mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
fix hound-ci errors
This commit is contained in:
parent
97cde35f32
commit
cfa432729c
9 changed files with 45 additions and 19 deletions
|
@ -124,7 +124,7 @@ func loadConfig(configFile string) (gas.Config, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadRules(include, exclude string) rules.RuleList {
|
func loadRules(include, exclude string) rules.RuleList {
|
||||||
filters := make([]rules.RuleFilter, 0)
|
var filters []rules.RuleFilter
|
||||||
if include != "" {
|
if include != "" {
|
||||||
including := strings.Split(include, ",")
|
including := strings.Split(include, ",")
|
||||||
filters = append(filters, rules.NewRuleFilter(false, including...))
|
filters = append(filters, rules.NewRuleFilter(false, including...))
|
||||||
|
|
|
@ -18,12 +18,16 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// ImportTracker is used to normalize the packages that have been imported
|
||||||
|
// by a source file. It is able to differentiate between plain imports, aliased
|
||||||
|
// imports and init only imports.
|
||||||
type ImportTracker struct {
|
type ImportTracker struct {
|
||||||
Imported map[string]string
|
Imported map[string]string
|
||||||
Aliased map[string]string
|
Aliased map[string]string
|
||||||
InitOnly map[string]bool
|
InitOnly map[string]bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewImportTracker creates an empty Import tracker instance
|
||||||
func NewImportTracker() *ImportTracker {
|
func NewImportTracker() *ImportTracker {
|
||||||
return &ImportTracker{
|
return &ImportTracker{
|
||||||
make(map[string]string),
|
make(map[string]string),
|
||||||
|
@ -32,6 +36,7 @@ func NewImportTracker() *ImportTracker {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TrackPackages tracks all the imports used by the supplied packages
|
||||||
func (t *ImportTracker) TrackPackages(pkgs ...*types.Package) {
|
func (t *ImportTracker) TrackPackages(pkgs ...*types.Package) {
|
||||||
for _, pkg := range pkgs {
|
for _, pkg := range pkgs {
|
||||||
t.Imported[pkg.Path()] = pkg.Name()
|
t.Imported[pkg.Path()] = pkg.Name()
|
||||||
|
@ -42,6 +47,7 @@ func (t *ImportTracker) TrackPackages(pkgs ...*types.Package) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TrackImport tracks imports and handles the 'unsafe' import
|
||||||
func (t *ImportTracker) TrackImport(n ast.Node) {
|
func (t *ImportTracker) TrackImport(n ast.Node) {
|
||||||
if imported, ok := n.(*ast.ImportSpec); ok {
|
if imported, ok := n.(*ast.ImportSpec); ok {
|
||||||
path := strings.Trim(imported.Path.Value, `"`)
|
path := strings.Trim(imported.Path.Value, `"`)
|
||||||
|
|
|
@ -52,6 +52,8 @@ type reportInfo struct {
|
||||||
Stats *gas.Metrics
|
Stats *gas.Metrics
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CreateReport generates a report based for the supplied issues and metrics given
|
||||||
|
// the specified format. The formats currently accepted are: json, csv, html and text.
|
||||||
func CreateReport(w io.Writer, format string, issues []*gas.Issue, metrics *gas.Metrics) error {
|
func CreateReport(w io.Writer, format string, issues []*gas.Issue, metrics *gas.Metrics) error {
|
||||||
data := &reportInfo{
|
data := &reportInfo{
|
||||||
Issues: issues,
|
Issues: issues,
|
||||||
|
|
1
rule.go
1
rule.go
|
@ -30,6 +30,7 @@ type RuleBuilder func(c Config) (Rule, []ast.Node)
|
||||||
// type of AST node it is currently visiting.
|
// type of AST node it is currently visiting.
|
||||||
type RuleSet map[reflect.Type][]Rule
|
type RuleSet map[reflect.Type][]Rule
|
||||||
|
|
||||||
|
// NewRuleSet constructs a new RuleSet
|
||||||
func NewRuleSet() RuleSet {
|
func NewRuleSet() RuleSet {
|
||||||
return make(RuleSet)
|
return make(RuleSet)
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,13 +18,17 @@ import (
|
||||||
"github.com/GoASTScanner/gas"
|
"github.com/GoASTScanner/gas"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// RuleDefinition contains the description of a rule and a mechanism to
|
||||||
|
// create it.
