authorTaras Madan <tarasmadan@google.com>2024-09-10 12:16:33 +0200
committerTaras Madan <tarasmadan@google.com>2024-09-10 14:05:26 +0000
commitc97c816133b42257d0bcf1ee4bd178bb2a7a2b9e (patch)
tree0bcbc2e540bbf8f62f6c17887cdd53b8c2cee637 /vendor/github.com/securego/gosec/v2/rules
parent54e657429ab892ad06c90cd7c1a4eb33ba93a3dc (diff)
vendor: update
Diffstat (limited to 'vendor/github.com/securego/gosec/v2/rules')
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/blocklist.go14
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/fileperms.go14
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go4
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go6
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/rand.go24
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/readfile.go1
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/rulelist.go6
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/templates.go3
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/weakcrypto.go14
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go55
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go57
11 files changed, 174 insertions, 24 deletions
diff --git a/vendor/github.com/securego/gosec/v2/rules/blocklist.go b/vendor/github.com/securego/gosec/v2/rules/blocklist.go
index 5e03cf7a0..a4376b19a 100644
--- a/vendor/github.com/securego/gosec/v2/rules/blocklist.go
+++ b/vendor/github.com/securego/gosec/v2/rules/blocklist.go
@@ -93,3 +93,17 @@ func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.N
"crypto/sha1": "Blocklisted import crypto/sha1: weak cryptographic primitive",
})
}
+
+// NewBlocklistedImportMD4 fails if MD4 is imported
+func NewBlocklistedImportMD4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
+ return NewBlocklistedImports(id, conf, map[string]string{
+ "golang.org/x/crypto/md4": "Blocklisted import golang.org/x/crypto/md4: deprecated and weak cryptographic primitive",
+ })
+}
+
+// NewBlocklistedImportRIPEMD160 fails if RIPEMD160 is imported
+func NewBlocklistedImportRIPEMD160(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
+ return NewBlocklistedImports(id, conf, map[string]string{
+ "golang.org/x/crypto/ripemd160": "Blocklisted import golang.org/x/crypto/ripemd160: deprecated and weak cryptographic primitive",
+ })
+}
diff --git a/vendor/github.com/securego/gosec/v2/rules/fileperms.go b/vendor/github.com/securego/gosec/v2/rules/fileperms.go
index 5311f74c6..eb1fa2eee 100644
--- a/vendor/github.com/securego/gosec/v2/rules/fileperms.go
+++ b/vendor/github.com/securego/gosec/v2/rules/fileperms.go
@@ -61,7 +61,7 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
for _, pkg := range r.pkgs {
if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched {
modeArg := callexpr.Args[len(callexpr.Args)-1]
- if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) {
+ if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) {
return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
@@ -69,6 +69,18 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err
return nil, nil
}
+// isOsPerm check if the provide ast node contains a os.PermMode symbol
+func isOsPerm(n ast.Node) bool {
+ if node, ok := n.(*ast.SelectorExpr); ok {
+ if identX, ok := node.X.(*ast.Ident); ok {
+ if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" {
+ return true
+ }
+ }
+ }
+ return false
+}
+
// NewWritePerms creates a rule to detect file Writes with bad permissions.
func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
mode := getConfiguredMode(conf, id, 0o600)
diff --git a/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go b/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go
index ed1fb947d..c10d18b30 100644
--- a/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go
+++ b/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go
@@ -154,10 +154,6 @@ var secretsPatterns = [...]secretPattern{
regexp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`),
},
{
- name: "Stripe API Key",
- regexp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`),
- },
- {
name: "Stripe Restricted API Key",
regexp: regexp.MustCompile(`rk_live_[0-9a-zA-Z]{24}`),
},
diff --git a/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go b/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go
index a7eabb20b..75de4ed8c 100644
--- a/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go
+++ b/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go
@@ -47,6 +47,12 @@ func doGetIdentExpr(expr ast.Expr, hasSelector bool) (*ast.Ident, bool) {
}
func (r *implicitAliasing) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
+ // This rule does not apply for Go 1.22, see https://tip.golang.org/doc/go1.22#language.
+ major, minor, _ := gosec.GoVersion()
+ if major >= 1 && minor >= 22 {
+ return nil, nil
+ }
+
switch node := n.(type) {
case *ast.RangeStmt:
// When presented with a range statement, get the underlying Object bound to
diff --git a/vendor/github.com/securego/gosec/v2/rules/rand.go b/vendor/github.com/securego/gosec/v2/rules/rand.go
index 4491fd928..fe34ca9c3 100644
--- a/vendor/github.com/securego/gosec/v2/rules/rand.go
+++ b/vendor/github.com/securego/gosec/v2/rules/rand.go
@@ -23,8 +23,7 @@ import (
type weakRand struct {
issue.MetaData
- funcNames []string
- packagePath string
+ blocklist map[string][]string
}
func (w *weakRand) ID() string {
@@ -32,8 +31,8 @@ func (w *weakRand) ID() string {
}
func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
- for _, funcName := range w.funcNames {
- if _, matched := gosec.MatchCallByPackage(n, c, w.packagePath, funcName); matched {
+ for pkg, funcs := range w.blocklist {
+ if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched {
return c.NewIssue(n, w.ID(), w.What, w.Severity, w.Confidence), nil
}
}
@@ -43,17 +42,22 @@ func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
// NewWeakRandCheck detects the use of random number generator that isn't cryptographically secure
func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+ calls := make(map[string][]string)
+ calls["math/rand"] = []string{
+ "New", "Read", "Float32", "Float64", "Int", "Int31", "Int31n",
+ "Int63", "Int63n", "Intn", "NormFloat64", "Uint32", "Uint64",
+ }
+ calls["math/rand/v2"] = []string{
+ "New", "Float32", "Float64", "Int", "Int32", "Int32N",
+ "Int64", "Int64N", "IntN", "N", "NormFloat64", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN",
+ }
return &weakRand{
- funcNames: []string{
- "New", "Read", "Float32", "Float64", "Int", "Int31",
- "Int31n", "Int63", "Int63n", "Intn", "NormalFloat64", "Uint32", "Uint64",
- },
- packagePath: "math/rand",
+ blocklist: calls,
MetaData: issue.MetaData{
ID: id,
Severity: issue.High,
Confidence: issue.Medium,
- What: "Use of weak random number generator (math/rand instead of crypto/rand)",
+ What: "Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)",
},
}, []ast.Node{(*ast.CallExpr)(nil)}
}
diff --git a/vendor/github.com/securego/gosec/v2/rules/readfile.go b/vendor/github.com/securego/gosec/v2/rules/readfile.go
index 7ef4bbad1..da6b9c965 100644
--- a/vendor/github.com/securego/gosec/v2/rules/readfile.go
+++ b/vendor/github.com/securego/gosec/v2/rules/readfile.go
@@ -143,6 +143,7 @@ func NewReadFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
rule.pathJoin.Add("path", "Join")
rule.clean.Add("path/filepath", "Clean")
rule.clean.Add("path/filepath", "Rel")
+ rule.clean.Add("path/filepath", "EvalSymlinks")
rule.Add("io/ioutil", "ReadFile")
rule.Add("os", "ReadFile")
rule.Add("os", "Open")
diff --git a/vendor/github.com/securego/gosec/v2/rules/rulelist.go b/vendor/github.com/securego/gosec/v2/rules/rulelist.go
index f9ca4f52c..13f29f71a 100644
--- a/vendor/github.com/securego/gosec/v2/rules/rulelist.go
+++ b/vendor/github.com/securego/gosec/v2/rules/rulelist.go
@@ -94,10 +94,12 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
{"G307", "Poor file permissions used when creating a file with os.Create", NewOsCreatePerms},
// crypto
- {"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography},
+ {"G401", "Detect the usage of MD5 or SHA1", NewUsesWeakCryptographyHash},
{"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck},
{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
{"G404", "Insecure random number source (rand)", NewWeakRandCheck},
+ {"G405", "Detect the usage of DES or RC4", NewUsesWeakCryptographyEncryption},
+ {"G406", "Detect the usage of deprecated MD4 or RIPEMD160", NewUsesWeakDeprecatedCryptographyHash},
// blocklist
{"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5},
@@ -105,6 +107,8 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
{"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4},
{"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI},
{"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1},
+ {"G506", "Import blocklist: golang.org/x/crypto/md4", NewBlocklistedImportMD4},
+ {"G507", "Import blocklist: golang.org/x/crypto/ripemd160", NewBlocklistedImportRIPEMD160},
// memory safety
{"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing},
diff --git a/vendor/github.com/securego/gosec/v2/rules/templates.go b/vendor/github.com/securego/gosec/v2/rules/templates.go
index 728766f45..3d5f9a977 100644
--- a/vendor/github.com/securego/gosec/v2/rules/templates.go
+++ b/vendor/github.com/securego/gosec/v2/rules/templates.go
@@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error
// find use of templates where HTML/JS escaping is not being used
func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
calls := gosec.NewCallList()
