridge", + "file": "git.go" + }, + { + "name": "moul/pipotron", + "stars": 11, + "forks": 4, + "url": "https://github.com/moul/pipotron", + "file": "main.go" + }, + { + "name": "babarot/github-labeler", + "stars": 77, + "forks": 8, + "url": "https://github.com/babarot/github-labeler", + "file": "cli.go" + } + ], + "searched_at": "2026-05-03T00:47:55Z" + }, + { + "pattern": { + "name": "cwe79-html-template-unescaped", + "query": "language:go \"html/template\" HTML", + "severity": "HIGH", + "description": "CWE-79: Potential XSS via HTML template rendering" + }, + "count": 10152, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2597, + "forks": 450, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "choonkeat/dom-go", + "stars": 2, + "forks": 0, + "url": "https://github.com/choonkeat/dom-go", + "file": "dom.go" + }, + { + "name": "darkhelmet/ForrestFire", + "stars": 95, + "forks": 7, + "url": "https://github.com/darkhelmet/ForrestFire", + "file": "app.go" + }, + { + "name": "yahoo/webseclab", + "stars": 908, + "forks": 66, + "url": "https://github.com/yahoo/webseclab", + "file": "ctx.go" + }, + { + "name": "SSLMate/dcv-inspector", + "stars": 22, + "forks": 3, + "url": "https://github.com/SSLMate/dcv-inspector", + "file": "bgp.go" + }, + { + "name": "acsellers/multitemplate", + "stars": 16, + "forks": 1, + "url": "https://github.com/acsellers/multitemplate", + "file": "doc.go" + }, + { + "name": "chuckha/julia-playground", + "stars": 2, + "forks": 0, + "url": 
"https://github.com/chuckha/julia-playground", + "file": "web.go" + }, + { + "name": "godwhoa/todo", + "stars": 0, + "forks": 0, + "url": "https://github.com/godwhoa/todo", + "file": "main.go" + }, + { + "name": "ametis70/hellbot", + "stars": 0, + "forks": 0, + "url": "https://github.com/ametis70/hellbot", + "file": "db.go" + }, + { + "name": "cls1991/xls2db-go", + "stars": 24, + "forks": 14, + "url": "https://github.com/cls1991/xls2db-go", + "file": "app.go" + } + ], + "searched_at": "2026-05-03T00:48:03Z" + }, + { + "pattern": { + "name": "cwe79-writer-write-user-input", + "query": "language:go \"fmt.Fprintf\" \"w http.ResponseWriter\"", + "severity": "HIGH", + "description": "CWE-79: Direct write to ResponseWriter (potential XSS)" + }, + "count": 36800, + "top_repos": [ + { + "name": "subspacecloud/subspace", + "stars": 2597, + "forks": 450, + "url": "https://github.com/subspacecloud/subspace", + "file": "web.go" + }, + { + "name": "h2non/imaginary", + "stars": 6047, + "forks": 494, + "url": "https://github.com/h2non/imaginary", + "file": "log.go" + }, + { + "name": "boringproxy/boringproxy", + "stars": 1371, + "forks": 133, + "url": "https://github.com/boringproxy/boringproxy", + "file": "api.go" + }, + { + "name": "dailymotion/oplog", + "stars": 111, + "forks": 13, + "url": "https://github.com/dailymotion/oplog", + "file": "sse.go" + }, + { + "name": "lonnc/golang-nw", + "stars": 192, + "forks": 26, + "url": "https://github.com/lonnc/golang-nw", + "file": "doc.go" + }, + { + "name": "moneymanagerex/general-reports", + "stars": 83, + "forks": 50, + "url": "https://github.com/moneymanagerex/general-reports", + "file": "grm.go" + }, + { + "name": "rs/xmux", + "stars": 100, + "forks": 11, + "url": "https://github.com/rs/xmux", + "file": "mux.go" + }, + { + "name": "andybalholm/redwood", + "stars": 251, + "forks": 37, + "url": "https://github.com/andybalholm/redwood", + "file": "pac.go" + }, + { + "name": "soundscapecloud/soundscape", + "stars": 748, + "forks": 46, 
+ "url": "https://github.com/soundscapecloud/soundscape", + "file": "web.go" + }, + { + "name": "gsvaldevieso/go-dream-architecture", + "stars": 71, + "forks": 9, + "url": "https://github.com/gsvaldevieso/go-dream-architecture", + "file": "app.go" + } + ], + "searched_at": "2026-05-03T00:48:12Z" + }, + { + "pattern": { + "name": "cwe79-template-js", + "query": "language:go template.JS", + "severity": "HIGH", + "description": "CWE-79: Using template.JS (bypasses escaping)" + }, + "count": 3056, + "top_repos": [ + { + "name": "leanote/leanote", + "stars": 11702, + "forks": 2445, + "url": "https://github.com/leanote/leanote", + "file": "app/init.go" + }, + { + "name": "schollz/find", + "stars": 5091, + "forks": 369, + "url": "https://github.com/schollz/find", + "file": "routes.go" + }, + { + "name": "fullstorydev/grpcui", + "stars": 5889, + "forks": 423, + "url": "https://github.com/fullstorydev/grpcui", + "file": "webform.go" + }, + { + "name": "selinuxG/Golin", + "stars": 1790, + "forks": 259, + "url": "https://github.com/selinuxG/Golin", + "file": "scan/end.go" + }, + { + "name": "divan/gobenchui", + "stars": 527, + "forks": 28, + "url": "https://github.com/divan/gobenchui", + "file": "web.go" + }, + { + "name": "swaggo/http-swagger", + "stars": 565, + "forks": 86, + "url": "https://github.com/swaggo/http-swagger", + "file": "swagger.go" + }, + { + "name": "roblaszczak/vgt", + "stars": 363, + "forks": 3, + "url": "https://github.com/roblaszczak/vgt", + "file": "html.go" + }, + { + "name": "philippta/flyscrape", + "stars": 1342, + "forks": 43, + "url": "https://github.com/philippta/flyscrape", + "file": "js.go" + }, + { + "name": "remind101/emp", + "stars": 36, + "forks": 7, + "url": "https://github.com/remind101/emp", + "file": "help.go" + }, + { + "name": "shima-park/agollo", + "stars": 289, + "forks": 53, + "url": "https://github.com/shima-park/agollo", + "file": "string.go" + } + ], + "searched_at": "2026-05-03T00:48:20Z" + }, + { + "pattern": { + "name": 
"cwe89-sql-query-concat", + "query": "language:go \"db.Query\" \"fmt.Sprintf\"", + "severity": "CRITICAL", + "description": "CWE-89: SQL query with string concatenation" + }, + "count": 10856, + "top_repos": [ + { + "name": "haxpax/gosms", + "stars": 1470, + "forks": 150, + "url": "https://github.com/haxpax/gosms", + "file": "db.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "nao1215/filesql", + "stars": 371, + "forks": 10, + "url": "https://github.com/nao1215/filesql", + "file": "ach.go" + }, + { + "name": "ekzhu/josie", + "stars": 19, + "forks": 5, + "url": "https://github.com/ekzhu/josie", + "file": "io.go" + }, + { + "name": "kanatohodets/carbonsearch", + "stars": 23, + "forks": 4, + "url": "https://github.com/kanatohodets/carbonsearch", + "file": "main.go" + }, + { + "name": "canonical/lxd-demo-server", + "stars": 71, + "forks": 25, + "url": "https://github.com/canonical/lxd-demo-server", + "file": "db.go" + }, + { + "name": "IonRh/TGBot_RSS", + "stars": 425, + "forks": 24, + "url": "https://github.com/IonRh/TGBot_RSS", + "file": "TGRSSBot/rss.go" + }, + { + "name": "faisaltheparttimecoder/mock-data", + "stars": 136, + "forks": 33, + "url": "https://github.com/faisaltheparttimecoder/mock-data", + "file": "sql.go" + }, + { + "name": "cristosal/orm", + "stars": 0, + "forks": 0, + "url": "https://github.com/cristosal/orm", + "file": "orm.go" + }, + { + "name": "mattn/qq", + "stars": 166, + "forks": 4, + "url": "https://github.com/mattn/qq", + "file": "qq.go" + } + ], + "searched_at": "2026-05-03T00:48:28Z" + }, + { + "pattern": { + "name": "cwe89-sql-exec-concat", + "query": "language:go \"db.Exec\" \"+\" ", + "severity": "CRITICAL", + "description": "CWE-89: SQL exec with string concatenation" + }, + "count": 26688, + "top_repos": [ + { + "name": "go-pg/pg", + "stars": 5783, + "forks": 413, + "url": "https://github.com/go-pg/pg", + "file": "tx.go" + }, 
+ { + "name": "mattn/qq", + "stars": 166, + "forks": 4, + "url": "https://github.com/mattn/qq", + "file": "qq.go" + }, + { + "name": "uadmin/uadmin", + "stars": 355, + "forks": 62, + "url": "https://github.com/uadmin/uadmin", + "file": "db.go" + }, + { + "name": "coocood/qbs", + "stars": 544, + "forks": 96, + "url": "https://github.com/coocood/qbs", + "file": "qbs.go" + }, + { + "name": "LunaNode/lobster", + "stars": 84, + "forks": 24, + "url": "https://github.com/LunaNode/lobster", + "file": "vm.go" + }, + { + "name": "kwf2030/hiprice-chatbot", + "stars": 88, + "forks": 10, + "url": "https://github.com/kwf2030/hiprice-chatbot", + "file": "msg.go" + }, + { + "name": "TritonHo/demo", + "stars": 154, + "forks": 27, + "url": "https://github.com/TritonHo/demo", + "file": "cat.go" + }, + { + "name": "johnlui/DIYSearchEngine", + "stars": 700, + "forks": 98, + "url": "https://github.com/johnlui/DIYSearchEngine", + "file": "art.go" + }, + { + "name": "stumpyfr/yubikey-server", + "stars": 128, + "forks": 16, + "url": "https://github.com/stumpyfr/yubikey-server", + "file": "dal.go" + }, + { + "name": "osuripple/hanayo", + "stars": 11, + "forks": 52, + "url": "https://github.com/osuripple/hanayo", + "file": "dev.go" + } + ], + "searched_at": "2026-05-03T00:48:37Z" + }, + { + "pattern": { + "name": "cwe89-raw-sql-interpolation", + "query": "language:go \"database/sql\" fmt.Sprintf SELECT", + "severity": "CRITICAL", + "description": "CWE-89: Raw SQL with string interpolation" + }, + "count": 21632, + "top_repos": [ + { + "name": "go-gorm/gen", + "stars": 2548, + "forks": 356, + "url": "https://github.com/go-gorm/gen", + "file": "do.go" + }, + { + "name": "QLeelulu/goku", + "stars": 273, + "forks": 65, + "url": "https://github.com/QLeelulu/goku", + "file": "db.go" + }, + { + "name": "gernest/orange", + "stars": 22, + "forks": 4, + "url": "https://github.com/gernest/orange", + "file": "sql.go" + }, + { + "name": "arp242/zdb", + "stars": 14, + "forks": 1, + "url": 
"https://github.com/arp242/zdb", + "file": "zdb.go" + }, + { + "name": "ysugimoto/gqb", + "stars": 5, + "forks": 1, + "url": "https://github.com/ysugimoto/gqb", + "file": "gqb.go" + }, + { + "name": "rsc/dbstore", + "stars": 48, + "forks": 3, + "url": "https://github.com/rsc/dbstore", + "file": "db.go" + }, + { + "name": "gadp22/crema", + "stars": 1, + "forks": 0, + "url": "https://github.com/gadp22/crema", + "file": "dao.go" + }, + { + "name": "rpadovani/sqlx-v2", + "stars": 2, + "forks": 0, + "url": "https://github.com/rpadovani/sqlx-v2", + "file": "tx.go" + }, + { + "name": "wibu-gaptek/qix", + "stars": 3, + "forks": 1, + "url": "https://github.com/wibu-gaptek/qix", + "file": "qix.go" + }, + { + "name": "ruhulfbr/golang-basic", + "stars": 0, + "forks": 0, + "url": "https://github.com/ruhulfbr/golang-basic", + "file": "qb.go" + } + ], + "searched_at": "2026-05-03T00:48:45Z" + }, + { + "pattern": { + "name": "cwe22-filepath-join-user-input", + "query": "language:go \"filepath.Join\" \"r.URL.Query\"", + "severity": "HIGH", + "description": "CWE-22: filepath.Join with user input" + }, + "count": 5872, + "top_repos": [ + { + "name": "kelseyhightower/coreos-ipxe-server", + "stars": 221, + "forks": 49, + "url": "https://github.com/kelseyhightower/coreos-ipxe-server", + "file": "api.go" + }, + { + "name": "pldubouilh/gossa", + "stars": 1081, + "forks": 80, + "url": "https://github.com/pldubouilh/gossa", + "file": "gossa.go" + }, + { + "name": "esell/deb-simple", + "stars": 242, + "forks": 19, + "url": "https://github.com/esell/deb-simple", + "file": "http.go" + }, + { + "name": "sgreben/http-file-server", + "stars": 231, + "forks": 39, + "url": "https://github.com/sgreben/http-file-server", + "file": "server.go" + }, + { + "name": "Monibuca/plugin-record", + "stars": 41, + "forks": 39, + "url": "https://github.com/Monibuca/plugin-record", + "file": "vod.go" + }, + { + "name": "p1d3er/RemoteWebScreen", + "stars": 467, + "forks": 63, + "url": 
"https://github.com/p1d3er/RemoteWebScreen", + "file": "main.go" + }, + { + "name": "nielsAD/autoindex", + "stars": 41, + "forks": 8, + "url": "https://github.com/nielsAD/autoindex", + "file": "fs.go" + }, + { + "name": "picosh/git-pr", + "stars": 356, + "forks": 8, + "url": "https://github.com/picosh/git-pr", + "file": "web.go" + }, + { + "name": "tanaikech/ggsrun", + "stars": 161, + "forks": 18, + "url": "https://github.com/tanaikech/ggsrun", + "file": "oauth.go" + }, + { + "name": "phonkee/gopypi", + "stars": 76, + "forks": 5, + "url": "https://github.com/phonkee/gopypi", + "file": "views.go" + } + ], + "searched_at": "2026-05-03T00:48:54Z" + }, + { + "pattern": { + "name": "cwe22-os-open-user-input", + "query": "language:go \"os.Open\" \"r.FormValue\"", + "severity": "HIGH", + "description": "CWE-22: os.Open with user-controlled path" + }, + "count": 1184, + "top_repos": [ + { + "name": "wallix/awless", + "stars": 4967, + "forks": 258, + "url": "https://github.com/wallix/awless", + "file": "web/web.go" + }, + { + "name": "porjo/youtubeuploader", + "stars": 873, + "forks": 112, + "url": "https://github.com/porjo/youtubeuploader", + "file": "oauth.go" + }, + { + "name": "tinygo-org/playground", + "stars": 36, + "forks": 9, + "url": "https://github.com/tinygo-org/playground", + "file": "main.go" + }, + { + "name": "cloud66-oss/starter", + "stars": 312, + "forks": 55, + "url": "https://github.com/cloud66-oss/starter", + "file": "api.go" + }, + { + "name": "ptt/pttweb", + "stars": 218, + "forks": 31, + "url": "https://github.com/ptt/pttweb", + "file": "pttweb.go" + }, + { + "name": "wizjin/weixin", + "stars": 190, + "forks": 76, + "url": "https://github.com/wizjin/weixin", + "file": "weixin.go" + }, + { + "name": "subutai-io/cdn", + "stars": 19, + "forks": 13, + "url": "https://github.com/subutai-io/cdn", + "file": "apt/apt.go" + }, + { + "name": "cookieY/yee", + "stars": 74, + "forks": 25, + "url": "https://github.com/cookieY/yee", + "file": "context.go" + }, + { + 
"name": "gerow/sbserv", + "stars": 9, + "forks": 1, + "url": "https://github.com/gerow/sbserv", + "file": "sbserv.go" + }, + { + "name": "jamra/gocleo", + "stars": 87, + "forks": 10, + "url": "https://github.com/jamra/gocleo", + "file": "cleo.go" + } + ], + "searched_at": "2026-05-03T00:49:03Z" + }, + { + "pattern": { + "name": "cwe22-ioutil-readfile-param", + "query": "language:go \"ioutil.ReadFile\" \"filepath.Join\"", + "severity": "HIGH", + "description": "CWE-22: File read with constructed path" + }, + "count": 7608, + "top_repos": [ + { + "name": "utkusen/urlhunter", + "stars": 1677, + "forks": 116, + "url": "https://github.com/utkusen/urlhunter", + "file": "main.go" + }, + { + "name": "mailgun/godebug", + "stars": 2483, + "forks": 102, + "url": "https://github.com/mailgun/godebug", + "file": "cmd.go" + }, + { + "name": "nlf/dlite", + "stars": 2325, + "forks": 53, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "golang101/golang101", + "stars": 5011, + "forks": 459, + "url": "https://github.com/golang101/golang101", + "file": "gen.go" + }, + { + "name": "vwxyzjn/portwarden", + "stars": 634, + "forks": 35, + "url": "https://github.com/vwxyzjn/portwarden", + "file": "core.go" + }, + { + "name": "fragmenta/fragmenta", + "stars": 295, + "forks": 39, + "url": "https://github.com/fragmenta/fragmenta", + "file": "new.go" + }, + { + "name": "zerotier/zerotier-systemd-manager", + "stars": 72, + "forks": 8, + "url": "https://github.com/zerotier/zerotier-systemd-manager", + "file": "mgr.go" + }, + { + "name": "cloud66-oss/starter", + "stars": 312, + "forks": 55, + "url": "https://github.com/cloud66-oss/starter", + "file": "api.go" + }, + { + "name": "cpuguy83/containerd-shim-systemd-v1", + "stars": 63, + "forks": 2, + "url": "https://github.com/cpuguy83/containerd-shim-systemd-v1", + "file": "pty.go" + }, + { + "name": "git-hooks/git-hooks", + "stars": 417, + "forks": 41, + "url": "https://github.com/git-hooks/git-hooks", + "file": 
"cli.go" + } + ], + "searched_at": "2026-05-03T00:49:11Z" + }, + { + "pattern": { + "name": "cwe78-exec-command-user-input", + "query": "language:go \"exec.Command\" \"r.FormValue\"", + "severity": "CRITICAL", + "description": "CWE-78: exec.Command with user input" + }, + "count": 1072, + "top_repos": [ + { + "name": "remind101/empire", + "stars": 2680, + "forks": 155, + "url": "https://github.com/remind101/empire", + "file": "cmd/emp/auth.go" + }, + { + "name": "gengo/goship", + "stars": 704, + "forks": 43, + "url": "https://github.com/gengo/goship", + "file": "deploy_handler.go" + }, + { + "name": "perkeep/perkeep", + "stars": 7120, + "forks": 482, + "url": "https://github.com/perkeep/perkeep", + "file": "pkg/server/app/app.go" + }, + { + "name": "apex/up-examples", + "stars": 392, + "forks": 45, + "url": "https://github.com/apex/up-examples", + "file": "oss/golang-shell/main.go" + }, + { + "name": "skycoin/skywire-testnet", + "stars": 160, + "forks": 63, + "url": "https://github.com/skycoin/skywire-testnet", + "file": "pkg/node/api/api.go" + }, + { + "name": "schollz/musicsaur", + "stars": 282, + "forks": 14, + "url": "https://github.com/schollz/musicsaur", + "file": "controls.go" + }, + { + "name": "golang/playground", + "stars": 799, + "forks": 205, + "url": "https://github.com/golang/playground", + "file": "sandbox.go" + }, + { + "name": "jingkaihe/koderunr", + "stars": 43, + "forks": 15, + "url": "https://github.com/jingkaihe/koderunr", + "file": "server/server.go" + }, + { + "name": "0x09AL/Browser-C2", + "stars": 103, + "forks": 28, + "url": "https://github.com/0x09AL/Browser-C2", + "file": "agent/agent.go" + }, + { + "name": "mehlium/g-wiki", + "stars": 117, + "forks": 16, + "url": "https://github.com/mehlium/g-wiki", + "file": "wiki.go" + } + ], + "searched_at": "2026-05-03T00:49:20Z" + }, + { + "pattern": { + "name": "cwe78-exec-command-concat", + "query": "language:go \"exec.Command\" \"fmt.Sprintf\"", + "severity": "CRITICAL", + "description": 
"CWE-78: exec.Command with string formatting" + }, + "count": 45568, + "top_repos": [ + { + "name": "nlf/dlite", + "stars": 2325, + "forks": 53, + "url": "https://github.com/nlf/dlite", + "file": "ssh.go" + }, + { + "name": "shunfei/cronsun", + "stars": 2921, + "forks": 457, + "url": "https://github.com/shunfei/cronsun", + "file": "job.go" + }, + { + "name": "pressly/sup", + "stars": 2517, + "forks": 184, + "url": "https://github.com/pressly/sup", + "file": "tar.go" + }, + { + "name": "noisetorch/NoiseTorch", + "stars": 10243, + "forks": 250, + "url": "https://github.com/noisetorch/NoiseTorch", + "file": "ui.go" + }, + { + "name": "x-motemen/ghq", + "stars": 3608, + "forks": 205, + "url": "https://github.com/x-motemen/ghq", + "file": "vcs.go" + }, + { + "name": "johnlauer/serial-port-json-server", + "stars": 361, + "forks": 168, + "url": "https://github.com/johnlauer/serial-port-json-server", + "file": "hub.go" + }, + { + "name": "codeskyblue/go-sh", + "stars": 1134, + "forks": 137, + "url": "https://github.com/codeskyblue/go-sh", + "file": "sh.go" + }, + { + "name": "costela/docker-volume-hetzner", + "stars": 118, + "forks": 16, + "url": "https://github.com/costela/docker-volume-hetzner", + "file": "os.go" + }, + { + "name": "divan/gobenchui", + "stars": 527, + "forks": 28, + "url": "https://github.com/divan/gobenchui", + "file": "cmd.go" + }, + { + "name": "uw-labs/strongbox", + "stars": 113, + "forks": 12, + "url": "https://github.com/uw-labs/strongbox", + "file": "age.go" + } + ], + "searched_at": "2026-05-03T00:49:28Z" + }, + { + "pattern": { + "name": "cwe78-shell-exec", + "query": "language:go exec.Command \"sh\" \"-c\"", + "severity": "CRITICAL", + "description": "CWE-78: Shell command execution" + }, + "count": 38144, + "top_repos": [ + { + "name": "appuio/acme-tiny", + "stars": 0, + "forks": 0, + "url": "https://github.com/appuio/acme-tiny", + "file": "docker/sh.go" + }, + { + "name": "otm/blade", + "stars": 68, + "forks": 1, + "url": 
"https://github.com/otm/blade", + "file": "lua.go" + }, + { + "name": "apex/up", + "stars": 8806, + "forks": 388, + "url": "https://github.com/apex/up", + "file": "up.go" + }, + { + "name": "julz/just", + "stars": 0, + "forks": 0, + "url": "https://github.com/julz/just", + "file": "cmd.go" + }, + { + "name": "codeskyblue/go-sh", + "stars": 1134, + "forks": 137, + "url": "https://github.com/codeskyblue/go-sh", + "file": "sh.go" + }, + { + "name": "scipipe/scipipe", + "stars": 1116, + "forks": 73, + "url": "https://github.com/scipipe/scipipe", + "file": "ip.go" + }, + { + "name": "kayac/sqsjkr", + "stars": 13, + "forks": 1, + "url": "https://github.com/kayac/sqsjkr", + "file": "job.go" + }, + { + "name": "NietThijmen/ShoppingCart", + "stars": 4, + "forks": 0, + "url": "https://github.com/NietThijmen/ShoppingCart", + "file": "ssh.go" + }, + { + "name": "lianhong2758/kokomi-plugin", + "stars": 28, + "forks": 7, + "url": "https://github.com/lianhong2758/kokomi-plugin", + "file": "shu.go" + }, + { + "name": "pressly/sup", + "stars": 2517, + "forks": 184, + "url": "https://github.com/pressly/sup", + "file": "tar.go" + } + ], + "searched_at": "2026-05-03T00:49:37Z" + } + ] +} \ No newline at end of file
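Review bot: in the README.md hunk the badge counts and the `Instances` column disagree. The CWE-502 badge now reads 198436 while the same row still says **166240**, and the CWE-79 and CWE-22 rows both show **46156** although their badges read 50008 and 14664. The badges follow metrics/REPORT.md; the Instances column looks hand-maintained and stale. Suggest generating both from the same value (or dropping the duplicated column) so the table cannot drift again.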
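Review bot: the REPORT.md header hunk still states `**Coverage:** MITRE CWE Top 25 vulnerabilities` while the metrics table below reports `CWEs Analyzed | 5`. Suggest something like `**Coverage:** 5 of the MITRE CWE Top 25 (CWE-22, CWE-78, CWE-79, CWE-89, CWE-502)` so the header matches what the scan actually covers.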
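Review bot: `Total Vulnerable Instances` in the REPORT.md metrics hunk is the plain sum of the per-pattern hit counts (the five per-CWE figures add up to 407068), but the patterns overlap and double count the same files. In the new JSON, mattn/go-v8 `v8.go` appears under both the json.Unmarshal and json.NewDecoder patterns, koding/multiconfig `file.go` under yaml.Unmarshal and the yaml.v2 import, subspacecloud/subspace `web.go` under both CWE-79 patterns, and pressly/sup `tar.go` and codeskyblue/go-sh `sh.go` under two CWE-78 patterns each. These are also code-search matches for a coding pattern, not confirmed vulnerabilities. Suggest labelling the metric `Pattern matches`, deduplicating by repository and file before summing (the same applies to `Total Stars Affected` if it is summed over `top_repos`), or stating in the report that the counts overlap.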
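Review bot: several `query` strings in scan_20260503.json match much more than their `description` claims. `language:go "html/template" HTML` (cwe79-html-template-unescaped) hits any file that imports the auto-escaping html/template package and contains the word HTML, which is exactly the safe usage; if the intent is to find escaping bypasses, quote `template.HTML` the way cwe79-template-js quotes `template.JS`. `language:go "json.Unmarshal" "interface{}"` (cwe502-json-unmarshal-interface) is rated CRITICAL, but decoding JSON into interface{} in Go only produces maps, slices, strings, numbers and bools, so the finding is about unvalidated input rather than deserialization into attacker-chosen types, and the severity text should say so. Minor: the cwe89-sql-exec-concat query `"db.Exec" "+" ` carries a trailing space, and the file is written without a trailing newline.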