GoX509

crypto/x509 package. Certificate.Verify() is the TLS chain validation entry point. Skipping verification or using empty VerifyOptions is a finding.

1 source1 sink

Taint flow1 source → 1 sink

Sources — untrusted input

.ParseCertificate()Parses DER-encoded certificate

→

taint

Sinks — dangerous call

.Verify()Verifies certificate chain

Sources

— user-controlled input enters here

.ParseCertificate()Source

Signature

ParseCertificate(asn1Data []byte) (*Certificate, error)

Parses DER-encoded certificate. Source of cert data from network input.

— dangerous functions taint must not reach

.Verify()Sink

Signature

Verify(opts VerifyOptions) ([][]*Certificate, error)

Verifies certificate chain. Finding when opts is empty (no root CA check).

tracks:0

FQN	Field
crypto/x509	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoX509