Add support for #excluding specific rules

This commit is contained in:
Jon McClintock 2017-10-05 21:32:03 +00:00
parent 6de76c9261
commit 37cada13f3
37 changed files with 487 additions and 150 deletions

View file

@ -25,6 +25,7 @@ import (
"os"
"path"
"reflect"
"regexp"
"strings"
)
@ -54,10 +55,12 @@ type Context struct {
Root *ast.File
Config map[string]interface{}
Imports *ImportInfo
Ignores []map[string]bool
}
// The Rule interface used by all rules supported by GAS.
type Rule interface {
ID() string
Match(ast.Node, *Context) (*Issue, error)
}
@ -93,7 +96,7 @@ func NewAnalyzer(conf map[string]interface{}, logger *log.Logger) Analyzer {
a := Analyzer{
ignoreNosec: conf["ignoreNosec"].(bool),
ruleset: make(RuleSet),
context: &Context{nil, nil, nil, nil, nil, nil, nil},
context: &Context{nil, nil, nil, nil, nil, nil, nil, nil},
logger: logger,
Issues: make([]*Issue, 0, 16),
Stats: &Metrics{0, 0, 0, 0},
@ -180,22 +183,63 @@ func (gas *Analyzer) ProcessSource(filename string, source string) error {
}
// ignore a node (and sub-tree) if it is tagged with a "#nosec" comment
func (gas *Analyzer) ignore(n ast.Node) bool {
func (gas *Analyzer) ignore(n ast.Node) ([]string, bool) {
if groups, ok := gas.context.Comments[n]; ok && !gas.ignoreNosec {
for _, group := range groups {
if strings.Contains(group.Text(), "#nosec") {
return nil, true
}
if strings.Contains(group.Text(), "#exclude") {
gas.Stats.NumNosec++
return true
// Pull out the specific rules that are listed to be ignored.
re := regexp.MustCompile("!(G\\d{3})")
matches := re.FindAllStringSubmatch(group.Text(), -1)
// Find the rule IDs to ignore.
ignores := make([]string, 0)
for _, v := range matches {
ignores = append(ignores, v[1])
}
return ignores, false
}
}
}
return false
return nil, false
}
// Visit runs the GAS visitor logic over an AST created by parsing go code.
// Rule methods added with AddRule will be invoked as necessary.
func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
if !gas.ignore(n) {
// If we've reached the end of this branch, pop off the ignores stack.
if n == nil {
if len(gas.context.Ignores) > 0 {
gas.context.Ignores = gas.context.Ignores[1:]
}
return gas
}
// Get any new rule exclusions.
ignoredRules, ignoreAll := gas.ignore(n)
if ignoreAll {
return nil
}
// Now create the union of exclusions.
ignores := make(map[string]bool, 0)
if len(gas.context.Ignores) > 0 {
for k, v := range gas.context.Ignores[0] {
ignores[k] = v
}
}
for _, v := range ignoredRules {
ignores[v] = true
}
// Push the new set onto the stack.
gas.context.Ignores = append([]map[string]bool{ignores}, gas.context.Ignores...)
// Track aliased and initialization imports
if imported, ok := n.(*ast.ImportSpec); ok {
@ -217,6 +261,9 @@ func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
if val, ok := gas.ruleset[reflect.TypeOf(n)]; ok {
for _, rule := range val {
if _, ok := ignores[rule.ID()]; ok {
continue
}
ret, err := rule.Match(n, gas.context)
if err != nil {
file, line := GetLocation(n, gas.context)
@ -230,6 +277,4 @@ func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
}
}
return gas
}
return nil
}

View file

@ -11,6 +11,10 @@ type callListRule struct {
matched int
}
func (r *callListRule) ID() string {
return r.MetaData.ID
}
func (r *callListRule) Match(n ast.Node, c *Context) (gi *Issue, err error) {
if r.callList.ContainsCallExpr(n, c) {
r.matched += 1
@ -25,6 +29,7 @@ func TestCallListContainsCallExpr(t *testing.T) {
calls.AddAll("bytes.Buffer", "Write", "WriteTo")
rule := &callListRule{
MetaData: MetaData{
ID: "TEST",
Severity: Low,
Confidence: Low,
What: "A dummy rule",

View file

@ -16,6 +16,10 @@ type dummyRule struct {
matched int
}
func (r *dummyRule) ID() string {
return r.MetaData.ID
}
func (r *dummyRule) Match(n ast.Node, c *Context) (gi *Issue, err error) {
if callexpr, matched := r.callback(n, c, r.pkgOrType, r.funcsOrMethods...); matched {
r.matched += 1

View file

@ -42,6 +42,7 @@ type Issue struct {
// MetaData is embedded in all GAS rules. The Severity, Confidence and What message
// will be passed tbhrough to reported issues.
type MetaData struct {
ID string
Severity Score
Confidence Score
What string

