gosec/call_list_test.go

package gosec_test

import (
	"go/ast"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"

	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/testutils"
)

var _ = Describe("Call List", func() {
	var calls gosec.CallList
	BeforeEach(func() {
		calls = gosec.NewCallList()
	})

	It("should not return any matches when empty", func() {
		Expect(calls.Contains("foo", "bar")).Should(BeFalse())
	})

	It("should be possible to add a single call", func() {
		Expect(calls).Should(BeEmpty())
		calls.Add("foo", "bar")
		Expect(calls).Should(HaveLen(1))

		expected := make(map[string]bool)
		expected["bar"] = true
		actual := map[string]bool(calls["foo"])
		Expect(actual).Should(Equal(expected))
	})

	It("should be possible to add multiple calls at once", func() {
		Expect(calls).Should(BeEmpty())
		calls.AddAll("fmt", "Sprint", "Sprintf", "Printf", "Println")

		expected := map[string]bool{
			"Sprint":  true,
			"Sprintf": true,
			"Printf":  true,
			"Println": true,
		}
		actual := map[string]bool(calls["fmt"])
		Expect(actual).Should(Equal(expected))
	})

	It("should be possible to add pointer call", func() {
		Expect(calls).Should(BeEmpty())
		calls.Add("*bytes.Buffer", "WriteString")
		actual := calls.ContainsPointer("*bytes.Buffer", "WriteString")
		Expect(actual).Should(BeTrue())
	})

	It("should be possible to check pointer call", func() {
		Expect(calls).Should(BeEmpty())
		calls.Add("bytes.Buffer", "WriteString")
		actual := calls.ContainsPointer("*bytes.Buffer", "WriteString")
		Expect(actual).Should(BeTrue())
	})

	It("should not return a match if none are present", func() {
		calls.Add("ioutil", "Copy")
		Expect(calls.Contains("fmt", "Println")).Should(BeFalse())
	})

	It("should match a call based on selector and ident", func() {
		calls.Add("ioutil", "Copy")
		Expect(calls.Contains("ioutil", "Copy")).Should(BeTrue())
	})

	It("should match a package call expression", func() {
		// Create file to be scanned
		pkg := testutils.NewTestPackage()
		defer pkg.Close()
		pkg.AddFile("md5.go", testutils.SampleCodeG401[0].Code[0])

		ctx := pkg.CreateContext("md5.go")

		// Search for md5.New()
		calls.Add("crypto/md5", "New")

		// Stub out visitor and count number of matched call expr
		matched := 0
		v := testutils.NewMockVisitor()
		v.Context = ctx
		v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
			if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {
				matched++
			}
			return true
		}
		ast.Walk(v, ctx.Root)
		Expect(matched).Should(Equal(1))
	})

	It("should match a package call expression", func() {
		// Create file to be scanned
		pkg := testutils.NewTestPackage()
		defer pkg.Close()
		pkg.AddFile("cipher.go", testutils.SampleCodeG405[0].Code[0])

		ctx := pkg.CreateContext("cipher.go")

		// Search for des.NewCipher()
		calls.Add("crypto/des", "NewCipher")

		// Stub out visitor and count number of matched call expr
		matched := 0
		v := testutils.NewMockVisitor()
		v.Context = ctx
		v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
			if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {
				matched++
			}
			return true
		}
		ast.Walk(v, ctx.Root)
		Expect(matched).Should(Equal(1))
	})

	It("should match a package call expression", func() {
		// Create file to be scanned
		pkg := testutils.NewTestPackage()
		defer pkg.Close()
		pkg.AddFile("md4.go", testutils.SampleCodeG406[0].Code[0])

		ctx := pkg.CreateContext("md4.go")

		// Search for md4.New()
		calls.Add("golang.org/x/crypto/md4", "New")

		// Stub out visitor and count number of matched call expr
		matched := 0
		v := testutils.NewMockVisitor()
		v.Context = ctx
		v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
			if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {
				matched++
			}
			return true
		}
		ast.Walk(v, ctx.Root)
		Expect(matched).Should(Equal(1))
	})

