gosec/issue.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package gosec

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"go/ast"
	"go/token"
	"os"
	"strconv"
)

// Score type used by severity and confidence values
type Score int

const (
	// Low severity or confidence
	Low Score = iota
	// Medium severity or confidence
	Medium
	// High severity or confidence
	High
)

// SnippetOffset defines the number of lines captured before
// the beginning and after the end of a code snippet
const SnippetOffset = 1

// Cwe id and url
type Cwe struct {
	ID  string
	URL string
}

// GetCwe creates a cwe object for a given RuleID
func GetCwe(id string) Cwe {
	return Cwe{ID: id, URL: fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", id)}
}

// IssueToCWE maps gosec rules to CWEs
var IssueToCWE = map[string]Cwe{
	"G101": GetCwe("798"),
	"G102": GetCwe("200"),
	"G103": GetCwe("242"),
	"G104": GetCwe("703"),
	"G106": GetCwe("322"),
	"G107": GetCwe("88"),
	"G108": GetCwe("200"),
	"G109": GetCwe("190"),
	"G110": GetCwe("409"),
	"G201": GetCwe("89"),
	"G202": GetCwe("89"),
	"G203": GetCwe("79"),
	"G204": GetCwe("78"),
	"G301": GetCwe("276"),
	"G302": GetCwe("276"),
	"G303": GetCwe("377"),
	"G304": GetCwe("22"),
	"G305": GetCwe("22"),
	"G306": GetCwe("276"),
	"G307": GetCwe("703"),
	"G401": GetCwe("326"),
	"G402": GetCwe("295"),
	"G403": GetCwe("310"),
	"G404": GetCwe("338"),
	"G501": GetCwe("327"),
	"G502": GetCwe("327"),
	"G503": GetCwe("327"),
	"G504": GetCwe("327"),
	"G505": GetCwe("327"),
	"G601": GetCwe("118"),
}

// Issue is returned by a gosec rule if it discovers an issue with the scanned code.
type Issue struct {
	Severity   Score  `json:"severity"`   // issue severity (how problematic it is)
	Confidence Score  `json:"confidence"` // issue confidence (how sure we are we found it)
	Cwe        Cwe    `json:"cwe"`        // Cwe associated with RuleID
	RuleID     string `json:"rule_id"`    // Human readable explanation
	What       string `json:"details"`    // Human readable explanation
	File       string `json:"file"`       // File name we found it in
	Code       string `json:"code"`       // Impacted code line
	Line       string `json:"line"`       // Line number in file
	Col        string `json:"column"`     // Column number in line
}

// FileLocation point out the file path and line number in file
func (i Issue) FileLocation() string {
	return fmt.Sprintf("%s:%s", i.File, i.Line)
}

// MetaData is embedded in all gosec rules. The Severity, Confidence and What message
// will be passed through to reported issues.
type MetaData struct {
	ID         string
	Severity   Score
	Confidence Score
	What       string
}

// MarshalJSON is used convert a Score object into a JSON representation
func (c Score) MarshalJSON() ([]byte, error) {
	return json.Marshal(c.String())
}

// String converts a Score into a string
func (c Score) String() string {
	switch c {
	case High:
		return "HIGH"
	case Medium:
		return "MEDIUM"
	case Low:
		return "LOW"
	}
	return "UNDEFINED"
}

// codeSnippet extracts a code snippet based on the ast reference
func codeSnippet(file *os.File, start int64, end int64, n ast.Node) (string, error) {
	if n == nil {
		return "", fmt.Errorf("invalid AST node provided")
	}
	var pos int64
	var buf bytes.Buffer
	scanner := bufio.NewScanner(file)
	scanner.Split(bufio.ScanLines)
	for scanner.Scan() {
		pos++
		if pos > end {
			break
		} else if pos >= start && pos <= end {
			code := fmt.Sprintf("%d: %s\n", pos, scanner.Text())
			buf.WriteString(code)
		}
	}
	return buf.String(), nil
}

func codeSnippetStartLine(node ast.Node, fobj *token.File) int64 {
	s := (int64)(fobj.Line(node.Pos()))
	if s-SnippetOffset > 0 {
		return s - SnippetOffset
	}
	return s
}

func codeSnippetEndLine(node ast.Node, fobj *token.File) int64 {
	e := (int64)(fobj.Line(node.End()))
	return e + SnippetOffset
}

