AI Summary
This study addresses the critical but underexplored problem of cryptographic API misuse in Go, which puts security-critical systems at risk. To investigate it systematically, the authors propose the first unified taxonomy of 14 distinct misuse categories and conduct a large-scale empirical evaluation across 328 open-source projects using four mainstream static analysis tools: CodeQL, Gopher, Gosec, and Snyk Code. The findings reveal substantial disparities among these tools in their coverage of cryptographic misuses; together the tools identify 7,473 genuine instances of misuse. The work fills a notable gap in the literature on Go-specific cryptographic vulnerability detection and provides actionable insights for improving secure development practices and the effectiveness of static analysis tools.
Abstract
Cryptographic API misuse is a critical vulnerability class that undermines the security foundations of modern software. Yet it remains largely unexplored in Go, despite Go's dominance in security-critical infrastructure. This paper presents the first comprehensive study of cryptographic API misuse detection in Go, identifying and analyzing four state-of-the-art tools (CodeQL, Gopher, Gosec, and Snyk Code) and establishing a consolidated taxonomy of 14 relevant misuse classes. Through an experimental evaluation of 328 security-critical open-source Go projects, we discovered 7,473 cryptographic API misuses, providing insight into the prevalence and distribution of these vulnerabilities. Our systematic comparison reveals significant variation in misuse coverage across the tools, with immediate practical implications for security engineers and long-term implications for research in this domain.
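To make the vulnerability class concrete, the following is an added example (not code from the paper or any of the 328 projects) of one misuse pattern that static analyzers such as Gosec flag: an AES-GCM encryptor whose nonce comes from math/rand seeded with a constant, placed beside a hardened version that draws each nonce from crypto/rand. The page does not list the 14 taxonomy classes, so treating nonce reuse and insecure randomness as members of it is an assumption; the key and message are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	insecurerand "math/rand"
)

// demoKey is a constructed 256-bit AES key for the example only; real keys
// come from a KDF or key-management service, never from a literal.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// newGCM wraps AES-256 in GCM; shared by both encryptors below.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWeak is the misuse: the GCM nonce comes from math/rand seeded with a
// constant, so every call uses the same nonce. Nonce reuse under GCM leaks
// the XOR of plaintexts and lets an attacker forge authentication tags.
func encryptWeak(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	src := insecurerand.New(insecurerand.NewSource(1)) // fixed seed: predictable
	nonce := make([]byte, aead.NonceSize())
	for i := range nonce {
		nonce[i] = byte(src.Intn(256))
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// encryptHardened draws a fresh nonce from crypto/rand for every message and
// prefixes it to the ciphertext so the receiver can recover it.
func encryptHardened(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt splits off the nonce prefix and authenticates before returning
// plaintext; any tampering fails with an error rather than garbage output.
func decrypt(key, box []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := box[:aead.NonceSize()], box[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// nonceReused encrypts the same message twice and reports whether the two
// nonce prefixes collide; this is the observable symptom of the misuse.
func nonceReused(enc func(key, pt []byte) ([]byte, error), key, pt []byte) (bool, error) {
	a, err := enc(key, pt)
	if err != nil {
		return false, err
	}
	b, err := enc(key, pt)
	if err != nil {
		return false, err
	}
	const nonceSize = 12 // cipher.NewGCM default nonce length
	return bytes.Equal(a[:nonceSize], b[:nonceSize]), nil
}

func main() {
	msg := []byte("constructed sample message")
	weak, _ := nonceReused(encryptWeak, demoKey, msg)
	good, _ := nonceReused(encryptHardened, demoKey, msg)
	fmt.Printf("math/rand nonce reused: %v, crypto/rand nonce reused: %v\n", weak, good)
}
```

The two encryptors differ in a single line, which is why this class of bug is well suited to static detection: a tool only needs to trace the nonce argument of `Seal` back to a `math/rand` source, whereas a reviewer reading the output sees two well-formed ciphertexts and nothing else.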