gosec/rulelist.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"go/ast"

	gas "github.com/GoASTScanner/gas/core"
	"github.com/GoASTScanner/gas/rules"
)

type RuleInfo struct {
	description string
	build       func(map[string]interface{}) (gas.Rule, ast.Node)
}

// GetFullRuleList get the full list of all rules available to GAS
func GetFullRuleList() map[string]RuleInfo {
	return map[string]RuleInfo{
		// misc
		"G101": RuleInfo{"Look for hardcoded credentials", rules.NewHardcodedCredentials},
		"G102": RuleInfo{"Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
		"G103": RuleInfo{"Audit the use of unsafe block", rules.NewUsingUnsafe},
		"G104": RuleInfo{"Audit errors not checked", rules.NewNoErrorCheck},

		// injection
		"G201": RuleInfo{"SQL query construction using format string", rules.NewSqlStrFormat},
		"G202": RuleInfo{"SQL query construction using string concatenation", rules.NewSqlStrConcat},
		"G203": RuleInfo{"Use of unescaped data in HTML templates", rules.NewTemplateCheck},
		"G204": RuleInfo{"Audit use of command execution", rules.NewSubproc},

		// filesystem
		"G301": RuleInfo{"Poor file permissions used when creating a directory", rules.NewMkdirPerms},
		"G302": RuleInfo{"Poor file permisions used when creation file or using chmod", rules.NewFilePerms},
		"G303": RuleInfo{"Creating tempfile using a predictable path", rules.NewBadTempFile},

		// crypto
		"G401": RuleInfo{"Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
		"G402": RuleInfo{"Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
		"G403": RuleInfo{"Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
		"G404": RuleInfo{"Insecure random number source (rand)", rules.NewWeakRandCheck},

		// blacklist
		"G501": RuleInfo{"Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
		"G502": RuleInfo{"Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
		"G503": RuleInfo{"Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
		"G504": RuleInfo{"Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
	}
}

func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {
	var all map[string]RuleInfo

	inc := conf["include"].([]string)
	exc := conf["exclude"].([]string)

	// add included rules
	if len(inc) == 0 {
		all = GetFullRuleList()
	} else {
		all = map[string]RuleInfo{}
		tmp := GetFullRuleList()
		for _, v := range inc {
			if val, ok := tmp[v]; ok {
				all[v] = val
			}
		}
	}

	// remove excluded rules
	for _, v := range exc {
		delete(all, v)
	}

	for _, v := range all {
		analyzer.AddRule(v.build(conf))
	}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package main`

			`import (`
			`"go/ast"`

Updated imports to new repository location. 2016-11-02 23:54:20 +00:00			`gas "github.com/GoASTScanner/gas/core"`
			`"github.com/GoASTScanner/gas/rules"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`type RuleInfo struct {`
			`description string`
			`build func(map[string]interface{}) (gas.Rule, ast.Node)`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// GetFullRuleList get the full list of all rules available to GAS`
			`func GetFullRuleList() map[string]RuleInfo {`
			`return map[string]RuleInfo{`
			`// misc`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G101": RuleInfo{"Look for hardcoded credentials", rules.NewHardcodedCredentials},`
			`"G102": RuleInfo{"Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},`
			`"G103": RuleInfo{"Audit the use of unsafe block", rules.NewUsingUnsafe},`
Incorrect rule mapping in rulelist 2016-11-08 16:48:45 +00:00			`"G104": RuleInfo{"Audit errors not checked", rules.NewNoErrorCheck},`
Initial public release 2016-07-20 11:02:01 +01:00
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// injection`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G201": RuleInfo{"SQL query construction using format string", rules.NewSqlStrFormat},`
			`"G202": RuleInfo{"SQL query construction using string concatenation", rules.NewSqlStrConcat},`
			`"G203": RuleInfo{"Use of unescaped data in HTML templates", rules.NewTemplateCheck},`
			`"G204": RuleInfo{"Audit use of command execution", rules.NewSubproc},`
Initial public release 2016-07-20 11:02:01 +01:00
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// filesystem`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G301": RuleInfo{"Poor file permissions used when creating a directory", rules.NewMkdirPerms},`
Ensure os.OpenFile file permissions are checked In addition configuration file may be used to set the permission level. Closes #53 2016-11-13 01:57:20 +00:00			`"G302": RuleInfo{"Poor file permisions used when creation file or using chmod", rules.NewFilePerms},`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G303": RuleInfo{"Creating tempfile using a predictable path", rules.NewBadTempFile},`
Initial public release 2016-07-20 11:02:01 +01:00
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// crypto`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G401": RuleInfo{"Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},`
			`"G402": RuleInfo{"Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},`
			`"G403": RuleInfo{"Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},`
			`"G404": RuleInfo{"Insecure random number source (rand)", rules.NewWeakRandCheck},`
Initial public release 2016-07-20 11:02:01 +01:00
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// blacklist`
Fix usage information Mostly a tidy up. Fixed a couple of spelling errors as well. 2016-08-11 13:14:19 +01:00			`"G501": RuleInfo{"Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},`
			`"G502": RuleInfo{"Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},`
			`"G503": RuleInfo{"Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},`
			`"G504": RuleInfo{"Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`

Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {`
			`var all map[string]RuleInfo`

			`inc := conf["include"].([]string)`
			`exc := conf["exclude"].([]string)`

			`// add included rules`
			`if len(inc) == 0 {`
			`all = GetFullRuleList()`
			`} else {`
			`all = map[string]RuleInfo{}`
			`tmp := GetFullRuleList()`
			`for _, v := range inc {`
			`if val, ok := tmp[v]; ok {`
			`all[v] = val`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`}`

Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`// remove excluded rules`
			`for _, v := range exc {`
			`delete(all, v)`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00
Rule selection rules This makes the following changes: - riles are identified by an ID - include / exclude list now work - rules are selected based on these lists - blacklist rules are broken out into methods - rule constructors now take the config map - config file can be used to select rules - CLI options embelish config selection options 2016-08-10 12:51:03 +01:00			`for _, v := range all {`
			`analyzer.AddRule(v.build(conf))`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`