Summary
Go crypto/x509 support is missing from the Go rule registry. GoDetectionRules.java currently ends with GoCryptoTLS.rules().stream() and a TODO for GoCryptoX509, so X.509-related certificate/key usage can be silently missed in CBOM output.
Impact
crypto/x509 is core to TLS, mTLS, certificate pinning, custom trust stores, certificate parsing/generation, CSR handling, and public/private key parsing. Without these rules, Go scans may detect RSA, SHA, TLS, etc., but miss certificate-related cryptographic assets.
Proposed fix
Create:
go/src/main/java/com/ibm/plugin/rules/detection/gocrypto/GoCryptoX509.java
Register it in:
go/src/main/java/com/ibm/plugin/rules/detection/GoDetectionRules.java
by importing GoCryptoX509 and adding GoCryptoX509.rules().stream() to the registry.
Suggested initial rules
Detect key crypto/x509 APIs such as:
x509.ParseCertificate
x509.ParseCertificates
x509.CreateCertificate
x509.ParseCertificateRequest
x509.CreateCertificateRequest
x509.ParsePKIXPublicKey
x509.MarshalPKIXPublicKey
x509.ParsePKCS1PrivateKey
x509.MarshalPKCS1PrivateKey
x509.ParsePKCS8PrivateKey
x509.MarshalPKCS8PrivateKey
x509.ParseECPrivateKey
x509.MarshalECPrivateKey
Existing contexts should be enough: KeyContext, PublicKeyContext, PrivateKeyContext, and SignatureContext.
Priority
Critical, because X.509 is fundamental to certificate and PKI usage in Go applications.
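To make the detection target concrete, here is a Go sketch (an added example, not code from this issue or from the plugin's Java rules) that finds references to the listed crypto/x509 functions in a source file and resolves import aliases, so a look-alike package named x509 is not matched. `FindX509Calls`, `x509APIs`, `sample` and the `example.com/fake/x509` import path are hypothetical names chosen for the illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)
var x509APIs = map[string]bool{ // the functions listed under "Suggested initial rules"
	"ParseCertificate": true, "ParseCertificates": true, "CreateCertificate": true,
	"ParseCertificateRequest": true, "CreateCertificateRequest": true, "ParsePKIXPublicKey": true,
	"MarshalPKIXPublicKey": true, "ParsePKCS1PrivateKey": true, "MarshalPKCS1PrivateKey": true,
	"ParsePKCS8PrivateKey": true, "MarshalPKCS8PrivateKey": true, "ParseECPrivateKey": true, "MarshalECPrivateKey": true,
}
const sample = `package demo // constructed input, not from the page
import cx "crypto/x509"
import "example.com/fake/x509"
func load(der []byte) {
	cx.ParseCertificate(der)
	cx.ParsePKCS8PrivateKey(der)
	x509.ParseCertificate(der) // look-alike from another package: must not match
}`

// FindX509Calls returns "line:Function" for each listed function referenced via the file's
// own import name for crypto/x509. Syntax-only: shadowed names and dot imports are not handled.
func FindX509Calls(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]bool{} // local names bound to crypto/x509 in this file
	for _, imp := range f.Imports {
		if p, _ := strconv.Unquote(imp.Path.Value); p == "crypto/x509" && imp.Name != nil {
			local[imp.Name.Name] = true
		} else if p == "crypto/x509" {
			local["x509"] = true
		}
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && local[pkg.Name] && x509APIs[sel.Sel.Name] {
				hits = append(hits, fmt.Sprintf("%d:%s", fset.Position(sel.Sel.Pos()).Line, sel.Sel.Name))
			}
		}
		return true
	})
	return hits, nil
}
func main() { fmt.Println(FindX509Calls(sample)) }
```

Because it matches selector expressions rather than only call expressions, a listed function assigned to a variable or passed as a value is reported as well.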