View file

@ -22,43 +22,49 @@ import (
)
type RuleInfo struct {
id string
description string
build func(map[string]interface{}) (gas.Rule, []ast.Node)
build func(string, map[string]interface{}) (gas.Rule, []ast.Node)
}
// GetFullRuleList get the full list of all rules available to GAS
func GetFullRuleList() map[string]RuleInfo {
return map[string]RuleInfo{
rules := []RuleInfo{
// misc
"G101": RuleInfo{"Look for hardcoded credentials", rules.NewHardcodedCredentials},
"G102": RuleInfo{"Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
"G103": RuleInfo{"Audit the use of unsafe block", rules.NewUsingUnsafe},
"G104": RuleInfo{"Audit errors not checked", rules.NewNoErrorCheck},
"G105": RuleInfo{"Audit the use of big.Exp function", rules.NewUsingBigExp},
RuleInfo{"G101", "Look for hardcoded credentials", rules.NewHardcodedCredentials},
RuleInfo{"G102", "Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
RuleInfo{"G103", "Audit the use of unsafe block", rules.NewUsingUnsafe},
RuleInfo{"G104", "Audit errors not checked", rules.NewNoErrorCheck},
RuleInfo{"G105", "Audit the use of big.Exp function", rules.NewUsingBigExp},
// injection
"G201": RuleInfo{"SQL query construction using format string", rules.NewSqlStrFormat},
"G202": RuleInfo{"SQL query construction using string concatenation", rules.NewSqlStrConcat},
"G203": RuleInfo{"Use of unescaped data in HTML templates", rules.NewTemplateCheck},
"G204": RuleInfo{"Audit use of command execution", rules.NewSubproc},
RuleInfo{"G201", "SQL query construction using format string", rules.NewSqlStrFormat},
RuleInfo{"G202", "SQL query construction using string concatenation", rules.NewSqlStrConcat},
RuleInfo{"G203", "Use of unescaped data in HTML templates", rules.NewTemplateCheck},
RuleInfo{"G204", "Audit use of command execution", rules.NewSubproc},
// filesystem
"G301": RuleInfo{"Poor file permissions used when creating a directory", rules.NewMkdirPerms},
"G302": RuleInfo{"Poor file permisions used when creation file or using chmod", rules.NewFilePerms},
"G303": RuleInfo{"Creating tempfile using a predictable path", rules.NewBadTempFile},
RuleInfo{"G301", "Poor file permissions used when creating a directory", rules.NewMkdirPerms},
RuleInfo{"G302", "Poor file permisions used when creation file or using chmod", rules.NewFilePerms},
RuleInfo{"G303", "Creating tempfile using a predictable path", rules.NewBadTempFile},
// crypto
"G401": RuleInfo{"Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
"G402": RuleInfo{"Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
"G403": RuleInfo{"Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
"G404": RuleInfo{"Insecure random number source (rand)", rules.NewWeakRandCheck},
RuleInfo{"G401", "Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
RuleInfo{"G402", "Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
RuleInfo{"G403", "Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
RuleInfo{"G404", "Insecure random number source (rand)", rules.NewWeakRandCheck},
// blacklist
"G501": RuleInfo{"Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
"G502": RuleInfo{"Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
"G503": RuleInfo{"Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
"G504": RuleInfo{"Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
RuleInfo{"G501", "Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
RuleInfo{"G502", "Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
RuleInfo{"G503", "Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
RuleInfo{"G504", "Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
}
ruleMap := make(map[string]RuleInfo)
for _, v := range rules {
ruleMap[v.id] = v
}
return ruleMap
}
func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {
@ -85,7 +91,7 @@ func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {
delete(all, v)
}
for _, v := range all {
analyzer.AddRule(v.build(conf))
for k, v := range all {
analyzer.AddRule(v.build(k, conf))
}
}

View file

@ -15,8 +15,9 @@
package rules
import (
gas "github.com/GoASTScanner/gas/core"
"go/ast"
gas "github.com/GoASTScanner/gas/core"
)
type UsingBigExp struct {
@ -25,17 +26,22 @@ type UsingBigExp struct {
calls []string
}
func (r *UsingBigExp) ID() string {
return r.MetaData.ID
}
func (r *UsingBigExp) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if _, matched := gas.MatchCallByType(n, c, r.pkg, r.calls...); matched {
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
}
return nil, nil
}
func NewUsingBigExp(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewUsingBigExp(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &UsingBigExp{
pkg: "*math/big.Int",
calls: []string{"Exp"},
MetaData: gas.MetaData{
ID: id,
What: "Use of math/big.Int.Exp function should be audited for modulus == 0",
Severity: gas.Low,
Confidence: gas.High,

