diff --git a/main.go b/main.go
index ff6521d..6ee0410 100644
--- a/main.go
+++ b/main.go
@@ -56,7 +56,10 @@ USAGE:
     $ gas -fmt=json -out=results.json ./...
     # Run a specific set of rules (by default all rules will be run):
-    $ gas -rule=sql -rule=sql ./...
+    $ gas -include=G101,G203,G401 ./...
+
+    # Run all rules except the provided
+    $ gas -exclude=G101 ./...
 `
@@ -140,10 +143,10 @@ func main() {
 	flag.Var(&excluded, "skip", "File pattern to exclude from scan")
 	incRules := ""
-	flag.StringVar(&incRules, "include", "", "comma sperated list of rules IDs to include, see rule list")
+	flag.StringVar(&incRules, "include", "", "Comma separated list of rules IDs to include. (see rule list)")
 	excRules := ""
-	flag.StringVar(&excRules, "exclude", "", "comma sperated list of rules IDs to exclude, see rule list")
+	flag.StringVar(&excRules, "exclude", "", "Comma separated list of rules IDs to exclude. (see rule list)")
 	// Custom commands / utilities to run instead of default analyzer
 	tools := newUtils()
diff --git a/rulelist.go b/rulelist.go
index 2502122..72b4cb3 100644
--- a/rulelist.go
+++ b/rulelist.go
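Review bot: Both new help strings say "rules IDs" where "rule IDs" is meant, and the full stop before the parenthetical reads oddly in `flag` usage output; suggest `"Comma separated list of rule IDs to include (see rule list)"` and the matching wording for `-exclude`. The help text is what users see when they mistype a flag, so it is worth getting right in the same commit that fixes "sperated". main's body continues outside the hunk.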
@@ -31,33 +31,33 @@ type RuleInfo struct {
 func GetFullRuleList() map[string]RuleInfo {
 	return map[string]RuleInfo{
 		// misc
-		"G101": RuleInfo{"hardcoded credentials", rules.NewHardcodedCredentials},
-		"G102": RuleInfo{"bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
-		"G103": RuleInfo{"use of unsafe block", rules.NewUsingUnsafe},
-		"G104": RuleInfo{"errors not checked", rules.NewTemplateCheck},
+		"G101": RuleInfo{"Look for hardcoded credentials", rules.NewHardcodedCredentials},
+		"G102": RuleInfo{"Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
+		"G103": RuleInfo{"Audit the use of unsafe block", rules.NewUsingUnsafe},
+		"G104": RuleInfo{"Audit errors not checked", rules.NewTemplateCheck},
 		// injection
-		"G201": RuleInfo{"sql string format", rules.NewSqlStrFormat},
-		"G202": RuleInfo{"sql string concat", rules.NewSqlStrConcat},
-		"G203": RuleInfo{"unescaped templates", rules.NewTemplateCheck},
-		"G204": RuleInfo{"use of exec", rules.NewSubproc},
+		"G201": RuleInfo{"SQL query construction using format string", rules.NewSqlStrFormat},
+		"G202": RuleInfo{"SQL query construction using string concatenation", rules.NewSqlStrConcat},
+		"G203": RuleInfo{"Use of unescaped data in HTML templates", rules.NewTemplateCheck},
+		"G204": RuleInfo{"Audit use of command execution", rules.NewSubproc},
 		// filesystem
-		"G301": RuleInfo{"poor mkdir permissions", rules.NewMkdirPerms},
-		"G302": RuleInfo{"poor chmod permisions", rules.NewChmodPerms},
-		"G303": RuleInfo{"predicatable tempfile", rules.NewBadTempFile},
+		"G301": RuleInfo{"Poor file permissions used when creating a directory", rules.NewMkdirPerms},
+		"G302": RuleInfo{"Poor file permisions used with chmod", rules.NewChmodPerms},
+		"G303": RuleInfo{"Creating tempfile using a predictable path", rules.NewBadTempFile},
 		// crypto
-		"G401": RuleInfo{"weak crypto", rules.NewUsesWeakCryptography},
-		"G402": RuleInfo{"bad TLS options", rules.NewIntermediateTlsCheck},
-		"G403": RuleInfo{"bad RSA key length", rules.NewWeakKeyStrength},
-		"G404": RuleInfo{"poor random source (rand)", rules.NewWeakRandCheck},
+		"G401": RuleInfo{"Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
+		"G402": RuleInfo{"Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
+		"G403": RuleInfo{"Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
+		"G404": RuleInfo{"Insecure random number source (rand)", rules.NewWeakRandCheck},
 		// blacklist
-		"G501": RuleInfo{"blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
-		"G502": RuleInfo{"blacklist: crypto/des", rules.NewBlacklist_crypto_des},
-		"G503": RuleInfo{"blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
-		"G504": RuleInfo{"blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
+		"G501": RuleInfo{"Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
+		"G502": RuleInfo{"Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
+		"G503": RuleInfo{"Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
+		"G504": RuleInfo{"Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
 	}
 }
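Review bot: G104 ("Audit errors not checked") is still wired to `rules.NewTemplateCheck`, the same constructor G203 uses, so selecting G104 via the new `-include` flag would presumably run the HTML-template check and never report unchecked errors; unless that aliasing is deliberate, the entry should point at the unchecked-errors rule's own constructor, and a test that asserts each rule ID maps to a distinct constructor would catch this class of slip. The rewritten G302 description also carries a typo on the new side: `"G302": RuleInfo{"Poor file permissions used with chmod", rules.NewChmodPerms},`. Since these strings are now the user-facing rule descriptions, a quick spell pass over the rest of the map is worthwhile.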