actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-06 03:55:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
gosec/testutils/source.go

3567 lines
60 KiB
Go
Raw Normal View History

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package testutils
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-01 21:18:39 +01:00
import "github.com/securego/gosec/v2"
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// CodeSample encapsulates a snippet of source code that compiles, and how many errors should be detected
type CodeSample struct {
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
Code []string
Errors int
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
Config gosec.Config
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
}
var (
// SampleCodeG101 code snippets for hardcoded credentials
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
SampleCodeG101 = []CodeSample{
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
username := "admin"
password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
fmt.Println("Doing something with: ", username, password)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// Entropy check should not report this error by default
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
username := "admin"
password := "secret"
fmt.Println("Doing something with: ", username, password)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
username := "admin"
fmt.Println("Doing something with: ", username, password)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
const password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
username := "admin"
fmt.Println("Doing something with: ", username, password)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
const (
username = "user"
password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
fmt.Println("Doing something with: ", username, password)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
var password string
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func init() {
password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
const (
ATNStateSomethingElse = 1
ATNStateTokenStart = 42
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
println(ATNStateTokenStart)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
const (
ATNStateTokenStart = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
println(ATNStateTokenStart)
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
func main() {
var password string
if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
fmt.Println("password equality")
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) * Update hardcoded_credentials.go adaper equal expr which const value at left. ``` if "Tr0ub4dour_UPL&&LOlo" == pwd ``` * Update hardcoded_credentials.go check ident not equal nil * adapter const == key hardcoded, add testcases
2023-01-31 08:52:37 +00:00
func main() {
var password string
if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password {
fmt.Println("password equality")
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import "fmt"
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
func main() {
var password string
if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
fmt.Println("password equality")
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) * Update hardcoded_credentials.go adaper equal expr which const value at left. ``` if "Tr0ub4dour_UPL&&LOlo" == pwd ``` * Update hardcoded_credentials.go check ident not equal nil * adapter const == key hardcoded, add testcases
2023-01-31 08:52:37 +00:00
func main() {
var password string
if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != password {
fmt.Println("password equality")
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import "fmt"
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
func main() {
var p string
if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
fmt.Println("password equality")
Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-17 14:47:27 +01:00
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
{[]string{`
package main
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) * Update hardcoded_credentials.go adaper equal expr which const value at left. ``` if "Tr0ub4dour_UPL&&LOlo" == pwd ``` * Update hardcoded_credentials.go check ident not equal nil * adapter const == key hardcoded, add testcases
2023-01-31 08:52:37 +00:00
import "fmt"
func main() {
var p string
if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != p {
fmt.Println("password equality")
}
}`}, 0, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
const (
pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA=="
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
fmt.Println(pw)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
var (
pw string
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA=="
fmt.Println(pw)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
const (
cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA=="
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
fmt.Println(cred)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
var (
cred string
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA=="
fmt.Println(cred)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
const (
apiKey = "KjasdlkjapoIKLlka98098sdf012U"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
fmt.Println(apiKey)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
var (
apiKey string
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
apiKey = "KjasdlkjapoIKLlka98098sdf012U"
fmt.Println(apiKey)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
const (
bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
fmt.Println(bearer)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
var (
bearer string
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
feat: adding new keyword for hardcoded credentials (#666)
2021-07-19 10:23:39 +01:00
func main() {
bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09"
fmt.Println(bearer)
}`}, 1, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// SampleCodeG102 code snippets for network binding
SampleCodeG102 = []CodeSample{
// Bind to all networks explicitly
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import (
"log"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"net"
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
l, err := net.Listen("tcp", "0.0.0.0:2000")
if err != nil {
log.Fatal(err)
}
defer l.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()},
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// Bind to all networks implicitly (default if host omitted)
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import (
"log"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"net"
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
l, err := net.Listen("tcp", ":2000")
if err != nil {
log.Fatal(err)
}
defer l.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()},
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
// Bind to all networks indirectly through a parsing function
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
import (
"log"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"net"
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
func parseListenAddr(listenAddr string) (network string, addr string) {
return "", ""
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
func main() {
addr := ":2000"
l, err := net.Listen(parseListenAddr(addr))
if err != nil {
log.Fatal(err)
}
defer l.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()},
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
// Bind to all networks indirectly through a parsing function
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
import (
"log"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"net"
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
const addr = ":2000"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
func parseListenAddr(listenAddr string) (network string, addr string) {
return "", ""
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-02 14:37:42 +00:00
func main() {
l, err := net.Listen(parseListenAddr(addr))
if err != nil {
log.Fatal(err)
}
defer l.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()},
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
import (
"log"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"net"
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-02 15:28:51 +00:00
const addr = "0.0.0.0:2000"
func main() {
l, err := net.Listen("tcp", addr)
if err != nil {
log.Fatal(err)
}
defer l.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()},
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
}
// SampleCodeG103 find instances of unsafe blocks for auditing purposes
SampleCodeG103 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import (
"fmt"
"unsafe"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
type Fake struct{}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func (Fake) Good() {}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
unsafeM := Fake{}
unsafeM.Good()
intArray := [...]int{1, 2}
fmt.Printf("\nintArray: %v\n", intArray)
intPtr := &intArray[0]
fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr)
addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])
intPtr = (*int)(unsafe.Pointer(addressHolder))
fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 3, gosec.NewConfig()},
}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// SampleCodeG104 finds errors that aren't being handled
SampleCodeG104 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func test() (int,error) {
return 0, nil
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
v, _ := test()
fmt.Println(v)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import (
"io/ioutil"
"os"
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func a() error {
return fmt.Errorf("This is an error")
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func b() {
fmt.Println("b")
ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive)
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func c() string {
return fmt.Sprintf("This isn't anything")
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
_ = a()
a()
b()
c()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 2, gosec.NewConfig()}, {[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func test() error {
return nil
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
e := test()
fmt.Println(e)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Build the code sample for string builder only fron Go 1.10 onwards
2018-11-11 08:41:40 +00:00
// +build go1.10
add test case for strings.Builder G104 whitelist inclusion
2018-10-18 00:13:56 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
add test case for strings.Builder G104 whitelist inclusion
2018-10-18 00:13:56 +01:00
import "strings"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
add test case for strings.Builder G104 whitelist inclusion
2018-10-18 00:13:56 +01:00
func main() {
var buf strings.Builder
Fix the WriteSring test by handling the error
2018-11-10 15:39:44 +00:00
_, err := buf.WriteString("test string")
if err != nil {
panic(err)
}
Build the code sample for string builder only fron Go 1.10 onwards
2018-11-11 08:41:40 +00:00
}`, `
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Build the code sample for string builder only fron Go 1.10 onwards
2018-11-11 08:41:40 +00:00
func dummy(){}
Fix the whitelist on G104 rule and add a test Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:15:11 +01:00
`}, 0, gosec.NewConfig()}, {[]string{`
package main
Fix the call list info to handle selector expressions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-15 14:42:26 +00:00
import (
"bytes"
)
type a struct {
buf *bytes.Buffer
}
func main() {
a := &a{
buf: new(bytes.Buffer),
}
a.buf.Write([]byte{0})
}
`}, 0, gosec.NewConfig()}, {[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the whitelist on G104 rule and add a test Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:15:11 +01:00
import (
"io/ioutil"
"os"
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the whitelist on G104 rule and add a test Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:15:11 +01:00
func a() {
fmt.Println("a")
ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive)
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix the whitelist on G104 rule and add a test Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:15:11 +01:00
func main() {
a()
Fix the errors rule whitelist to work on types methods Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-28 13:11:00 +00:00
}`}, 0, gosec.Config{"G104": map[string]interface{}{"ioutil": []interface{}{"WriteFile"}}}}, {[]string{`
package main
import (
"bytes"
"fmt"
"io"
"os"
"strings"
)
func createBuffer() *bytes.Buffer {
return new(bytes.Buffer)
}
func main() {
new(bytes.Buffer).WriteString("*bytes.Buffer")
fmt.Fprintln(os.Stderr, "fmt")
new(strings.Builder).WriteString("*strings.Builder")
_, pw := io.Pipe()
pw.CloseWithError(io.EOF)
createBuffer().WriteString("*bytes.Buffer")
b := createBuffer()
b.WriteString("*bytes.Buffer")
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
} // it shouldn't return any errors because all method calls are whitelisted by default
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
// SampleCodeG104Audit finds errors that aren't being handled in audit mode
SampleCodeG104Audit = []CodeSample{
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func test() (int,error) {
return 0, nil
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func main() {
v, _ := test()
fmt.Println(v)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{`
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
import (
"io/ioutil"
"os"
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func a() error {
return fmt.Errorf("This is an error")
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func b() {
fmt.Println("b")
ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive)
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func c() string {
return fmt.Sprintf("This isn't anything")
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func main() {
_ = a()
a()
b()
c()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 3, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{`
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
import "fmt"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func test() error {
return nil
}
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func main() {
e := test()
fmt.Println(e)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{`
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
// +build go1.10
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
import "strings"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func main() {
var buf strings.Builder
_, err := buf.WriteString("test string")
if err != nil {
panic(err)
}
}`, `
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) * Define more explicit the global options in the configuration * Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 11:37:40 +00:00
func dummy(){}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
`}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 15:56:26 +00:00
// SampleCodeG106 - ssh InsecureIgnoreHostKey
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG106 = []CodeSample{{[]string{`
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 15:56:26 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 15:56:26 +00:00
import (
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
"golang.org/x/crypto/ssh"
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 15:56:26 +00:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 15:56:26 +00:00
func main() {
Add some review fixes
2018-02-07 08:23:52 +00:00
_ = ssh.InsecureIgnoreHostKey()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}}
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test
2018-09-04 07:55:03 +01:00
// SampleCodeG107 - SSRF via http requests with variable url
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG107 = []CodeSample{{[]string{`
Clarify and add new unit tests for rule G107 (#376) The existing unit tests for G107 didn't have any comments why a certain code is problematic. Other than that we need more unit tests for rule G107 for the different scenarios. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 11:22:43 +01:00
// Input from the std in is considered insecure
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test
2018-09-04 07:55:03 +01:00
package main
import (
"net/http"
"io/ioutil"
"fmt"
"os"
Change test I thought that an example where the user inputs a URL is more realistic. Because if your operating system is already hacked then you are already screwed. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 08:52:12 +00:00
"bufio"
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test
2018-09-04 07:55:03 +01:00
)
func main() {
Change test I thought that an example where the user inputs a URL is more realistic. Because if your operating system is already hacked then you are already screwed. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 08:52:12 +00:00
in := bufio.NewReader(os.Stdin)
url, err := in.ReadString('\n')
if err != nil {
panic(err)
}
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test
2018-09-04 07:55:03 +01:00
resp, err := http.Get(url)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Printf("%s", body)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
Improve the SSRF rule to report an issue for package scoped variables Made also the rule to not report an issue when encountering function scoped variable which terminate in a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-04 12:25:38 +01:00
// Variable defined a package level can be changed at any time
// regardless of the initial value
Clarify and add new unit tests for rule G107 (#376) The existing unit tests for G107 didn't have any comments why a certain code is problematic. Other than that we need more unit tests for rule G107 for the different scenarios. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 11:22:43 +01:00
package main
import (
"fmt"
"io/ioutil"
"net/http"
)
var url string = "https://www.google.com"
func main() {
resp, err := http.Get(url)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Printf("%s", body)
}`}, 1, gosec.NewConfig()}, {[]string{`
// Environmental variables are not considered as secure source
package main
import (
"net/http"
"io/ioutil"
"fmt"
"os"
)
func main() {
url := os.Getenv("tainted_url")
resp, err := http.Get(url)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Printf("%s", body)
}`}, 1, gosec.NewConfig()}, {[]string{`
Improve the SSRF rule to report an issue for package scoped variables Made also the rule to not report an issue when encountering function scoped variable which terminate in a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-04 12:25:38 +01:00
// Constant variables or hard-coded strings are secure
G107 - SSRF (#236) * Initial SSRF Rule * Added Selector evaluation * Added source code tests * Fixed spacing issues * Fixed Spacingv2 * Removed resty test
2018-09-04 07:55:03 +01:00
package main
import (
"fmt"
"net/http"
)
const url = "http://127.0.0.1"
func main() {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
Improve the SSRF rule to report an issue for package scoped variables Made also the rule to not report an issue when encountering function scoped variable which terminate in a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-04 12:25:38 +01:00
}
fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}, {[]string{`
// A variable at function scope which is initialized to
// a constant string is secure (e.g. cannot be changed concurrently)
package main
import (
"fmt"
"net/http"
)
func main() {
var url string = "http://127.0.0.1"
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}, {[]string{`
// A variable at function scope which is initialized to
// a constant string is secure (e.g. cannot be changed concurrently)
package main
import (
"fmt"
"net/http"
)
func main() {
url := "http://127.0.0.1"
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}, {[]string{`
// A variable at function scope which is initialized to
// a constant string is secure (e.g. cannot be changed concurrently)
package main
import (
"fmt"
"net/http"
)
func main() {
url1 := "test"
var url2 string = "http://127.0.0.1"
url2 = url1
resp, err := http.Get(url2)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}, {[]string{`
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// An exported variable declared a packaged scope is not secure
Improve the SSRF rule to report an issue for package scoped variables Made also the rule to not report an issue when encountering function scoped variable which terminate in a basic literal such as a string. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-04 12:25:38 +01:00
// because it can changed at any time
package main
import (
"fmt"
"net/http"
)
var Url string
func main() {
resp, err := http.Get(Url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}`}, 1, gosec.NewConfig()}, {[]string{`
// An url provided as a function argument is not secure
package main
import (
"fmt"
"net/http"
)
func get(url string) {
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
fmt.Println(resp.Status)
}
func main() {
url := "http://127.0.0.1"
get(url)
}`}, 1, gosec.NewConfig()}}
Add a rule which detects when pprof endpoint is automatically exposed Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-20 09:46:06 +01:00
// SampleCodeG108 - pprof endpoint automatically exposed
SampleCodeG108 = []CodeSample{{[]string{`
package main
import (
"fmt"
"log"
"net/http"
_ "net/http/pprof"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World!")
})
log.Fatal(http.ListenAndServe(":8080", nil))
Fix the rule G108/pporf to handle the case when the pporf import has not name This is causing a crash. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:10:00 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"log"
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello World!")
})
log.Fatal(http.ListenAndServe(":8080", nil))
}`}, 0, gosec.NewConfig()}}
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 08:55:52 +00:00
// SampleCodeG109 - Potential Integer OverFlow
SampleCodeG109 = []CodeSample{
{[]string{`
package main
import (
"fmt"
"strconv"
)
func main() {
bigValue, err := strconv.Atoi("2147483648")
if err != nil {
panic(err)
}
value := int32(bigValue)
fmt.Println(value)
Fix wrong location for G109 (#829) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.
2022-07-06 05:37:11 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 08:55:52 +00:00
package main
import (
"fmt"
"strconv"
)
func main() {
bigValue, err := strconv.Atoi("32768")
if err != nil {
panic(err)
}
if int16(bigValue) < 0 {
fmt.Println(bigValue)
}
Fix wrong location for G109 (#829) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.
2022-07-06 05:37:11 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 08:55:52 +00:00
package main
import (
"fmt"
"strconv"
)
func main() {
bigValue, err := strconv.Atoi("2147483648")
if err != nil {
panic(err)
}
fmt.Println(bigValue)
Fix wrong location for G109 (#829) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.
2022-07-06 05:37:11 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 08:55:52 +00:00
package main
import (
"fmt"
"strconv"
)
func main() {
bigValue, err := strconv.Atoi("2147483648")
if err != nil {
panic(err)
}
fmt.Println(bigValue)
test()
}
func test() {
bigValue := 30
value := int32(bigValue)
fmt.Println(value)
Fix wrong location for G109 (#829) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.
2022-07-06 05:37:11 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Modify rule for integer overflow to have more acurate results (#434) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 09:13:12 +00:00
package main
import (
"fmt"
"strconv"
)
func main() {
value := 10
if value == 10 {
value, _ := strconv.Atoi("2147483648")
fmt.Println(value)
}
v := int32(value)
fmt.Println(v)
Fix wrong location for G109 (#829) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.
