package rules_test
import (
"fmt"
"log"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/rules"
"github.com/securego/gosec/v2/testutils"
)
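// The "gosec rules" suite drives every rule's sample set through a fresh
// analyzer that has only the rule under test loaded (via rules.NewRuleFilter)
// and asserts that the number of reported issues matches the sample's
// expectation. A mismatch prints the sample source so the failure is
// diagnosable from the test output.
var _ = Describe("gosec rules", func() {
	var (
		logger   *log.Logger
		config   gosec.Config
		analyzer *gosec.Analyzer
		runner   func(string, []testutils.CodeSample)
		// buildTags and tests are never assigned in this file, so the analyzer
		// runs with nil build tags and with test-file analysis disabled.
		buildTags []string
		tests     bool
	)

	BeforeEach(func() {
		// The logger error is intentionally dropped: the test helper's logger
		// is only used to capture analyzer output.
		logger, _ = testutils.NewLogger()
		config = gosec.NewConfig()
		analyzer = gosec.NewAnalyzer(config, tests, false, false, 1, logger)

		// checkSample analyzes a single code sample with only the given rule
		// loaded and asserts the expected issue count.
		//
		// It is a separate closure so that the deferred pkg.Close() fires as
		// soon as this sample is finished. In the previous shape the defer sat
		// inside the for loop of runner and therefore only ran when the whole
		// sample set had completed, keeping every temporary package open at
		// once.
		checkSample := func(rule string, n int, sample testutils.CodeSample) {
			analyzer.Reset()
			analyzer.SetConfig(sample.Config)
			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, rule)).RulesInfo())

			pkg := testutils.NewTestPackage()
			defer pkg.Close()
			for i, code := range sample.Code {
				pkg.AddFile(fmt.Sprintf("sample_%d_%d.go", n, i), code)
			}

			err := pkg.Build()
			Expect(err).ShouldNot(HaveOccurred())
			Expect(pkg.PrintErrors()).Should(BeZero())

			err = analyzer.Process(buildTags, pkg.Path)
			Expect(err).ShouldNot(HaveOccurred())

			// Only the issue list is checked here; the metrics and the
			// per-file error map returned alongside it are not asserted on.
			issues, _, _ := analyzer.Report()
			if len(issues) != sample.Errors {
				// Dump the sample so a count mismatch can be traced to its source.
				fmt.Println(sample.Code)
			}
			Expect(issues).Should(HaveLen(sample.Errors))
		}

		// runner checks every sample registered for the rule ID, in order.
		runner = func(rule string, samples []testutils.CodeSample) {
			for n, sample := range samples {
				checkSample(rule, n, sample)
			}
		}
	})

	Context("report correct errors for all samples", func() {
		It("should detect hardcoded credentials", func() {
			runner("G101", testutils.SampleCodeG101)
		})

		It("should detect hardcoded credential values", func() {
			runner("G101", testutils.SampleCodeG101Values)
		})

		It("should detect binding to all network interfaces", func() {
			runner("G102", testutils.SampleCodeG102)
		})

		It("should use of unsafe block", func() {
			runner("G103", testutils.SampleCodeG103)
		})

		It("should detect errors not being checked", func() {
			runner("G104", testutils.SampleCodeG104)
		})

		It("should detect errors not being checked in audit mode", func() {
			runner("G104", testutils.SampleCodeG104Audit)
		})

		It("should detect of ssh.InsecureIgnoreHostKey function", func() {
			runner("G106", testutils.SampleCodeG106)
		})

		It("should detect ssrf via http requests with variable url", func() {
			runner("G107", testutils.SampleCodeG107)
		})

		It("should detect pprof endpoint", func() {
			runner("G108", testutils.SampleCodeG108)
		})

		It("should detect integer overflow", func() {
			runner("G109", testutils.SampleCodeG109)
		})

		It("should detect DoS vulnerability via decompression bomb", func() {
			runner("G110", testutils.SampleCodeG110)
		})

		It("should detect potential directory traversal", func() {
			runner("G111", testutils.SampleCodeG111)
		})

		It("should detect potential slowloris attack", func() {
			runner("G112", testutils.SampleCodeG112)
		})

		It("should detect potential uncontrolled memory consumption in Rat.SetString", func() {
			runner("G113", testutils.SampleCodeG113)
		})

		It("should detect uses of net/http serve functions that have no support for setting timeouts", func() {
			runner("G114", testutils.SampleCodeG114)
		})

		It("should detect sql injection via format strings", func() {
			runner("G201", testutils.SampleCodeG201)
		})

		It("should detect sql injection via string concatenation", func() {
			runner("G202", testutils.SampleCodeG202)
		})

		It("should detect unescaped html in templates", func() {
			runner("G203", testutils.SampleCodeG203)
		})

		It("should detect command execution", func() {
			runner("G204", testutils.SampleCodeG204)
		})

		It("should detect poor file permissions on mkdir", func() {
			runner("G301", testutils.SampleCodeG301)
		})

		It("should detect poor permissions when creating or chmod a file", func() {
			runner("G302", testutils.SampleCodeG302)
		})

		It("should detect insecure temp file creation", func() {
			runner("G303", testutils.SampleCodeG303)
		})

		It("should detect file path provided as taint input", func() {
			runner("G304", testutils.SampleCodeG304)
		})

		It("should detect file path traversal when extracting zip archive", func() {
			runner("G305", testutils.SampleCodeG305)
		})

		It("should detect poor permissions when writing to a file", func() {
			runner("G306", testutils.SampleCodeG306)
		})

		It("should detect weak crypto algorithms", func() {
			runner("G401", testutils.SampleCodeG401)
		})

		// Second G401 spec: exercises the additional SampleCodeG401b set under
		// the same rule ID (the spec text is shared with the one above).
		It("should detect weak crypto algorithms", func() {
			runner("G401", testutils.SampleCodeG401b)
		})

		It("should find insecure tls settings", func() {
			runner("G402", testutils.SampleCodeG402)
		})

		It("should detect weak creation of weak rsa keys", func() {
			runner("G403", testutils.SampleCodeG403)
		})

		It("should find non cryptographically secure random number sources", func() {
			runner("G404", testutils.SampleCodeG404)
		})

		It("should detect blocklisted imports - MD5", func() {
			runner("G501", testutils.SampleCodeG501)
		})

		It("should detect blocklisted imports - DES", func() {
			runner("G502", testutils.SampleCodeG502)
		})

		It("should detect blocklisted imports - RC4", func() {
			runner("G503", testutils.SampleCodeG503)
		})

		It("should detect blocklisted imports - CGI (httpoxy)", func() {
			runner("G504", testutils.SampleCodeG504)
		})

		It("should detect blocklisted imports - SHA1", func() {
			runner("G505", testutils.SampleCodeG505)
		})

		It("should detect implicit aliasing in ForRange", func() {
			// The G601 samples are only exercised on toolchains older than
			// Go 1.22; presumably because that release changed range-loop
			// variable semantics so the aliasing no longer occurs. On newer
			// toolchains this spec runs no samples and passes vacuously.
			major, minor, _ := gosec.GoVersion()
			if major <= 1 && minor < 22 {
				runner("G601", testutils.SampleCodeG601)
			}
		})

		It("should detect out of bounds slice access", func() {
			runner("G602", testutils.SampleCodeG602)
		})
	})
})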