Updated analyzer to use new way of initialization

* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer

analyzer_test.go

@@ -187,22 +187,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(controlIssues).Should(HaveLen(sample.Errors))
 		})
 
-		It("should find errors when nosec is not in use", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			controlPackage := testutils.NewTestPackage()
-			defer controlPackage.Close()
-			controlPackage.AddFile("aesOFB.go", source)
-			err := controlPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, controlPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			controlIssues, _, _ := analyzer.Report()
-			Expect(controlIssues).Should(HaveLen(sample.Errors))
-		})
-
 		It("should report Go build errors and invalid files", func() {
 			analyzer.LoadRules(rules.Generate(false).RulesInfo())
 			pkg := testutils.NewTestPackage()
@@ -282,23 +266,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when a nosec line comment is present", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should not report errors when a nosec block comment is present", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -350,23 +317,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when a nosec block comment is present", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) /* #nosec */", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should not report errors when an exclude comment is present for the correct rule", func() {
 			// Rule for MD5 weak crypto usage
 			sample := testutils.SampleCodeG401[0]
@@ -421,24 +371,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when an exclude comment is present for the correct rule", func() {
-			// Rule for hardcoded nonce/IV
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec G407", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should not report errors when a nosec  block and line comment are present", func() {
 			sample := testutils.SampleCodeG101[23]
 			source := sample.Code[0]
@@ -536,23 +468,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(HaveLen(sample.Errors))
 		})
 
-		It("should report errors when an exclude comment is present for a different rule", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec G301", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(HaveLen(sample.Errors))
-		})
-
 		It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -610,25 +525,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec G301 G407", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should pass the build tags", func() {
 			sample := testutils.SampleCodeBuildTag[0]
 			source := sample.Code[0]
@@ -725,29 +621,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(HaveLen(sample.Errors))
 		})
 
-		It("should be possible to overwrite nosec comments, and report issues", func() {
-			// Rule for hardcoded IV/nonce
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-
-			// overwrite nosec option
-			nosecIgnoreConfig := gosec.NewConfig()
-			nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
-			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger)
-			customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := customAnalyzer.Report()
-			Expect(nosecIssues).Should(HaveLen(sample.Errors))
-		})
-
 		It("should be possible to overwrite nosec comments, and report issues but they should not be counted", func() {
 			// Rule for MD5 weak crypto usage
 			sample := testutils.SampleCodeG401[0]
@@ -826,32 +699,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(metrics.NumNosec).Should(Equal(1))
 		})
 
-		It("should be possible to overwrite nosec comments, and report issues but they should not be counted", func() {
-			// Rule for hardcoded nonce/IV
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-
-			// overwrite nosec option
-			nosecIgnoreConfig := gosec.NewConfig()
-			nosecIgnoreConfig.SetGlobal(gosec.Nosec, "mynosec")
-			nosecIgnoreConfig.SetGlobal(gosec.ShowIgnored, "true")
-			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger)
-			customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) // #mynosec", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, metrics, _ := customAnalyzer.Report()
-			Expect(nosecIssues).Should(HaveLen(sample.Errors))
-			Expect(metrics.NumFound).Should(Equal(0))
-			Expect(metrics.NumNosec).Should(Equal(1))
-		})
-
 		It("should not report errors when nosec tag is in front of a line", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -903,23 +750,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when nosec tag is in front of a line", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "aesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "//Some description\n//#nosec G407\naesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should report errors when nosec tag is not in front of a line", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -971,23 +801,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(HaveLen(sample.Errors))
 		})
 
-		It("should report errors when nosec tag is not in front of a line", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "aesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "//Some description\n//Another description #nosec G407\naesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(HaveLen(sample.Errors))
-		})
-
 		It("should not report errors when rules are in front of nosec tag even rules are wrong", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -1039,23 +852,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should not report errors when rules are in front of nosec tag even rules are wrong", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "aesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "//G301\n//#nosec\naesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -1107,23 +903,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(HaveLen(sample.Errors))
 		})
 