2022-07-06 05:37:11 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
"strconv"
)
func main() {
a, err := strconv.Atoi("a")
b := int32(a) //#nosec G109
fmt.Println(b, err)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
}
Add a rule which detects when there is potential integer overflow (#422) * Add G109(Potential Integer OverFlow Detection) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * add CWE to G109(Potential Integer Overflow) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> * Modify G109 to use gosec.Context Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 08:55:52 +00:00
Add G110(Potential DoS vulnerability via decompression bomb) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-19 19:40:19 +00:00
// SampleCodeG110 - potential DoS vulnerability via decompression bomb
SampleCodeG110 = []CodeSample{
{[]string{`
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
func main() {
buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207,
47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147}
b := bytes.NewReader(buff)
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
_, err = io.Copy(os.Stdout, r)
Add io.CopyBuffer function to rule G110 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-27 08:21:51 +01:00
if err != nil {
panic(err)
}
r.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
Add G110(Potential DoS vulnerability via decompression bomb) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-19 19:40:19 +00:00
Add io.CopyBuffer function to rule G110 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-27 08:21:51 +01:00
func main() {
buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207,
47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147}
b := bytes.NewReader(buff)
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
buf := make([]byte, 8)
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
_, err = io.CopyBuffer(os.Stdout, r, buf)
Add io.CopyBuffer function to rule G110 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-27 08:21:51 +01:00
if err != nil {
panic(err)
}
Add G110(Potential DoS vulnerability via decompression bomb) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-19 19:40:19 +00:00
r.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"archive/zip"
"io"
"os"
"strconv"
)
func main() {
r, err := zip.OpenReader("tmp.zip")
if err != nil {
panic(err)
}
defer r.Close()
for i, f := range r.File {
out, err := os.OpenFile("output" + strconv.Itoa(i), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
if err != nil {
panic(err)
}
rc, err := f.Open()
if err != nil {
panic(err)
}
_, err = io.Copy(out, rc)
out.Close()
rc.Close()
if err != nil {
panic(err)
}
}
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"io"
"os"
)
func main() {
s, err := os.Open("src")
if err != nil {
panic(err)
}
defer s.Close()
d, err := os.Create("dst")
if err != nil {
panic(err)
}
defer d.Close()
_, err = io.Copy(d, s)
if err != nil {
panic(err)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
}
Add G110(Potential DoS vulnerability via decompression bomb) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-19 19:40:19 +00:00
Adds directory traversal for Http.Dir("/")
2022-03-06 09:58:47 +00:00
// SampleCodeG111 - potential directory traversal
SampleCodeG111 = []CodeSample{
{[]string{`
package main
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.Handle("/bad/", http.StripPrefix("/bad/", http.FileServer(http.Dir("/"))))
http.HandleFunc("/", HelloServer)
log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), nil))
}
func HelloServer(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
}`}, 1, gosec.NewConfig()},
}
Add new rule for Slowloris Attack
2022-04-30 11:38:50 +01:00
// SampleCodeG112 - potential slowloris attack
SampleCodeG112 = []CodeSample{
{[]string{`
package main
import (
"fmt"
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
})
err := (&http.Server{
Addr: ":1234",
}).ListenAndServe()
if err != nil {
panic(err)
}
}
`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
"time"
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
})
server := &http.Server{
Addr: ":1234",
ReadHeaderTimeout: 3 * time.Second,
}
err := server.ListenAndServe()
if err != nil {
panic(err)
}
}
`}, 0, gosec.NewConfig()},
fix ReadTimeout for G112 rule
2022-06-23 13:58:13 +01:00
{[]string{`
package main
import (
"fmt"
"time"
"net/http"
)
func main() {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
})
server := &http.Server{
Addr: ":1234",
ReadTimeout: 1 * time.Second,
}
err := server.ListenAndServe()
if err != nil {
panic(err)
}
}
`}, 0, gosec.NewConfig()},
Add new rule for Slowloris Attack
2022-04-30 11:38:50 +01:00
}
Add check for usage of Rat.SetString in math/big with an overflow error (#819) * Add check for usage of Rat.SetString in math/big with an overflow error Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. It is the CVE-2022-23772. * Use ContainsPkgCallExpr instead of manual parsing
2022-06-02 23:19:51 +01:00
// SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
SampleCodeG113 = []CodeSample{
{[]string{
`
package main
import (
"math/big"
"fmt"
)
func main() {
r := big.Rat{}
r.SetString("13e-9223372036854775808")
fmt.Println(r)
}`,
}, 1, gosec.NewConfig()},
}
Detect use of net/http functions that have no support for setting timeouts (#842) https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/ https://blog.cloudflare.com/exposing-go-on-the-internet/ Closes https://github.com/securego/gosec/issues/833
2022-08-02 16:16:44 +01:00
// SampleCodeG114 - Use of net/http serve functions that have no support for setting timeouts
SampleCodeG114 = []CodeSample{
{[]string{
`
package main
import (
"log"
"net/http"
)
func main() {
err := http.ListenAndServe(":8080", nil)
log.Fatal(err)
}`,
}, 1, gosec.NewConfig()},
{
[]string{
`
package main
import (
"log"
"net/http"
)
func main() {
err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil)
log.Fatal(err)
}`,
}, 1, gosec.NewConfig(),
},
{
[]string{
`
package main
import (
"log"
"net"
"net/http"
)
func main() {
l, err := net.Listen("tcp", ":8080")
if err != nil {
log.Fatal(err)
}
defer l.Close()
err = http.Serve(l, nil)
log.Fatal(err)
}`,
}, 1, gosec.NewConfig(),
},
{
[]string{
`
package main
import (
"log"
"net"
"net/http"
)
func main() {
l, err := net.Listen("tcp", ":8443")
if err != nil {
log.Fatal(err)
}
defer l.Close()
err = http.ServeTLS(l, nil, "cert.pem", "key.pem")
log.Fatal(err)
}`,
}, 1, gosec.NewConfig(),
},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG201 - SQL injection via format string
SampleCodeG201 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// Format string without proper quoting
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
// Format string without proper quoting case insensitive
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// Format string without proper quoting with context
package main
import (
"context"
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
rows, err := db.QueryContext(context.Background(), q)
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
Fix typos, Go Report link and Gofmt
2021-05-07 17:04:01 +01:00
// Format string without proper quoting with transaction
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
package main
import (
"context"
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
tx, err := db.Begin()
if err != nil {
panic(err)
}
defer tx.Rollback()
q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1])
rows, err := tx.QueryContext(context.Background(), q)
if err != nil {
panic(err)
}
defer rows.Close()
if err := tx.Commit(); err != nil {
panic(err)
}
}`}, 1, gosec.NewConfig()}, {[]string{`
Rebase to master
2018-01-22 18:45:07 +00:00
// Format string false positive, safe string spec.
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Rebase to master
2018-01-22 18:45:07 +00:00
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where id = %d", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// Format string false positive
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"database/sql"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
const staticQuery = "SELECT * FROM foo WHERE age < 32"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
panic(err)
Migrated old test cases.
2017-12-28 06:54:10 +00:00
}
rows, err := db.Query(staticQuery)
if err != nil {
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
panic(err)
Migrated old test cases.
2017-12-28 06:54:10 +00:00
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass
2018-09-25 08:40:05 +01:00
// Format string false positive, quoted formatter argument.
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Allow quoted strings to be used to format SQL queries (#240) * Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass
2018-09-25 08:40:05 +01:00
import (
"database/sql"
"fmt"
"os"
"github.com/lib/pq"
)
func main(){
db, err := sql.Open("postgres", "localhost")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM %s where id = 1", pq.QuoteIdentifier(os.Args[1]))
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
One approach for fixing the false positive identified in #325.
2019-06-12 20:53:17 +01:00
// false positive
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
One approach for fixing the false positive identified in #325.
2019-06-12 20:53:17 +01:00
import (
"database/sql"
"fmt"
)
const Table = "foo"
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM %s where id = 1", Table)
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Make G201 ignore CallExpr with no args (#262)
2018-11-05 08:28:47 +00:00
package main
import (
"fmt"
)
func main(){
fmt.Sprintln()
Fix false negatives for SQL injection in multi-line queries
2022-01-05 11:05:53 +00:00
}`}, 0, gosec.NewConfig()}, {[]string{`
// Format string with \n\r
package main
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759)
2022-01-12 15:33:39 +00:00
}`}, 1, gosec.NewConfig()}, {[]string{`
// Format string with \n\r
package main
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.Query(some).Scan(&other)
package main
import (
"database/sql"
"fmt"
"os"
)
func main() {
var name string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
row := db.QueryRow(q)
err = row.Scan(&name)
if err != nil {
panic(err)
}
defer db.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.Query(some).Scan(&other)
package main
import (
"database/sql"
"fmt"
"os"
)
func main() {
var name string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1])
err = db.QueryRow(q).Scan(&name)
if err != nil {
panic(err)
}
defer db.Close()
Add db.Exec and db.Prepare to the sql rule (#763) * Add db.Exec and db.Prepare to the sql rule * add test cases for G201,G202
2022-01-17 12:50:37 +00:00
}`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.Prepare(some)
package main
import (
"database/sql"
"fmt"
"log"
"os"
)
const Table = "foo"
func main() {
var album string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
stmt, err := db.Prepare(q)
if err != nil {
log.Fatal(err)
}
stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
if err != nil {
if err == sql.ErrNoRows {
log.Fatal(err)
}
}
defer stmt.Close()
}
`}, 1, gosec.NewConfig()}, {[]string{`
// SQLI by db.PrepareContext(some)
package main
import (
"context"
"database/sql"
"fmt"
"log"
"os"
)
const Table = "foo"
func main() {
var album string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1])
stmt, err := db.PrepareContext(context.Background(), q)
if err != nil {
log.Fatal(err)
}
stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album)
if err != nil {
if err == sql.ErrNoRows {
log.Fatal(err)
}
}
defer stmt.Close()
}
`}, 1, gosec.NewConfig()}, {[]string{`
// false positive
package main
import (
"database/sql"
"fmt"
"log"
"os"
)
const Table = "foo"
func main() {
var album string
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?")