View file

@ -23,7 +23,7 @@ import (
func TestBigExp(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewUsingBigExp(config))
analyzer.AddRule(NewUsingBigExp("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -28,6 +28,10 @@ type BindsToAllNetworkInterfaces struct {
pattern *regexp.Regexp
}
func (r *BindsToAllNetworkInterfaces) ID() string {
return r.MetaData.ID
}
func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if node := gas.MatchCall(n, r.call); node != nil {
if arg, err := gas.GetString(node.Args[1]); err == nil {
@ -39,11 +43,12 @@ func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas
return
}
func NewBindsToAllNetworkInterfaces(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBindsToAllNetworkInterfaces(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BindsToAllNetworkInterfaces{
call: regexp.MustCompile(`^(net|tls)\.Listen$`),
pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: "Binds to all network interfaces",

View file

@ -23,7 +23,7 @@ import (
func TestBind0000(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBindsToAllNetworkInterfaces(config))
analyzer.AddRule(NewBindsToAllNetworkInterfaces("TEST", config))
issues := gasTestRunner(`
package main
@ -45,7 +45,7 @@ func TestBind0000(t *testing.T) {
func TestBindEmptyHost(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBindsToAllNetworkInterfaces(config))
analyzer.AddRule(NewBindsToAllNetworkInterfaces("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -25,6 +25,10 @@ type BlacklistImport struct {
Path string
}
func (r *BlacklistImport) ID() string {
return r.MetaData.ID
}
func (r *BlacklistImport) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if node, ok := n.(*ast.ImportSpec); ok {
if r.Path == node.Path.Value && node.Name.String() != "_" {
@ -34,9 +38,10 @@ func (r *BlacklistImport) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err
return nil, nil
}
func NewBlacklist_crypto_md5(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBlacklist_crypto_md5(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BlacklistImport{
MetaData: gas.MetaData{
ID: id,
Severity: gas.High,
Confidence: gas.High,
What: "Use of weak cryptographic primitive",
@ -45,9 +50,10 @@ func NewBlacklist_crypto_md5(conf map[string]interface{}) (gas.Rule, []ast.Node)
}, []ast.Node{(*ast.ImportSpec)(nil)}
}
func NewBlacklist_crypto_des(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBlacklist_crypto_des(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BlacklistImport{
MetaData: gas.MetaData{
ID: id,
Severity: gas.High,
Confidence: gas.High,
What: "Use of weak cryptographic primitive",
@ -56,9 +62,10 @@ func NewBlacklist_crypto_des(conf map[string]interface{}) (gas.Rule, []ast.Node)
}, []ast.Node{(*ast.ImportSpec)(nil)}
}
func NewBlacklist_crypto_rc4(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBlacklist_crypto_rc4(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BlacklistImport{
MetaData: gas.MetaData{
ID: id,
Severity: gas.High,
Confidence: gas.High,
What: "Use of weak cryptographic primitive",
@ -67,9 +74,10 @@ func NewBlacklist_crypto_rc4(conf map[string]interface{}) (gas.Rule, []ast.Node)
}, []ast.Node{(*ast.ImportSpec)(nil)}
}
func NewBlacklist_net_http_cgi(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBlacklist_net_http_cgi(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BlacklistImport{
MetaData: gas.MetaData{
ID: id,
Severity: gas.High,
Confidence: gas.High,
What: "Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)",

View file

@ -13,8 +13,9 @@
package rules
import (
gas "github.com/GoASTScanner/gas/core"
"testing"
gas "github.com/GoASTScanner/gas/core"
)
const initOnlyImportSrc = `
@ -33,7 +34,7 @@ func main() {
func TestInitOnlyImport(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBlacklist_crypto_md5(config))
analyzer.AddRule(NewBlacklist_crypto_md5("TEST", config))
issues := gasTestRunner(initOnlyImportSrc, analyzer)
checkTestResults(t, issues, 0, "")
}

View file

@ -15,9 +15,10 @@
package rules
import (
gas "github.com/GoASTScanner/gas/core"
"go/ast"
"go/types"
gas "github.com/GoASTScanner/gas/core"
)
type NoErrorCheck struct {
@ -25,6 +26,10 @@ type NoErrorCheck struct {
whitelist gas.CallList
}
func (r *NoErrorCheck) ID() string {
return r.MetaData.ID
}
func returnsError(callExpr *ast.CallExpr, ctx *gas.Context) int {
if tv := ctx.Info.TypeOf(callExpr); tv != nil {
switch t := tv.(type) {
@ -69,7 +74,7 @@ func (r *NoErrorCheck) Match(n ast.Node, ctx *gas.Context) (*gas.Issue, error) {
return nil, nil
}
func NewNoErrorCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewNoErrorCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
// TODO(gm) Come up with sensible defaults here. Or flip it to use a
// black list instead.
@ -87,6 +92,7 @@ func NewNoErrorCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
}
return &NoErrorCheck{
MetaData: gas.MetaData{
ID: id,
Severity: gas.Low,
Confidence: gas.High,
What: "Errors unhandled.",