	It("should match a call expression", func() {
		// Create file to be scanned
		pkg := testutils.NewTestPackage()
		defer pkg.Close()
		pkg.AddFile("main.go", testutils.SampleCodeG104[6].Code[0])

		ctx := pkg.CreateContext("main.go")

		calls.Add("bytes.Buffer", "WriteString")
		calls.Add("strings.Builder", "WriteString")
		calls.Add("io.Pipe", "CloseWithError")
		calls.Add("fmt", "Fprintln")

		// Stub out visitor and count number of matched call expr
		matched := 0
		v := testutils.NewMockVisitor()
		v.Context = ctx
		v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
			if _, ok := n.(*ast.CallExpr); ok && calls.ContainsCallExpr(n, ctx) != nil {
				matched++
			}
			return true
		}
		ast.Walk(v, ctx.Root)
		Expect(matched).Should(Equal(5))
	})
})
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`package gosec_test`
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour 2016-11-18 17:57:34 +00:00
			`import (`
			`"go/ast"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
Update to ginkgo v2 (#753) 2022-01-03 17:11:35 +00:00			`. "github.com/onsi/ginkgo/v2"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`. "github.com/onsi/gomega"`
correct gci linter (#946) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-03-30 08:31:24 +01:00
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2"`
			`"github.com/securego/gosec/v2/testutils"`
Extend helpers and call list - Update call list to work directly with call expression - Add call list test cases - Extend helpers to add GetCallInfo to resolve call name and package or type if it's a var. - Add test cases to ensure correct behaviour 2016-11-18 17:57:34 +00:00			`)`

Add tests to cover the import tracker from file Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-29 17:32:39 +01:00			`var _ = Describe("Call List", func() {`
Fix lint and fail on error in the ci build 2021-05-31 09:44:12 +01:00			`var calls gosec.CallList`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`BeforeEach(func() {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`calls = gosec.NewCallList()`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`

			`It("should not return any matches when empty", func() {`
			`Expect(calls.Contains("foo", "bar")).Should(BeFalse())`
			`})`

			`It("should be possible to add a single call", func() {`
enable ginkgolinter linter (#948) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-04-04 07:52:59 +01:00			`Expect(calls).Should(BeEmpty())`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls.Add("foo", "bar")`
			`Expect(calls).Should(HaveLen(1))`

			`expected := make(map[string]bool)`
			`expected["bar"] = true`
			`actual := map[string]bool(calls["foo"])`
			`Expect(actual).Should(Equal(expected))`
			`})`

			`It("should be possible to add multiple calls at once", func() {`
enable ginkgolinter linter (#948) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-04-04 07:52:59 +01:00			`Expect(calls).Should(BeEmpty())`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`calls.AddAll("fmt", "Sprint", "Sprintf", "Printf", "Println")`

			`expected := map[string]bool{`
			`"Sprint": true,`
			`"Sprintf": true,`
			`"Printf": true,`
			`"Println": true,`
			`}`
			`actual := map[string]bool(calls["fmt"])`
			`Expect(actual).Should(Equal(expected))`
			`})`

Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`It("should be possible to add pointer call", func() {`
enable ginkgolinter linter (#948) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-04-04 07:52:59 +01:00			`Expect(calls).Should(BeEmpty())`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`calls.Add("*bytes.Buffer", "WriteString")`
			`actual := calls.ContainsPointer("*bytes.Buffer", "WriteString")`
			`Expect(actual).Should(BeTrue())`
			`})`

			`It("should be possible to check pointer call", func() {`
enable ginkgolinter linter (#948) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-04-04 07:52:59 +01:00			`Expect(calls).Should(BeEmpty())`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`calls.Add("bytes.Buffer", "WriteString")`
			`actual := calls.ContainsPointer("*bytes.Buffer", "WriteString")`
			`Expect(actual).Should(BeTrue())`
			`})`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`It("should not return a match if none are present", func() {`
			`calls.Add("ioutil", "Copy")`
			`Expect(calls.Contains("fmt", "Println")).Should(BeFalse())`
			`})`