if err != nil {
log.Fatal(err)
}
stmt.QueryRow(fmt.Sprintf("%s", os.Args[1])).Scan(&album)
if err != nil {
if err == sql.ErrNoRows {
log.Fatal(err)
}
}
defer stmt.Close()
}
`}, 0, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG202 - SQL query string building via string concatenation
SampleCodeG202 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"database/sql"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query("SELECT * FROM foo WHERE name = " + os.Args[1])
if err != nil {
panic(err)
}
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
// case insensitive match
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
import (
"database/sql"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query("select * from foo where name = " + os.Args[1])
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
// context match
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
import (
"context"
"database/sql"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1])
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
Fix typos, Go Report link and Gofmt
2021-05-07 17:04:01 +01:00
// DB transaction check
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
import (
"context"
"database/sql"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 13:19:00 +01:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
tx, err := db.Begin()
if err != nil {
panic(err)
}
defer tx.Rollback()
rows, err := tx.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1])
if err != nil {
panic(err)
}
defer rows.Close()
if err := tx.Commit(); err != nil {
panic(err)
}
}`}, 1, gosec.NewConfig()}, {[]string{`
Improve the SQL strings concat rules to handle multiple string concatenation Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 14:42:43 +01:00
// multiple string concatenation
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL strings concat rules to handle multiple string concatenation Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 14:42:43 +01:00
import (
"database/sql"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the SQL strings concat rules to handle multiple string concatenation Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-25 14:42:43 +01:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query("SELECT * FROM foo" + "WHERE name = " + os.Args[1])
if err != nil {
panic(err)
}
defer rows.Close()
}`}, 1, gosec.NewConfig()}, {[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// false positive
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"database/sql"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
var staticQuery = "SELECT * FROM foo WHERE age < "
func main(){
db, err := sql.Open("sqlite3", ":memory:")
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
if err != nil {
Migrated old test cases.
2017-12-28 06:54:10 +00:00
panic(err)
}
rows, err := db.Query(staticQuery + "32")
if err != nil {
panic(err)
}
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
defer rows.Close()
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"database/sql"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
const age = "32"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
var staticQuery = "SELECT * FROM foo WHERE age < "
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query(staticQuery + age)
if err != nil {
panic(err)
}
defer rows.Close()
}
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
`}, 0, gosec.NewConfig()}, {[]string{`
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
const gender = "M"
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
`, `
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
import (
"database/sql"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
const age = "32"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
var staticQuery = "SELECT * FROM foo WHERE age < "
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Fix false positives for SQL string concatenation with constants from another file (#247) * Allow for SQL concatenation of nodes that resolve to literals If node.Y resolves to a literal, it will not be considered as an issue. * Fix typo in comment. * Go through all files in package to resolve that identifier * Refactor code and added comments. * Changed checking to not var or func. * Allow for supporting code for test cases. * Resolve merge conflict changes.
2018-09-28 08:46:59 +01:00
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender)
if err != nil {
panic(err)
}
defer rows.Close()
}
Add db.Exec and db.Prepare to the sql rule (#763) * Add db.Exec and db.Prepare to the sql rule * add test cases for G201,G202
2022-01-17 12:50:37 +00:00
`}, 0, gosec.NewConfig()}, {[]string{`
// ExecContext match
package main
import (
"context"
"database/sql"
"fmt"
"os"
)
func main() {
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
result, err := db.ExecContext(context.Background(), "select * from foo where name = "+os.Args[1])
if err != nil {
panic(err)
}
fmt.Println(result)
}`}, 1, gosec.NewConfig()}, {[]string{`
// Exec match
package main
import (
"database/sql"
"fmt"
"os"
)
func main() {
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
result, err := db.Exec("select * from foo where name = " + os.Args[1])
if err != nil {
panic(err)
}
fmt.Println(result)
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"database/sql"
"fmt"
)
const gender = "M"
const age = "32"
var staticQuery = "SELECT * FROM foo WHERE age < "
func main() {
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
result, err := db.Exec("SELECT * FROM foo WHERE gender = " + gender)
if err != nil {
panic(err)
}
fmt.Println(result)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
`}, 0, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG203 - Template checks
SampleCodeG203 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// We assume that hardcoded template strings are safe as the programmer would
// need to be explicitly shooting themselves in the foot (as below)
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"html/template"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
const tmpl = ""
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
t := template.Must(template.New("ex").Parse(tmpl))
v := map[string]interface{}{
"Title": "Test <b>World</b>",
"Body": template.HTML("<script>alert(1)</script>"),
}
t.Execute(os.Stdout, v)
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 0, gosec.NewConfig()}, {[]string{
Migrated old test cases.
2017-12-28 06:54:10 +00:00
`
// Using a variable to initialize could potentially be dangerous. Under the
// current model this will likely produce some false positives.
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"html/template"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
const tmpl = ""
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
a := "something from another place"
t := template.Must(template.New("ex").Parse(tmpl))
v := map[string]interface{}{
"Title": "Test <b>World</b>",
"Body": template.HTML(a),
}
t.Execute(os.Stdout, v)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`,
}, 1, gosec.NewConfig()}, {[]string{
Migrated old test cases.
2017-12-28 06:54:10 +00:00
`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"html/template"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
const tmpl = ""
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
a := "something from another place"
t := template.Must(template.New("ex").Parse(tmpl))
v := map[string]interface{}{
"Title": "Test <b>World</b>",
"Body": template.JS(a),
}
t.Execute(os.Stdout, v)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`,
}, 1, gosec.NewConfig()}, {[]string{
Migrated old test cases.
2017-12-28 06:54:10 +00:00
`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"html/template"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
const tmpl = ""
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
a := "something from another place"
t := template.Must(template.New("ex").Parse(tmpl))
v := map[string]interface{}{
"Title": "Test <b>World</b>",
"Body": template.URL(a),
}
t.Execute(os.Stdout, v)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`,
}, 1, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG204 - Subprocess auditing
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
SampleCodeG204 = []CodeSample{
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"log"
"os/exec"
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
"context"
Migrated old test cases.
2017-12-28 06:54:10 +00:00
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
err := exec.CommandContext(context.Background(), "git", "rev-parse", "--show-toplevel").Run()
Migrated old test cases.
2017-12-28 06:54:10 +00:00
if err != nil {
log.Fatal(err)
}
log.Printf("Command finished with error: %v", err)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// Calling any function which starts a new process with using
// command line arguments as it's arguments is considered dangerous
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
import (
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
"context"
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
"log"
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
"os"
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
"os/exec"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
func main() {
Fix the subproc rule to handle correctly the CommandContext check In this case, we need to skip the first argument because it is the context. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-11 14:18:38 +00:00
err := exec.CommandContext(context.Background(), os.Args[0], "5").Run()
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
if err != nil {
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
log.Fatal(err)
}
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
log.Printf("Command finished with error: %v", err)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// Initializing a local variable using a environmental
// variable is consider as a dangerous user input
add CommandContext as subprocess launcher
2018-06-03 22:43:28 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"log"
"os"
"os/exec"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
run := "sleep" + os.Getenv("SOMETHING")
cmd := exec.Command(run, "5")
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
log.Printf("Command finished with error: %v", err)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// gosec doesn't have enough context to decide that the
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
// command argument of the RunCmd function is hardcoded string
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// and that's why it's better to warn the user so he can audit it
package main
import (
"log"
"os/exec"
)
func RunCmd(command string) {
cmd := exec.Command(command, "5")
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
}
func main() {
RunCmd("sleep")
fix: add more rules for G204 (#677) * fix: add more rules for G204 * fix: add extra test and comment
2021-08-16 10:31:51 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"log"
"os/exec"
)
func RunCmd(a string, c string) {
cmd := exec.Command(c)
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
cmd = exec.Command(a)
err = cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
}
func main() {
RunCmd("ll", "ls")
}`}, 0, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
{[]string{`
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
// syscall.Exec function called with hardcoded arguments
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// shouldn't be consider as a command injection
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
import (
"fmt"
"syscall"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
func main() {
err := syscall.Exec("/bin/cat", []string{"/etc/passwd"}, nil)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
}`}, 0, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
{
[]string{`
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls Also add the corresponding tests for this. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-11 13:00:30 +00:00
package main
import (
"fmt"
"syscall"
)
func RunCmd(command string) {
_, err := syscall.ForkExec(command, []string{}, nil)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
}
func main() {
RunCmd("sleep")
}`}, 1, gosec.NewConfig(),
},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
{
[]string{`
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls Also add the corresponding tests for this. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-11 13:00:30 +00:00
package main
import (
"fmt"
"syscall"
)
func RunCmd(command string) {
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
_, _, err := syscall.StartProcess(command, []string{}, nil)
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls Also add the corresponding tests for this. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-11 13:00:30 +00:00
if err != nil {
fmt.Printf("Error: %v\n", err)
}
}
func main() {
RunCmd("sleep")
}`}, 1, gosec.NewConfig(),
},
{[]string{`
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
// starting a process with a variable as an argument
// even if not constant is not considered as dangerous
Fix typos in comments, vars and tests
2023-05-26 16:03:54 +01:00
// because it has hardcoded value
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
import (
"log"
"os/exec"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Change rule G204 to be less restrictive (#339) Currently, rule G204 warns you about every single use of the functions syscall.Exec, os.exec.CommandContext and os.Exec.Command. This can create false positives and it's not accurate because you can use those functions with perfectly secure arguments like hardcoded strings for example. With this change, G204 will warn you in 3 cases when passing arguments to a function which starts a new process the arguments: 1) are variables initialized by calling another function 2) are functions 3) are command-line arguments or environmental variables Closes: https://github.com/securego/gosec/issues/338 Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 15:15:06 +01:00
func main() {
run := "sleep"
cmd := exec.Command(run, "5")
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
log.Printf("Command finished with error: %v", err)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 0, gosec.NewConfig()},
Add G204 rule for sys/execabs (#660) * Add G204 rule for sys/execabs * syntax error in testutils/sources.go
2021-07-01 16:43:25 +01:00
{[]string{`
// exec.Command from supplemental package sys/execabs
// using variable arguments
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add G204 rule for sys/execabs (#660) * Add G204 rule for sys/execabs * syntax error in testutils/sources.go
2021-07-01 16:43:25 +01:00
import (
"context"
"log"
"os"
exec "golang.org/x/sys/execabs"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add G204 rule for sys/execabs (#660) * Add G204 rule for sys/execabs * syntax error in testutils/sources.go
2021-07-01 16:43:25 +01:00
func main() {
err := exec.CommandContext(context.Background(), os.Args[0], "5").Run()
if err != nil {
log.Fatal(err)
}
log.Printf("Command finished with error: %v", err)
}
`}, 1, gosec.NewConfig()},
fix G204 bugs (#835) Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 10:08:43 +01:00
{[]string{`
// Initializing a local variable using a environmental
// variable is consider as a dangerous user input
package main
import (
"log"
"os"
"os/exec"
)
func main() {
var run = "sleep" + os.Getenv("SOMETHING")
cmd := exec.Command(run, "5")
err := cmd.Start()
if err != nil {
log.Fatal(err)
}
log.Printf("Waiting for command to finish...")