View file

@ -23,7 +23,7 @@ import (
func TestErrorsMulti(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewNoErrorCheck(config))
analyzer.AddRule(NewNoErrorCheck("TEST", config))
issues := gasTestRunner(
`package main
@ -47,7 +47,7 @@ func TestErrorsMulti(t *testing.T) {
func TestErrorsSingle(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewNoErrorCheck(config))
analyzer.AddRule(NewNoErrorCheck("TEST", config))
issues := gasTestRunner(
`package main
@ -81,7 +81,7 @@ func TestErrorsSingle(t *testing.T) {
func TestErrorsGood(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewNoErrorCheck(config))
analyzer.AddRule(NewNoErrorCheck("TEST", config))
issues := gasTestRunner(
`package main
@ -110,7 +110,7 @@ func TestErrorsWhitelisted(t *testing.T) {
},
}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewNoErrorCheck(config))
analyzer.AddRule(NewNoErrorCheck("TEST", config))
source := `package main
import (
"io"

View file

@ -29,6 +29,10 @@ type FilePermissions struct {
calls []string
}
func (r *FilePermissions) ID() string {
return r.MetaData.ID
}
func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 {
var mode int64 = defaultMode
if value, ok := conf[configKey]; ok {
@ -56,13 +60,14 @@ func (r *FilePermissions) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
return nil, nil
}
func NewFilePerms(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewFilePerms(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
mode := getConfiguredMode(conf, "G302", 0600)
return &FilePermissions{
mode: mode,
pkg: "os",
calls: []string{"OpenFile", "Chmod"},
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: fmt.Sprintf("Expect file permissions to be %#o or less", mode),
@ -70,13 +75,14 @@ func NewFilePerms(conf map[string]interface{}) (gas.Rule, []ast.Node) {
}, []ast.Node{(*ast.CallExpr)(nil)}
}
func NewMkdirPerms(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewMkdirPerms(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
mode := getConfiguredMode(conf, "G301", 0700)
return &FilePermissions{
mode: mode,
pkg: "os",
calls: []string{"Mkdir", "MkdirAll"},
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: fmt.Sprintf("Expect directory permissions to be %#o or less", mode),

View file

@ -23,7 +23,7 @@ import (
func TestChmod(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewFilePerms(config))
analyzer.AddRule(NewFilePerms("TEST", config))
issues := gasTestRunner(`
package main
@ -41,7 +41,7 @@ func TestChmod(t *testing.T) {
func TestMkdir(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewMkdirPerms(config))
analyzer.AddRule(NewMkdirPerms("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -15,12 +15,13 @@
package rules
import (
gas "github.com/GoASTScanner/gas/core"
"go/ast"
"go/token"
"regexp"
"github.com/nbutton23/zxcvbn-go"
gas "github.com/GoASTScanner/gas/core"
zxcvbn "github.com/nbutton23/zxcvbn-go"
"strconv"
)
@ -33,6 +34,10 @@ type Credentials struct {
ignoreEntropy bool
}
func (r *Credentials) ID() string {
return r.MetaData.ID
}
func truncate(s string, n int) string {
if n > len(s) {
return s
@ -100,7 +105,7 @@ func (r *Credentials) matchGenDecl(decl *ast.GenDecl, ctx *gas.Context) (*gas.Is
return nil, nil
}
func NewHardcodedCredentials(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewHardcodedCredentials(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
pattern := `(?i)passwd|pass|password|pwd|secret|token`
entropyThreshold := 80.0
perCharThreshold := 3.0
@ -140,6 +145,7 @@ func NewHardcodedCredentials(conf map[string]interface{}) (gas.Rule, []ast.Node)
ignoreEntropy: ignoreEntropy,
truncate: truncateString,
MetaData: gas.MetaData{
ID: id,
What: "Potential hardcoded credentials",
Confidence: gas.Low,
Severity: gas.High,

