This paper benchmarks four static analysis tools (CodeQL, Gopher, Gosec, and Snyk Code) for detecting cryptographic API misuse in Go, using a novel taxonomy of 14 misuse classes. The evaluation, performed on 328 open-source Go projects, uncovered 7,473 instances of cryptographic API misuse. The study highlights significant performance differences between the tools in terms of coverage and precision, offering actionable insights for practitioners.
Go's security-critical infrastructure is riddled with thousands of cryptographic API misuses, and your favorite static analysis tool might be missing them.
Cryptographic API misuse represents a critical vulnerability class that undermines the security foundations of modern software. Yet, it remains largely unexplored in Go despite its dominance in security-critical infrastructure. This paper presents the first comprehensive study of cryptographic API misuse detection in Go, identifying and analyzing 4 state-of-the-art tools (CodeQL, Gopher, Gosec, and Snyk Code) and establishing a consolidated taxonomy of 14 relevant misuse classes. Through an experimental evaluation of 328 security-critical open-source Go projects, we discovered 7,473 cryptographic API misuses, providing insights into the prevalence and distribution of these vulnerabilities. Our systematic comparison reveals significant variations in misuse coverage, with immediate practical implications for security engineers and long-term implications for research in this domain.
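To make concrete what a static checker for cryptographic API misuse in Go actually does, here is an added example that is not part of the paper and not the code of CodeQL, Gopher, Gosec or Snyk Code. It parses Go source with the standard `go/ast` package and flags call sites that go through packages associated with two classic misuse classes: a non-cryptographic random source (`math/rand`) and a weak hash or cipher (`crypto/md5`, `crypto/sha1`, `crypto/des`). The paper's 14 misuse classes are not listed on this page, so the two classes, the rule names, and the two sample programs (one misusing the APIs, one using `crypto/rand` and `crypto/sha256` instead) are constructed here for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one flagged call site: the source line and the rule that fired.
type Finding struct {
	Line int
	Rule string
}

// weakImports maps package paths to an illustrative rule name. These two
// misuse classes (insecure randomness, weak hash/cipher) are assumed to be
// representative; the paper's own taxonomy is not reproduced on this page.
var weakImports = map[string]string{
	"crypto/md5":  "weak-hash:md5",
	"crypto/sha1": "weak-hash:sha1",
	"crypto/des":  "weak-cipher:des",
	"math/rand":   "insecure-random",
}

// ScanSource parses one Go file and reports every call whose receiver is a
// flagged package, resolving import aliases so `import r "math/rand"` is
// still caught when the call reads r.Intn(...).
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	// Map the local name of each flagged import to its rule.
	localName := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		rule, flagged := weakImports[path]
		if !flagged {
			continue
		}
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		localName[name] = rule
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		if rule, hit := localName[pkg.Name]; hit {
			findings = append(findings, Finding{Line: fset.Position(call.Pos()).Line, Rule: rule})
		}
		return true
	})
	return findings, nil
}

// VulnerableSample is a constructed program that derives a token from
// math/rand and hashes it with MD5: two findings are expected.
const VulnerableSample = `package demo

import (
	"crypto/md5"
	"math/rand"
)

func token() []byte {
	b := make([]byte, 16)
	for i := range b {
		b[i] = byte(rand.Intn(256))
	}
	sum := md5.Sum(b)
	return sum[:]
}`

// HardenedSample is the same program using crypto/rand and SHA-256: no findings.
const HardenedSample = `package demo

import (
	"crypto/rand"
	"crypto/sha256"
)

func token() ([]byte, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}`

func main() {
	for name, src := range map[string]string{"vulnerable": VulnerableSample, "hardened": HardenedSample} {
		findings, err := ScanSource(src)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

This checker matches on import paths and selector names only, which is enough to show how a rule fires but is also why such tools differ in precision: it cannot tell whether the `math/rand` output feeds a key or a test fixture, and it misses misuse reached through wrapper functions or interface values. Type-resolved and data-flow analysis, as the more capable tools in the paper perform, is what closes those gaps.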