-		It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "aesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "//#nosec\n//G301\n//#nosec\naesOFB := cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := analyzer.Report()
-			Expect(nosecIssues).Should(HaveLen(sample.Errors))
-		})
-
 		It("should be possible to use an alternative nosec tag", func() {
 			// Rule for MD5 weak crypto usage
 			sample := testutils.SampleCodeG401[0]
@@ -1193,29 +972,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should be possible to use an alternative nosec tag", func() {
-			// Rule for hardcoded nonce/IV
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-
-			// overwrite nosec option
-			nosecIgnoreConfig := gosec.NewConfig()
-			nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive")
-			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger)
-			customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) // #falsePositive", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := customAnalyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should ignore vulnerabilities when the default tag is found", func() {
 			// Rule for MD5 weak crypto usage
 			sample := testutils.SampleCodeG401[0]
@@ -1285,29 +1041,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(nosecIssues).Should(BeEmpty())
 		})
 
-		It("should ignore vulnerabilities when the default tag is found", func() {
-			// Rule for hardcoded nonce/IV
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-
-			// overwrite nosec option
-			nosecIgnoreConfig := gosec.NewConfig()
-			nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive")
-			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger)
-			customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			nosecIssues, _, _ := customAnalyzer.Report()
-			Expect(nosecIssues).Should(BeEmpty())
-		})
-
 		It("should be able to analyze Go test package", func() {
 			customAnalyzer := gosec.NewAnalyzer(nil, true, false, false, 1, logger)
 			customAnalyzer.LoadRules(rules.Generate(false).RulesInfo())
@@ -1671,26 +1404,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
 		})
 
-		It("should not report an error if the violation is suppressed", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec G407 -- Justification", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			issues, _, _ := analyzer.Report()
-			Expect(issues).To(HaveLen(sample.Errors))
-			Expect(issues[0].Suppressions).To(HaveLen(1))
-			Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
-			Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
-		})
-
 		It("should not report an error if the violation is suppressed without certain rules", func() {
 			sample := testutils.SampleCodeG401[0]
 			source := sample.Code[0]
@@ -1751,26 +1464,6 @@ var _ = Describe("Analyzer", func() {
 			Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
 		})
 
-		It("should not report an error if the violation is suppressed without certain rules", func() {
-			sample := testutils.SampleCodeG407[0]
-			source := sample.Code[0]
-			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G407")).RulesInfo())
-
-			nosecPackage := testutils.NewTestPackage()
-			defer nosecPackage.Close()
-			nosecSource := strings.Replace(source, "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\"))", "cipher.NewOFB(block, []byte(\"ILoveMyNonceAlot\")) //#nosec", 1)
-			nosecPackage.AddFile("aesOFB.go", nosecSource)
-			err := nosecPackage.Build()
-			Expect(err).ShouldNot(HaveOccurred())
-			err = analyzer.Process(buildTags, nosecPackage.Path)
-			Expect(err).ShouldNot(HaveOccurred())
-			issues, _, _ := analyzer.Report()
-			Expect(issues).To(HaveLen(sample.Errors))
-			Expect(issues[0].Suppressions).To(HaveLen(1))
-			Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
-			Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
-		})
-
 		It("should not report an error if the rule is not included", func() {
 			sample := testutils.SampleCodeG101[0]
 			source := sample.Code[0]
@@ -1809,6 +1502,45 @@ var _ = Describe("Analyzer", func() {
 			Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed."))
 		})
 
+		It("should not report an error if the analyzer is not included", func() {
+			sample := testutils.SampleCodeG407[0]
+			source := sample.Code[0]
+			analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(false, "G115")).AnalyzersInfo())
+
+			controlPackage := testutils.NewTestPackage()
+			defer controlPackage.Close()
+			controlPackage.AddFile("cipher.go", source)
+			err := controlPackage.Build()
+			Expect(err).ShouldNot(HaveOccurred())
+			err = analyzer.Process(buildTags, controlPackage.Path)
+			Expect(err).ShouldNot(HaveOccurred())
+			controlIssues, _, _ := analyzer.Report()
+			Expect(controlIssues).Should(HaveLen(sample.Errors))
+			Expect(controlIssues[0].Suppressions).To(HaveLen(1))
+			Expect(controlIssues[0].Suppressions[0].Kind).To(Equal("external"))
+			Expect(controlIssues[0].Suppressions[0].Justification).To(Equal("Globally suppressed."))
+		})
+
+
+		It("should not report an error if the analyzer is excluded", func() {
+			sample := testutils.SampleCodeG407[0]
+			source := sample.Code[0]
+			analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(true, "G407")).AnalyzersInfo())
+
+			controlPackage := testutils.NewTestPackage()
+			defer controlPackage.Close()
+			controlPackage.AddFile("cipher.go", source)
+			err := controlPackage.Build()
+			Expect(err).ShouldNot(HaveOccurred())
+			err = analyzer.Process(buildTags, controlPackage.Path)
+			Expect(err).ShouldNot(HaveOccurred())
+			issues, _, _ := analyzer.Report()
+			Expect(issues).Should(HaveLen(sample.Errors))
+			Expect(issues[0].Suppressions).To(HaveLen(1))
+			Expect(issues[0].Suppressions[0].Kind).To(Equal("external"))
+			Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed."))
+		})
+
 		It("should not report an error if the analyzer is not included", func() {
 			sample := testutils.SampleCodeG602[0]
 			source := sample.Code[0]

