Fix lint and fail on error in the ci build
This commit is contained in:
parent
dbb9811e62
commit
1256f16f33
51 changed files with 218 additions and 203 deletions
1
.github/workflows/ci.yml
vendored
1
.github/workflows/ci.yml
vendored
|
@ -20,7 +20,6 @@ jobs:
|
|||
${{ runner.os }}-go-
|
||||
- name: golangci-lint
|
||||
uses: golangci/golangci-lint-action@v2
|
||||
continue-on-error: true
|
||||
with:
|
||||
version: latest
|
||||
test:
|
||||
|
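Review bot: Removing `continue-on-error: true` makes the golangci-lint step gate the build, but the step still pins nothing: `version: latest` lets the set of enabled checks change between runs with no commit, and `golangci/golangci-lint-action@v2` is a moving tag, so a CI failure can appear that is not reproducible locally and the action code executed in CI can change without anyone reviewing it. Pin the linter to a fixed release, `version: <pinned-linter-release>`, and reference the action by its full commit SHA, `uses: golangci/golangci-lint-action@<full-commit-sha>`. The job definition starts outside the hunk.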
|
|
@ -1,13 +1,23 @@
|
|||
linters:
|
||||
enable:
|
||||
- megacheck
|
||||
- govet
|
||||
- unparam
|
||||
- unconvert
|
||||
- misspell
|
||||
- gofmt
|
||||
- golint
|
||||
- gosec
|
||||
- nakedret
|
||||
- dogsled
|
||||
- asciicheck
|
||||
- bodyclose
|
||||
- depguard
|
||||
- dogsled
|
||||
- durationcheck
|
||||
- errcheck
|
||||
- exportloopref
|
||||
- gofmt
|
||||
- gofumpt
|
||||
- goimports
|
||||
- gosec
|
||||
- govet
|
||||
- importas
|
||||
- megacheck
|
||||
- misspell
|
||||
- nakedret
|
||||
- nolintlint
|
||||
- revive
|
||||
- unconvert
|
||||
- unparam
|
||||
- wastedassign
|
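Review bot: The new enable list keeps `megacheck` while dropping `golint`; megacheck is golangci-lint's bundle of staticcheck, gosimple and unused, and depending on the linter version resolved by `version: latest` in ci.yml it may be reported as a legacy alias, so naming `staticcheck`, `gosimple` and `unused` directly is the explicit form. `gofmt` and `gofumpt` are both enabled, and gofumpt is a stricter superset of gofmt, so the `gofmt` entry adds no checks. Now that lint failures fail the build, a list without overlapping entries is easier to keep green.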
|
@ -28,7 +28,6 @@ import (
|
|||
"reflect"
|
||||
"regexp"
|
||||
"strconv"
|
||||
|
||||
"strings"
|
||||
|
||||
"golang.org/x/tools/go/packages"
|
||||
|
|
|
@ -17,7 +17,6 @@ import (
|
|||
)
|
||||
|
||||
var _ = Describe("Analyzer", func() {
|
||||
|
||||
var (
|
||||
analyzer *gosec.Analyzer
|
||||
logger *log.Logger
|
||||
|
@ -30,7 +29,6 @@ var _ = Describe("Analyzer", func() {
|
|||
})
|
||||
|
||||
Context("when processing a package", func() {
|
||||
|
||||
It("should not report an error if the package contains no Go files", func() {
|
||||
analyzer.LoadRules(rules.Generate().Builders())
|
||||
dir, err := ioutil.TempDir("", "empty")
|
||||
|
@ -118,7 +116,6 @@ var _ = Describe("Analyzer", func() {
|
|||
Expect(err).ShouldNot(HaveOccurred())
|
||||
controlIssues, _, _ := analyzer.Report()
|
||||
Expect(controlIssues).Should(HaveLen(sample.Errors))
|
||||
|
||||
})
|
||||
|
||||
It("should report Go build errors and invalid files", func() {
|
||||
|
@ -262,7 +259,6 @@ var _ = Describe("Analyzer", func() {
|
|||
Expect(err).ShouldNot(HaveOccurred())
|
||||
nosecIssues, _, _ := customAnalyzer.Report()
|
||||
Expect(nosecIssues).Should(HaveLen(sample.Errors))
|
||||
|
||||
})
|
||||
|
||||
It("should be possible to use an alternative nosec tag", func() {
|
||||
|
@ -286,7 +282,6 @@ var _ = Describe("Analyzer", func() {
|
|||
Expect(err).ShouldNot(HaveOccurred())
|
||||
nosecIssues, _, _ := customAnalyzer.Report()
|
||||
Expect(nosecIssues).Should(HaveLen(0))
|
||||
|
||||
})
|
||||
|
||||
It("should ignore vulnerabilities when the default tag is found", func() {
|
||||
|
@ -310,7 +305,6 @@ var _ = Describe("Analyzer", func() {
|
|||
Expect(err).ShouldNot(HaveOccurred())
|
||||
nosecIssues, _, _ := customAnalyzer.Report()
|
||||
Expect(nosecIssues).Should(HaveLen(0))
|
||||
|
||||
})
|
||||
|
||||
It("should be able to analyze Go test package", func() {
|
||||
|
@ -356,7 +350,6 @@ var _ = Describe("Analyzer", func() {
|
|||
})
|
||||
|
||||
Context("when parsing errors from a package", func() {
|
||||
|
||||
It("should return no error when the error list is empty", func() {
|
||||
pkg := &packages.Package{}
|
||||
err := analyzer.ParseErrors(pkg)
|
||||
|
|
|
@ -10,9 +10,7 @@ import (
|
|||
)
|
||||
|
||||
var _ = Describe("Call List", func() {
|
||||
var (
|
||||
calls gosec.CallList
|
||||
)
|
||||
var calls gosec.CallList
|
||||
BeforeEach(func() {
|
||||
calls = gosec.NewCallList()
|
||||
})
|
||||
|
|
|
@ -209,7 +209,7 @@ func getRootPaths(paths []string) []string {
|
|||
}
|
||||
|
||||
func getPrintedFormat(format string, verbose string) string {
|
||||
var fileFormat = format
|
||||
fileFormat := format
|
||||
if format != "" && verbose != "" {
|
||||
fileFormat = verbose
|
||||
}
|
||||
|
@ -217,7 +217,6 @@ func getPrintedFormat(format string, verbose string) string {
|
|||
}
|
||||
|
||||
func printReport(format string, color bool, rootPaths []string, reportInfo *gosec.ReportInfo) error {
|
||||
|
||||
err := report.CreateReport(os.Stdout, format, color, rootPaths, reportInfo)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -226,7 +225,6 @@ func printReport(format string, color bool, rootPaths []string, reportInfo *gose
|
|||
}
|
||||
|
||||
func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error {
|
||||
|
||||
outfile, err := os.Create(filename)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -386,7 +384,7 @@ func main() {
|
|||
reportInfo := gosec.NewReportInfo(issues, metrics, errors).WithVersion(Version)
|
||||
|
||||
if *flagOutput == "" || *flagStdOut {
|
||||
var fileFormat = getPrintedFormat(*flagOutput, *flagVerbose)
|
||||
fileFormat := getPrintedFormat(*flagOutput, *flagVerbose)
|
||||
if err := printReport(fileFormat, *flagColor, rootPaths, reportInfo); err != nil {
|
||||
logger.Fatal((err))
|
||||
}
|
||||
|
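Review bot: `logger.Fatal((err))` in the main() hunk carries a redundant extra pair of parentheses that none of the newly enabled linters appears to have caught; `logger.Fatal(err)` is the intended form. The `var fileFormat =` to `fileFormat :=` change in this hunk matches the one in getPrintedFormat above, so the two call sites are now consistent. main() starts and ends outside the hunk.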
|
|
@ -12,7 +12,6 @@ import (
|
|||
func extractLineNumber(s string) int {
|
||||
lineNumber, _ := strconv.Atoi(strings.Split(s, "-")[0])
|
||||
return lineNumber
|
||||
|
||||
}
|
||||
|
||||
type sortBySeverity []*gosec.Issue
|
||||
|
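Review bot: `lineNumber, _ := strconv.Atoi(strings.Split(s, "-")[0])` in extractLineNumber discards the parse error without a comment, so a line field that is not a plain number or a `start-end` range silently sorts as line 0; if that fallback is intended, say so in place, e.g. `// unparseable line values fall back to 0 and sort first; the issue is still reported`, otherwise surface the failure. errcheck's default configuration does not flag blank-assigned errors, so with the linters now gating the build this comment is the only signal a reader gets. extractLineNumber is complete within the hunk.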
|
|
@ -26,11 +26,13 @@ import (
|
|||
"strings"
|
||||
)
|
||||
|
||||
type command func(args ...string)
|
||||
type utilities struct {
|
||||
type (
|
||||
command func(args ...string)
|
||||
utilities struct {
|
||||
commands map[string]command
|
||||
call []string
|
||||
}
|
||||
)
|
||||
|
||||
// Custom commands / utilities to run instead of default analyzer
|
||||
func newUtils() *utilities {
|
||||
|
@ -58,7 +60,6 @@ func (u *utilities) String() string {
|
|||
func (u *utilities) Set(opt string) error {
|
||||
if _, ok := u.commands[opt]; !ok {
|
||||
return fmt.Errorf("valid tools are: %s", u.String())
|
||||
|
||||
}
|
||||
u.call = append(u.call, opt)
|
||||
return nil
|
||||
|
@ -171,7 +172,6 @@ func checkContext(ctx *context, file string) bool {
|
|||
}
|
||||
|
||||
func dumpCallObj(files ...string) {
|
||||
|
||||
for _, file := range files {
|
||||
if shouldSkip(file) {
|
||||
continue
|
||||
|
|
|
@ -16,7 +16,6 @@ var _ = Describe("Configuration", func() {
|
|||
})
|
||||
|
||||
Context("when loading from disk", func() {
|
||||
|
||||
It("should be possible to load configuration from a file", func() {
|
||||
json := `{"G101": {}}`
|
||||
buffer := bytes.NewBufferString(json)
|
||||
|
@ -35,7 +34,6 @@ var _ = Describe("Configuration", func() {
|
|||
_, err = configuration.ReadFrom(emptyBuffer)
|
||||
Expect(err).Should(HaveOccurred())
|
||||
})
|
||||
|
||||
})
|
||||
|
||||
Context("when saving to disk", func() {
|
||||
|
@ -49,7 +47,6 @@ var _ = Describe("Configuration", func() {
|
|||
})
|
||||
|
||||
It("should be possible to save configuration to file", func() {
|
||||
|
||||
configuration.Set("G101", map[string]string{
|
||||
"mode": "strict",
|
||||
})
|
||||
|
@ -59,12 +56,10 @@ var _ = Describe("Configuration", func() {
|
|||
Expect(int(nbytes)).ShouldNot(BeZero())
|
||||
Expect(err).ShouldNot(HaveOccurred())
|
||||
Expect(buffer.String()).Should(Equal(`{"G101":{"mode":"strict"},"global":{}}`))
|
||||
|
||||
})
|
||||
})
|
||||
|
||||
Context("when configuring rules", func() {
|
||||
|
||||
It("should be possible to get configuration for a rule", func() {
|
||||
settings := map[string]string{
|
||||
"ciphers": "AES256-GCM",
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
package cwe_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCwe(t *testing.T) {
|
||||
|
|
|
@ -17,6 +17,5 @@ var _ = Describe("CWE data", func() {
|
|||
Expect(weakness.Name).ShouldNot(BeNil())
|
||||
Expect(weakness.Description).ShouldNot(BeNil())
|
||||
})
|
||||
|
||||
})
|
||||
})
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
package gosec_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestGosec(t *testing.T) {
|
||||
|
|
|
@ -168,7 +168,6 @@ func GetCallInfo(n ast.Node, ctx *Context) (string, string, error) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
case *ast.Ident:
|
||||
|
@ -220,7 +219,6 @@ func GetIdentStringValues(ident *ast.Ident) []string {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
return values
|
||||
}
|
||||
|
|
3
issue.go
3
issue.go
|
@ -19,11 +19,12 @@ import (
|
|||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"github.com/securego/gosec/v2/cwe"
|
||||
"go/ast"
|
||||
"go/token"
|
||||
"os"
|
||||
"strconv"
|
||||
|
||||
"github.com/securego/gosec/v2/cwe"
|
||||
)
|
||||
|
||||
// Score type used by severity and confidence values
|
||||
|
|
|
@ -11,7 +11,6 @@ import (
|
|||
)
|
||||
|
||||
var _ = Describe("Issue", func() {
|
||||
|
||||
Context("when creating a new issue", func() {
|
||||
It("should create a code snippet from the specified ast.Node", func() {
|
||||
var target *ast.BasicLit
|
||||
|
@ -134,7 +133,5 @@ func main() {
|
|||
It("should maintain the provided confidence score", func() {
|
||||
Skip("Not implemented")
|
||||
})
|
||||
|
||||
})
|
||||
|
||||
})
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
package report
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestRules(t *testing.T) {
|
||||
|
|
|
@ -272,15 +272,15 @@ var _ = Describe("Formatter", func() {
|
|||
|
||||
testSuite = junitReport.Testsuites[1]
|
||||
Expect(testSuite.Testcases[0].Name).To(Equal(issues[1].File))
|
||||
|
||||
})
|
||||
})
|
||||
Context("When using different report formats", func() {
|
||||
|
||||
grules := []string{"G101", "G102", "G103", "G104", "G106",
|
||||
grules := []string{
|
||||
"G101", "G102", "G103", "G104", "G106",
|
||||
"G107", "G109", "G110", "G201", "G202", "G203", "G204",
|
||||
"G301", "G302", "G303", "G304", "G305", "G401", "G402",
|
||||
"G403", "G404", "G501", "G502", "G503", "G504", "G505"}
|
||||
"G403", "G404", "G501", "G502", "G503", "G504", "G505",
|
||||
}
|
||||
|
||||
It("csv formatted report should contain the CWE mapping", func() {
|
||||
for _, rule := range grules {
|
||||
|
|
|
@ -14,7 +14,6 @@ import (
|
|||
|
||||
// GenerateReport Convert a gosec report to a Sarif Report
|
||||
func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) {
|
||||
|
||||
type rule struct {
|
||||
index int
|
||||
rule *ReportingDescriptor
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
package sonar_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestRules(t *testing.T) {
|
||||
|
|
|
@ -336,6 +336,5 @@ var _ = Describe("Resolve ast node to concrete value", func() {
|
|||
Expect(value).ShouldNot(BeNil())
|
||||
Expect(gosec.TryResolve(value, ctx)).Should(BeFalse())
|
||||
})
|
||||
|
||||
})
|
||||
})
|
||||
|
|
|
@ -27,9 +27,7 @@ func (m *mockrule) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error) {
|
|||
}
|
||||
|
||||
var _ = Describe("Rule", func() {
|
||||
|
||||
Context("when using a ruleset", func() {
|
||||
|
||||
var (
|
||||
ruleset gosec.RuleSet
|
||||
dummyErrorRule gosec.Rule
|
||||
|
@ -65,7 +63,6 @@ var _ = Describe("Rule", func() {
|
|||
Expect(ruleset.RegisteredFor(unregisteredNode)).Should(BeEmpty())
|
||||
Expect(ruleset.RegisteredFor(registeredNodeA)).Should(ContainElement(dummyIssueRule))
|
||||
Expect(ruleset.RegisteredFor(registeredNodeB)).Should(ContainElement(dummyIssueRule))
|
||||
|
||||
})
|
||||
|
||||
It("should not register a rule when no ast.Nodes are specified", func() {
|
||||
|
@ -83,7 +80,5 @@ var _ = Describe("Rule", func() {
|
|||
Expect(ruleset.RegisteredFor(registeredNode)).Should(ContainElement(dummyErrorRule))
|
||||
Expect(ruleset.RegisteredFor(registeredNode)).Should(ContainElement(dummyIssueRule))
|
||||
})
|
||||
|
||||
})
|
||||
|
||||
})
|
||||
|
|
|
@ -44,7 +44,6 @@ func (r *badDefer) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
|
|
|
@ -34,7 +34,7 @@ func (r *filePermissions) ID() string {
|
|||
}
|
||||
|
||||
func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {
|
||||
var mode = defaultMode
|
||||
mode := defaultMode
|
||||
if value, ok := conf[configKey]; ok {
|
||||
switch value := value.(type) {
|
||||
case int64:
|
||||
|
|
|
@ -121,7 +121,7 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
|
|||
entropyThreshold := 80.0
|
||||
perCharThreshold := 3.0
|
||||
ignoreEntropy := false
|
||||
var truncateString = 16
|
||||
truncateString := 16
|
||||
if val, ok := conf["G101"]; ok {
|
||||
conf := val.(map[string]interface{})
|
||||
if configPattern, ok := conf["pattern"]; ok {
|
||||
|
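Review bot: `conf := val.(map[string]interface{})` on the new side of the NewHardcodedCredentials hunk is an unchecked type assertion on a configuration value, so a G101 entry that is not a JSON object (for example a bare string in a user-supplied config file) would panic when the rule is constructed rather than being rejected; the two-value form `conf, ok := val.(map[string]interface{})` with a fallback to the defaults avoids that. The constructor returns no error, so the fallback would have to keep the defaults silently, which is worth a comment at that point. NewHardcodedCredentials starts and ends outside the hunk.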
|
|
@ -43,8 +43,10 @@ func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
|
|||
// NewWeakRandCheck detects the use of random number generator that isn't cryptographically secure
|
||||
func NewWeakRandCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||
return &weakRand{
|
||||
funcNames: []string{"New", "Read", "Float32", "Float64", "Int", "Int31",
|
||||
"Int31n", "Int63", "Int63n", "Intn", "NormalFloat64", "Uint32", "Uint64"},
|
||||
funcNames: []string{
|
||||
"New", "Read", "Float32", "Float64", "Int", "Int31",
|
||||
"Int31n", "Int63", "Int63n", "Intn", "NormalFloat64", "Uint32", "Uint64",
|
||||
},
|
||||
packagePath: "math/rand",
|
||||
MetaData: gosec.MetaData{
|
||||
ID: id,
|
||||
|
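Review bot: The funcNames slice in NewWeakRandCheck is only reflowed here, but its coverage is worth a look while it is being touched: math/rand also exposes `ExpFloat64`, `Perm` and `Shuffle`, which draw from the same non-cryptographic source and are absent from the list, so calls to them would presumably not be reported as G404. If the omission is deliberate, a comment on the slice naming the intentionally excluded functions would save the next reader the same check. NewWeakRandCheck continues past the end of the hunk.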
|
|
@ -1,10 +1,10 @@
|
|||
package rules_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestRules(t *testing.T) {
|
||||
|
|
|
@ -13,7 +13,6 @@ import (
|
|||
)
|
||||
|
||||
var _ = Describe("gosec rules", func() {
|
||||
|
||||
var (
|
||||
logger *log.Logger
|
||||
config gosec.Config
|
||||
|
@ -179,7 +178,5 @@ var _ = Describe("gosec rules", func() {
|
|||
It("should detect implicit aliasing in ForRange", func() {
|
||||
runner("G601", testutils.SampleCodeG601)
|
||||
})
|
||||
|
||||
})
|
||||
|
||||
})
|
||||
|
|
16
rules/sql.go
16
rules/sql.go
|
@ -186,7 +186,7 @@ func (s *sqlStrFormat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*gose
|
|||
decl := ident.Obj.Decl
|
||||
if assign, ok := decl.(*ast.AssignStmt); ok {
|
||||
for _, expr := range assign.Rhs {
|
||||
issue, err := s.checkFormatting(expr, ctx)
|
||||
issue := s.checkFormatting(expr, ctx)
|
||||
if issue != nil {
|
||||
return issue, err
|
||||
}
|
||||
|
@ -197,7 +197,7 @@ func (s *sqlStrFormat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*gose
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error) {
|
||||
func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) *gosec.Issue {
|
||||
// argIndex changes the function argument which gets matched to the regex
|
||||
argIndex := 0
|
||||
if node := s.fmtCalls.ContainsPkgCallExpr(n, ctx, false); node != nil {
|
||||
|
@ -208,7 +208,7 @@ func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) (*gosec.I
|
|||
if arg, ok := node.Args[0].(*ast.SelectorExpr); ok {
|
||||
if ident, ok := arg.X.(*ast.Ident); ok {
|
||||
if s.noIssue.Contains(ident.Name, arg.Sel.Name) {
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -219,7 +219,7 @@ func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) (*gosec.I
|
|||
|
||||
// no formatter
|
||||
if len(node.Args) == 0 {
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
var formatter string
|
||||
|
@ -233,7 +233,7 @@ func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) (*gosec.I
|
|||
formatter = arg
|
||||
}
|
||||
if len(formatter) <= 0 {
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
// If all formatter args are quoted or constant, then the SQL construction is safe
|
||||
|
@ -246,14 +246,14 @@ func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) (*gosec.I
|
|||
}
|
||||
}
|
||||
if allSafe {
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
}
|
||||
if s.MatchPatterns(formatter) {
|
||||
return gosec.NewIssue(ctx, n, s.ID(), s.What, s.Severity, s.Confidence), nil
|
||||
return gosec.NewIssue(ctx, n, s.ID(), s.What, s.Severity, s.Confidence)
|
||||
}
|
||||
}
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
// Check SQL query formatting issues such as "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)"
|
||||
|
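Review bot: In the checkQuery hunk (@ -186,7 +186,7), `return issue, err` survives the signature change while `issue := s.checkFormatting(expr, ctx)` no longer declares `err`, so the value returned alongside the issue now comes from whatever `err` is in scope from an earlier statement of checkQuery (outside the hunk), not from the formatting check; it should read `return issue, nil`. The unparam-driven change to checkFormatting itself is applied consistently across the remaining hunks of this file. checkQuery starts and ends outside the hunk.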
|
|
@ -43,7 +43,6 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error
|
|||
// NewTemplateCheck constructs the template check rule. This rule is used to
|
||||
// find use of templates where HTML/JS escaping is not being used
|
||||
func NewTemplateCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||
|
||||
calls := gosec.NewCallList()
|
||||
calls.Add("html/template", "HTML")
|
||||
calls.Add("html/template", "HTMLAttr")
|
||||
|
|
|
@ -112,7 +112,6 @@ func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Cont
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -11,14 +11,16 @@ type CodeSample struct {
|
|||
|
||||
var (
|
||||
// SampleCodeG101 code snippets for hardcoded credentials
|
||||
SampleCodeG101 = []CodeSample{{[]string{`
|
||||
SampleCodeG101 = []CodeSample{
|
||||
{[]string{`
|
||||
package main
|
||||
import "fmt"
|
||||
func main() {
|
||||
username := "admin"
|
||||
password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
||||
fmt.Println("Doing something with: ", username, password)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
// Entropy check should not report this error by default
|
||||
package main
|
||||
import "fmt"
|
||||
|
@ -26,21 +28,24 @@ func main() {
|
|||
username := "admin"
|
||||
password := "secret"
|
||||
fmt.Println("Doing something with: ", username, password)
|
||||
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
import "fmt"
|
||||
var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
||||
func main() {
|
||||
username := "admin"
|
||||
fmt.Println("Doing something with: ", username, password)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
import "fmt"
|
||||
const password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
||||
func main() {
|
||||
username := "admin"
|
||||
fmt.Println("Doing something with: ", username, password)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
import "fmt"
|
||||
const (
|
||||
|
@ -49,12 +54,14 @@ const (
|
|||
)
|
||||
func main() {
|
||||
fmt.Println("Doing something with: ", username, password)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
var password string
|
||||
func init() {
|
||||
password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
const (
|
||||
ATNStateSomethingElse = 1
|
||||
|
@ -62,7 +69,8 @@ const (
|
|||
)
|
||||
func main() {
|
||||
println(ATNStateTokenStart)
|
||||
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
package main
|
||||
const (
|
||||
ATNStateTokenStart = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
||||
|
@ -96,7 +104,8 @@ func main() {
|
|||
if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" {
|
||||
fmt.Println("password equality")
|
||||
}
|
||||
}`}, 0, gosec.NewConfig()}}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG102 code snippets for network binding
|
||||
SampleCodeG102 = []CodeSample{
|
||||
|
@ -201,7 +210,8 @@ func main() {
|
|||
addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0])
|
||||
intPtr = (*int)(unsafe.Pointer(addressHolder))
|
||||
fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr)
|
||||
}`}, 3, gosec.NewConfig()}}
|
||||
}`}, 3, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG104 finds errors that aren't being handled
|
||||
SampleCodeG104 = []CodeSample{
|
||||
|
@ -314,7 +324,8 @@ func main() {
|
|||
createBuffer().WriteString("*bytes.Buffer")
|
||||
b := createBuffer()
|
||||
b.WriteString("*bytes.Buffer")
|
||||
}`}, 0, gosec.NewConfig()}} // it shoudn't return any errors because all method calls are whitelisted by default
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
} // it shoudn't return any errors because all method calls are whitelisted by default
|
||||
|
||||
// SampleCodeG104Audit finds errors that aren't being handled in audit mode
|
||||
SampleCodeG104Audit = []CodeSample{
|
||||
|
@ -372,7 +383,8 @@ func main() {
|
|||
}`, `
|
||||
package main
|
||||
func dummy(){}
|
||||
`}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}}
|
||||
`}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}},
|
||||
}
|
||||
|
||||
// SampleCodeG106 - ssh InsecureIgnoreHostKey
|
||||
SampleCodeG106 = []CodeSample{{[]string{`
|
||||
|
@ -675,7 +687,8 @@ func main() {
|
|||
}
|
||||
v := int32(value)
|
||||
fmt.Println(v)
|
||||
}`}, 0, gosec.NewConfig()}}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG110 - potential DoS vulnerability via decompression bomb
|
||||
SampleCodeG110 = []CodeSample{
|
||||
|
@ -791,7 +804,8 @@ func main() {
|
|||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}`}, 0, gosec.NewConfig()}}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG201 - SQL injection via format string
|
||||
SampleCodeG201 = []CodeSample{
|
||||
|
@ -971,7 +985,8 @@ import (
|
|||
|
||||
func main(){
|
||||
fmt.Sprintln()
|
||||
}`}, 0, gosec.NewConfig()}}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG202 - SQL query string building via string concatenation
|
||||
SampleCodeG202 = []CodeSample{
|
||||
|
@ -1125,7 +1140,8 @@ func main(){
|
|||
}
|
||||
defer rows.Close()
|
||||
}
|
||||
`}, 0, gosec.NewConfig()}}
|
||||
`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG203 - Template checks
|
||||
SampleCodeG203 = []CodeSample{
|
||||
|
@ -1163,7 +1179,8 @@ func main() {
|
|||
"Body": template.HTML(a),
|
||||
}
|
||||
t.Execute(os.Stdout, v)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{
|
||||
}`,
|
||||
}, 1, gosec.NewConfig()}, {[]string{
|
||||
`
|
||||
package main
|
||||
import (
|
||||
|
@ -1179,7 +1196,8 @@ func main() {
|
|||
"Body": template.JS(a),
|
||||
}
|
||||
t.Execute(os.Stdout, v)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{
|
||||
}`,
|
||||
}, 1, gosec.NewConfig()}, {[]string{
|
||||
`
|
||||
package main
|
||||
import (
|
||||
|
@ -1195,10 +1213,13 @@ func main() {
|
|||
"Body": template.URL(a),
|
||||
}
|
||||
t.Execute(os.Stdout, v)
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`,
|
||||
}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG204 - Subprocess auditing
|
||||
SampleCodeG204 = []CodeSample{{[]string{`
|
||||
SampleCodeG204 = []CodeSample{
|
||||
{[]string{`
|
||||
package main
|
||||
import (
|
||||
"log"
|
||||
|
@ -1211,7 +1232,8 @@ func main() {
|
|||
log.Fatal(err)
|
||||
}
|
||||
log.Printf("Command finished with error: %v", err)
|
||||
}`}, 0, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
// Calling any function which starts a new process with using
|
||||
// command line arguments as it's arguments is considered dangerous
|
||||
package main
|
||||
|
@ -1227,7 +1249,8 @@ func main() {
|
|||
log.Fatal(err)
|
||||
}
|
||||
log.Printf("Command finished with error: %v", err)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
// Initializing a local variable using a environmental
|
||||
// variable is consider as a dangerous user input
|
||||
package main
|
||||
|
@ -1246,7 +1269,8 @@ func main() {
|
|||
log.Printf("Waiting for command to finish...")
|
||||
err = cmd.Wait()
|
||||
log.Printf("Command finished with error: %v", err)
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
// gosec doesn't have enough context to decide that the
|
||||
// command argument of the RunCmd function is harcoded string
|
||||
// and that's why it's better to warn the user so he can audit it
|
||||
|
@ -1269,7 +1293,8 @@ func RunCmd(command string) {
|
|||
|
||||
func main() {
|
||||
RunCmd("sleep")
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
// syscall.Exec function called with harcoded arguments
|
||||
// shouldn't be consider as a command injection
|
||||
package main
|
||||
|
@ -1283,7 +1308,8 @@ func main() {
|
|||
fmt.Printf("Error: %v\n", err)
|
||||
}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
{[]string{`
|
||||
{
|
||||
[]string{`
|
||||
package main
|
||||
|
||||
import (
|
||||
|
@ -1302,7 +1328,8 @@ func main() {
|
|||
RunCmd("sleep")
|
||||
}`}, 1, gosec.NewConfig(),
|
||||
},
|
||||
{[]string{`
|
||||
{
|
||||
[]string{`
|
||||
package main
|
||||
|
||||
import (
|
||||
|
@ -1340,7 +1367,8 @@ func main() {
|
|||
log.Printf("Waiting for command to finish...")
|
||||
err = cmd.Wait()
|
||||
log.Printf("Command finished with error: %v", err)
|
||||
}`}, 0, gosec.NewConfig()}}
|
||||
}`}, 0, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG301 - mkdir permission check
|
||||
SampleCodeG301 = []CodeSample{{[]string{`
|
||||
|
@ -1855,7 +1883,8 @@ func main() {
|
|||
|
||||
w.Flush()
|
||||
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
// SampleCodeG307 - Unsafe defer of os.Close
|
||||
SampleCodeG307 = []CodeSample{
|
||||
{[]string{`package main
|
||||
|
@ -1904,7 +1933,8 @@ func main() {
|
|||
|
||||
w.Flush()
|
||||
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG401 - Use of weak crypto MD5
|
||||
SampleCodeG401 = []CodeSample{
|
||||
|
@ -1937,7 +1967,8 @@ func main() {
|
|||
log.Fatal(err)
|
||||
}
|
||||
fmt.Printf("%x", h.Sum(nil))
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG401b - Use of weak crypto SHA1
|
||||
SampleCodeG401b = []CodeSample{
|
||||
|
@ -1962,7 +1993,8 @@ func main() {
|
|||
log.Fatal(err)
|
||||
}
|
||||
fmt.Printf("%x", h.Sum(nil))
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG402 - TLS settings
|
||||
SampleCodeG402 = []CodeSample{{[]string{`
|
||||
|
@ -2001,7 +2033,8 @@ func main() {
|
|||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`,
|
||||
}, 1, gosec.NewConfig()}, {[]string{`
|
||||
// Insecure max version
|
||||
package main
|
||||
import (
|
||||
|
@ -2040,7 +2073,8 @@ func main() {
|
|||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
}`}, 1, gosec.NewConfig()}, {[]string{`
|
||||
}`}, 1, gosec.NewConfig(),
|
||||
}, {[]string{`
|
||||
// secure max version when min version is specified
|
||||
package main
|
||||
import (
|
||||
|
@ -2092,7 +2126,8 @@ func main() {
|
|||
fmt.Println(err)
|
||||
}
|
||||
fmt.Println(pvk)
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG404 - weak random number
|
||||
SampleCodeG404 = []CodeSample{
|
||||
|
@ -2140,7 +2175,8 @@ import (
|
|||
func main() {
|
||||
bad := rand.Intn(10)
|
||||
println(bad)
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG501 - Blocklisted import MD5
|
||||
SampleCodeG501 = []CodeSample{
|
||||
|
@ -2155,7 +2191,8 @@ func main() {
|
|||
for _, arg := range os.Args {
|
||||
fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg)
|
||||
}
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG502 - Blocklisted import DES
|
||||
SampleCodeG502 = []CodeSample{
|
||||
|
@ -2183,7 +2220,8 @@ func main() {
|
|||
stream := cipher.NewCFBEncrypter(block, iv)
|
||||
stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
|
||||
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG503 - Blocklisted import RC4
|
||||
SampleCodeG503 = []CodeSample{{[]string{`
|
||||
|
@ -2227,11 +2265,13 @@ func main() {
|
|||
for _, arg := range os.Args {
|
||||
fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
|
||||
}
|
||||
}`}, 1, gosec.NewConfig()}}
|
||||
}`}, 1, gosec.NewConfig()},
|
||||
}
|
||||
|
||||
// SampleCodeG601 - Implicit aliasing over range statement
|
||||
SampleCodeG601 = []CodeSample{
|
||||
{[]string{`
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import "fmt"
|
||||
|
|