View file

@ -23,7 +23,7 @@ import (
func TestHardcoded(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(
`
@ -43,7 +43,7 @@ func TestHardcoded(t *testing.T) {
func TestHardcodedWithEntropy(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(
`
@ -68,7 +68,7 @@ func TestHardcodedIgnoreEntropy(t *testing.T) {
},
}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(
`
@ -88,7 +88,7 @@ func TestHardcodedIgnoreEntropy(t *testing.T) {
func TestHardcodedGlobalVar(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package samples
@ -108,7 +108,7 @@ func TestHardcodedGlobalVar(t *testing.T) {
func TestHardcodedConstant(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package samples
@ -128,7 +128,7 @@ func TestHardcodedConstant(t *testing.T) {
func TestHardcodedConstantMulti(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package samples
@ -150,7 +150,7 @@ func TestHardcodedConstantMulti(t *testing.T) {
func TestHardecodedVarsNotAssigned(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package main
var password string
@ -163,7 +163,7 @@ func TestHardecodedVarsNotAssigned(t *testing.T) {
func TestHardcodedConstInteger(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package main
@ -180,7 +180,7 @@ func TestHardcodedConstInteger(t *testing.T) {
func TestHardcodedConstString(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewHardcodedCredentials(config))
analyzer.AddRule(NewHardcodedCredentials("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -23,7 +23,7 @@ import (
func TestHttpoxy(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBlacklist_net_http_cgi(config))
analyzer.AddRule(NewBlacklist_net_http_cgi("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -23,7 +23,7 @@ import (
func TestNosec(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
@ -43,7 +43,7 @@ func TestNosec(t *testing.T) {
func TestNosecBlock(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
@ -66,7 +66,7 @@ func TestNosecBlock(t *testing.T) {
func TestNosecIgnore(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": true}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
@ -83,3 +83,176 @@ func TestNosecIgnore(t *testing.T) {
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
}
func TestNosecExcludeOne(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
import (
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #exclude !G001
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 0, "None")
}
func TestNosecExcludeOneNoMatch(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
import (
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #exclude !G002
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
}
func TestNosecExcludeOneMatchNextLine(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
import (
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("FOO")) // #exclude !G001
cmd = exec.Command("sh", "-c", os.Getenv("BAR"))
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
}
func TestNosecBlockExcludeOne(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
import (
"os"
"os/exec"
)
func main() {
// #exclude !G001
if true {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
cmd.Run()
}
}`, analyzer)
checkTestResults(t, issues, 0, "None")
}
func TestNosecBlockExcludeOneNoMatch(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
issues := gasTestRunner(
`package main
import (
"os"
"os/exec"
)
func main() {
// #exclude !G002
if true {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
cmd.Run()
}
}`, analyzer)
checkTestResults(t, issues, 1, "Subprocess launching with variable.")
}
func TestNosecExcludeTwoNoMatch(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
analyzer.AddRule(NewWeakRandCheck("G002", config))
issues := gasTestRunner(
`package main
import (
"math/rand"
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"), string(rand.Int())) // #exclude !G003 !G004
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 2, "")
}
func TestNosecExcludeTwoOneMatch(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
analyzer.AddRule(NewWeakRandCheck("G002", config))
issues := gasTestRunner(
`package main
import (
"math/rand"
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"), string(rand.Int())) // #exclude !G001 !G004
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 1, "Use of weak random number generator")
}
func TestNosecExcludeTwoBothMatch(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc("G001", config))
analyzer.AddRule(NewWeakRandCheck("G002", config))
issues := gasTestRunner(
`package main
import (
"math/rand"
"os"
"os/exec"
)
func main() {
cmd := exec.Command("sh", "-c", os.Getenv("BLAH"), string(rand.Int())) // #exclude !G001 !G002
cmd.Run()
}`, analyzer)
checkTestResults(t, issues, 0, "No issues")
}

View file

@ -26,6 +26,10 @@ type WeakRand struct {
packagePath string
}
func (r *WeakRand) ID() string {
return r.MetaData.ID
}
func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
for _, funcName := range w.funcNames {
if _, matched := gas.MatchCallByPackage(n, c, w.packagePath, funcName); matched {
@ -36,11 +40,12 @@ func (w *WeakRand) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
return nil, nil
}
func NewWeakRandCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewWeakRandCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &WeakRand{
funcNames: []string{"Read", "Int"},
packagePath: "math/rand",
MetaData: gas.MetaData{
ID: id,
Severity: gas.High,
Confidence: gas.Medium,
What: "Use of weak random number generator (math/rand instead of crypto/rand)",

View file

@ -23,7 +23,7 @@ import (
func TestRandOk(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewWeakRandCheck(config))
analyzer.AddRule(NewWeakRandCheck("TEST", config))
issues := gasTestRunner(
`
@ -42,7 +42,7 @@ func TestRandOk(t *testing.T) {
func TestRandBad(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewWeakRandCheck(config))
analyzer.AddRule(NewWeakRandCheck("TEST", config))
issues := gasTestRunner(
`
@ -62,7 +62,7 @@ func TestRandBad(t *testing.T) {
func TestRandRenamed(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewWeakRandCheck(config))
analyzer.AddRule(NewWeakRandCheck("TEST", config))
issues := gasTestRunner(
`

