gosec/rules/sql.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"regexp"

	"github.com/securego/gosec"
)

type sqlStatement struct {
	gosec.MetaData

	// Contains a list of patterns which must all match for the rule to match.
	patterns []*regexp.Regexp
}

func (s *sqlStatement) ID() string {
	return s.MetaData.ID
}

// See if the string matches the patterns for the statement.
func (s *sqlStatement) MatchPatterns(str string) bool {
	for _, pattern := range s.patterns {
		if !pattern.MatchString(str) {
			return false
		}
	}
	return true
}

type sqlStrConcat struct {
	sqlStatement
}

func (s *sqlStrConcat) ID() string {
	return s.MetaData.ID
}

// see if we can figure out what it is
func (s *sqlStrConcat) checkObject(n *ast.Ident, c *gosec.Context) bool {
	if n.Obj != nil {
		return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
	}

	// Try to resolve unresolved identifiers using other files in same package
	for _, file := range c.PkgFiles {
		if node, ok := file.Scope.Objects[n.String()]; ok {
			return node.Kind != ast.Var && node.Kind != ast.Fun
		}
	}
	return false
}

// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"
func (s *sqlStrConcat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
	if node, ok := n.(*ast.BinaryExpr); ok {
		if start, ok := node.X.(*ast.BasicLit); ok {
			if str, e := gosec.GetString(start); e == nil {
				if !s.MatchPatterns(str) {
					return nil, nil
				}
				if _, ok := node.Y.(*ast.BasicLit); ok {
					return nil, nil // string cat OK
				}
				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second, c) {
					return nil, nil
				}
				return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
			}
		}
	}
	return nil, nil
}

// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation
func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	return &sqlStrConcat{
		sqlStatement: sqlStatement{
			patterns: []*regexp.Regexp{
				regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
			},
			MetaData: gosec.MetaData{
				ID:         id,
				Severity:   gosec.Medium,
				Confidence: gosec.High,
				What:       "SQL string concatenation",
			},
		},
	}, []ast.Node{(*ast.BinaryExpr)(nil)}
}

type sqlStrFormat struct {
	sqlStatement
	calls         gosec.CallList
	noIssue       gosec.CallList
	noIssueQuoted gosec.CallList
}

// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"
func (s *sqlStrFormat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {

	// argIndex changes the function argument which gets matched to the regex
	argIndex := 0

	// TODO(gm) improve confidence if database/sql is being used
	if node := s.calls.ContainsCallExpr(n, c, false); node != nil {
		// if the function is fmt.Fprintf, search for SQL statement in Args[1] instead
		if sel, ok := node.Fun.(*ast.SelectorExpr); ok {
			if sel.Sel.Name == "Fprintf" {
				// if os.Stderr or os.Stdout is in Arg[0], mark as no issue
				if arg, ok := node.Args[0].(*ast.SelectorExpr); ok {
					if ident, ok := arg.X.(*ast.Ident); ok {
						if s.noIssue.Contains(ident.Name, arg.Sel.Name) {
							return nil, nil
						}
					}
				}
				// the function is Fprintf so set argIndex = 1
				argIndex = 1
			}
		}

		// no formatter
		if len(node.Args) == 0 {
			return nil, nil
		}

		var formatter string

		// concats callexpr arg strings together if needed before regex evaluation
		if argExpr, ok := node.Args[argIndex].(*ast.BinaryExpr); ok {
			if fullStr, ok := gosec.ConcatString(argExpr); ok {
				formatter = fullStr
			}
		} else if arg, e := gosec.GetString(node.Args[argIndex]); e == nil {
			formatter = arg
		}
		if len(formatter) <= 0 {
			return nil, nil
		}

		// If all formatter args are quoted, then the SQL construction is safe
		if argIndex+1 < len(node.Args) {
			allQuoted := true
			for _, arg := range node.Args[argIndex+1:] {
				if n := s.noIssueQuoted.ContainsCallExpr(arg, c, true); n == nil {
					allQuoted = false
					break
				}
			}
			if allQuoted {
				return nil, nil
			}
		}
		if s.MatchPatterns(formatter) {
			return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
		}
	}
	return nil, nil
}

// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings
func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	rule := &sqlStrFormat{
		calls:         gosec.NewCallList(),
		noIssue:       gosec.NewCallList(),
		noIssueQuoted: gosec.NewCallList(),
		sqlStatement: sqlStatement{
			patterns: []*regexp.Regexp{
				regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
				regexp.MustCompile("%[^bdoxXfFp]"),
			},
			MetaData: gosec.MetaData{
				ID:         id,
				Severity:   gosec.Medium,
				Confidence: gosec.High,
				What:       "SQL string formatting",
			},
		},
	}
	rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln", "Fprintf")
	rule.noIssue.AddAll("os", "Stdout", "Stderr")
	rule.noIssueQuoted.Add("github.com/lib/pq", "QuoteIdentifier")
	return rule, []ast.Node{(*ast.CallExpr)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"regexp"`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`"github.com/securego/gosec"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStatement struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00
			`// Contains a list of patterns which must all match for the rule to match.`
			`patterns []*regexp.Regexp`
			`}`

Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStatement) ID() string {`
			`return s.MetaData.ID`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`}`

Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`// See if the string matches the patterns for the statement.`
Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStatement) MatchPatterns(str string) bool {`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`for _, pattern := range s.patterns {`
			`if !pattern.MatchString(str) {`
			`return false`
			`}`
			`}`
			`return true`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrConcat struct {`
			`sqlStatement`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Build improvments (#179) * Add a semantic version to the usage text * Add a comment to the version function * Inject the version, git tag and build date as build variables * Update README * Fix lint warnings * Update README * Manage dependencies with dep tool instead of godep * Add a Makefile for common build tasks * Update the build file to use the make tool * Update Dockerfile * Add docker entry point in to make the passing of arguments easy * Update README * Add missing tools to the build * Drop 1.7 support and add 1.10 * Fix Go 1.10 according with the travis guidelines https://docs.travis-ci.com/user/languages/go/ * Update the tls-observatory package * Fix lint warnings * Change the output of the tests to be more verbose * Check if the are build errors before executing the rule test 2018-03-12 22:57:10 +00:00			`func (s *sqlStrConcat) ID() string {`
			`return s.MetaData.ID`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`}`

Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`// see if we can figure out what it is`
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes. 2018-09-28 08:46:59 +01:00			`func (s sqlStrConcat) checkObject(n ast.Ident, c *gosec.Context) bool {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if n.Obj != nil {`
Address go vet failure in SQL rule 2016-11-03 00:12:23 +00:00			`return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`}`
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes. 2018-09-28 08:46:59 +01:00
			`// Try to resolve unresolved identifiers using other files in same package`
			`for _, file := range c.PkgFiles {`
			`if node, ok := file.Scope.Objects[n.String()]; ok {`
			`return node.Kind != ast.Var && node.Kind != ast.Fun`
			`}`
			`}`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`return false`
			`}`

Initial public release 2016-07-20 11:02:01 +01:00			`// Look for "SELECT * FROM table WHERE " + " ' OR 1=1"`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (s sqlStrConcat) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if node, ok := n.(*ast.BinaryExpr); ok {`
			`if start, ok := node.X.(*ast.BasicLit); ok {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if str, e := gosec.GetString(start); e == nil {`
Rebase to master 2018-01-22 18:45:07 +00:00			`if !s.MatchPatterns(str) {`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`return nil, nil`
			`}`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`if _, ok := node.Y.(*ast.BasicLit); ok {`
			`return nil, nil // string cat OK`
			`}`
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes. 2018-09-28 08:46:59 +01:00			`if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second, c) {`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`return nil, nil`
			`}`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil`
Better SQLi testing This prevents the string concat tests flagging a false positive if joining two literal strings (eg "SELECT * FROM " + " table" ... ) or with a constant (eg const tab = "name"; "SELECT * from " + tab) 2016-07-27 14:59:10 +01:00			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrConcat looks for cases where we are building SQL strings via concatenation`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Rebase to master 2018-01-22 18:45:07 +00:00			`return &sqlStrConcat{`
			`sqlStatement: sqlStatement{`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`patterns: []*regexp.Regexp{`
			regexp.MustCompile(`(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) `),
			`},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "SQL string concatenation",`
			`},`
			`},`
Allow rules to register against multiple ast nodes Update the AddRule interface to allow rules to register interest in multiple ast.Nodes. Adds more flexibility to how rules can work, and was needed to fix the hard coded credentials test specifically. 2016-11-13 20:55:31 +00:00			`}, []ast.Node{(*ast.BinaryExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type sqlStrFormat struct {`
			`sqlStatement`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`calls gosec.CallList`
			`noIssue gosec.CallList`
			`noIssueQuoted gosec.CallList`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

