gosec/analyzer.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package gas holds the central scanning logic used by GAS
package gas

import (
	"go/ast"
	"go/build"
	"go/token"
	"go/types"
	"log"
	"path"
	"reflect"
	"strings"

	"golang.org/x/tools/go/loader"
)

// The Context is populated with data parsed from the source code as it is scanned.
// It is passed through to all rule functions as they are called. Rules may use
// this data in conjunction withe the encoutered AST node.
type Context struct {
	FileSet  *token.FileSet
	Comments ast.CommentMap
	Info     *types.Info
	Pkg      *types.Package
	Root     *ast.File
	Config   map[string]interface{}
	Imports  *ImportTracker
}

// Metrics used when reporting information about a scanning run.
type Metrics struct {
	NumFiles int `json:"files"`
	NumLines int `json:"lines"`
	NumNosec int `json:"nosec"`
	NumFound int `json:"found"`
}

// The Analyzer object is the main object of GAS. It has methods traverse an AST
// and invoke the correct checking rules as on each node as required.
type Analyzer struct {
	ignoreNosec bool
	ruleset     RuleSet
	context     *Context
	config      Config
	logger      *log.Logger
	issues      []*Issue
	stats       *Metrics
}

// NewAnalyzer builds a new anaylzer.
func NewAnalyzer(conf Config, logger *log.Logger) *Analyzer {
	ignoreNoSec := false
	if val, err := conf.Get("ignoreNoSec"); err == nil {
		if override, ok := val.(bool); ok {
			ignoreNoSec = override
		}
	}
	return &Analyzer{
		ignoreNosec: ignoreNoSec,
		ruleset:     make(RuleSet),
		context:     &Context{},
		config:      conf,
		logger:      logger,
		issues:      make([]*Issue, 0, 16),
		stats:       &Metrics{},
	}
}

func (gas *Analyzer) LoadRules(ruleDefinitions ...RuleBuilder) {
	for _, builder := range ruleDefinitions {
		r, nodes := builder(gas.config)
		gas.ruleset.Register(r, nodes...)
	}
}

func (gas *Analyzer) Process(packagePath string) error {

	basePackage, err := build.Default.ImportDir(packagePath, build.ImportComment)
	if err != nil {
		return err
	}

	packageConfig := loader.Config{Build: &build.Default}
	packageFiles := make([]string, 0)
	for _, filename := range basePackage.GoFiles {
		packageFiles = append(packageFiles, path.Join(packagePath, filename))
	}

	packageConfig.CreateFromFilenames(basePackage.Name, packageFiles...)
	builtPackage, err := packageConfig.Load()
	if err != nil {
		return err
	}

	for _, pkg := range builtPackage.Created {
		gas.logger.Println("Checking package:", pkg.String())
		for _, file := range pkg.Files {
			gas.logger.Println("Checking file:", builtPackage.Fset.File(file.Pos()).Name())
			gas.context.FileSet = builtPackage.Fset
			gas.context.Config = gas.config
			gas.context.Comments = ast.NewCommentMap(gas.context.FileSet, file, file.Comments)
			gas.context.Root = file
			gas.context.Info = &pkg.Info
			gas.context.Pkg = pkg.Pkg
			gas.context.Imports = NewImportTracker()
			gas.context.Imports.TrackPackages(gas.context.Pkg.Imports()...)
			ast.Walk(gas, file)
			gas.stats.NumFiles++
			gas.stats.NumLines += builtPackage.Fset.File(file.Pos()).LineCount()
		}
	}
	return nil
}

// ignore a node (and sub-tree) if it is tagged with a "#nosec" comment
func (gas *Analyzer) ignore(n ast.Node) bool {
	if groups, ok := gas.context.Comments[n]; ok && !gas.ignoreNosec {
		for _, group := range groups {
			if strings.Contains(group.Text(), "#nosec") {
				gas.stats.NumNosec++
				return true
			}
		}
	}
	return false
}

// Visit runs the GAS visitor logic over an AST created by parsing go code.
// Rule methods added with AddRule will be invoked as necessary.
func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
	if !gas.ignore(n) {

		// Track aliased and initialization imports
		gas.context.Imports.TrackImport(n)

		for _, rule := range gas.ruleset.RegisteredFor(n) {
			issue, err := rule.Match(n, gas.context)
			if err != nil {
				file, line := GetLocation(n, gas.context)
				file = path.Base(file)
				gas.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line)
			}
			if issue != nil {
				gas.issues = append(gas.issues, issue)
				gas.stats.NumFound++
			}
		}
		return gas
	}
	return nil
}