View file

@ -28,6 +28,10 @@ type WeakKeyStrength struct {
bits int
}
func (r *WeakKeyStrength) ID() string {
return r.MetaData.ID
}
func (w *WeakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
if node := gas.MatchCall(n, w.pattern); node != nil {
if bits, err := gas.GetInt(node.Args[1]); err == nil && bits < (int64)(w.bits) {
@ -37,12 +41,13 @@ func (w *WeakKeyStrength) Match(n ast.Node, c *gas.Context) (*gas.Issue, error)
return nil, nil
}
func NewWeakKeyStrength(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewWeakKeyStrength(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
bits := 2048
return &WeakKeyStrength{
pattern: regexp.MustCompile(`^rsa\.GenerateKey$`),
bits: bits,
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: fmt.Sprintf("RSA keys should be at least %d bits", bits),

View file

@ -23,7 +23,7 @@ import (
func TestRSAKeys(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewWeakKeyStrength(config))
analyzer.AddRule(NewWeakKeyStrength("TEST", config))
issues := gasTestRunner(
`package main

View file

@ -30,6 +30,14 @@ type SqlStrConcat struct {
SqlStatement
}
func (r *SqlStatement) ID() string {
return r.MetaData.ID
}
func (r *SqlStrConcat) ID() string {
return r.MetaData.ID
}
// see if we can figure out what it is
func (s *SqlStrConcat) checkObject(n *ast.Ident) bool {
if n.Obj != nil {
@ -56,11 +64,12 @@ func (s *SqlStrConcat) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
return nil, nil
}
func NewSqlStrConcat(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewSqlStrConcat(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &SqlStrConcat{
SqlStatement: SqlStatement{
pattern: regexp.MustCompile(`(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) `),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: "SQL string concatenation",
@ -84,12 +93,13 @@ func (s *SqlStrFormat) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err err
return nil, nil
}
func NewSqlStrFormat(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewSqlStrFormat(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &SqlStrFormat{
call: regexp.MustCompile(`^fmt\.Sprintf$`),
SqlStatement: SqlStatement{
pattern: regexp.MustCompile("(?)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: "SQL string formatting",

View file

@ -23,7 +23,7 @@ import (
func TestSQLInjectionViaConcatenation(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrConcat(config))
analyzer.AddRule(NewSqlStrConcat("TEST", config))
source := `
package main
@ -51,7 +51,7 @@ func TestSQLInjectionViaConcatenation(t *testing.T) {
func TestSQLInjectionViaIntepolation(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrFormat(config))
analyzer.AddRule(NewSqlStrFormat("TEST", config))
source := `
package main
@ -81,8 +81,8 @@ func TestSQLInjectionViaIntepolation(t *testing.T) {
func TestSQLInjectionFalsePositiveA(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrConcat(config))
analyzer.AddRule(NewSqlStrFormat(config))
analyzer.AddRule(NewSqlStrConcat("TEST1", config))
analyzer.AddRule(NewSqlStrFormat("TEST2", config))
source := `
@ -115,8 +115,8 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) {
func TestSQLInjectionFalsePositiveB(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrConcat(config))
analyzer.AddRule(NewSqlStrFormat(config))
analyzer.AddRule(NewSqlStrConcat("TEST1", config))
analyzer.AddRule(NewSqlStrFormat("TEST2", config))
source := `
@ -149,8 +149,8 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {
func TestSQLInjectionFalsePositiveC(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrConcat(config))
analyzer.AddRule(NewSqlStrFormat(config))
analyzer.AddRule(NewSqlStrConcat("TEST1", config))
analyzer.AddRule(NewSqlStrFormat("TEST2", config))
source := `
@ -183,8 +183,8 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) {
func TestSQLInjectionFalsePositiveD(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSqlStrConcat(config))
analyzer.AddRule(NewSqlStrFormat(config))
analyzer.AddRule(NewSqlStrConcat("TEST1", config))
analyzer.AddRule(NewSqlStrFormat("TEST2", config))
source := `

View file

@ -23,9 +23,14 @@ import (
)
type Subprocess struct {
gas.MetaData
pattern *regexp.Regexp
}
func (r *Subprocess) ID() string {
return r.MetaData.ID
}
func (r *Subprocess) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
if node := gas.MatchCall(n, r.pattern); node != nil {
for _, arg := range node.Args {
@ -43,14 +48,19 @@ func (r *Subprocess) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
}
}
what := "Subprocess launching should be audited."
return gas.NewIssue(c, n, what, gas.Low, gas.High), nil
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
}
return nil, nil
}
func NewSubproc(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewSubproc(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &Subprocess{
pattern: regexp.MustCompile(`^exec\.Command|syscall\.Exec$`),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Low,
Confidence: gas.High,
What: "Subprocess launching should be audited.",
},
}, []ast.Node{(*ast.CallExpr)(nil)}
}