err = cmd.Wait()
log.Printf("Command finished with error: %v", err)
}`}, 1, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG301 - mkdir permission check
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG301 = []CodeSample{{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
import (
"fmt"
"os"
)
func main() {
err := os.Mkdir("/tmp/mydir", 0777)
if err != nil {
fmt.Println("Error when creating a directory!")
return
}
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"os"
)
func main() {
err := os.MkdirAll("/tmp/mydir", 0777)
if err != nil {
fmt.Println("Error when creating a directory!")
return
}
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"os"
)
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
err := os.Mkdir("/tmp/mydir", 0600)
if err != nil {
fmt.Println("Error when creating a directory!")
return
}
}`}, 0, gosec.NewConfig()}}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG302 - file create / chmod permissions check
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG302 = []CodeSample{{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
import (
"fmt"
"os"
)
func main() {
err := os.Chmod("/tmp/somefile", 0777)
if err != nil {
fmt.Println("Error when changing file permissions!")
return
}
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"os"
)
func main() {
_, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
if err != nil {
fmt.Println("Error opening a file!")
return
}
}`}, 1, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"os"
)
func main() {
err := os.Chmod("/tmp/mydir", 0400)
if err != nil {
fmt.Println("Error")
return
}
}`}, 0, gosec.NewConfig()}, {[]string{`
package main
import (
"fmt"
"os"
)
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
_, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
if err != nil {
fmt.Println("Error opening a file!")
return
}
}
`}, 0, gosec.NewConfig()}}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG303 - bad tempfile permissions & hardcoded shared path
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG303 = []CodeSample{{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package samples
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
"fmt"
Migrated old test cases.
2017-12-28 06:54:10 +00:00
"io/ioutil"
G303: catch with os.WriteFile, add os.Create test case (#718) * Add G303 os.Create test case * Catch G303 with os.WriteFile too
2021-11-09 20:13:45 +00:00
"os"
Find more tempdirs * Find G303 in string concatenations, with os.TempDir, and in path.Join args * Find G303 with /usr/tmp, too /usr/tmp is commonly found e.g. on Solaris.
2022-01-03 20:58:25 +00:00
"path"
Find G303 with filepath.Join'd temp dirs (#754)
2022-01-04 13:48:02 +00:00
"path/filepath"
Migrated old test cases.
2017-12-28 06:54:10 +00:00
)
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
G303: catch with os.WriteFile, add os.Create test case (#718) * Add G303 os.Create test case * Catch G303 with os.WriteFile too
2021-11-09 20:13:45 +00:00
f, err := os.Create("/tmp/demo2")
if err != nil {
fmt.Println("Error while writing!")
} else if err = f.Close(); err != nil {
fmt.Println("Error while closing!")
}
err = os.WriteFile("/tmp/demo2", []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
Find more tempdirs * Find G303 in string concatenations, with os.TempDir, and in path.Join args * Find G303 with /usr/tmp, too /usr/tmp is commonly found e.g. on Solaris.
2022-01-03 20:58:25 +00:00
err = os.WriteFile("/usr/tmp/demo2", []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
err = os.WriteFile("/tmp/" + "demo2", []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
err = os.WriteFile(os.TempDir() + "/demo2", []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
err = os.WriteFile(path.Join("/var/tmp", "demo2"), []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
err = os.WriteFile(path.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
Find G303 with filepath.Join'd temp dirs (#754)
2022-01-04 13:48:02 +00:00
err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
}`}, 9, gosec.NewConfig()}}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
// SampleCodeG304 - potential file inclusion vulnerability
Add os.Create to the readfile rule (#761)
2022-01-12 18:33:17 +00:00
SampleCodeG304 = []CodeSample{
{[]string{`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
import (
"os"
"io/ioutil"
"log"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
func main() {
Change unit tests to check for one thing (#381) The unit tests should check for a single thing at a time. This was not true for some the tests. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 09:15:56 +01:00
f := os.Getenv("tainted_file")
body, err := ioutil.ReadFile(f)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
package main
feat: add os.ReadFile to G304 (#706) In Go 1.16 or higher, the `io/ioutil` has been deprecated and the `ioutil.ReadFile` function now calls `os.ReadFile`. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 08:53:26 +01:00
import (
"os"
"log"
)
func main() {
f := os.Getenv("tainted_file")
body, err := os.ReadFile(f)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
feat: add os.ReadFile to G304 (#706) In Go 1.16 or higher, the `io/ioutil` has been deprecated and the `ioutil.ReadFile` function now calls `os.ReadFile`. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 08:53:26 +01:00
package main
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
title := r.URL.Query().Get("title")
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
f, err := os.Open(title)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
body := make([]byte, 5)
Cleanup test output
2018-03-09 05:28:56 +00:00
if _, err = f.Read(body); err != nil {
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
fmt.Printf("Error: %v\n", err)
}
fmt.Fprintf(w, "%s", body)
})
log.Fatal(http.ListenAndServe(":3000", nil))
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
package main
Extend the rule G304 with os.OpenFile and add a test to cover it Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-16 12:29:03 +01:00
import (
"fmt"
"log"
"net/http"
"os"
)
func main() {
http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
title := r.URL.Query().Get("title")
f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755)
if err != nil {
fmt.Printf("Error: %v\n", err)
}
body := make([]byte, 5)
if _, err = f.Read(body); err != nil {
fmt.Printf("Error: %v\n", err)
}
fmt.Fprintf(w, "%s", body)
})
log.Fatal(http.ListenAndServe(":3000", nil))
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Extend the rule G304 with os.OpenFile and add a test to cover it Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-16 12:29:03 +01:00
package main
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
import (
"log"
"os"
"io/ioutil"
)
func main() {
f2 := os.Getenv("tainted_file2")
body, err := ioutil.ReadFile("/tmp/" + f2)
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
package main
import (
"bufio"
"fmt"
"os"
"path/filepath"
)
func main() {
reader := bufio.NewReader(os.Stdin)
fmt.Print("Please enter file to read: ")
file, _ := reader.ReadString('\n')
file = file[:len(file)-1]
f, err := os.Open(filepath.Join("/tmp/service/", file))
if err != nil {
fmt.Printf("Error: %v\n", err)
}
contents := make([]byte, 15)
if _, err = f.Read(contents); err != nil {
fmt.Printf("Error: %v\n", err)
}
fmt.Println(string(contents))
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
update to G304 which adds binary expressions and file joining (#233) * Added features to G304 * Linted * Added path selectors * Used better solution * removed debugging lines * fixed comments * Added test code * fixed a spacing change
2018-08-28 05:34:07 +01:00
package main
import (
"log"
"os"
"io/ioutil"
"path/filepath"
)
func main() {
dir := os.Getenv("server_root")
f3 := os.Getenv("tainted_file3")
// edge case where both a binary expression and file Join are used.
