
Evaluating Cryptographic API Misuse Detectors for Go

arXiv:2604.2408556.5Has Code
AI Analysis

For security engineers and researchers, this study provides the first systematic evaluation of cryptographic misuse detection tools in Go, highlighting gaps in coverage and prevalence of vulnerabilities.

This paper presents the first comprehensive study of cryptographic API misuse detection in Go, evaluating 4 tools across 328 open-source projects and discovering 7,473 misuses, revealing significant variations in tool coverage.

Cryptographic API misuse represents a critical vulnerability class that undermines the security foundations of modern software. Yet, it remains largely unexplored in Go despite its dominance in security-critical infrastructure. This paper presents the first comprehensive study of cryptographic API misuse detection in Go, identifying and analyzing 4 state-of-the-art tools (CodeQL, Gopher, Gosec, and Snyk Code) and establishing a consolidated taxonomy of 14 relevant misuse classes. Through an experimental evaluation of 328 security-critical open-source Go projects, we discovered 7,473 cryptographic API misuses, providing insights into the prevalence and distribution of these vulnerabilities. Our systematic comparison reveals significant variations in misuse coverage, with immediate practical implications for security engineers and long-term implications for research in this domain.