View file

@ -23,7 +23,7 @@ import (
func TestSubprocess(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("TEST", config))
issues := gasTestRunner(`
package main
@ -51,7 +51,7 @@ func TestSubprocess(t *testing.T) {
func TestSubprocessVar(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("TEST", config))
issues := gasTestRunner(`
package main
@ -80,7 +80,7 @@ func TestSubprocessVar(t *testing.T) {
func TestSubprocessPath(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("TEST", config))
issues := gasTestRunner(`
package main
@ -107,7 +107,7 @@ func TestSubprocessPath(t *testing.T) {
func TestSubprocessSyscall(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewSubproc(config))
analyzer.AddRule(NewSubproc("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -27,6 +27,10 @@ type BadTempFile struct {
call *regexp.Regexp
}
func (r *BadTempFile) ID() string {
return r.MetaData.ID
}
func (t *BadTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if node := gas.MatchCall(n, t.call); node != nil {
if arg, e := gas.GetString(node.Args[0]); t.args.MatchString(arg) && e == nil {
@ -36,11 +40,12 @@ func (t *BadTempFile) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
return nil, nil
}
func NewBadTempFile(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewBadTempFile(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &BadTempFile{
call: regexp.MustCompile(`ioutil\.WriteFile|os\.Create`),
args: regexp.MustCompile(`^/tmp/.*$|^/var/tmp/.*$`),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: "File creation in shared tmp directory without using ioutil.Tempfile",

View file

@ -23,7 +23,7 @@ import (
func TestTempfiles(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBadTempFile(config))
analyzer.AddRule(NewBadTempFile("TEST", config))
source := `
package samples

View file

@ -26,6 +26,10 @@ type TemplateCheck struct {
call *regexp.Regexp
}
func (r *TemplateCheck) ID() string {
return r.MetaData.ID
}
func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if node := gas.MatchCall(n, t.call); node != nil {
for _, arg := range node.Args {
@ -37,10 +41,11 @@ func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err er
return nil, nil
}
func NewTemplateCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewTemplateCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &TemplateCheck{
call: regexp.MustCompile(`^template\.(HTML|JS|URL)$`),
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.Low,
What: "this method will not auto-escape HTML. Verify data is well formed.",

View file

@ -23,7 +23,7 @@ import (
func TestTemplateCheckSafe(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewTemplateCheck(config))
analyzer.AddRule(NewTemplateCheck("TEST", config))
source := `
package samples
@ -51,7 +51,7 @@ func TestTemplateCheckSafe(t *testing.T) {
func TestTemplateCheckBadHTML(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewTemplateCheck(config))
analyzer.AddRule(NewTemplateCheck("TEST", config))
source := `
package samples
@ -80,7 +80,7 @@ func TestTemplateCheckBadHTML(t *testing.T) {
func TestTemplateCheckBadJS(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewTemplateCheck(config))
analyzer.AddRule(NewTemplateCheck("TEST", config))
source := `
package samples
@ -109,7 +109,7 @@ func TestTemplateCheckBadJS(t *testing.T) {
func TestTemplateCheckBadURL(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewTemplateCheck(config))
analyzer.AddRule(NewTemplateCheck("TEST", config))
source := `
package samples

View file

@ -24,12 +24,17 @@ import (
)
type InsecureConfigTLS struct {
gas.MetaData
MinVersion int16
MaxVersion int16
pattern *regexp.Regexp
goodCiphers []string
}
func (r *InsecureConfigTLS) ID() string {
return r.MetaData.ID
}
func stringInSlice(a string, list []string) bool {
for _, b := range list {
if b == a {
@ -121,7 +126,7 @@ func (t *InsecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, er
return
}
func NewModernTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewModernTlsCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
return &InsecureConfigTLS{
pattern: regexp.MustCompile(`^tls\.Config$`),
@ -135,10 +140,13 @@ func NewModernTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
},
MetaData: gas.MetaData{
ID: id,
},
}, []ast.Node{(*ast.CompositeLit)(nil)}
}
func NewIntermediateTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewIntermediateTlsCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
return &InsecureConfigTLS{
pattern: regexp.MustCompile(`^tls\.Config$`),
@ -161,10 +169,13 @@ func NewIntermediateTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node)
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
},
MetaData: gas.MetaData{
ID: id,
},
}, []ast.Node{(*ast.CompositeLit)(nil)}
}
func NewCompatTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewCompatTlsCheck(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
return &InsecureConfigTLS{
pattern: regexp.MustCompile(`^tls\.Config$`),
@ -189,5 +200,8 @@ func NewCompatTlsCheck(conf map[string]interface{}) (gas.Rule, []ast.Node) {
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
},
MetaData: gas.MetaData{
ID: id,
},
}, []ast.Node{(*ast.CompositeLit)(nil)}
}