// NewIssue creates a new Issue
func NewIssue(ctx *Context, node ast.Node, ruleID, desc string, severity Score, confidence Score) *Issue {
	fobj := ctx.FileSet.File(node.Pos())
	name := fobj.Name()
	start, end := fobj.Line(node.Pos()), fobj.Line(node.End())
	line := strconv.Itoa(start)
	if start != end {
		line = fmt.Sprintf("%d-%d", start, end)
	}
	col := strconv.Itoa(fobj.Position(node.Pos()).Column)

	var code string
	if file, err := os.Open(fobj.Name()); err == nil {
		defer file.Close() // #nosec
		s := codeSnippetStartLine(node, fobj)
		e := codeSnippetEndLine(node, fobj)
		code, err = codeSnippet(file, s, e, node)
		if err != nil {
			code = err.Error()
		}
	}

	return &Issue{
		File:       name,
		Line:       line,
		Col:        col,
		RuleID:     ruleID,
		What:       desc,
		Confidence: confidence,
		Severity:   severity,
		Code:       code,
		Cwe:        IssueToCWE[ruleID],
	}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`package gosec`
Initial public release 2016-07-20 11:02:01 +01:00
			`import (`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`"bufio"`
			`"bytes"`
Use encoding/json for -fmt json output 2016-07-26 00:39:55 +01:00			`"encoding/json"`
Initial public release 2016-07-20 11:02:01 +01:00			`"fmt"`
			`"go/ast"`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`"go/token"`
Initial public release 2016-07-20 11:02:01 +01:00			`"os"`
Add test cases 2017-09-16 01:12:27 +01:00			`"strconv"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// Score type used by severity and confidence values`
Initial public release 2016-07-20 11:02:01 +01:00			`type Score int`

			`const (`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// Low severity or confidence`
			`Low Score = iota`
			`// Medium severity or confidence`
			`Medium`
			`// High severity or confidence`
			`High`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`// SnippetOffset defines the number of lines captured before`
			`// the beginning and after the end of a code snippet`
			`const SnippetOffset = 1`

Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			`// Cwe id and url`
			`type Cwe struct {`
			`ID string`
			`URL string`
			`}`

			`// GetCwe creates a cwe object for a given RuleID`
			`func GetCwe(id string) Cwe {`
			`return Cwe{ID: id, URL: fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", id)}`
			`}`

			`// IssueToCWE maps gosec rules to CWEs`
			`var IssueToCWE = map[string]Cwe{`
			`"G101": GetCwe("798"),`
			`"G102": GetCwe("200"),`
			`"G103": GetCwe("242"),`
			`"G104": GetCwe("703"),`
			`"G106": GetCwe("322"),`
			`"G107": GetCwe("88"),`
Make sure all rules are mapped to CWE numbers Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 15:12:01 +01:00			`"G108": GetCwe("200"),`
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-06 08:55:52 +00:00			`"G109": GetCwe("190"),`
Add G110(Potential DoS vulnerability via decompression bomb) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-19 19:40:19 +00:00			`"G110": GetCwe("409"),`
Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			`"G201": GetCwe("89"),`
			`"G202": GetCwe("89"),`
			`"G203": GetCwe("79"),`
			`"G204": GetCwe("78"),`
			`"G301": GetCwe("276"),`
			`"G302": GetCwe("276"),`
			`"G303": GetCwe("377"),`
			`"G304": GetCwe("22"),`
			`"G305": GetCwe("22"),`
Make sure all rules are mapped to CWE numbers Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 15:12:01 +01:00			`"G306": GetCwe("276"),`
			`"G307": GetCwe("703"),`
Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			`"G401": GetCwe("326"),`
			`"G402": GetCwe("295"),`
			`"G403": GetCwe("310"),`
			`"G404": GetCwe("338"),`
			`"G501": GetCwe("327"),`
			`"G502": GetCwe("327"),`
			`"G503": GetCwe("327"),`
			`"G504": GetCwe("327"),`
			`"G505": GetCwe("327"),`
Make sure all rules are mapped to CWE numbers Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 15:12:01 +01:00			`"G601": GetCwe("118"),`
Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			`}`

Fix typos in comments and rulelist (#256) 2018-10-11 13:45:31 +01:00			`// Issue is returned by a gosec rule if it discovers an issue with the scanned code.`
Initial public release 2016-07-20 11:02:01 +01:00			`type Issue struct {`
Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			Severity Score `json:"severity"` // issue severity (how problematic it is)
			Confidence Score `json:"confidence"` // issue confidence (how sure we are we found it)
Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			Cwe Cwe `json:"cwe"` // Cwe associated with RuleID
Add the rule ID to issues (#188) 2018-03-12 08:18:44 +00:00			RuleID string `json:"rule_id"` // Human readable explanation
Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			What string `json:"details"` // Human readable explanation
			File string `json:"file"` // File name we found it in
			Code string `json:"code"` // Impacted code line
Add test cases 2017-09-16 01:12:27 +01:00			Line string `json:"line"` // Line number in file
Add golint format to output format (#428) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-03 09:56:21 +00:00			Col string `json:"column"` // Column number in line
Initial public release 2016-07-20 11:02:01 +01:00			`}`

