Change naming rule from blacklist to blocklist

This commit is contained in:
evalphobia 2020-06-29 20:21:15 +09:00 committed by Cosmin Cojocar
parent 3784ffea4e
commit 03f12f3f5d
6 changed files with 77 additions and 77 deletions


@ -41,7 +41,7 @@ wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh
# then you will have to download a tar.gz file for your operating system instead of a binary file # then you will have to download a tar.gz file for your operating system instead of a binary file
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz
# The file will be in the current folder where you run the command # The file will be in the current folder where you run the command
# and you can check the checksum like this # and you can check the checksum like this
echo "<check sum from the check sum file> gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c - echo "<check sum from the check sum file> gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -
@ -66,7 +66,7 @@ jobs:
env: env:
GO111MODULE: on GO111MODULE: on
steps: steps:
- name: Checkout Source - name: Checkout Source
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Run Gosec Security Scanner - name: Run Gosec Security Scanner
uses: securego/gosec@master uses: securego/gosec@master
@ -114,11 +114,11 @@ directory you can supply `./...` as the input argument.
- G402: Look for bad TLS connection settings - G402: Look for bad TLS connection settings
- G403: Ensure minimum RSA key length of 2048 bits - G403: Ensure minimum RSA key length of 2048 bits
- G404: Insecure random number source (rand) - G404: Insecure random number source (rand)
- G501: Import blacklist: crypto/md5 - G501: Import blocklist: crypto/md5
- G502: Import blacklist: crypto/des - G502: Import blocklist: crypto/des
- G503: Import blacklist: crypto/rc4 - G503: Import blocklist: crypto/rc4
- G504: Import blacklist: net/http/cgi - G504: Import blocklist: net/http/cgi
- G505: Import blacklist: crypto/sha1 - G505: Import blocklist: crypto/sha1
- G601: Implicit memory aliasing of items from a range statement - G601: Implicit memory aliasing of items from a range statement
### Retired rules ### Retired rules
@ -161,7 +161,7 @@ A number of global settings can be provided in a configuration file as follows:
# Run with a global configuration file # Run with a global configuration file
$ gosec -conf config.json . $ gosec -conf config.json .
``` ```
Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list
of functions which will be skipped when auditing the not checked errors: of functions which will be skipped when auditing the not checked errors:
```JSON ```JSON
@ -186,14 +186,14 @@ You can also configure the hard-coded credentials rule `G101` with additional pa
} }
``` ```
### Dependencies ### Dependencies
gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.` GO111MODULE=on`). If this is not the case, gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.` GO111MODULE=on`). If this is not the case,
the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan. the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan.
### Excluding test files and folders ### Excluding test files and folders
gosec will ignore test files across all packages and any dependencies in your vendor directory. gosec will ignore test files across all packages and any dependencies in your vendor directory.
The scanning of test files can be enabled with the following flag: The scanning of test files can be enabled with the following flag:
@ -233,7 +233,7 @@ func main(){
``` ```
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203` the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203`
In some cases you may also want to revisit places where `#nosec` annotations In some cases you may also want to revisit places where `#nosec` annotations
@ -300,7 +300,7 @@ You can also build locally the docker image by using the command:
make image make image
``` ```
You can run the `gosec` tool in a container against your local Go project. You only have to mount the project You can run the `gosec` tool in a container against your local Go project. You only have to mount the project
into a volume as follows: into a volume as follows:
```bash ```bash
@ -327,4 +327,4 @@ This will generate the `rules/tls_config.go` file which will contain the current
## Who is using gosec? ## Who is using gosec?
This is a [list](USERS.md) with some of the gosec's users. This is a [list](USERS.md) with some of the gosec's users.


@ -21,9 +21,9 @@ import (
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"
) )
type blacklistedImport struct { type blocklistedImport struct {
gosec.MetaData gosec.MetaData
Blacklisted map[string]string Blocklisted map[string]string
} }
func unquote(original string) string { func unquote(original string) string {
@ -32,63 +32,63 @@ func unquote(original string) string {
return strings.TrimRight(copy, `"`) return strings.TrimRight(copy, `"`)
} }
func (r *blacklistedImport) ID() string { func (r *blocklistedImport) ID() string {
return r.MetaData.ID return r.MetaData.ID
} }
func (r *blacklistedImport) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { func (r *blocklistedImport) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if node, ok := n.(*ast.ImportSpec); ok { if node, ok := n.(*ast.ImportSpec); ok {
if description, ok := r.Blacklisted[unquote(node.Path.Value)]; ok { if description, ok := r.Blocklisted[unquote(node.Path.Value)]; ok {
return gosec.NewIssue(c, node, r.ID(), description, r.Severity, r.Confidence), nil return gosec.NewIssue(c, node, r.ID(), description, r.Severity, r.Confidence), nil
} }
} }
return nil, nil return nil, nil
} }
// NewBlacklistedImports reports when a blacklisted import is being used. // NewBlocklistedImports reports when a blocklisted import is being used.
// Typically when a deprecated technology is being used. // Typically when a deprecated technology is being used.
func NewBlacklistedImports(id string, conf gosec.Config, blacklist map[string]string) (gosec.Rule, []ast.Node) { func NewBlocklistedImports(id string, conf gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node) {
return &blacklistedImport{ return &blocklistedImport{
MetaData: gosec.MetaData{ MetaData: gosec.MetaData{
ID: id, ID: id,
Severity: gosec.Medium, Severity: gosec.Medium,
Confidence: gosec.High, Confidence: gosec.High,
}, },
Blacklisted: blacklist, Blocklisted: blocklist,
}, []ast.Node{(*ast.ImportSpec)(nil)} }, []ast.Node{(*ast.ImportSpec)(nil)}
} }
// NewBlacklistedImportMD5 fails if MD5 is imported // NewBlocklistedImportMD5 fails if MD5 is imported
func NewBlacklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return NewBlacklistedImports(id, conf, map[string]string{ return NewBlocklistedImports(id, conf, map[string]string{
"crypto/md5": "Blacklisted import crypto/md5: weak cryptographic primitive", "crypto/md5": "Blocklisted import crypto/md5: weak cryptographic primitive",
}) })
} }
// NewBlacklistedImportDES fails if DES is imported // NewBlocklistedImportDES fails if DES is imported
func NewBlacklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return NewBlacklistedImports(id, conf, map[string]string{ return NewBlocklistedImports(id, conf, map[string]string{
"crypto/des": "Blacklisted import crypto/des: weak cryptographic primitive", "crypto/des": "Blocklisted import crypto/des: weak cryptographic primitive",
}) })
} }
// NewBlacklistedImportRC4 fails if DES is imported // NewBlocklistedImportRC4 fails if DES is imported
func NewBlacklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return NewBlacklistedImports(id, conf, map[string]string{ return NewBlocklistedImports(id, conf, map[string]string{
"crypto/rc4": "Blacklisted import crypto/rc4: weak cryptographic primitive", "crypto/rc4": "Blocklisted import crypto/rc4: weak cryptographic primitive",
}) })
} }
// NewBlacklistedImportCGI fails if CGI is imported // NewBlocklistedImportCGI fails if CGI is imported
func NewBlacklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return NewBlacklistedImports(id, conf, map[string]string{ return NewBlocklistedImports(id, conf, map[string]string{
"net/http/cgi": "Blacklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)", "net/http/cgi": "Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)",
}) })
} }
// NewBlacklistedImportSHA1 fails if SHA1 is imported // NewBlocklistedImportSHA1 fails if SHA1 is imported
func NewBlacklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
return NewBlacklistedImports(id, conf, map[string]string{ return NewBlocklistedImports(id, conf, map[string]string{
"crypto/sha1": "Blacklisted import crypto/sha1: weak cryptographic primitive", "crypto/sha1": "Blocklisted import crypto/sha1: weak cryptographic primitive",
}) })
} }
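Review bot: The doc comment on NewBlocklistedImportRC4 still reads "fails if DES is imported", a copy-paste slip the rename carried over into the new side; it should be `// NewBlocklistedImportRC4 fails if RC4 is imported`. Separately, NewBlacklistedImports and the five NewBlacklistedImport* constructors are exported from a v2 module, so removing the old names outright is a breaking API change for any external code that calls the rules package directly; if that compatibility matters, keeping one-line deprecated wrappers under the old names (marked `// Deprecated: use NewBlocklistedImports.`) for a release would let callers migrate. The issue text in each map value also changes from "Blacklisted import" to "Blocklisted import", which can affect consumers that match on or baseline the finding message, so that is worth a changelog note.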


@ -90,12 +90,12 @@ func Generate(filters ...RuleFilter) RuleList {
{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength}, {"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
{"G404", "Insecure random number source (rand)", NewWeakRandCheck}, {"G404", "Insecure random number source (rand)", NewWeakRandCheck},
// blacklist // blocklist
{"G501", "Import blacklist: crypto/md5", NewBlacklistedImportMD5}, {"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5},
{"G502", "Import blacklist: crypto/des", NewBlacklistedImportDES}, {"G502", "Import blocklist: crypto/des", NewBlocklistedImportDES},
{"G503", "Import blacklist: crypto/rc4", NewBlacklistedImportRC4}, {"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4},
{"G504", "Import blacklist: net/http/cgi", NewBlacklistedImportCGI}, {"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI},
{"G505", "Import blacklist: crypto/sha1", NewBlacklistedImportSHA1}, {"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1},
// memory safety // memory safety
{"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing}, {"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing},


@ -155,23 +155,23 @@ var _ = Describe("gosec rules", func() {
runner("G404", testutils.SampleCodeG404) runner("G404", testutils.SampleCodeG404)
}) })
It("should detect blacklisted imports - MD5", func() { It("should detect blocklisted imports - MD5", func() {
runner("G501", testutils.SampleCodeG501) runner("G501", testutils.SampleCodeG501)
}) })
It("should detect blacklisted imports - DES", func() { It("should detect blocklisted imports - DES", func() {
runner("G502", testutils.SampleCodeG502) runner("G502", testutils.SampleCodeG502)
}) })
It("should detect blacklisted imports - RC4", func() { It("should detect blocklisted imports - RC4", func() {
runner("G503", testutils.SampleCodeG503) runner("G503", testutils.SampleCodeG503)
}) })
It("should detect blacklisted imports - CGI (httpoxy)", func() { It("should detect blocklisted imports - CGI (httpoxy)", func() {
runner("G504", testutils.SampleCodeG504) runner("G504", testutils.SampleCodeG504)
}) })
It("should detect blacklisted imports - SHA1", func() { It("should detect blocklisted imports - SHA1", func() {
runner("G505", testutils.SampleCodeG505) runner("G505", testutils.SampleCodeG505)
}) })


@ -22,7 +22,7 @@ import (
type usesWeakCryptography struct { type usesWeakCryptography struct {
gosec.MetaData gosec.MetaData
blacklist map[string][]string blocklist map[string][]string
} }
func (r *usesWeakCryptography) ID() string { func (r *usesWeakCryptography) ID() string {
@ -30,7 +30,7 @@ func (r *usesWeakCryptography) ID() string {
} }
func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
for pkg, funcs := range r.blacklist { for pkg, funcs := range r.blocklist {
if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched {
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
} }
@ -46,7 +46,7 @@ func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.No
calls["crypto/sha1"] = []string{"New", "Sum"} calls["crypto/sha1"] = []string{"New", "Sum"}
calls["crypto/rc4"] = []string{"NewCipher"} calls["crypto/rc4"] = []string{"NewCipher"}
rule := &usesWeakCryptography{ rule := &usesWeakCryptography{
blacklist: calls, blocklist: calls,
MetaData: gosec.MetaData{ MetaData: gosec.MetaData{
ID: id, ID: id,
Severity: gosec.Medium, Severity: gosec.Medium,


@ -76,7 +76,7 @@ import "fmt"
func main() { func main() {
var password string var password string
if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality") fmt.Println("password equality")
} }
}`}, 1, gosec.NewConfig()}, }`}, 1, gosec.NewConfig()},
{[]string{` {[]string{`
@ -85,7 +85,7 @@ import "fmt"
func main() { func main() {
var password string var password string
if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality") fmt.Println("password equality")
} }
}`}, 1, gosec.NewConfig()}, }`}, 1, gosec.NewConfig()},
{[]string{` {[]string{`
@ -94,7 +94,7 @@ import "fmt"
func main() { func main() {
var p string var p string
if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
fmt.Println("password equality") fmt.Println("password equality")
} }
}`}, 0, gosec.NewConfig()}} }`}, 0, gosec.NewConfig()}}
@ -522,7 +522,7 @@ func main() {
} }
fmt.Println(resp.Status) fmt.Println(resp.Status)
}`}, 0, gosec.NewConfig()}, {[]string{` }`}, 0, gosec.NewConfig()}, {[]string{`
// An exported variable declared a packaged scope is not secure // An exported variable declared a packaged scope is not secure
// because it can changed at any time // because it can changed at any time
package main package main
@ -1672,34 +1672,34 @@ func check(e error) {
} }
func main() { func main() {
d1 := []byte("hello\ngo\n") d1 := []byte("hello\ngo\n")
err := ioutil.WriteFile("/tmp/dat1", d1, 0744) err := ioutil.WriteFile("/tmp/dat1", d1, 0744)
check(err) check(err)
allowed := ioutil.WriteFile("/tmp/dat1", d1, 0600) allowed := ioutil.WriteFile("/tmp/dat1", d1, 0600)
check(allowed) check(allowed)
f, err := os.Create("/tmp/dat2") f, err := os.Create("/tmp/dat2")
check(err) check(err)
defer f.Close() defer f.Close()
d2 := []byte{115, 111, 109, 101, 10} d2 := []byte{115, 111, 109, 101, 10}
n2, err := f.Write(d2) n2, err := f.Write(d2)
defer check(err) defer check(err)
fmt.Printf("wrote %d bytes\n", n2) fmt.Printf("wrote %d bytes\n", n2)
n3, err := f.WriteString("writes\n") n3, err := f.WriteString("writes\n")
fmt.Printf("wrote %d bytes\n", n3) fmt.Printf("wrote %d bytes\n", n3)
f.Sync() f.Sync()
w := bufio.NewWriter(f) w := bufio.NewWriter(f)
n4, err := w.WriteString("buffered\n") n4, err := w.WriteString("buffered\n")
fmt.Printf("wrote %d bytes\n", n4) fmt.Printf("wrote %d bytes\n", n4)
w.Flush() w.Flush()
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
@ -1739,16 +1739,16 @@ func main() {
defer check(err) defer check(err)
fmt.Printf("wrote %d bytes\n", n2) fmt.Printf("wrote %d bytes\n", n2)
n3, err := f.WriteString("writes\n") n3, err := f.WriteString("writes\n")
fmt.Printf("wrote %d bytes\n", n3) fmt.Printf("wrote %d bytes\n", n3)
f.Sync() f.Sync()
w := bufio.NewWriter(f) w := bufio.NewWriter(f)
n4, err := w.WriteString("buffered\n") n4, err := w.WriteString("buffered\n")
fmt.Printf("wrote %d bytes\n", n4) fmt.Printf("wrote %d bytes\n", n4)
w.Flush() w.Flush()
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
@ -1973,7 +1973,7 @@ func main() {
println(bad) println(bad)
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
// SampleCodeG501 - Blacklisted import MD5 // SampleCodeG501 - Blocklisted import MD5
SampleCodeG501 = []CodeSample{ SampleCodeG501 = []CodeSample{
{[]string{` {[]string{`
package main package main
@ -1988,7 +1988,7 @@ func main() {
} }
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
// SampleCodeG502 - Blacklisted import DES // SampleCodeG502 - Blocklisted import DES
SampleCodeG502 = []CodeSample{ SampleCodeG502 = []CodeSample{
{[]string{` {[]string{`
package main package main
@ -2016,7 +2016,7 @@ func main() {
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
// SampleCodeG503 - Blacklisted import RC4 // SampleCodeG503 - Blocklisted import RC4
SampleCodeG503 = []CodeSample{{[]string{` SampleCodeG503 = []CodeSample{{[]string{`
package main package main
import ( import (
@ -2035,7 +2035,7 @@ func main() {
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
// SampleCodeG504 - Blacklisted import CGI // SampleCodeG504 - Blocklisted import CGI
SampleCodeG504 = []CodeSample{{[]string{` SampleCodeG504 = []CodeSample{{[]string{`
package main package main
import ( import (
@ -2045,7 +2045,7 @@ import (
func main() { func main() {
cgi.Serve(http.FileServer(http.Dir("/usr/share/doc"))) cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}`}, 1, gosec.NewConfig()}} }`}, 1, gosec.NewConfig()}}
// SampleCodeG505 - Blacklisted import SHA1 // SampleCodeG505 - Blocklisted import SHA1
SampleCodeG505 = []CodeSample{ SampleCodeG505 = []CodeSample{
{[]string{` {[]string{`
package main package main