body, err := ioutil.ReadFile(filepath.Join("/var/"+dir, f3))
if err != nil {
log.Printf("Error: %v\n", err)
}
log.Print(body)
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-17 20:05:28 +01:00
package main
import (
"os"
"path/filepath"
)
func main() {
repoFile := "path_of_file"
cleanRepoFile := filepath.Clean(repoFile)
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
_, err := os.OpenFile(cleanRepoFile, os.O_RDONLY, 0600)
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-17 20:05:28 +01:00
if err != nil {
panic(err)
}
}
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
`}, 0, gosec.NewConfig()},
{[]string{`
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-17 20:05:28 +01:00
package main
import (
"os"
"path/filepath"
)
func openFile(filePath string) {
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
_, err := os.OpenFile(filepath.Clean(filePath), os.O_RDONLY, 0600)
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-17 20:05:28 +01:00
if err != nil {
panic(err)
}
}
func main() {
repoFile := "path_of_file"
openFile(repoFile)
}
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
`}, 0, gosec.NewConfig()},
{[]string{`
Add also filepath.Rel as a sanitization method for input argument in the G304 rule Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 07:39:55 +01:00
package main
import (
"os"
"path/filepath"
)
Track back when a file path was sanitized with filepath.Clean (#912) * Track back when a file path was sanitized with filepath.Clean * Remove unused argument to fix lint warnings
2023-01-09 15:26:20 +00:00
func openFile(dir string, filePath string) {
fp := filepath.Join(dir, filePath)
fp = filepath.Clean(fp)
_, err := os.OpenFile(fp, os.O_RDONLY, 0600)
if err != nil {
panic(err)
}
}
func main() {
repoFile := "path_of_file"
dir := "path_of_dir"
openFile(dir, repoFile)
}
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
`}, 0, gosec.NewConfig()},
{[]string{`
Track back when a file path was sanitized with filepath.Clean (#912) * Track back when a file path was sanitized with filepath.Clean * Remove unused argument to fix lint warnings
2023-01-09 15:26:20 +00:00
package main
import (
"os"
"path/filepath"
)
Add also filepath.Rel as a sanitization method for input argument in the G304 rule Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 07:39:55 +01:00
func main() {
repoFile := "path_of_file"
Fix compilation errors in the test samples Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 08:19:01 +00:00
relFile, err := filepath.Rel("./", repoFile)
if err != nil {
panic(err)
}
_, err = os.OpenFile(relFile, os.O_RDONLY, 0600)
Add also filepath.Rel as a sanitization method for input argument in the G304 rule Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 07:39:55 +01:00
if err != nil {
panic(err)
}
}
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
`}, 0, gosec.NewConfig()},
{[]string{`
Add os.Create to the readfile rule (#761)
2022-01-12 18:33:17 +00:00
package main
import (
"io"
"os"
)
func createFile(file string) *os.File {
f, err := os.Create(file)
if err != nil {
panic(err)
}
return f
}
func main() {
s, err := os.Open("src")
if err != nil {
panic(err)
}
defer s.Close()
d := createFile("dst")
defer d.Close()
_, err = io.Copy(d, s)
if err != nil {
panic(err)
}
}`}, 1, gosec.NewConfig()},
Check nil pointer when variable is declared in a different file
2023-03-08 13:42:45 +00:00
{[]string{`
package main
import (
"fmt"
"path/filepath"
)
type foo struct {
}
func (f *foo) doSomething(silly string) error {
whoCares, err := filepath.Rel(THEWD, silly)
if err != nil {
return err
}
fmt.Printf("%s", whoCares)
return nil
}
func main() {
f := &foo{}
if err := f.doSomething("irrelevant"); err != nil {
panic(err)
}
}
`, `
package main
var THEWD string
`}, 0, gosec.NewConfig()},
Add os.Create to the readfile rule (#761)
2022-01-12 18:33:17 +00:00
}
New Rule Tainted file (#183) * Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) * Add a tool which generates the TLS rule configuration from Mozilla server side TLS configuration * Update README * Remove trailing space in README * Update dependencies * Fix the commends of the generated functions * Add nil pointer check to rule. (#181) TypeOf returns the type of expression e, or nil if not found. We are calling .String() on a value that may be nil in this clause. Relates to #174 * Add support for YAML output format (#177) * Add YAML output format * Update README * added rule to check for tainted file path * added #nosec to main/issue.go * updated test case import
2018-03-08 23:23:27 +00:00
feat: adds support for path.Join and for tar archives in G305
2020-08-02 16:09:02 +01:00
// SampleCodeG305 - File path traversal when extracting zip/tar archives
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG305 = []CodeSample{{[]string{`
Rule which detects a potential path traversal when extracting zip archives (#208) * Add a rule which detects file path traversal when extracting zip archive * Detect if any argument is derived from zip.File * Drop support for Go version 1.8
2018-07-18 13:31:07 +01:00
package unzip
import (
"archive/zip"
"io"
"os"
"path/filepath"
)
func unzip(archive, target string) error {
reader, err := zip.OpenReader(archive)
if err != nil {
return err
}
if err := os.MkdirAll(target, 0750); err != nil {
return err
}
for _, file := range reader.File {
path := filepath.Join(target, file.Name)
if file.FileInfo().IsDir() {
Remove space between `//` and `#nosec` in examples and internal use Comments intended for machines to read do not have the space by convention.
2021-12-15 18:31:14 +00:00
os.MkdirAll(path, file.Mode()) //#nosec
Rule which detects a potential path traversal when extracting zip archives (#208) * Add a rule which detects file path traversal when extracting zip archive * Detect if any argument is derived from zip.File * Drop support for Go version 1.8
2018-07-18 13:31:07 +01:00
continue
}
fileReader, err := file.Open()
if err != nil {
return err
}
defer fileReader.Close()
targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
if err != nil {
return err
}
defer targetFile.Close()
if _, err := io.Copy(targetFile, fileReader); err != nil {
return err
}
}
return nil
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
Rule which detects a potential path traversal when extracting zip archives (#208) * Add a rule which detects file path traversal when extracting zip archive * Detect if any argument is derived from zip.File * Drop support for Go version 1.8
2018-07-18 13:31:07 +01:00
package unzip
import (
"archive/zip"
"io"
"os"
"path/filepath"
)
func unzip(archive, target string) error {
reader, err := zip.OpenReader(archive)
if err != nil {
return err
}
if err := os.MkdirAll(target, 0750); err != nil {
return err
}
for _, file := range reader.File {
archiveFile := file.Name
path := filepath.Join(target, archiveFile)
if file.FileInfo().IsDir() {
Remove space between `//` and `#nosec` in examples and internal use Comments intended for machines to read do not have the space by convention.
