Merged
@@ -1,9 +1,20 @@
# Missing MinVersion in tls.Config
Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers. TLS1.0 is considered deprecated and should not be used.
Golang's `tls.Config` struct accepts `MinVersion` parameter that sets minimum accepted TLS version. If the parameter is not provided, the default depends on the Go version in use:

- Since **Go 1.18**, clients default to TLS 1.2 (previously TLS 1.0)
- Since **Go 1.22**, servers also default to TLS 1.2 (previously TLS 1.0)

For projects that support older Go versions, leaving `MinVersion` unset may still permit TLS 1.0 or 1.1, which are deprecated and should not be used.

This query flags `tls.Config` values where `MinVersion` is never set explicitly and the project's `go.mod` declares support for:
- **Go < 1.18** for client-side configs (when client default is TLS 1.0)
- **Go < 1.22** for server-side configs (when server default is TLS 1.0)

## Recommendation
Explicitly set tls version to an up-to-date one.
Explicitly set the TLS version to TLS 1.2 or higher:
- For projects using Go < 1.18: Set `MinVersion` for both clients and servers
- For projects using Go 1.18-1.21: Set `MinVersion` for servers
- For projects using Go >= 1.22: Defaults are secure, but explicit setting is still recommended


## Example
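Review bot: `MinVersion` is a field of the `tls.Config` struct, not a parameter, so "accepts `MinVersion` parameter" in the first sentence would read better as "has a `MinVersion` field", which also matches the pkg.go.dev reference; the same sentence needs "sets the minimum accepted TLS version". In the paragraph starting "This query flags `tls.Config` values", "declares support for Go < 1.18" is ambiguous because the `go` directive in `go.mod` is a minimum version: say directly that the query keys on the `go` directive being below 1.18 (clients) or 1.22 (servers), as the Note in the example section already does, so the scope is clear before the reader reaches the end of the page. The recommendation's third bullet says an explicit setting is still recommended on Go >= 1.22 but not why; one clause such as "so the accepted minimum does not depend on the toolchain's defaults" would make it actionable, and naming the constant (`tls.VersionTLS12`) would let readers apply the fix without opening the sample. Minor: two blank lines precede `## Example`; one is enough.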
Expand Down Expand Up @@ -50,8 +61,15 @@ func main() {
}

```
In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. The `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even that it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing.
In this example, the `http.Server` may be set with TLS configuration created by either `test1` or `test2` functions. For projects with `go` directive < 1.22, the `test1` result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version. The `test2` result will not be marked, even though it also uses the default value for minimum version. That is because the `test2` is explicit, and this query assumes that developers knew what they are doing.

Note: The query behavior depends on the `go` directive in `go.mod`:
- **Go < 1.18**: Both client and server configs without MinVersion are flagged
- **Go 1.18-1.21**: Only server configs without MinVersion are flagged
- **Go >= 1.22**: No configs are flagged (both defaults are secure)


## References
* [tls.Config specification](https://pkg.go.dev/crypto/tls#Config)
* [Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side](https://tip.golang.org/doc/go1.18#tls10)
* [Go 1.22 Release Notes - TLS 1.2 default for servers](https://tip.golang.org/doc/go1.22#minor_library_changes)
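Review bot: The explanation "The `test2` result will not be marked, even though it also uses the default value for minimum version. That is because the `test2` is explicit" cannot be followed without the sample, which is not shown in this file: state what `test2` actually sets so the reader sees why an explicit assignment that still yields the default is treated as deliberate, and write "`test2`" or "the `test2` function" rather than "the `test2`". "assumes that developers knew what they are doing" is informal for query help; "treats an explicit assignment as a deliberate choice" says the same thing. The double blank line before `## References` can go. For the references, prefer the permanent release-note pages under go.dev/doc (the same `#tls10` anchor exists on go.dev/doc/go1.18) over tip.golang.org, which tracks the development branch; the `#minor_library_changes` anchor on the Go 1.22 notes is a long generic section, so putting `crypto/tls` in the link text helps readers find the relevant entry.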
42 changes: 35 additions & 7 deletions go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.qhelp
Expand Up @@ -4,29 +4,57 @@
<qhelp>
<overview>
<p>
Golang's <code>tls.Config</code> struct accepts <code>MinVersion</code> parameter that sets minimum accepted TLS version.
If the parameter is not provided, default value is used: TLS1.2 for clients, and TLS1.0 for servers.
TLS1.0 is considered deprecated and should not be used.
Golang's <code>tls.Config</code> struct accepts a <code>MinVersion</code> parameter that sets the minimum accepted TLS version.
If the parameter is not provided, the default depends on the Go version in use. Since Go 1.18, <code>crypto/tls</code> clients default to TLS 1.2 (previously TLS 1.0).
Since Go 1.22, <code>crypto/tls</code> servers also default to TLS 1.2 (previously TLS 1.0).
</p>
<p>
This query flags <code>tls.Config</code> values where <code>MinVersion</code> is never set explicitly and the project's
<code>go.mod</code> declares support for a Go version where the defaults are insecure:
</p>
<ul>
<li>Go &lt; 1.18 for client-side configs (when client default is TLS 1.0)</li>
<li>Go &lt; 1.22 for server-side configs (when server default is TLS 1.0)</li>
</ul>
<p>
TLS 1.0 and 1.1 are deprecated and should not be used.
</p>

</overview>
<recommendation>
<p>Explicitly set tls version to an up-to-date one.</p>
<p>Explicitly set the TLS version to TLS 1.2 or higher:</p>
<ul>
<li>For projects using Go &lt; 1.18: Set <code>MinVersion</code> for both clients and servers</li>
<li>For projects using Go 1.18-1.21: Set <code>MinVersion</code> for servers</li>
<li>For projects using Go &gt;= 1.22: Defaults are secure, but explicit setting is still recommended</li>
</ul>

</recommendation>
<example>
<sample src="MissingMinVersionTLS.go" />

<p>In this example, the <code>http.Server</code> may be set with TLS configuration created by either <code>test1</code> or <code>test2</code> functions.
The <code>test1</code> result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version.
The <code>test2</code> result will not be marked, even that it also uses the default value for minimum version.
That is because the <code>test2</code> is explicit, and this query assumes that developers knew what they are doing.
For projects with a <code>go</code> directive &lt; 1.22, the <code>test1</code> result will be highlighted by this query, as it fails to explicitly set minimum supported TLS version.
The <code>test2</code> result will not be marked, even though it also uses the default value for minimum version.
That is because the <code>test2</code> is explicit, and this query assumes that developers knew what they are doing.
</p>
<p>Note: The query behavior depends on the <code>go</code> directive in <code>go.mod</code>:</p>
<ul>
<li>Go &lt; 1.18: Both client and server configs without MinVersion are flagged</li>
<li>Go 1.18-1.21: Only server configs without MinVersion are flagged</li>
<li>Go &gt;= 1.22: No configs are flagged (both defaults are secure)</li>
</ul>

</example>
<references>
<li>
<a href="https://pkg.go.dev/crypto/tls#Config">tls.Config specification</a>
</li>
<li>
<a href="https://tip.golang.org/doc/go1.18#tls10">Go 1.18 Release Notes - TLS 1.0 and 1.1 disabled by default client-side</a>
</li>
<li>
<a href="https://tip.golang.org/doc/go1.22#minor_library_changes">Go 1.22 Release Notes - TLS 1.2 default for servers</a>
</li>
</references>
</qhelp>
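Review bot: The "Note:" list in `<example>` (Go &lt; 1.18 / 1.18-1.21 / &gt;= 1.22) restates the bullet list already given in `<overview>`; two lists that must stay in sync will drift, so keep the overview list and have the example refer back to it, or drop the overview bullets. Same wording point as in the Markdown file: "accepts a `MinVersion` parameter" should be "has a `MinVersion` field". In the overview, "declares support for a Go version where the defaults are insecure" should say plainly that the check reads the `go` directive in `go.mod` as the project's minimum Go version; as written, a reader cannot tell whether a newer build toolchain changes the result. Inside the Note list, `MinVersion` is not wrapped in `<code>` although it is everywhere else in the file. The recommendation would be easier to act on if it named the value to set, for example `tls.VersionTLS12`, and gave a reason for the Go &gt;= 1.22 bullet's "explicit setting is still recommended". The blank lines left after `</p>`, `</ul>` and `<sample ... />` are harmless but inconsistent with the rest of the file.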