feature(formatter/text): Add color option on text format (#460) * feature(issue): Add function to return file path and line number * docs(formatter/CreateReport): Update formats accepted * feature(formatter): Add color output for text format Basic color support for text format. For now, only the "Summary" title and "Issues" section has color * feature(formatter): Highlight issues based on severity Given an issue, the file path is painted based on its severity. We're using the following rules: high is red, medium is yellow and low is simple black & white * feature(main): Add color flag It's only valid for text format * refactor(formatter): Passing color flag forward 2020-04-14 08:50:02 +01:00			`// FileLocation point out the file path and line number in file`
			`func (i Issue) FileLocation() string {`
			`return fmt.Sprintf("%s:%s", i.File, i.Line)`
			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`// MetaData is embedded in all gosec rules. The Severity, Confidence and What message`
Fix typos in comments and rulelist (#256) 2018-10-11 13:45:31 +01:00			`// will be passed through to reported issues.`
Initial public release 2016-07-20 11:02:01 +01:00			`type MetaData struct {`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID string`
Initial public release 2016-07-20 11:02:01 +01:00			`Severity Score`
			`Confidence Score`
			`What string`
			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// MarshalJSON is used convert a Score object into a JSON representation`
Use encoding/json for -fmt json output 2016-07-26 00:39:55 +01:00			`func (c Score) MarshalJSON() ([]byte, error) {`
			`return json.Marshal(c.String())`
			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// String converts a Score into a string`
Initial public release 2016-07-20 11:02:01 +01:00			`func (c Score) String() string {`
			`switch c {`
			`case High:`
			`return "HIGH"`
			`case Medium:`
			`return "MEDIUM"`
			`case Low:`
			`return "LOW"`
			`}`
			`return "UNDEFINED"`
			`}`

Add some comments Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 16:03:25 +01:00			`// codeSnippet extracts a code snippet based on the ast reference`
Initial public release 2016-07-20 11:02:01 +01:00			`func codeSnippet(file *os.File, start int64, end int64, n ast.Node) (string, error) {`
			`if n == nil {`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`return "", fmt.Errorf("invalid AST node provided")`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`var pos int64`
			`var buf bytes.Buffer`
			`scanner := bufio.NewScanner(file)`
			`scanner.Split(bufio.ScanLines)`
			`for scanner.Scan() {`
			`pos++`
			`if pos > end {`
			`break`
			`} else if pos >= start && pos <= end {`
			`code := fmt.Sprintf("%d: %s\n", pos, scanner.Text())`
			`buf.WriteString(code)`
			`}`
Fix some lint warnings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2019-04-30 10:32:06 +01:00			`}`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`return buf.String(), nil`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`func codeSnippetStartLine(node ast.Node, fobj *token.File) int64 {`
			`s := (int64)(fobj.Line(node.Pos()))`
			`if s-SnippetOffset > 0 {`
			`return s - SnippetOffset`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`return s`
			`}`

			`func codeSnippetEndLine(node ast.Node, fobj *token.File) int64 {`
			`e := (int64)(fobj.Line(node.End()))`
			`return e + SnippetOffset`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// NewIssue creates a new Issue`
Add the rule ID to issues (#188) 2018-03-12 08:18:44 +00:00			`func NewIssue(ctx Context, node ast.Node, ruleID, desc string, severity Score, confidence Score) Issue {`
Initial public release 2016-07-20 11:02:01 +01:00			`fobj := ctx.FileSet.File(node.Pos())`
			`name := fobj.Name()`
Add test cases 2017-09-16 01:12:27 +01:00			`start, end := fobj.Line(node.Pos()), fobj.Line(node.End())`
			`line := strconv.Itoa(start)`
			`if start != end {`
			`line = fmt.Sprintf("%d-%d", start, end)`
			`}`
Add golint format to output format (#428) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-03 09:56:21 +00:00			`col := strconv.Itoa(fobj.Position(node.Pos()).Column)`

Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`var code string`
Initial public release 2016-07-20 11:02:01 +01:00			`if file, err := os.Open(fobj.Name()); err == nil {`
Extend the code snippet included in the issue and refactored how the code snippet is printed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-06-25 14:21:23 +01:00			`defer file.Close() // #nosec`
			`s := codeSnippetStartLine(node, fobj)`
			`e := codeSnippetEndLine(node, fobj)`
Initial public release 2016-07-20 11:02:01 +01:00			`code, err = codeSnippet(file, s, e, node)`
			`if err != nil {`
			`code = err.Error()`
			`}`
			`}`

			`return &Issue{`
			`File: name,`
			`Line: line,`
Add golint format to output format (#428) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-03 09:56:21 +00:00			`Col: col,`
Add the rule ID to issues (#188) 2018-03-12 08:18:44 +00:00			`RuleID: ruleID,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: desc,`
			`Confidence: confidence,`
			`Severity: severity,`
			`Code: code,`
Add CWE rule mappings (#405) * added mappings * added cwe to template * link in function to template * moved mappings and added test cases * wording * cleanup 2019-10-31 08:22:38 +00:00			`Cwe: IssueToCWE[ruleID],`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`