2021-12-15 18:31:14 +00:00
os.MkdirAll(path, file.Mode()) //#nosec
Rule which detects a potential path traversal when extracting zip archives (#208) * Add a rule which detects file path traversal when extracting zip archive * Detect if any argument is derived from zip.File * Drop support for Go version 1.8
2018-07-18 13:31:07 +01:00
continue
}
fileReader, err := file.Open()
if err != nil {
return err
}
defer fileReader.Close()
targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
if err != nil {
return err
}
defer targetFile.Close()
if _, err := io.Copy(targetFile, fileReader); err != nil {
return err
}
}
return nil
feat: adds support for path.Join and for tar archives in G305
2020-08-02 16:09:02 +01:00
}`}, 1, gosec.NewConfig()}, {[]string{`
package zip
import (
"archive/zip"
"io"
"os"
"path"
)
func extractFile(f *zip.File, destPath string) error {
filePath := path.Join(destPath, f.Name)
os.MkdirAll(path.Dir(filePath), os.ModePerm)
rc, err := f.Open()
if err != nil {
return err
}
defer rc.Close()
fw, err := os.Create(filePath)
if err != nil {
return err
}
defer fw.Close()
if _, err = io.Copy(fw, rc); err != nil {
return err
}
if f.FileInfo().Mode()&os.ModeSymlink != 0 {
return nil
}
if err = os.Chtimes(filePath, f.ModTime(), f.ModTime()); err != nil {
return err
}
return os.Chmod(filePath, f.FileInfo().Mode())
}`}, 1, gosec.NewConfig()}, {[]string{`
package tz
import (
"archive/tar"
"io"
"os"
"path"
)
func extractFile(f *tar.Header, tr *tar.Reader, destPath string) error {
filePath := path.Join(destPath, f.Name)
os.MkdirAll(path.Dir(filePath), os.ModePerm)
fw, err := os.Create(filePath)
if err != nil {
return err
}
defer fw.Close()
if _, err = io.Copy(fw, tr); err != nil {
return err
}
if f.FileInfo().Mode()&os.ModeSymlink != 0 {
return nil
}
if err = os.Chtimes(filePath, f.FileInfo().ModTime(), f.FileInfo().ModTime()); err != nil {
return err
}
return os.Chmod(filePath, f.FileInfo().Mode())
Fileperms (#442)
2020-02-28 11:48:18 +00:00
}`}, 1, gosec.NewConfig()}}
// SampleCodeG306 - Poor permissions for WriteFile
SampleCodeG306 = []CodeSample{
{[]string{`package main
import (
"bufio"
"fmt"
"io/ioutil"
"os"
)
func check(e error) {
if e != nil {
panic(e)
}
}
func main() {
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Fileperms (#442)
2020-02-28 11:48:18 +00:00
d1 := []byte("hello\ngo\n")
err := ioutil.WriteFile("/tmp/dat1", d1, 0744)
check(err)
allowed := ioutil.WriteFile("/tmp/dat1", d1, 0600)
check(allowed)
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Fileperms (#442)
2020-02-28 11:48:18 +00:00
f, err := os.Create("/tmp/dat2")
check(err)
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Fileperms (#442)
2020-02-28 11:48:18 +00:00
defer f.Close()
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Fileperms (#442)
2020-02-28 11:48:18 +00:00
d2 := []byte{115, 111, 109, 101, 10}
n2, err := f.Write(d2)
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
defer check(err)
fmt.Printf("wrote %d bytes\n", n2)
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
n3, err := f.WriteString("writes\n")
fmt.Printf("wrote %d bytes\n", n3)
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
f.Sync()
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
w := bufio.NewWriter(f)
n4, err := w.WriteString("buffered\n")
fmt.Printf("wrote %d bytes\n", n4)
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
w.Flush()
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Rule which detects a potential path traversal when extracting zip archives (#208) * Add a rule which detects file path traversal when extracting zip archive * Detect if any argument is derived from zip.File * Drop support for Go version 1.8
2018-07-18 13:31:07 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
// SampleCodeG401 - Use of weak crypto MD5
SampleCodeG401 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
import (
"crypto/md5"
"fmt"
"io"
"log"
"os"
)
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
func main() {
f, err := os.Open("file.txt")
if err != nil {
log.Fatal(err)
}
defer f.Close()
Rule for defering methods which return errors (#441)
2020-03-01 20:45:37 +00:00
defer func() {
err := f.Close()
if err != nil {
log.Printf("error closing the file: %s", err)
}
}()
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
h := md5.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%x", h.Sum(nil))
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
// SampleCodeG401b - Use of weak crypto SHA1
SampleCodeG401b = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
import (
"crypto/sha1"
"fmt"
"io"
"log"
"os"
)
func main() {
f, err := os.Open("file.txt")
if err != nil {
log.Fatal(err)
}
defer f.Close()
h := sha1.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%x", h.Sum(nil))
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG402 - TLS settings
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
SampleCodeG402 = []CodeSample{
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// InsecureSkipVerify
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/tls"
"fmt"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
Fix the TLS config rule when parsing the settings from a variable (#911)
2023-01-09 14:10:44 +00:00
}`}, 1, gosec.NewConfig()},
{[]string{`
// InsecureSkipVerify from variable
package main
import (
"crypto/tls"
)
func main() {
var conf tls.Config
conf.InsecureSkipVerify = true
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{
`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// Insecure minimum version
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/tls"
"fmt"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{MinVersion: 0},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`,
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
}, 1, gosec.NewConfig()},
{[]string{
`
// Insecure minimum version
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
import (
"crypto/tls"
"fmt"
)
func CaseNotError() *tls.Config {
var v uint16 = tls.VersionTLS13
return &tls.Config{
MinVersion: v,
}
}
func main() {
a := CaseNotError()
fmt.Printf("Debug: %v\n", a.MinVersion)
}`,
}, 0, gosec.NewConfig()},
{[]string{
`
// Insecure minimum version
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
import (
"crypto/tls"
"fmt"
)
func CaseNotError() *tls.Config {
return &tls.Config{
MinVersion: tls.VersionTLS13,
}
}
func main() {
a := CaseNotError()
fmt.Printf("Debug: %v\n", a.MinVersion)
}`,
}, 0, gosec.NewConfig()},
{[]string{
`
// Insecure minimum version
package main
import (
"crypto/tls"
"fmt"
)
func CaseError() *tls.Config {
var v = &tls.Config{
MinVersion: 0,
}
return v
}
func main() {
a := CaseError()
fmt.Printf("Debug: %v\n", a.MinVersion)
}`,
}, 1, gosec.NewConfig()},
{[]string{
`
// Insecure minimum version
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
import (
"crypto/tls"
"fmt"
)
func CaseError() *tls.Config {
var v = &tls.Config{
MinVersion: getVersion(),
}
return v
}
func getVersion() uint16 {
return tls.VersionTLS12
}
func main() {
a := CaseError()
fmt.Printf("Debug: %v\n", a.MinVersion)
}`,
}, 1, gosec.NewConfig()},
{[]string{
`
// Insecure minimum version
package main
import (
"crypto/tls"
"fmt"
"net/http"
)
var theValue uint16 = 0x0304
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{MinVersion: theValue},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
}
`,
}, 0, gosec.NewConfig()},
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// Insecure max version
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/tls"
"fmt"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{MaxVersion: 0},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
}
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
`}, 1, gosec.NewConfig()},
{
[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// Insecure ciphersuite selection
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/tls"
"fmt"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 14:14:41 +01:00
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
Migrated old test cases.
2017-12-28 06:54:10 +00:00
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig(),
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
},
{[]string{`
Improve the TLS version checking Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-23 10:34:08 +01:00
// secure max version when min version is specified
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the TLS version checking Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-23 10:34:08 +01:00
import (
"crypto/tls"
"fmt"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Improve the TLS version checking Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-23 10:34:08 +01:00
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{MaxVersion: 0, MinVersion: tls.VersionTLS13},
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Reset the state of TLS rule after each version check (#570) Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 09:52:16 +00:00
package p0
import "crypto/tls"
func TlsConfig0() *tls.Config {
var v uint16 = 0
return &tls.Config{MinVersion: v}
}
`, `
package p0
import "crypto/tls"
func TlsConfig1() *tls.Config {
return &tls.Config{MinVersion: 0x0304}
}
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
`}, 1, gosec.NewConfig()},
Add a test for tls min version defined in a different file
2022-01-26 17:13:53 +00:00
{[]string{`
package main
import (
"crypto/tls"
"fmt"
)
func main() {
cfg := tls.Config{
MinVersion: MinVer,
}
fmt.Println("tls min version", cfg.MinVersion)
}
`, `
package main
import "crypto/tls"
const MinVer = tls.VersionTLS13
Fix for G402. Check package path instead of package name (#838)
2022-07-28 07:51:30 +01:00
`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"crypto/tls"
cryptotls "crypto/tls"
)
func main() {
_ = tls.Config{MinVersion: tls.VersionTLS12}
_ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12}
}
Add a test for tls min version defined in a different file
2022-01-26 17:13:53 +00:00
`}, 0, gosec.NewConfig()},
fix: add variable assignment checking as part of MinVersion (#669) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt
2021-07-27 21:03:59 +01:00
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG403 - weak key strength
SampleCodeG403 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/rand"
"crypto/rsa"
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
//Generate Private Key
pvk, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
fmt.Println(err)
}
fmt.Println(pvk)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
// SampleCodeG404 - weak random number
SampleCodeG404 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import "crypto/rand"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
good, _ := rand.Read(nil)
println(good)
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
}`}, 0, gosec.NewConfig()},
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import "math/rand"
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
bad := rand.Int()
println(bad)
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/rand"
mrand "math/rand"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
good, _ := rand.Read(nil)
println(good)
Fix unit test when checking a mix of good and bad random functions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:10:08 +01:00
bad := mrand.Int31()
println(bad)
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
import (
"math/rand"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
func main() {
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
gen := rand.New(rand.NewSource(10))
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
bad := gen.Int()
println(bad)
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
import (
"math/rand"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 11:26:56 +01:00
func main() {
bad := rand.Intn(10)
println(bad)
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
Fix false positives for G404 with aliased packages It appears that `GetImportedName` returns _both_ aliased and non-aliased imports. As a result, a file having both crypto/rand and math/rand (but aliased) would trigger false positives on G404. Given the following file; ```go package main import ( "crypto/rand" "math/big" rnd "math/rand" ) func main() { _, _ = rand.Int(rand.Reader, big.NewInt(int64(2))) _ = rnd.Intn(2) } ``` And patching for debugging; ```patch diff --git a/helpers.go b/helpers.go index 437d032..80f4233 100644 --- a/helpers.go +++ b/helpers.go @@ -250,6 +250,8 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node { // GetImportedName returns the name used for the package within the // code. It will ignore initialization only imports. func GetImportedName(path string, ctx *Context) (string, bool) { + fmt.Printf("%+v", ctx.Imports.Imported) + os.Exit(1) importName, imported := ctx.Imports.Imported[path] if !imported { return "", false ``` Would show that `math/rand` was included in the list, using it's non-aliased name (`:rand`). gosec -quiet . map[crypto/rand:rand math/big:big math/rand:rand] This patch works around this problem by reversing the order in which imports are resolved in `MatchCallByPackage()`. Aliased packages are tried first, after which non-aliased imports are tried. Given the example application mentioned above: Before this patch: ```bash gosec -quiet . Results: [/Users/sebastiaan/Projects/test/gosec-issue/main.go:10] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 9: func main() { > 10: _, _ = rand.Int(rand.Reader, big.NewInt(int64(2))) 11: _ = rnd.Intn(2) ``` With this patch applied: ```bash gosec --quiet . Results: [/Users/sebastiaan/Projects/test/gosec-issue/main.go:11] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 10: _, _ = rand.Int(rand.Reader, big.NewInt(int64(2))) > 11: _ = rnd.Intn(2) 12: } ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 15:32:03 +01:00
{[]string{`
package main
import (
"crypto/rand"
"math/big"
rnd "math/rand"
)
func main() {
good, _ := rand.Int(rand.Reader, big.NewInt(int64(2)))
println(good)
bad := rnd.Intn(2)
println(bad)
}
`}, 1, gosec.NewConfig()},
Refactor to support duplicate imports with different aliases (#865) The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:59:18 +01:00
{[]string{`
package main
import (
crand "crypto/rand"
"math/big"
"math/rand"
rand2 "math/rand"
rand3 "math/rand"
)
func main() {
_, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good
_ = rand.Intn(2) // bad
_ = rand2.Intn(2) // bad
_ = rand3.Intn(2) // bad
}
`}, 3, gosec.NewConfig()},
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// SampleCodeG501 - Blocklisted import MD5
Migrated old test cases.
