Fix for G402. Check package path instead of package name (#838)
This commit is contained in:
parent
ea6d49d1b5
commit
a5982fb6a6
3 changed files with 48 additions and 9 deletions
32
helpers.go
32
helpers.go
|
@ -39,7 +39,10 @@ import (
|
||||||
func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool) {
|
func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool) {
|
||||||
importedName, found := GetImportedName(pkg, c)
|
importedName, found := GetImportedName(pkg, c)
|
||||||
if !found {
|
if !found {
|
||||||
return nil, false
|
importedName, found = GetAliasedName(pkg, c)
|
||||||
|
if !found {
|
||||||
|
return nil, false
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if callExpr, ok := n.(*ast.CallExpr); ok {
|
if callExpr, ok := n.(*ast.CallExpr); ok {
|
||||||
|
@ -245,7 +248,7 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetImportedName returns the name used for the package within the
|
// GetImportedName returns the name used for the package within the
|
||||||
// code. It will resolve aliases and ignores initialization only imports.
|
// code. It will ignore initialization only imports.
|
||||||
func GetImportedName(path string, ctx *Context) (string, bool) {
|
func GetImportedName(path string, ctx *Context) (string, bool) {
|
||||||
importName, imported := ctx.Imports.Imported[path]
|
importName, imported := ctx.Imports.Imported[path]
|
||||||
if !imported {
|
if !imported {
|
||||||
|
@ -256,20 +259,39 @@ func GetImportedName(path string, ctx *Context) (string, bool) {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
if alias, ok := ctx.Imports.Aliased[path]; ok {
|
return importName, true
|
||||||
importName = alias
|
}
|
||||||
|
|
||||||
|
// GetAliasedName returns the aliased name used for the package within the
|
||||||
|
// code. It will ignore initialization only imports.
|
||||||
|
func GetAliasedName(path string, ctx *Context) (string, bool) {
|
||||||
|
importName, imported := ctx.Imports.Aliased[path]
|
||||||
|
if !imported {
|
||||||
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if _, initonly := ctx.Imports.InitOnly[path]; initonly {
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
|
||||||
return importName, true
|
return importName, true
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetImportPath resolves the full import path of an identifier based on
|
// GetImportPath resolves the full import path of an identifier based on
|
||||||
// the imports in the current context.
|
// the imports in the current context(including aliases).
|
||||||
func GetImportPath(name string, ctx *Context) (string, bool) {
|
func GetImportPath(name string, ctx *Context) (string, bool) {
|
||||||
for path := range ctx.Imports.Imported {
|
for path := range ctx.Imports.Imported {
|
||||||
if imported, ok := GetImportedName(path, ctx); ok && imported == name {
|
if imported, ok := GetImportedName(path, ctx); ok && imported == name {
|
||||||
return path, true
|
return path, true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for path := range ctx.Imports.Aliased {
|
||||||
|
if imported, ok := GetAliasedName(path, ctx); ok && imported == name {
|
||||||
|
return path, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
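Review bot: In MatchCallByPackage the aliased name is only consulted when GetImportedName fails, so a file that imports the same path both plainly and under an alias — exactly the shape of the new fixture, `"crypto/tls"` next to `cryptotls "crypto/tls"` — resolves to the plain name and, presumably, misses calls made through the alias; the comparison against importedName appears to sit further down, outside this hunk. Resolving both up front with `aliasedName, aliased := GetAliasedName(pkg, c)`, returning early only on `!found && !aliased`, and accepting a receiver identifier equal to either name would cover both spellings. Since ctx.Imports.Aliased is indexed by path and yields a single name, it looks as if only one alias per path can be recorded — worth confirming against the Imports definition. Separately, GetImportedName and GetAliasedName now differ only in the map they read; a small shared helper taking the map would keep the InitOnly check in one place. MatchCallByPackage's body continues past the end of its hunk.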
12
rules/tls.go
12
rules/tls.go
|
@ -122,8 +122,10 @@ func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Cont
|
||||||
t.actualMinVersion = ival
|
t.actualMinVersion = ival
|
||||||
} else {
|
} else {
|
||||||
if se, ok := n.Value.(*ast.SelectorExpr); ok {
|
if se, ok := n.Value.(*ast.SelectorExpr); ok {
|
||||||
if pkg, ok := se.X.(*ast.Ident); ok && pkg.Name == "tls" {
|
if pkg, ok := se.X.(*ast.Ident); ok {
|
||||||
t.actualMinVersion = t.mapVersion(se.Sel.Name)
|
if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
|
||||||
|
t.actualMinVersion = t.mapVersion(se.Sel.Name)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -133,8 +135,10 @@ func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Cont
|
||||||
t.actualMaxVersion = ival
|
t.actualMaxVersion = ival
|
||||||
} else {
|
} else {
|
||||||
if se, ok := n.Value.(*ast.SelectorExpr); ok {
|
if se, ok := n.Value.(*ast.SelectorExpr); ok {
|
||||||
if pkg, ok := se.X.(*ast.Ident); ok && pkg.Name == "tls" {
|
if pkg, ok := se.X.(*ast.Ident); ok {
|
||||||
t.actualMaxVersion = t.mapVersion(se.Sel.Name)
|
if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
|
||||||
|
t.actualMaxVersion = t.mapVersion(se.Sel.Name)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
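Review bot: The three-level nested `if` that resolves the selector's package through gosec.GetImportPath and compares it with the literal `"crypto/tls"` is duplicated verbatim for MinVersion and MaxVersion, so any later refinement of the resolution has to be applied twice. A package-level `const tlsPackagePath = "crypto/tls"` used in both branches, plus a helper on insecureConfigTLS that takes `n.Value` and the context and returns the mapped version together with a found flag, would leave each branch as a single assignment; the helper's return type should match whatever t.actualMinVersion holds, which this hunk does not show. Note also that GetImportPath matches on the identifier's name only, so a local variable that shadows the import name would still be treated as the package — presumably acceptable here, but worth a one-line comment such as `// resolves by import name; a shadowing local identifier is not distinguished`. processTLSConfVal begins before and ends after these hunks.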
@ -3008,6 +3008,19 @@ package main
|
||||||
import "crypto/tls"
|
import "crypto/tls"
|
||||||
|
|
||||||
const MinVer = tls.VersionTLS13
|
const MinVer = tls.VersionTLS13
|
||||||
|
`}, 0, gosec.NewConfig()},
|
||||||
|
{[]string{`
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
cryptotls "crypto/tls"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
_ = tls.Config{MinVersion: tls.VersionTLS12}
|
||||||
|
_ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12}
|
||||||
|
}
|
||||||
`}, 0, gosec.NewConfig()},
|
`}, 0, gosec.NewConfig()},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|