View file

@ -23,7 +23,7 @@ import (
func TestInsecureSkipVerify(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
analyzer.AddRule(NewModernTlsCheck("TEST", config))
issues := gasTestRunner(`
package main
@ -52,7 +52,7 @@ func TestInsecureSkipVerify(t *testing.T) {
func TestInsecureMinVersion(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
analyzer.AddRule(NewModernTlsCheck("TEST", config))
issues := gasTestRunner(`
package main
@ -81,7 +81,7 @@ func TestInsecureMinVersion(t *testing.T) {
func TestInsecureMaxVersion(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
analyzer.AddRule(NewModernTlsCheck("TEST", config))
issues := gasTestRunner(`
package main
@ -110,7 +110,7 @@ func TestInsecureMaxVersion(t *testing.T) {
func TestInsecureCipherSuite(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
analyzer.AddRule(NewModernTlsCheck("TEST", config))
issues := gasTestRunner(`
package main
@ -142,7 +142,7 @@ func TestInsecureCipherSuite(t *testing.T) {
func TestPreferServerCipherSuites(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewModernTlsCheck(config))
analyzer.AddRule(NewModernTlsCheck("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -15,8 +15,9 @@
package rules
import (
gas "github.com/GoASTScanner/gas/core"
"go/ast"
gas "github.com/GoASTScanner/gas/core"
)
type UsingUnsafe struct {
@ -25,6 +26,10 @@ type UsingUnsafe struct {
calls []string
}
func (r *UsingUnsafe) ID() string {
return r.MetaData.ID
}
func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
if _, matches := gas.MatchCallByPackage(n, c, r.pkg, r.calls...); matches {
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
@ -32,11 +37,12 @@ func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
return nil, nil
}
func NewUsingUnsafe(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewUsingUnsafe(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
return &UsingUnsafe{
pkg: "unsafe",
calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"},
MetaData: gas.MetaData{
ID: id,
What: "Use of unsafe calls should be audited",
Severity: gas.Low,
Confidence: gas.High,

View file

@ -23,7 +23,7 @@ import (
func TestUnsafe(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewUsingUnsafe(config))
analyzer.AddRule(NewUsingUnsafe("TEST", config))
issues := gasTestRunner(`
package main

View file

@ -25,6 +25,10 @@ type UsesWeakCryptography struct {
blacklist map[string][]string
}
func (r *UsesWeakCryptography) ID() string {
return r.MetaData.ID
}
func (r *UsesWeakCryptography) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
for pkg, funcs := range r.blacklist {
@ -36,7 +40,7 @@ func (r *UsesWeakCryptography) Match(n ast.Node, c *gas.Context) (*gas.Issue, er
}
// Uses des.* md5.* or rc4.*
func NewUsesWeakCryptography(conf map[string]interface{}) (gas.Rule, []ast.Node) {
func NewUsesWeakCryptography(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
calls := make(map[string][]string)
calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"}
calls["crypto/md5"] = []string{"New", "Sum"}
@ -44,6 +48,7 @@ func NewUsesWeakCryptography(conf map[string]interface{}) (gas.Rule, []ast.Node)
rule := &UsesWeakCryptography{
blacklist: calls,
MetaData: gas.MetaData{
ID: id,
Severity: gas.Medium,
Confidence: gas.High,
What: "Use of weak cryptographic primitive",

View file

@ -23,8 +23,8 @@ import (
func TestMD5(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBlacklist_crypto_md5(config))
analyzer.AddRule(NewUsesWeakCryptography(config))
analyzer.AddRule(NewBlacklist_crypto_md5("TEST1", config))
analyzer.AddRule(NewUsesWeakCryptography("TEST2", config))
issues := gasTestRunner(`
package main
@ -45,8 +45,8 @@ func TestMD5(t *testing.T) {
func TestDES(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBlacklist_crypto_des(config))
analyzer.AddRule(NewUsesWeakCryptography(config))
analyzer.AddRule(NewBlacklist_crypto_des("TEST1", config))
analyzer.AddRule(NewUsesWeakCryptography("TEST2", config))
issues := gasTestRunner(`
package main
@ -85,8 +85,8 @@ func TestDES(t *testing.T) {
func TestRC4(t *testing.T) {
config := map[string]interface{}{"ignoreNosec": false}
analyzer := gas.NewAnalyzer(config, nil)
analyzer.AddRule(NewBlacklist_crypto_rc4(config))
analyzer.AddRule(NewUsesWeakCryptography(config))
analyzer.AddRule(NewBlacklist_crypto_rc4("TEST1", config))
analyzer.AddRule(NewUsesWeakCryptography("TEST2", config))
issues := gasTestRunner(`
package main