			`// Looks for "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (s sqlStrFormat) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
Add Fprintf to Rule G201 2018-08-21 08:31:38 +01:00			`// argIndex changes the function argument which gets matched to the regex`
			`argIndex := 0`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`// TODO(gm) improve confidence if database/sql is being used`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`if node := s.calls.ContainsCallExpr(n, c, false); node != nil {`
Add Fprintf to Rule G201 2018-08-21 08:31:38 +01:00			`// if the function is fmt.Fprintf, search for SQL statement in Args[1] instead`
			`if sel, ok := node.Fun.(*ast.SelectorExpr); ok {`
			`if sel.Sel.Name == "Fprintf" {`
			`// if os.Stderr or os.Stdout is in Arg[0], mark as no issue`
			`if arg, ok := node.Args[0].(*ast.SelectorExpr); ok {`
			`if ident, ok := arg.X.(*ast.Ident); ok {`
			`if s.noIssue.Contains(ident.Name, arg.Sel.Name) {`
			`return nil, nil`
			`}`
			`}`
			`}`
			`// the function is Fprintf so set argIndex = 1`
			`argIndex = 1`
			`}`
			`}`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00
Make G201 ignore CallExpr with no args (#262) 2018-11-05 08:28:47 +00:00			`// no formatter`
			`if len(node.Args) == 0 {`
			`return nil, nil`
			`}`

Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`var formatter string`

Small update to G201 and added ConcatString Function (#228) 2018-08-19 18:57:36 +01:00			`// concats callexpr arg strings together if needed before regex evaluation`
Add Fprintf to Rule G201 2018-08-21 08:31:38 +01:00			`if argExpr, ok := node.Args[argIndex].(*ast.BinaryExpr); ok {`
Small update to G201 and added ConcatString Function (#228) 2018-08-19 18:57:36 +01:00			`if fullStr, ok := gosec.ConcatString(argExpr); ok {`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`formatter = fullStr`
Small update to G201 and added ConcatString Function (#228) 2018-08-19 18:57:36 +01:00			`}`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`} else if arg, e := gosec.GetString(node.Args[argIndex]); e == nil {`
			`formatter = arg`
			`}`
			`if len(formatter) <= 0 {`
			`return nil, nil`
Small update to G201 and added ConcatString Function (#228) 2018-08-19 18:57:36 +01:00			`}`

Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`// If all formatter args are quoted, then the SQL construction is safe`
			`if argIndex+1 < len(node.Args) {`
			`allQuoted := true`
			`for _, arg := range node.Args[argIndex+1:] {`
			`if n := s.noIssueQuoted.ContainsCallExpr(arg, c, true); n == nil {`
			`allQuoted = false`
			`break`
			`}`
			`}`
			`if allQuoted {`
			`return nil, nil`
			`}`
			`}`
			`if s.MatchPatterns(formatter) {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`return nil, nil`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewSQLStrFormat looks for cases where we're building SQL query strings using format strings`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`rule := &sqlStrFormat{`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`calls: gosec.NewCallList(),`
			`noIssue: gosec.NewCallList(),`
			`noIssueQuoted: gosec.NewCallList(),`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`sqlStatement: sqlStatement{`
Adjust SQL format-string rules to ignore inherently safe formats 2017-10-05 17:24:29 +01:00			`patterns: []*regexp.Regexp{`
			`regexp.MustCompile("(?)(SELECT\|DELETE\|INSERT\|UPDATE\|INTO\|FROM\|WHERE) "),`
			`regexp.MustCompile("%[^bdoxXfFp]"),`
			`},`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Severity: gosec.Medium,`
			`Confidence: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "SQL string formatting",`
			`},`
			`},`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`}`
Add Fprintf to Rule G201 2018-08-21 08:31:38 +01:00			`rule.calls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln", "Fprintf")`
			`rule.noIssue.AddAll("os", "Stdout", "Stderr")`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass 2018-09-25 08:40:05 +01:00			`rule.noIssueQuoted.Add("github.com/lib/pq", "QuoteIdentifier")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`return rule, []ast.Node{(*ast.CallExpr)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`