2017-12-28 06:54:10 +00:00
SampleCodeG501 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/md5"
"fmt"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
for _, arg := range os.Args {
fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// SampleCodeG502 - Blocklisted import DES
Migrated old test cases.
2017-12-28 06:54:10 +00:00
SampleCodeG502 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/cipher"
"crypto/des"
"crypto/rand"
"encoding/hex"
"fmt"
"io"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
block, err := des.NewCipher([]byte("sekritz"))
if err != nil {
panic(err)
}
plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
ciphertext := make([]byte, des.BlockSize+len(plaintext))
iv := ciphertext[:des.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
panic(err)
}
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// SampleCodeG503 - Blocklisted import RC4
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG503 = []CodeSample{{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"crypto/rc4"
"encoding/hex"
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
cipher, err := rc4.NewCipher([]byte("sekritz"))
if err != nil {
panic(err)
}
plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
ciphertext := make([]byte, len(plaintext))
cipher.XORKeyStream(ciphertext, plaintext)
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}}
Migrated old test cases.
2017-12-28 06:54:10 +00:00
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// SampleCodeG504 - Blocklisted import CGI
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
SampleCodeG504 = []CodeSample{{[]string{`
Migrated old test cases.
2017-12-28 06:54:10 +00:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
import (
"net/http/cgi"
"net/http"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Migrated old test cases.
2017-12-28 06:54:10 +00:00
func main() {
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}}
Change naming rule from blacklist to blocklist
2020-06-29 12:21:15 +01:00
// SampleCodeG505 - Blocklisted import SHA1
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
SampleCodeG505 = []CodeSample{
Refactor the test code sample to support multiple files per sample
2018-09-28 09:42:25 +01:00
{[]string{`
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
import (
"crypto/sha1"
"fmt"
"os"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add sha1 to weak crypto primitives
2018-08-08 15:38:57 +01:00
func main() {
for _, arg := range os.Args {
fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
}
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
}`}, 1, gosec.NewConfig()},
}
Rule which detects aliasing of values in RangeStmt
2019-12-19 17:39:33 +00:00
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
// SampleCodeG601 - Implicit aliasing over range statement
SampleCodeG601 = []CodeSample{
Fix lint and fail on error in the ci build
2021-05-31 09:44:12 +01:00
{[]string{
`
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
package main
Rule which detects aliasing of values in RangeStmt
2019-12-19 17:39:33 +00:00
import "fmt"
var vector []*string
func appendVector(s *string) {
vector = append(vector, s)
}
func printVector() {
for _, item := range vector {
fmt.Printf("%s", *item)
}
fmt.Println()
}
Fix compilation errors in the test samples Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 08:19:01 +00:00
func foo() (int, **string, *string) {
Rule which detects aliasing of values in RangeStmt
2019-12-19 17:39:33 +00:00
for _, item := range vector {
return 0, &item, item
}
Fix compilation errors in the test samples Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 08:19:01 +00:00
return 0, nil, nil
Rule which detects aliasing of values in RangeStmt
2019-12-19 17:39:33 +00:00
}
func main() {
for _, item := range []string{"A", "B", "C"} {
appendVector(&item)
}
printVector()
zero, c_star, c := foo()
Fix some typos in rules tests
2021-01-01 19:45:13 +00:00
fmt.Printf("%d %v %s", zero, c_star, c)
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
}`,
}, 1, gosec.NewConfig()},
{[]string{`
// see: github.com/securego/gosec/issues/475
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
import (
"fmt"
)
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
func main() {
sampleMap := map[string]string{}
sampleString := "A string"
for sampleString, _ = range sampleMap {
fmt.Println(sampleString)
}
}`}, 0, gosec.NewConfig()},
Recognize struct field in G601 Signed-off-by: futuretea <1913508671@qq.com>
2023-06-02 08:57:40 +01:00
{[]string{`
package main
import (
"fmt"
)
type sampleStruct struct {
name string
}
func main() {
samples := []sampleStruct{
{name: "a"},
{name: "b"},
}
for _, sample := range samples {
fmt.Println(sample.name)
}
}`}, 0, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
)
type sampleStruct struct {
name string
}
func main() {
samples := []sampleStruct{
{name: "a"},
{name: "b"},
}
for _, sample := range samples {
fmt.Println(&sample.name)
}
}`}, 1, gosec.NewConfig()},
{[]string{`
package main
import (
"fmt"
)
type subStruct struct {
name string
}
type sampleStruct struct {
sub subStruct
}
func main() {
samples := []sampleStruct{
{sub: subStruct{name: "a"}},
{sub: subStruct{name: "b"}},
}
for _, sample := range samples {
fmt.Println(&sample.sub.name)
}
}`}, 1, gosec.NewConfig()},
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
}
Rule which detects aliasing of values in RangeStmt
2019-12-19 17:39:33 +00:00
Add null pointer check in G601 fixes: #475
2020-05-20 16:17:44 +01:00
// SampleCodeBuildTag - G601 build tags
SampleCodeBuildTag = []CodeSample{{[]string{`
Append the package load errors to analyser's errors Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-30 15:57:32 +01:00
// +build tag
Add an option for Go build tags (#201) * Add an option for Go build tags * Update README with a section for Go build tags
2018-04-20 00:45:04 +01:00
package main
chore(lint): enable errorlint and gci (#698)
2021-09-13 08:40:10 +01:00
Add an option for Go build tags (#201) * Add an option for Go build tags * Update README with a section for Go build tags
2018-04-20 00:45:04 +01:00
func main() {
fmt.Println("no package imported error")
Refactor the rules tests to be able to configure the analyzer config per test sample Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 09:29:19 +01:00
}`}, 1, gosec.NewConfig()}}
Add a test sample for Cgo files Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-15 15:56:50 +00:00
// SampleCodeCgo - Cgo file sample
SampleCodeCgo = []CodeSample{{[]string{`
package main
import (
"fmt"
"unsafe"
)
/*
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int printData(unsigned char *data) {
return printf("cData: %lu \"%s\"\n", (long unsigned int)strlen(data), data);
}
*/
import "C"
func main() {
// Allocate C data buffer.
width, height := 8, 2
lenData := width * height
// add string terminating null byte
cData := (*C.uchar)(C.calloc(C.size_t(lenData+1), C.sizeof_uchar))
// When no longer in use, free C allocations.
defer C.free(unsafe.Pointer(cData))
// Go slice reference to C data buffer,
// minus string terminating null byte
gData := (*[1 << 30]byte)(unsafe.Pointer(cData))[:lenData:lenData]
// Write and read cData via gData.
for i := range gData {
gData[i] = '.'
}
copy(gData[0:], "Data")
gData[len(gData)-1] = 'X'
fmt.Printf("gData: %d %q\n", len(gData), gData)
C.printData(cData)
}
`}, 0, gosec.NewConfig()}}
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API
2017-07-19 22:17:00 +01:00
)
Reference in a new issue Copy permalink