analyzers/analyzers_test.go

@@ -55,6 +55,10 @@ var _ = Describe("gosec analyzers", func() {
 			runner("G115", testutils.SampleCodeG115)
 		})
 
+		It("should detect hardcoded nonce/IV", func() {
+			runner("G407", testutils.SampleCodeG407)
+		})
+
 		It("should detect out of bounds slice access", func() {
 			runner("G602", testutils.SampleCodeG602)
 		})

analyzers/analyzerslist.go

@@ -68,6 +68,7 @@ func NewAnalyzerFilter(action bool, analyzerIDs ...string) AnalyzerFilter {
 var defaultAnalyzers = []AnalyzerDefinition{
 	{"G115", "Type conversion which leads to integer overflow", newConversionOverflowAnalyzer},
 	{"G602", "Possible slice bounds out of range", newSliceBoundsAnalyzer},
+	{"G407", "Use of hardcoded IV/nonce for encryption", newHardCodedNonce},
 }
 
 // Generate the list of analyzers to use

analyzers/hardcodedNonce.go

@@ -98,11 +98,13 @@ func raiseIssue(val *ssa.Value, funcsToTrack *map[string][]int, ssaFuncs []*ssa.
 	// It goes and check if this function contains call to crypto/rand.Read in it's body(Assuming that calling crypto/rand.Read in a function, is used for the generation of nonce/iv )
 	case *ssa.Call:
 		if calledFunction, ok := valType.Call.Value.(*ssa.Function); ok {
-			if contains, funcErr := isFuncContainsCryptoRand(calledFunction); !contains && funcErr != nil {
+			if contains, funcErr := isFuncContainsCryptoRand(calledFunction); !contains && funcErr == nil {
 				issueDescription += " by passing a value from function which doesn't use crypto/rand"
 				tmp, hasErr := iterateThroughReferrers(val, funcsToTrack, pass.Analyzer.Name, issueDescription, pass.Fset, issue.High, issue.Medium)
 				gosecIssue = append(gosecIssue, tmp...)
 				err = hasErr
+			} else if funcErr != nil {
+				err = funcErr
 			}
 		}
 

rules/rules_test.go

@@ -187,82 +187,6 @@ var _ = Describe("gosec rules", func() {
 			runner("G406", testutils.SampleCodeG406b)
 		})
 
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407b)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407c)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407d)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407e)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407f)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407g)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407h)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407i)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407j)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407k)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407l)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407m)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407n)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407o)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407p)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407q)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407r)
-		})
-
-		It("should detect hardcoded nonce/IV", func() {
-			runner("G407", testutils.SampleCodeG407s)
-		})
-		
 		It("should detect blocklisted imports - MD5", func() {
 			runner("G501", testutils.SampleCodeG501)
 		})

testutils/g407_samples.go

@@ -5,6 +5,7 @@ import "github.com/securego/gosec/v2"
 var (
 	// SampleCodeG407 - Use of hardcoded nonce/IV
 	SampleCodeG407 = []CodeSample{
+
 		{[]string{`package main
 
 import (
@@ -21,11 +22,63 @@ func main() {
 	aesOFB.XORKeyStream(output, []byte("Very Cool thing!"))
 	fmt.Println(string(output))
 
