diff --git a/rules/errors_test.go b/rules/errors_test.go
index d4a07a0..a0d82c9 100644
--- a/rules/errors_test.go
+++ b/rules/errors_test.go
@@ -32,12 +32,13 @@ func TestErrorsMulti(t *testing.T) {
 "fmt"
 )
- func test() (val int, err error) {
+ func test() (int,error) {
 return 0, nil
 }
 func main() {
 v, _ := test()
+ fmt.Println(v)
 }`, analyzer)
 checkTestResults(t, issues, 1, "Errors unhandled")
@@ -130,6 +131,9 @@ func TestErrorsWhitelisted(t *testing.T) {
 var b bytes.Buffer
 // Default whitelist
 nbytes, _ := b.Write([]byte("Hello "))
+ if nbytes <= 0 {
+ os.Exit(1)
+ }
 // Whitelisted via configuration
 r, _ := zlib.NewReader(&b)
diff --git a/rules/fileperms_test.go b/rules/fileperms_test.go
index c333f57..278c29e 100644
--- a/rules/fileperms_test.go
+++ b/rules/fileperms_test.go
@@ -27,12 +27,12 @@ func TestChmod(t *testing.T) {
 issues := gasTestRunner(`
 package main
- import "os"
+ import "os"
 func main() {
 os.Chmod("/tmp/somefile", 0777)
 os.Chmod("/tmp/someotherfile", 0600)
- f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
- f := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
+ os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666)
+ os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600)
 }`, analyzer)
 checkTestResults(t, issues, 2, "Expect file permissions")
diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go
index 966ee10..fa164dc 100644
--- a/rules/hardcoded_credentials_test.go
+++ b/rules/hardcoded_credentials_test.go
@@ -90,7 +90,10 @@ func TestHardcodedConstantMulti(t *testing.T) {
 import "fmt"
- const username, password = "secret"
+ const (
+ username = "user"
+ password = "secret"
+ )
 func main() {
 fmt.Println("Doing something with: ", username, password)
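Review bot: The `os.Exit(1)` added to the TestErrorsWhitelisted fixture depends on `os` being in that sample's import block, which sits above the hunk and is not visible here; if it is not imported, the sample no longer type-checks and the whitelist assertion is being made against a broken file. Worth confirming the block lists `"os"`, or using a name the fixture already imports to consume `nbytes`. Note also that `bytes.Buffer.Write` documents that it returns `len(p)` with a nil error, so the `nbytes <= 0` branch exists only to keep the variable used — a short comment such as `// keep nbytes used; Buffer.Write never fails` would make that intent clear to the next reader. The fixture's `main` starts before and ends after this hunk.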
@@ -104,7 +107,7 @@ func TestHardecodedVarsNotAssigned(t *testing.T) {
 analyzer := gas.NewAnalyzer(config, nil)
 analyzer.AddRule(NewHardcodedCredentials(config))
 issues := gasTestRunner(`
- package main
+ package main
 var password string
 func init() {
 password = "this is a secret string"
diff --git a/rules/httpoxy_test.go b/rules/httpoxy_test.go
index 690794e..b666fdf 100644
--- a/rules/httpoxy_test.go
+++ b/rules/httpoxy_test.go
@@ -29,8 +29,11 @@ func TestHttpoxy(t *testing.T) {
 package main
 import (
 "net/http/cgi"
+ "net/http"
 )
- func main() {}`, analyzer)
+ func main() {
+ cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
+ }`, analyzer)
 checkTestResults(t, issues, 1, "Go versions < 1.6.3 are vulnerable to Httpoxy")
 }
diff --git a/rules/nosec_test.go b/rules/nosec_test.go
index 29c8fe6..81aa6b8 100644
--- a/rules/nosec_test.go
+++ b/rules/nosec_test.go
@@ -27,14 +27,15 @@ func TestNosec(t *testing.T) {
 issues := gasTestRunner(
 `package main
+ import (
+ "os"
+ "os/exec"
+ )
- import (
- "fmt"
- )
-
- func main() {
- cmd := exec.Command("sh", "-c", config.Command) // #nosec
- }`, analyzer)
+ func main() {
+ cmd := exec.Command("sh", "-c", os.Getenv("BLAH")) // #nosec
+ cmd.Run()
+ }`, analyzer)
 checkTestResults(t, issues, 0, "None")
 }
@@ -46,17 +47,18 @@ func TestNosecBlock(t *testing.T) {
 issues := gasTestRunner(
 `package main
+ import (
+ "os"
+ "os/exect"
+ )
- import (
- "fmt"
- )
-
- func main() {
+ func main() { // #nosec
 if true {
- cmd := exec.Command("sh", "-c", config.Command)
+ cmd := exec.Command("sh", "-c", os.Getenv("BLAH"))
+ cmd.Run()
 }
- }`, analyzer)
+ }`, analyzer)
 checkTestResults(t, issues, 0, "None")
 }
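Review bot: The new `"net/http"` import in the TestHttpoxy fixture is placed after `"net/http/cgi"`, so the sample's import block is no longer in sorted order; gofmt never touches these raw-string samples, so the ordering has to be kept by hand. Swapping the two lines to `"net/http"` then `"net/http/cgi"` keeps the fixture looking like real Go code, which matters for a test that exists to show what the rule flags. The rest of the fixture is outside the hunk.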
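Review bot: The TestNosecBlock fixture imports `"os/exect"`, which is not a standard-library package, while the body calls `exec.Command`; the TestNosec fixture in the hunk above uses the intended `"os/exec"`. Whether this breaks the test depends on whether the analyzer type-checks the sample or only parses it — if it only parses, the typo goes unnoticed and the zero-issue expectation may be satisfied without the subprocess rule ever seeing a resolvable `exec` call. Change the line to `"os/exec"`.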
@@ -69,13 +71,15 @@ func TestNosecIgnore(t *testing.T) {
 issues := gasTestRunner(
 `package main
- import (
- "fmt"
- )
+ import (
+ "os"
+ "os/exec"
+ )
- func main() {
- cmd := exec.Command("sh", "-c", config.Command) // #nosec
- }`, analyzer)
+ func main() {
+ cmd := exec.Command("sh", "-c", os.Args[1]) // #nosec
+ cmd.Run()
+ }`, analyzer)
 checkTestResults(t, issues, 1, "Subprocess launching with variable.")
 }
diff --git a/rules/rand_test.go b/rules/rand_test.go
index 8652e59..c9cd976 100644
--- a/rules/rand_test.go
+++ b/rules/rand_test.go
@@ -32,7 +32,8 @@ func TestRandOk(t *testing.T) {
 import "crypto/rand"
 func main() {
- good, err := rand.Read(nil)
+ good, _ := rand.Read(nil)
+ println(good)
 }`, analyzer)
 checkTestResults(t, issues, 0, "Not expected to match")
@@ -50,7 +51,9 @@ func TestRandBad(t *testing.T) {
 import "math/rand"
 func main() {
- bad, err := rand.Read(nil)
+ bad, _ := rand.Read(nil)
+ println(bad)
+
 }`, analyzer)
 checkTestResults(t, issues, 1, "Use of weak random number generator (math/rand instead of crypto/rand)")
@@ -72,8 +75,10 @@ func TestRandRenamed(t *testing.T) {
 func main() {
- good, err := rand.Read(nil)
+ good, _ := rand.Read(nil)
+ println(good)
 i := mrand.Int()
+ println(i)
 }`, analyzer)
 checkTestResults(t, issues, 0, "Not expected to match")
diff --git a/rules/sql_test.go b/rules/sql_test.go
index 911db10..6c250d1 100644
--- a/rules/sql_test.go
+++ b/rules/sql_test.go
@@ -29,8 +29,8 @@ func TestSQLInjectionViaConcatenation(t *testing.T) {
 package main
 import (
 "database/sql"
+ //_ "github.com/mattn/go-sqlite3"
 "os"
- _ "github.com/mattn/go-sqlite3"
 )
 func main(){
 db, err := sql.Open("sqlite3", ":memory:")
@@ -59,7 +59,7 @@ func TestSQLInjectionViaIntepolation(t *testing.T) {
 "database/sql"
 "fmt"
 "os"
- _ "github.com/mattn/go-sqlite3"
+ //_ "github.com/mattn/go-sqlite3"
 )
 func main(){
 db, err := sql.Open("sqlite3", ":memory:")
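Review bot: The sqlite driver import in the TestSQLInjectionViaConcatenation fixture is commented out rather than removed, and the same `//_ "github.com/mattn/go-sqlite3"` line is left behind in the TestSQLInjectionViaIntepolation hunk and in the FalsePositiveA, B, C and D hunks that follow; a commented-out blank import inside an import block is dead text every reader has to reason about. These samples are only analyzed, never run, so `sql.Open("sqlite3", ...)` needs no registered driver and the line can simply be deleted in all six places. In the first hunk the commented line is additionally moved above `"os"`, which makes the diff noisier than a plain deletion would be.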
@@ -91,7 +91,7 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) {
 "database/sql"
 "fmt"
 "os"
- _ "github.com/mattn/go-sqlite3"
+ //_ "github.com/mattn/go-sqlite3"
 )
 var staticQuery = "SELECT * FROM foo WHERE age < 32"
@@ -127,7 +127,7 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) {
 "database/sql"
 "fmt"
 "os"
- _ "github.com/mattn/go-sqlite3"
+ //_ "github.com/mattn/go-sqlite3"
 )
 var staticQuery = "SELECT * FROM foo WHERE age < 32"
@@ -163,7 +163,7 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) {
 "database/sql"
 "fmt"
 "os"
- _ "github.com/mattn/go-sqlite3"
+ //_ "github.com/mattn/go-sqlite3"
 )
 var staticQuery = "SELECT * FROM foo WHERE age < "
@@ -199,7 +199,7 @@ func TestSQLInjectionFalsePositiveD(t *testing.T) {
 "database/sql"
 "fmt"
 "os"
- _ "github.com/mattn/go-sqlite3"
+ //_ "github.com/mattn/go-sqlite3"
 )
 const age = "32"
diff --git a/rules/subproc_test.go b/rules/subproc_test.go
index 6e9f0fc..13c79df 100644
--- a/rules/subproc_test.go
+++ b/rules/subproc_test.go
@@ -58,11 +58,12 @@ func TestSubprocessVar(t *testing.T) {
 import (
 "log"
+ "os"
 "os/exec"
 )
 func main() {
- run := "sleep" + someFunc()
+ run := "sleep" + os.Getenv("SOMETHING")
 cmd := exec.Command(run, "5")
 err := cmd.Start()
 if err != nil {
@@ -112,8 +113,7 @@ func TestSubprocessSyscall(t *testing.T) {
 package main
 import (
- "log"
- "os/exec"
+ "syscall"
 )
 func main() {
diff --git a/rules/tls_test.go b/rules/tls_test.go
index 1f59759..7443d4f 100644
--- a/rules/tls_test.go
+++ b/rules/tls_test.go
@@ -124,7 +124,7 @@ func TestInsecureCipherSuite(t *testing.T) {
 func main() {
 tr := &http.Transport{
 TLSClientConfig: &tls.Config{CipherSuites: []uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP,
+ tls.TLS_RSA_WITH_RC4_128_SHA,
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 },},
 }
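Review bot: The TestSubprocessSyscall fixture drops `"log"` and `"os/exec"` from its imports in favour of `"syscall"`, but the body of the sample's `main`, where any remaining `log.` or `exec.` reference would live, begins on the hunk's last line and is not visible here; if it still logs an error the sample no longer type-checks. Worth a glance at the lines just below the hunk to confirm only `syscall` is referenced before merging. The TestSubprocessVar hunk above is consistent on its own: `"os"` is both imported and used by the new `os.Getenv("SOMETHING")` line.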
@@ -136,5 +136,5 @@ func TestInsecureCipherSuite(t *testing.T) {
 }
 `, analyzer)
- checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_DERP")
+ checkTestResults(t, issues, 1, "TLS Bad Cipher Suite: TLS_RSA_WITH_RC4_128_SHA")
 }