mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Update the README with some details about the CWE mapping (#407)
* Fix some typos in the README file

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Update the README with some details about the CWE mapping

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
parent
53be8dd864
commit
99170e0d76
1 changed files with 19 additions and 13 deletions
32
README.md
|
@ -7,8 +7,8 @@ Inspects source code for security problems by scanning the Go AST.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License").
|
||||||
you may not use this file except in compliance with the License.
|
You may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
||||||
|
|
||||||
## Project status
|
## Project status
|
||||||
|
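Review bot: the punctuation change on the two rewritten license lines departs from the canonical Apache 2.0 header, which is a single sentence: `Licensed under the Apache License, Version 2.0 (the "License");` followed by `you may not use this file except in compliance with the License.` Keep the semicolon and lowercase `you` so the notice matches the text the license itself prescribes; the only line in this hunk that needs no attention is the unchanged link sentence.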
@ -59,7 +59,7 @@ go get github.com/securego/gosec/cmd/gosec
|
||||||
Gosec can be configured to only run a subset of rules, to exclude certain file
|
Gosec can be configured to only run a subset of rules, to exclude certain file
|
||||||
paths, and produce reports in different formats. By default all rules will be
|
paths, and produce reports in different formats. By default all rules will be
|
||||||
run against the supplied input files. To recursively scan from the current
|
run against the supplied input files. To recursively scan from the current
|
||||||
directory you can supply './...' as the input argument.
|
directory you can supply `./...` as the input argument.
|
||||||
|
|
||||||
|
|
||||||
### Available rules
|
### Available rules
|
||||||
|
@ -96,8 +96,8 @@ directory you can supply './...' as the input argument.
|
||||||
|
|
||||||
### Selecting rules
|
### Selecting rules
|
||||||
|
|
||||||
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the `-include=` flag,
|
||||||
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
or to specify a set of rules to explicitly exclude using the `-exclude=` flag.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Run a specific set of rules
|
# Run a specific set of rules
|
||||||
|
@ -106,6 +106,9 @@ $ gosec -include=G101,G203,G401 ./...
|
||||||
# Run everything except for rule G303
|
# Run everything except for rule G303
|
||||||
$ gosec -exclude=G303 ./...
|
$ gosec -exclude=G303 ./...
|
||||||
```
|
```
|
||||||
|
### CWE Mapping
|
||||||
|
|
||||||
|
Every issue detected by `gosec` is mapped to a [CWE (Common Weakness Enumeration)](http://cwe.mitre.org/data/index.html) which describes in more generic terms the vulnerability. The exact mapping can be found [here](https://github.com/securego/gosec/blob/53be8dd8644ee48802114178cff6eb7e29757414/issue.go#L49).
|
||||||
|
|
||||||
### Configuration
|
### Configuration
|
||||||
|
|
||||||
|
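Review bot: the `here` link in the new CWE Mapping paragraph pins to commit `53be8dd8644ee48802114178cff6eb7e29757414` at `issue.go#L49`, so it will keep pointing at a stale copy of the mapping as rules and CWE IDs are added; link to `issue.go` on the default branch (or name the file and the variable holding the map) instead of a line-number permalink. Also reorder `which describes in more generic terms the vulnerability` to `which describes the vulnerability in more generic terms`.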
@ -140,7 +143,7 @@ of functions which will be skipped when auditing the not checked errors:
|
||||||
|
|
||||||
### Dependencies
|
### Dependencies
|
||||||
|
|
||||||
gosec will fetch automatically the dependencies of the code which is being analyzed when go modules are turned on (e.g.` GO111MODULE=on`). If this is not the case,
|
gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.` GO111MODULE=on`). If this is not the case,
|
||||||
the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan.
|
the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan.
|
||||||
|
|
||||||
### Excluding test files and folders
|
### Excluding test files and folders
|
||||||
|
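Review bot: the wording change from `go modules are turned on` to `go module is turned on` reads less naturally than the original; `Go modules are enabled` is the idiomatic phrasing, and `fetch automatically the dependencies` should become `automatically fetch the dependencies`. On both sides of the hunk the code span after `e.g.` opens with a space inside the backticks and has no space before the opening backtick; since this line is being touched anyway, move the space outside the span so it reads `e.g. ` followed by the `GO111MODULE=on` code span.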
@ -162,7 +165,8 @@ Also additional folders can be excluded as follows:
|
||||||
|
|
||||||
### Annotating code
|
### Annotating code
|
||||||
|
|
||||||
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe,
|
||||||
|
it is possible to annotate the code with a `#nosec` comment.
|
||||||
|
|
||||||
The annotation causes gosec to stop processing any further nodes within the
|
The annotation causes gosec to stop processing any further nodes within the
|
||||||
AST so can apply to a whole block or more granularly to a single expression.
|
AST so can apply to a whole block or more granularly to a single expression.
|
||||||
|
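Review bot: the unchanged context line `AST so can apply to a whole block or more granularly to a single expression.` is missing its subject; since the paragraph above it is being reworded, change it to `AST, so it can apply to a whole block or more granularly to a single expression.` The new soft line break after `being safe,` is fine, Markdown rejoins the sentence when rendering.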
@ -183,10 +187,12 @@ func main(){
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203 `
|
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
|
||||||
|
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
|
||||||
|
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203`
|
||||||
|
|
||||||
In some cases you may also want to revisit places where #nosec annotations
|
In some cases you may also want to revisit places where `#nosec` annotations
|
||||||
have been used. To run the scanner and ignore any #nosec annotations you
|
have been used. To run the scanner and ignore any `#nosec` annotations you
|
||||||
can do the following:
|
can do the following:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
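Review bot: `e.g:` on the rewritten line `the `#nosec` annotation, e.g: ...` should be `e.g.:`; the trailing space removed from the `// #nosec G201 G202 G203` code span was a stray character in the example, so that part of the change is right.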
@ -244,7 +250,7 @@ The released version of the tool is available in the `dist` folder. The build in
|
||||||
gosec - Golang security checker
|
gosec - Golang security checker
|
||||||
|
|
||||||
gosec analyzes Go source code to look for common programming mistakes that
|
gosec analyzes Go source code to look for common programming mistakes that
|
||||||
can lead to security problems.
|
|
||||||
|
|
||||||
VERSION: 1.0.0
|
VERSION: 1.0.0
|
||||||
GIT TAG: v1.0.0
|
GIT TAG: v1.0.0
|
||||||
|
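Review bot: in the rendered hunk the line `can lead to security problems.` appears only in the left column with the cell beside it empty, while every other line in this hunk is shown on both sides; confirm the usage banner still reads `gosec analyzes Go source code to look for common programming mistakes that can lead to security problems.` after the change, otherwise the help text ends mid-sentence.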
@ -262,7 +268,7 @@ make image
|
||||||
```
|
```
|
||||||
|
|
||||||
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project
|
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project
|
||||||
into a volume as follow:
|
into a volume as follows:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker run -it -v <YOUR PROJECT PATH>/<PROJECT>:/<PROJECT> securego/gosec /<PROJECT>/...
|
docker run -it -v <YOUR PROJECT PATH>/<PROJECT>:/<PROJECT> securego/gosec /<PROJECT>/...
|
||||||
|
@ -284,4 +290,4 @@ You can invoke now the `go generate` in the root of the project:
|
||||||
go generate ./...
|
go generate ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
This will generate the `rules/tls_config.go` file with will contain the current ciphers recommendation from Mozilla.
|
This will generate the `rules/tls_config.go` file which will contain the current ciphers recommendation from Mozilla.
|
||||||
|
|
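Review bot: `the current ciphers recommendation from Mozilla` on the rewritten line should be `the current cipher recommendations from Mozilla`; the `with` to `which` fix itself is correct.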