-}`}, 1, gosec.NewConfig()},
+}
-	}
+`}, 1, gosec.NewConfig()},
+
+		{[]string{`package main
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"fmt"
+)
+
+func main() {
+
+	block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1})
+	aesOFB := cipher.NewOFB(block, []byte("ILoveMyNonceAlot")) // #nosec G407
+	var output = make([]byte, 16)
+	aesOFB.XORKeyStream(output, []byte("Very Cool thing!"))
+	fmt.Println(string(output))
+
+}
+
+`}, 0, gosec.NewConfig()},
+
+		{[]string{`package main
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"fmt"
+)
+
+func main() {
+
+	block, _ := aes.NewCipher( []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1})
+	aesGCM, _ := cipher.NewGCM(block)
+
+	cipherText := aesGCM.Seal(nil, func() []byte {
+		if true {
+			return []byte("ILoveMyNonce")
+		} else {
+			return []byte("IDont'Love..")
+		}
+	}(), []byte("My secret message"), nil) // #nosec G407
+	fmt.Println(string(cipherText))
+
+	cipherText, _ = aesGCM.Open(nil, func() []byte {
+		if true {
+			return []byte("ILoveMyNonce")
+		} else {
+			return []byte("IDont'Love..")
+		}
+	}(), cipherText, nil) // #nosec G407
+
+	fmt.Println(string(cipherText))
+}
+`}, 0, gosec.NewConfig()},
 
-	// SampleCodeG407b - Use of hardcoded nonce/IV
-	SampleCodeG407b = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -43,10 +96,7 @@ func main() {
 	fmt.Println(string(output))
 
 }`}, 1, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407c - Use of hardcoded nonce/IV
-	SampleCodeG407c = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -64,10 +114,7 @@ func main() {
 	fmt.Println(string(output))
 
 }`}, 1, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407d - Use of hardcoded nonce/IV
-	SampleCodeG407d = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -86,10 +133,7 @@ func main() {
 
 }
 `}, 1, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407e - Use of hardcoded nonce/IV
-	SampleCodeG407e = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -109,10 +153,7 @@ func main() {
 	fmt.Println(string(cipherText))
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407f - Use of hardcoded nonce/IV
-	SampleCodeG407f = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -132,10 +173,7 @@ func main() {
 	fmt.Println(string(cipherText))
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407g - Use of hardcoded nonce/IV
-	SampleCodeG407g = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -156,10 +194,7 @@ func main() {
 	fmt.Println(string(cipherText))
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407h - Use of hardcoded nonce/IV
-	SampleCodeG407h = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -193,10 +228,7 @@ func main() {
 	fmt.Println(string(cipherText))
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407I - Use of hardcoded nonce/IV
-	SampleCodeG407i = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -229,10 +261,7 @@ func main() {
 	fmt.Println(string(cipherText))
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407j - Use of hardcoded nonce/IV
-	SampleCodeG407j = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -252,10 +281,7 @@ func main() {
 
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407k - Use of hardcoded nonce/IV
-	SampleCodeG407k = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -275,10 +301,7 @@ func main() {
 
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407l - Use of hardcoded nonce/IV
-	SampleCodeG407l = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -299,10 +322,7 @@ func main() {
 	fmt.Println(string(output))
 
 }`}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407m - Use of hardcoded nonce/IV
-	SampleCodeG407m = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -323,10 +343,7 @@ func main() {
 	fmt.Println(string(output))
 
 }`}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407n - Use of hardcoded nonce/IV
-	SampleCodeG407n = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -349,10 +366,7 @@ func main() {
 	fmt.Println(string(output))
 
 }`}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407o - Use of hardcoded nonce/IV
-	SampleCodeG407o = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -376,10 +390,7 @@ func main() {
 
 }
 `}, 2, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407p - Use of hardcoded nonce/IV
-	SampleCodeG407p = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -396,10 +407,7 @@ func main() {
 	fmt.Println(string(aesGCM.Seal(nil, nonce, []byte("My secret message"), nil)))
 }
 `}, 1, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407q - Use of hardcoded nonce/IV
-	SampleCodeG407q = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -418,10 +426,7 @@ func main() {
 	fmt.Println(string(output))
 }
 `}, 1, gosec.NewConfig()},
-	}
 
-	// SampleCodeG407r - Use of hardcoded nonce/IV
-	SampleCodeG407r = []CodeSample{
 		{[]string{`package main
 
 import (
@@ -447,15 +452,12 @@ func main() {
 	fmt.Println(string(output))
 }
 `}, 0, gosec.NewConfig()},
-	}
+
-	// SampleCodeG407s - Use of hardcoded nonce/IV
-	SampleCodeG407s = []CodeSample{
 		{[]string{`package main
 
 import (
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/rand"
 	"fmt"
 )