Add a flag which allows to scan also the tests files

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

analyzer.go

@@ -66,10 +66,11 @@ type Analyzer struct {
 	issues      []*Issue
 	stats       *Metrics
 	errors      map[string][]Error // keys are file paths; values are the golang errors in those files
+	tests       bool
 }
 
 // NewAnalyzer builds a new analyzer.
-func NewAnalyzer(conf Config, logger *log.Logger) *Analyzer {
+func NewAnalyzer(conf Config, tests bool, logger *log.Logger) *Analyzer {
 	ignoreNoSec := false
 	if enabled, err := conf.IsGlobalEnabled(Nosec); err == nil {
 		ignoreNoSec = enabled
@@ -86,6 +87,7 @@ func NewAnalyzer(conf Config, logger *log.Logger) *Analyzer {
 		issues:      make([]*Issue, 0, 16),
 		stats:       &Metrics{},
 		errors:      make(map[string][]Error),
+		tests:       tests,
 	}
 }
 
@@ -123,7 +125,7 @@ func (gosec *Analyzer) pkgConfig(buildTags []string) *packages.Config {
 	return &packages.Config{
 		Mode:       packages.LoadSyntax,
 		BuildFlags: []string{tagsFlag},
-		Tests:      true,
+		Tests:      gosec.tests,
 	}
 }
 
@@ -145,6 +147,15 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 		packageFiles = append(packageFiles, path.Join(pkgPath, filename))
 	}
 
+	if gosec.tests {
+		testsFiles := []string{}
+		testsFiles = append(testsFiles, basePackage.TestGoFiles...)
+		testsFiles = append(testsFiles, basePackage.XTestGoFiles...)
+		for _, filename := range testsFiles {
+			packageFiles = append(packageFiles, path.Join(pkgPath, filename))
+		}
+	}
+
 	pkgs, err := packages.Load(conf, packageFiles...)
 	if err != nil {
 		return []*packages.Package{}, err

analyzer_test.go

@@ -20,10 +20,11 @@ var _ = Describe("Analyzer", func() {
 		analyzer  *gosec.Analyzer
 		logger    *log.Logger
 		buildTags []string
+		tests     bool
 	)
 	BeforeEach(func() {
 		logger, _ = testutils.NewLogger()
-		analyzer = gosec.NewAnalyzer(nil, logger)
+		analyzer = gosec.NewAnalyzer(nil, tests, logger)
 	})
 
 	Context("when processing a package", func() {
@@ -226,7 +227,7 @@ var _ = Describe("Analyzer", func() {
 		// overwrite nosec option
 		nosecIgnoreConfig := gosec.NewConfig()
 		nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
-		customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, logger)
+		customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, logger)
 		customAnalyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, "G401")).Builders())
 
 		nosecPackage := testutils.NewTestPackage()

cmd/gosec/main.go

@@ -98,12 +98,14 @@ var (
 	// do not fail
 	flagNoFail = flag.Bool("no-fail", false, "Do not fail the scanning, even if issues were found")
 
+	// scan tests files
+	flagScanTests = flag.Bool("tests", false, "Scan tests files")
+
 	logger *log.Logger
 )
 
 // #nosec
 func usage() {
-
 	usageText := fmt.Sprintf(usageText, Version, GitTag, BuildDate)
 	fmt.Fprintln(os.Stderr, usageText)
 	fmt.Fprint(os.Stderr, "OPTIONS:\n\n")
@@ -198,7 +200,6 @@ func convertToScore(severity string) (gosec.Score, error) {
 }
 
 func main() {
-
 	// Setup usage description
 	flag.Usage = usage
 
@@ -247,7 +248,7 @@ func main() {
 	}
 
 	// Create the analyzer
-	analyzer := gosec.NewAnalyzer(config, logger)
+	analyzer := gosec.NewAnalyzer(config, *flagScanTests, logger)
 	analyzer.LoadRules(ruleDefinitions.Builders())
 
 	var vendor *regexp.Regexp

rules/rules_test.go

@@ -25,12 +25,13 @@ var _ = Describe("gosec rules", func() {
 		analyzer  *gosec.Analyzer
 		runner    func(string, []testutils.CodeSample, ...option)
 		buildTags []string
+		tests     bool
 	)
 
 	BeforeEach(func() {
 		logger, _ = testutils.NewLogger()
 		config = gosec.NewConfig()
-		analyzer = gosec.NewAnalyzer(config, logger)
+		analyzer = gosec.NewAnalyzer(config, tests, logger)
 		runner = func(rule string, samples []testutils.CodeSample, options ...option) {
 			for _, o := range options {
 				config.SetGlobal(o.name, o.value)