|
||||||
type RuleDefinition struct {
|
type RuleDefinition struct {
|
||||||
Description string
|
Description string
|
||||||
Create gas.RuleBuilder
|
Create gas.RuleBuilder
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RuleList is a mapping of rule ID's to rule definitions
|
||||||
type RuleList map[string]RuleDefinition
|
type RuleList map[string]RuleDefinition
|
||||||
|
|
||||||
|
// Builders returns all the create methods for a given rule list
|
||||||
func (rl RuleList) Builders() []gas.RuleBuilder {
|
func (rl RuleList) Builders() []gas.RuleBuilder {
|
||||||
builders := make([]gas.RuleBuilder, 0, len(rl))
|
builders := make([]gas.RuleBuilder, 0, len(rl))
|
||||||
for _, def := range rl {
|
for _, def := range rl {
|
||||||
|
@ -33,8 +37,12 @@ func (rl RuleList) Builders() []gas.RuleBuilder {
|
||||||
return builders
|
return builders
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RuleFilter can be used to include or exclude a rule depending on the return
|
||||||
|
// value of the function
|
||||||
type RuleFilter func(string) bool
|
type RuleFilter func(string) bool
|
||||||
|
|
||||||
|
// NewRuleFilter is a closure that will include/exclude the rule ID's based on
|
||||||
|
// the supplied boolean value.
|
||||||
func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter {
|
func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter {
|
||||||
rulelist := make(map[string]bool)
|
rulelist := make(map[string]bool)
|
||||||
for _, rule := range ruleIDs {
|
for _, rule := range ruleIDs {
|
||||||
|
|
|
@ -20,12 +20,12 @@ import (
|
||||||
"github.com/GoASTScanner/gas"
|
"github.com/GoASTScanner/gas"
|
||||||
)
|
)
|
||||||
|
|
||||||
type TemplateCheck struct {
|
type templateCheck struct {
|
||||||
gas.MetaData
|
gas.MetaData
|
||||||
calls gas.CallList
|
calls gas.CallList
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
|
func (t *templateCheck) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
|
||||||
if node := t.calls.ContainsCallExpr(n, c); node != nil {
|
if node := t.calls.ContainsCallExpr(n, c); node != nil {
|
||||||
for _, arg := range node.Args {
|
for _, arg := range node.Args {
|
||||||
if _, ok := arg.(*ast.BasicLit); !ok { // basic lits are safe
|
if _, ok := arg.(*ast.BasicLit); !ok { // basic lits are safe
|
||||||
|
@ -36,9 +36,15 @@ func (t *TemplateCheck) Match(n ast.Node, c *gas.Context) (*gas.Issue, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewTemplateCheck constructs the template check rule. This rule is used to
|
||||||
|
// find use of tempaltes where HTML/JS escaping is not being used
|
||||||
func NewTemplateCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
func NewTemplateCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
|
|
||||||
return &TemplateCheck{
|
calls := gas.NewCallList()
|
||||||
|
calls.Add("template", "HTML")
|
||||||
|
calls.Add("template", "HTMLAttr")
|
||||||
|
calls.Add("template", "JS")
|
||||||
|
return &templateCheck{
|
||||||
calls: gas.NewCallList(),
|
calls: gas.NewCallList(),
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
Severity: gas.Medium,
|
Severity: gas.Medium,
|
||||||
|
|
20
rules/tls.go
20
rules/tls.go
|
@ -21,7 +21,7 @@ import (
|
||||||
"github.com/GoASTScanner/gas"
|
"github.com/GoASTScanner/gas"
|
||||||
)
|
)
|
||||||
|
|
||||||
type InsecureConfigTLS struct {
|
type insecureConfigTLS struct {
|
||||||
MinVersion int16
|
MinVersion int16
|
||||||
MaxVersion int16
|
MaxVersion int16
|
||||||
requiredType string
|
requiredType string
|
||||||
|
@ -37,7 +37,7 @@ func stringInSlice(a string, list []string) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *InsecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gas.Context) *gas.Issue {
|
func (t *insecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gas.Context) *gas.Issue {
|
||||||
tlsConfig := gas.MatchCompLit(n, c, t.requiredType)
|
tlsConfig := gas.MatchCompLit(n, c, t.requiredType)
|
||||||
if tlsConfig == nil {
|
if tlsConfig == nil {
|
||||||
return nil
|
return nil
|
||||||
|
@ -62,7 +62,7 @@ func (t *InsecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gas.Context) *
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Context) *gas.Issue {
|
func (t *insecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Context) *gas.Issue {
|
||||||
if ident, ok := n.Key.(*ast.Ident); ok {
|
if ident, ok := n.Key.(*ast.Ident); ok {
|
||||||
switch ident.Name {
|
switch ident.Name {
|
||||||
case "InsecureSkipVerify":
|
case "InsecureSkipVerify":
|
||||||
|
@ -114,7 +114,7 @@ func (t *InsecureConfigTLS) processTlsConfVal(n *ast.KeyValueExpr, c *gas.Contex
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *InsecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
func (t *insecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
||||||
if node := gas.MatchCompLit(n, c, t.requiredType); node != nil {
|