+ calls.Add("html/template", "CSS")
calls.Add("html/template", "HTML")
calls.Add("html/template", "HTMLAttr")
calls.Add("html/template", "JS")
+ calls.Add("html/template", "JSStr")
+ calls.Add("html/template", "Srcset")
calls.Add("html/template", "URL")
return &templateCheck{
calls: calls,
diff --git a/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go b/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go
index 4f2ab11d1..143f67d4e 100644
--- a/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go
+++ b/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go
@@ -21,16 +21,16 @@ import (
"github.com/securego/gosec/v2/issue"
)
-type usesWeakCryptography struct {
+type usesWeakCryptographyEncryption struct {
issue.MetaData
blocklist map[string][]string
}
-func (r *usesWeakCryptography) ID() string {
+func (r *usesWeakCryptographyEncryption) ID() string {
return r.MetaData.ID
}
-func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
+func (r *usesWeakCryptographyEncryption) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
for pkg, funcs := range r.blocklist {
if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched {
return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
@@ -39,14 +39,12 @@ func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*issue.Issue
return nil, nil
}
-// NewUsesWeakCryptography detects uses of des.* md5.* or rc4.*
-func NewUsesWeakCryptography(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+// NewUsesWeakCryptographyEncryption detects uses of des.*, rc4.*
+func NewUsesWeakCryptographyEncryption(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
calls := make(map[string][]string)
calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"}
- calls["crypto/md5"] = []string{"New", "Sum"}
- calls["crypto/sha1"] = []string{"New", "Sum"}
calls["crypto/rc4"] = []string{"NewCipher"}
- rule := &usesWeakCryptography{
+ rule := &usesWeakCryptographyEncryption{
blocklist: calls,
MetaData: issue.MetaData{
ID: id,
diff --git a/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go b/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go
new file mode 100644
index 000000000..298555de1
--- /dev/null
+++ b/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go
@@ -0,0 +1,55 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+ "go/ast"
+
+ "github.com/securego/gosec/v2"
+ "github.com/securego/gosec/v2/issue"
+)
+
+type usesWeakCryptographyHash struct {
+ issue.MetaData
+ blocklist map[string][]string
+}
+
+func (r *usesWeakCryptographyHash) ID() string {
+ return r.MetaData.ID
+}
+
+func (r *usesWeakCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
+ for pkg, funcs := range r.blocklist {
+ if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched {
+ return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
+ }
+ }
+ return nil, nil
+}
+
+// NewUsesWeakCryptographyHash detects uses of md5.*, sha1.*
+func NewUsesWeakCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+ calls := make(map[string][]string)
+ calls["crypto/md5"] = []string{"New", "Sum"}
+ calls["crypto/sha1"] = []string{"New", "Sum"}
+ rule := &usesWeakCryptographyHash{
+ blocklist: calls,
+ MetaData: issue.MetaData{
+ ID: id,
+ Severity: issue.Medium,
+ Confidence: issue.High,
+ What: "Use of weak cryptographic primitive",
+ },
+ }
+ return rule, []ast.Node{(*ast.CallExpr)(nil)}
+}
diff --git a/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go b/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go
new file mode 100644
index 000000000..68297355c
--- /dev/null
+++ b/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go
@@ -0,0 +1,57 @@
+// (c) Copyright 2024 Mercedes-Benz Tech Innovation GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+ "go/ast"
+
+ "github.com/securego/gosec/v2"
+ "github.com/securego/gosec/v2/issue"
+)
+
+type usesWeakDeprecatedCryptographyHash struct {
+ issue.MetaData
+ blocklist map[string][]string
+}
+
+func (r *usesWeakDeprecatedCryptographyHash) ID() string {
+ return r.MetaData.ID
+}
+
+func (r *usesWeakDeprecatedCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) {
+ for pkg, funcs := range r.blocklist {
+ if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched {
+ return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil
+ }
+ }
+ return nil, nil
+}
+
+// NewUsesWeakCryptographyHash detects uses of md4.New, ripemd160.New
+func NewUsesWeakDeprecatedCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+ calls := make(map[string][]string)
+ calls["golang.org/x/crypto/md4"] = []string{"New"}
+ calls["golang.org/x/crypto/ripemd160"] = []string{"New"}
+ rule := &usesWeakDeprecatedCryptographyHash{
+ blocklist: calls,
+ MetaData: issue.MetaData{
+ ID: id,
+ Severity: issue.Medium,
+ Confidence: issue.High,
+ What: "Use of deprecated weak cryptographic primitive",
+ },
+ }
+ return rule, []ast.Node{(*ast.CallExpr)(nil)}
+}