Track both #nosec and #nosec rulelist for one violation (#741)

Yiwei Ding 2021-12-21 06:33:01 +08:00 committed by GitHub
parent e0f354aa0d
commit 2d1c1a6df7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 6 deletions


@ -394,10 +394,13 @@ func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {
for _, rule := range gosec.ruleset.RegisteredFor(n) { for _, rule := range gosec.ruleset.RegisteredFor(n) {
// Check if all rules are ignored. // Check if all rules are ignored.
suppressions, ignored := ignores[aliasOfAllRules] generalSuppressions, generalIgnored := ignores[aliasOfAllRules]
if !ignored { // Check if the specific rule is ignored
suppressions, ignored = ignores[rule.ID()] ruleSuppressions, ruleIgnored := ignores[rule.ID()]
}
ignored := generalIgnored || ruleIgnored
suppressions := append(generalSuppressions, ruleSuppressions...)
// Track external suppressions. // Track external suppressions.
if gosec.ruleset.IsRuleSuppressed(rule.ID()) { if gosec.ruleset.IsRuleSuppressed(rule.ID()) {
ignored = true ignored = true
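Review bot: `suppressions := append(generalSuppressions, ruleSuppressions...)` appends onto a slice taken straight out of the `ignores` map, so whenever `generalSuppressions` has spare capacity the appended entries are written into the backing array that `ignores[aliasOfAllRules]` still references and that every other rule in this loop reuses — a later rule's append can overwrite the suppression list already attached to an earlier rule's issue, and rule-specific entries can leak into the general `#nosec` record. Because these records are the audit trail for why a finding was waived, a clobbered list can attach the wrong justification to the wrong finding. Force a copy with a capacity-limited slice, `suppressions := append(generalSuppressions[:len(generalSuppressions):len(generalSuppressions)], ruleSuppressions...)`, so the result always owns its array. The loop body and `Visit` continue past this hunk; if the external-suppression branch below also appends to `suppressions`, the same fix covers it.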


@ -620,7 +620,7 @@ var _ = Describe("Analyzer", func() {
err = analyzer.Process(buildTags, nosecPackage.Path) err = analyzer.Process(buildTags, nosecPackage.Path)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
issues, _, _ := analyzer.Report() issues, _, _ := analyzer.Report()
Expect(issues).To(HaveLen(1)) Expect(issues).To(HaveLen(sample.Errors))
Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions).To(HaveLen(1))
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
@ -640,12 +640,31 @@ var _ = Describe("Analyzer", func() {
err = analyzer.Process(buildTags, nosecPackage.Path) err = analyzer.Process(buildTags, nosecPackage.Path)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
issues, _, _ := analyzer.Report() issues, _, _ := analyzer.Report()
Expect(issues).To(HaveLen(1)) Expect(issues).To(HaveLen(sample.Errors))
Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions).To(HaveLen(1))
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
Expect(issues[0].Suppressions[0].Justification).To(Equal("")) Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
}) })
It("should track multiple suppressions if the violation is suppressed by both #nosec and #nosec RuleList", func() {
sample := testutils.SampleCodeG101[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo())
nosecPackage := testutils.NewTestPackage()
defer nosecPackage.Close()
nosecSource := strings.Replace(source, "}", "} //#nosec G101 -- Justification", 1)
nosecSource = strings.Replace(nosecSource, "func", "//#nosec\nfunc", 1)
nosecPackage.AddFile("pwd.go", nosecSource)
err := nosecPackage.Build()
Expect(err).ShouldNot(HaveOccurred())
err = analyzer.Process(buildTags, nosecPackage.Path)
Expect(err).ShouldNot(HaveOccurred())
issues, _, _ := analyzer.Report()
Expect(issues).To(HaveLen(sample.Errors))
Expect(issues[0].Suppressions).To(HaveLen(2))
})
It("should not report an error if the rule is not included", func() { It("should not report an error if the rule is not included", func() {
sample := testutils.SampleCodeG101[0] sample := testutils.SampleCodeG101[0]
source := sample.Code[0] source := sample.Code[0]
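Review bot: The new "should track multiple suppressions" case only asserts `Expect(issues[0].Suppressions).To(HaveLen(2))`, so it would still pass if the two entries were duplicates of one another or if the justification ended up on the wrong entry. The analyzer builds the list as the general `#nosec` entries followed by the rule-specific ones (see the `append(generalSuppressions, ruleSuppressions...)` line in analyzer.go), so the test can pin that: `Expect(issues[0].Suppressions[0].Justification).To(Equal(""))` and `Expect(issues[0].Suppressions[1].Justification).To(Equal("Justification"))`, plus `Kind` equal to `"inSource"` on both, mirroring the assertions in the two neighbouring cases. The surrounding `Describe` block and the following `It` case continue outside this hunk.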