// Report returns the current issues discovered and the metrics about the scan
func (gas *Analyzer) Report() ([]*Issue, *Metrics) {
	return gas.issues, gas.stats
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`// Package gas holds the central scanning logic used by GAS`
Restructure to focus on lib rather than cli 2017-04-26 16:08:46 +01:00			`package gas`
Initial public release 2016-07-20 11:02:01 +01:00
			`import (`
			`"go/ast"`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`"go/build"`
Initial public release 2016-07-20 11:02:01 +01:00			`"go/token"`
			`"go/types"`
			`"log"`
Address unhandled error conditions Closes #95 2016-12-02 18:20:23 +00:00			`"path"`
Initial public release 2016-07-20 11:02:01 +01:00			`"reflect"`
			`"strings"`
Process via packages instead of files Initial commit to change GAS to process packages rather than standalone files. This is to address issues with type resolution for external dependencies. Uses golang.org/x/tools/go/loader to prepare analyzer input rather than finding the individual files. 2017-04-26 00:01:28 +01:00
			`"golang.org/x/tools/go/loader"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// The Context is populated with data parsed from the source code as it is scanned.`
			`// It is passed through to all rule functions as they are called. Rules may use`
			`// this data in conjunction withe the encoutered AST node.`
Initial public release 2016-07-20 11:02:01 +01:00			`type Context struct {`
			`FileSet *token.FileSet`
			`Comments ast.CommentMap`
			`Info *types.Info`
			`Pkg *types.Package`
Fixing config It should have been in the context object, not the analyzer 2016-08-05 11:04:06 +01:00			`Root *ast.File`
			`Config map[string]interface{}`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`Imports *ImportTracker`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// Metrics used when reporting information about a scanning run.`
Initial public release 2016-07-20 11:02:01 +01:00			`type Metrics struct {`
Use encoding/json for -fmt json output 2016-07-26 00:39:55 +01:00			NumFiles int `json:"files"`
			NumLines int `json:"lines"`
			NumNosec int `json:"nosec"`
			NumFound int `json:"found"`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// The Analyzer object is the main object of GAS. It has methods traverse an AST`
			`// and invoke the correct checking rules as on each node as required.`
Initial public release 2016-07-20 11:02:01 +01:00			`type Analyzer struct {`
Fixing annotations The logic around annotations (nosec) was broken, meaning they were ignored by default and would not skip sub-blocks. This fixes the problem and also adds a test to make sure it wont be broken in the future. Closes #25 2016-07-28 12:51:25 +01:00			`ignoreNosec bool`
Initial public release 2016-07-20 11:02:01 +01:00			`ruleset RuleSet`
Recreate fileset each time we process a file Some files were being counted multiple times here and giving a skewed result for line numbers processed. Closes #100 2016-12-02 23:21:13 +00:00			`context *Context`
Restructure and introduce a standalone config 2017-04-28 22:46:26 +01:00			`config Config`
Initial public release 2016-07-20 11:02:01 +01:00			`logger *log.Logger`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`issues []*Issue`
			`stats *Metrics`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Fix typos in godocs 2016-08-28 19:22:08 +01:00			`// NewAnalyzer builds a new anaylzer.`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`func NewAnalyzer(conf Config, logger log.Logger) Analyzer {`
Restructure and introduce a standalone config 2017-04-28 22:46:26 +01:00			`ignoreNoSec := false`
			`if val, err := conf.Get("ignoreNoSec"); err == nil {`
			`if override, ok := val.(bool); ok {`
			`ignoreNoSec = override`
			`}`
			`}`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`return &Analyzer{`
Restructure and introduce a standalone config 2017-04-28 22:46:26 +01:00			`ignoreNosec: ignoreNoSec,`
Initial public release 2016-07-20 11:02:01 +01:00			`ruleset: make(RuleSet),`
Process via packages instead of files Initial commit to change GAS to process packages rather than standalone files. This is to address issues with type resolution for external dependencies. Uses golang.org/x/tools/go/loader to prepare analyzer input rather than finding the individual files. 2017-04-26 00:01:28 +01:00			`context: &Context{},`
Restructure and introduce a standalone config 2017-04-28 22:46:26 +01:00			`config: conf,`
Recreate fileset each time we process a file Some files were being counted multiple times here and giving a skewed result for line numbers processed. Closes #100 2016-12-02 23:21:13 +00:00			`logger: logger,`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`issues: make([]*Issue, 0, 16),`
			`stats: &Metrics{},`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`

Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`func (gas *Analyzer) LoadRules(ruleDefinitions ...RuleBuilder) {`
			`for _, builder := range ruleDefinitions {`
			`r, nodes := builder(gas.config)`
			`gas.ruleset.Register(r, nodes...)`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`

Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`func (gas *Analyzer) Process(packagePath string) error {`
Initial public release 2016-07-20 11:02:01 +01:00
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`basePackage, err := build.Default.ImportDir(packagePath, build.ImportComment)`
			`if err != nil {`
			`return err`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`packageConfig := loader.Config{Build: &build.Default}`
			`packageFiles := make([]string, 0)`
			`for _, filename := range basePackage.GoFiles {`
			`packageFiles = append(packageFiles, path.Join(packagePath, filename))`
			`}`
Process via packages instead of files Initial commit to change GAS to process packages rather than standalone files. This is to address issues with type resolution for external dependencies. Uses golang.org/x/tools/go/loader to prepare analyzer input rather than finding the individual files. 2017-04-26 00:01:28 +01:00
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`packageConfig.CreateFromFilenames(basePackage.Name, packageFiles...)`
			`builtPackage, err := packageConfig.Load()`
			`if err != nil {`
			`return err`
Process via packages instead of files Initial commit to change GAS to process packages rather than standalone files. This is to address issues with type resolution for external dependencies. Uses golang.org/x/tools/go/loader to prepare analyzer input rather than finding the individual files. 2017-04-26 00:01:28 +01:00			`}`

Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`for _, pkg := range builtPackage.Created {`
			`gas.logger.Println("Checking package:", pkg.String())`
			`for _, file := range pkg.Files {`
			`gas.logger.Println("Checking file:", builtPackage.Fset.File(file.Pos()).Name())`
			`gas.context.FileSet = builtPackage.Fset`
			`gas.context.Config = gas.config`
			`gas.context.Comments = ast.NewCommentMap(gas.context.FileSet, file, file.Comments)`
			`gas.context.Root = file`
			`gas.context.Info = &pkg.Info`
			`gas.context.Pkg = pkg.Pkg`
			`gas.context.Imports = NewImportTracker()`
			`gas.context.Imports.TrackPackages(gas.context.Pkg.Imports()...)`
			`ast.Walk(gas, file)`
			`gas.stats.NumFiles++`
			`gas.stats.NumLines += builtPackage.Fset.File(file.Pos()).LineCount()`
			`}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`return nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Fix nosec to work as documented This commit fixes the nosec feature to check for '#nosec' instead of 'nosec'. This should help reduce false positives associated with comments that have 'nosec' in them somewhere. 2016-12-02 21:45:59 +00:00			`// ignore a node (and sub-tree) if it is tagged with a "#nosec" comment`
Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`func (gas *Analyzer) ignore(n ast.Node) bool {`
Fixing annotations The logic around annotations (nosec) was broken, meaning they were ignored by default and would not skip sub-blocks. This fixes the problem and also adds a test to make sure it wont be broken in the future. Closes #25 2016-07-28 12:51:25 +01:00			`if groups, ok := gas.context.Comments[n]; ok && !gas.ignoreNosec {`
Initial public release 2016-07-20 11:02:01 +01:00			`for _, group := range groups {`
Fix nosec to work as documented This commit fixes the nosec feature to check for '#nosec' instead of 'nosec'. This should help reduce false positives associated with comments that have 'nosec' in them somewhere. 2016-12-02 21:45:59 +00:00			`if strings.Contains(group.Text(), "#nosec") {`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`gas.stats.NumNosec++`
Initial public release 2016-07-20 11:02:01 +01:00			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`// Visit runs the GAS visitor logic over an AST created by parsing go code.`
			`// Rule methods added with AddRule will be invoked as necessary.`
Initial public release 2016-07-20 11:02:01 +01:00			`func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {`
Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00			`if !gas.ignore(n) {`
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports. 2016-11-07 17:13:20 +00:00
			`// Track aliased and initialization imports`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`gas.context.Imports.TrackImport(n)`

			`for _, rule := range gas.ruleset.RegisteredFor(n) {`
			`issue, err := rule.Match(n, gas.context)`
			`if err != nil {`
			`file, line := GetLocation(n, gas.context)`
			`file = path.Base(file)`
			`gas.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line)`
MatchCallByPackage updated to avoid GetCallObject There seems to be an inconsistency in the way that the type.Info.Uses map is populated by the type checker in Go 1.5 and the latest release. It is possible to ascertain the package that relates to an object 1.7.x release but this does not work for earlier Go versions. To work around this limitation we now track imports, and monitor if they are aliased or initalization only imports. 2016-11-07 17:13:20 +00:00			`}`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00			`if issue != nil {`
			`gas.issues = append(gas.issues, issue)`
			`gas.stats.NumFound++`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
Fixing annotations The logic around annotations (nosec) was broken, meaning they were ignored by default and would not skip sub-blocks. This fixes the problem and also adds a test to make sure it wont be broken in the future. Closes #25 2016-07-28 12:51:25 +01:00			`return gas`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Fixing annotations The logic around annotations (nosec) was broken, meaning they were ignored by default and would not skip sub-blocks. This fixes the problem and also adds a test to make sure it wont be broken in the future. Closes #25 2016-07-28 12:51:25 +01:00			`return nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
Simplify analyzer and command line interface The analyzer now only handles packages rather than one off files. This simplifies the CLI functionality significantly. 2017-05-10 05:26:53 +01:00
			`// Report returns the current issues discovered and the metrics about the scan`
			`func (gas Analyzer) Report() ([]Issue, *Metrics) {`
			`return gas.issues, gas.stats`
			`}`