Linter: gosec, Rule: G504 - Import blocklist: net/http/cgi. Should we enable it?

[zak-pawel]

Use Case

This issue starts discussion about enabling:

• linter: gosec - Inspects source code for security problems by scanning the Go AST.
• rule: G504- Import blocklist: net/http/cgi

Rule is mapped to CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

Expected behavior

Decision if rule should be enabled or not.

Actual behavior

For this rule following findings were found in current code:

plugins/inputs/phpfpm/child.go:15:2  gosec  G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)

Additional info

For this rule no additional configuration can be provided.

[powersj]

+1

[srebhan]

No opinion on this one. Especially due to the fact that only ancient go-versions are affected.

[zak-pawel]

@srebhan Right!

Bug was fixed for in Go 1.6.3 and Go 1.7rc2:
https://groups.google.com/g/golang-announce/c/7jZDOQ8f8tM/m/eWRWHnc8CgAJ

Since Telegraf requires Go version >= 1.20, I believe we don't want to enable this one.
Closing as not planned.

(similar case as for #12900)