[GH-ISSUE #198] Crypto Go: we are a research group to help developers build secure applications. #161

Closed
opened 2026-02-26 12:34:09 +03:00 by kerem · 1 comment
Owner

Originally created by @passionate-wening on GitHub (Aug 28, 2022).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/198

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) for the Go language. We found your great public repository on GitHub, and several security issues detected by CryptoGo are shown below.
Note that the cryptographic algorithms are categorized by two aspects, security strength and security vulnerability, based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defines certain rules derived from the APIs of the Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
Location: internal/common/crypto.go:15;
Broken rule: R-04: Constant key in AES;
We hope the above security issues can truly help you build a secure application. If you have any concerns or suggestions, please feel free to contact us. We are looking forward to your reply. Thanks.

kerem closed this issue 2026-02-26 12:34:09 +03:00
Author
Owner

@cbeuw commented on GitHub (Aug 28, 2022):

False positive. The line is in a helper function that takes key as an argument
https://github.com/cbeuw/Cloak/blob/e305871d8979dba7dfe01b3973065a584a0e175a/internal/common/crypto.go#L14-L29

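An added example, not code from Cloak or CryptoGo: a minimal syntactic check for the distinction drawn in the reply above, flagging `aes.NewCipher` only when the key argument is a literal and not when it arrives as a function parameter. The sample source, the function names and the matching heuristic are assumptions; how CryptoGo implements rule R-04 is not shown on this page.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample: helper takes the key as a parameter, hardcoded embeds it.
const sampleSrc = `package sample
import "crypto/aes"
func helper(key []byte) error { _, err := aes.NewCipher(key); return err }
func hardcoded() error { _, err := aes.NewCipher([]byte("0123456789abcdef")); return err }
`

// isLiteral: e is a basic literal, or a one-argument conversion/call wrapping one.
func isLiteral(e ast.Expr) bool {
	if conv, ok := e.(*ast.CallExpr); ok && len(conv.Args) == 1 {
		e = conv.Args[0]
	}
	_, ok := e.(*ast.BasicLit)
	return ok
}

// constantKeyFuncs names the functions in src that pass a literal key to aes.NewCipher.
func constantKeyFuncs(src string) ([]string, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var flagged []string
	for _, decl := range file.Decls {
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Body != nil {
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				call, ok := n.(*ast.CallExpr)
				if ok && len(call.Args) == 1 && types.ExprString(call.Fun) == "aes.NewCipher" && isLiteral(call.Args[0]) {
					flagged = append(flagged, fn.Name.Name)
				}
				return true
			})
		}
	}
	return flagged, nil
}

func main() { fmt.Println(constantKeyFuncs(sampleSrc)) }
```

A purely syntactic check like this cannot tell whether a caller of `helper` passes a constant; that would require following the value across call sites.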