			`It("should match a call based on selector and ident", func() {`
			`calls.Add("ioutil", "Copy")`
			`Expect(calls.Contains("ioutil", "Copy")).Should(BeTrue())`
			`})`

Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`It("should match a package call expression", func() {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`// Create file to be scanned`
			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
Refactor the test code sample to support multiple files per sample 2018-09-28 09:42:25 +01:00			`pkg.AddFile("md5.go", testutils.SampleCodeG401[0].Code[0])`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
			`ctx := pkg.CreateContext("md5.go")`

			`// Search for md5.New()`
Use explicit packages in call lists By allowing partial matches of selectors there are chances of collisions such as those in issue #145, this removes it to expect explicit packages for each rule. Closes #145 2018-01-05 13:05:53 +00:00			`calls.Add("crypto/md5", "New")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
			`// Stub out visitor and count number of matched call expr`
			`matched := 0`
			`v := testutils.NewMockVisitor()`
			`v.Context = ctx`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`matched++`
			`}`
			`return true`
			`}`
			`ast.Walk(v, ctx.Root)`
			`Expect(matched).Should(Equal(1))`
			`})`

Split the G401 rule into two separate ones Now the G401 rule is split into hashing and encryption algorithms. G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328. And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327. 2024-06-20 12:02:59 +01:00			`It("should match a package call expression", func() {`
			`// Create file to be scanned`
			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
			`pkg.AddFile("cipher.go", testutils.SampleCodeG405[0].Code[0])`

			`ctx := pkg.CreateContext("cipher.go")`

			`// Search for des.NewCipher()`
			`calls.Add("crypto/des", "NewCipher")`

			`// Stub out visitor and count number of matched call expr`
			`matched := 0`
			`v := testutils.NewMockVisitor()`
			`v.Context = ctx`
Added more rules * Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added. * Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added. * Slight changes in the Makefile(`make clean` wasn't removing all expected files) * Added license to `analyzer_test.go` 2024-06-24 18:16:32 +01:00			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
			`if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {`
			`matched++`
			`}`
			`return true`
			`}`
			`ast.Walk(v, ctx.Root)`
			`Expect(matched).Should(Equal(1))`
			`})`

			`It("should match a package call expression", func() {`
			`// Create file to be scanned`
			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
			`pkg.AddFile("md4.go", testutils.SampleCodeG406[0].Code[0])`

			`ctx := pkg.CreateContext("md4.go")`

			`// Search for md4.New()`
			`calls.Add("golang.org/x/crypto/md4", "New")`

			`// Stub out visitor and count number of matched call expr`
			`matched := 0`
			`v := testutils.NewMockVisitor()`
			`v.Context = ctx`
Split the G401 rule into two separate ones Now the G401 rule is split into hashing and encryption algorithms. G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328. And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327. 2024-06-20 12:02:59 +01:00			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
			`if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil {`
			`matched++`
			`}`
			`return true`
			`}`
			`ast.Walk(v, ctx.Root)`
			`Expect(matched).Should(Equal(1))`
			`})`

Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00			`It("should match a call expression", func() {`
			`// Create file to be scanned`
			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
Fix the call list info to handle selector expressions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-03-15 14:42:26 +00:00			`pkg.AddFile("main.go", testutils.SampleCodeG104[6].Code[0])`
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-01-28 13:11:00 +00:00
			`ctx := pkg.CreateContext("main.go")`

			`calls.Add("bytes.Buffer", "WriteString")`
			`calls.Add("strings.Builder", "WriteString")`
			`calls.Add("io.Pipe", "CloseWithError")`
			`calls.Add("fmt", "Fprintln")`

			`// Stub out visitor and count number of matched call expr`
			`matched := 0`
			`v := testutils.NewMockVisitor()`
			`v.Context = ctx`
			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
			`if _, ok := n.(*ast.CallExpr); ok && calls.ContainsCallExpr(n, ctx) != nil {`
			`matched++`
			`}`
			`return true`
			`}`
			`ast.Walk(v, ctx.Root)`
			`Expect(matched).Should(Equal(5))`
			`})`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`