if node := gas.MatchCompLit(n, c, t.requiredType); node != nil {
|
||||||
for _, elt := range node.Elts {
|
for _, elt := range node.Elts {
|
||||||
if kve, ok := elt.(*ast.KeyValueExpr); ok {
|
if kve, ok := elt.(*ast.KeyValueExpr); ok {
|
||||||
|
@ -128,9 +128,9 @@ func (t *InsecureConfigTLS) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, er
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewModernTlsCheck see: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
|
||||||
func NewModernTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
func NewModernTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
|
return &insecureConfigTLS{
|
||||||
return &InsecureConfigTLS{
|
|
||||||
requiredType: "tls.Config",
|
requiredType: "tls.Config",
|
||||||
MinVersion: 0x0303, // TLS 1.2 only
|
MinVersion: 0x0303, // TLS 1.2 only
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
|
@ -143,9 +143,9 @@ func NewModernTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewIntermediateTlsCheck see: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
|
||||||
func NewIntermediateTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
func NewIntermediateTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
|
return &insecureConfigTLS{
|
||||||
return &InsecureConfigTLS{
|
|
||||||
requiredType: "tls.Config",
|
requiredType: "tls.Config",
|
||||||
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
|
@ -169,9 +169,9 @@ func NewIntermediateTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewCompatTlsCheck see: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
|
||||||
func NewCompatTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
func NewCompatTlsCheck(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_compatibility_.28default.29
|
return &insecureConfigTLS{
|
||||||
return &InsecureConfigTLS{
|
|
||||||
requiredType: "tls.Config",
|
requiredType: "tls.Config",
|
||||||
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
MinVersion: 0x0301, // TLS 1.2, 1.1, 1.0
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0303,
|
||||||
|
|
|
@ -20,21 +20,23 @@ import (
|
||||||
"github.com/GoASTScanner/gas"
|
"github.com/GoASTScanner/gas"
|
||||||
)
|
)
|
||||||
|
|
||||||
type UsingUnsafe struct {
|
type usingUnsafe struct {
|
||||||
gas.MetaData
|
gas.MetaData
|
||||||
pkg string
|
pkg string
|
||||||
calls []string
|
calls []string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
func (r *usingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
||||||
if _, matches := gas.MatchCallByPackage(n, c, r.pkg, r.calls...); matches {
|
if _, matches := gas.MatchCallByPackage(n, c, r.pkg, r.calls...); matches {
|
||||||
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
|
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewUsingUnsafe rule detects the use of the unsafe package. This is only
|
||||||
|
// really useful for auditing purposes.
|
||||||
func NewUsingUnsafe(conf gas.Config) (gas.Rule, []ast.Node) {
|
func NewUsingUnsafe(conf gas.Config) (gas.Rule, []ast.Node) {
|
||||||
return &UsingUnsafe{
|
return &usingUnsafe{
|
||||||
pkg: "unsafe",
|
pkg: "unsafe",
|
||||||
calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"},
|
calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"},
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
|
|
|
@ -20,6 +20,7 @@ type buildObj struct {
|
||||||
program *loader.Program
|
program *loader.Program
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TestPackage is a mock package for testing purposes
|
||||||
type TestPackage struct {
|
type TestPackage struct {
|
||||||
Path string
|
Path string
|
||||||
Files map[string]string
|
Files map[string]string
|
||||||
|
@ -27,7 +28,7 @@ type TestPackage struct {
|
||||||
build *buildObj
|
build *buildObj
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewPackage will create a new and empty package. Must call Close() to cleanup
|
// NewTestPackage will create a new and empty package. Must call Close() to cleanup
|
||||||
// auxilary files
|
// auxilary files
|
||||||
func NewTestPackage() *TestPackage {
|
func NewTestPackage() *TestPackage {
|
||||||
// Files must exist in $GOPATH
|
// Files must exist in $GOPATH
|
||||||
|
@ -76,8 +77,8 @@ func (p *TestPackage) Build() error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var packageFiles []string
|
||||||
packageConfig := loader.Config{Build: &build.Default, ParserMode: parser.ParseComments}
|
packageConfig := loader.Config{Build: &build.Default, ParserMode: parser.ParseComments}
|
||||||
packageFiles := make([]string, 0)
|
|
||||||
for _, filename := range basePackage.GoFiles {
|
for _, filename := range basePackage.GoFiles {
|
||||||
packageFiles = append(packageFiles, path.Join(p.Path, filename))
|
packageFiles = append(packageFiles, path.Join(p.Path, filename))
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue