mirror of
https://github.com/securego/gosec.git
synced 2024-12-26 04:25:52 +00:00
Merge pull request #91 from GoASTScanner/experimental
Update unsafe rule to match package explicitly
This commit is contained in:
commit
d30c5cde36
2 changed files with 11 additions and 6 deletions
|
@ -138,7 +138,6 @@ func (gas *Analyzer) process(filename string, source interface{}) error {
|
||||||
for _, pkg := range gas.context.Pkg.Imports() {
|
for _, pkg := range gas.context.Pkg.Imports() {
|
||||||
gas.context.Imports.Imported[pkg.Path()] = pkg.Name()
|
gas.context.Imports.Imported[pkg.Path()] = pkg.Name()
|
||||||
}
|
}
|
||||||
|
|
||||||
ast.Walk(gas, root)
|
ast.Walk(gas, root)
|
||||||
gas.Stats.NumFiles++
|
gas.Stats.NumFiles++
|
||||||
}
|
}
|
||||||
|
@ -203,8 +202,8 @@ func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
|
||||||
|
|
||||||
// Track aliased and initialization imports
|
// Track aliased and initialization imports
|
||||||
if imported, ok := n.(*ast.ImportSpec); ok {
|
if imported, ok := n.(*ast.ImportSpec); ok {
|
||||||
if imported.Name != nil {
|
|
||||||
path := strings.Trim(imported.Path.Value, `"`)
|
path := strings.Trim(imported.Path.Value, `"`)
|
||||||
|
if imported.Name != nil {
|
||||||
if imported.Name.Name == "_" {
|
if imported.Name.Name == "_" {
|
||||||
// Initialization import
|
// Initialization import
|
||||||
gas.context.Imports.InitOnly[path] = true
|
gas.context.Imports.InitOnly[path] = true
|
||||||
|
@ -213,7 +212,12 @@ func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
|
||||||
gas.context.Imports.Aliased[path] = imported.Name.Name
|
gas.context.Imports.Aliased[path] = imported.Name.Name
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// unsafe is not included in Package.Imports()
|
||||||
|
if path == "unsafe" {
|
||||||
|
gas.context.Imports.Imported[path] = path
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if val, ok := gas.ruleset[reflect.TypeOf(n)]; ok {
|
if val, ok := gas.ruleset[reflect.TypeOf(n)]; ok {
|
||||||
for _, rule := range val {
|
for _, rule := range val {
|
||||||
ret, err := rule.Match(n, &gas.context)
|
ret, err := rule.Match(n, &gas.context)
|
||||||
|
|
|
@ -17,16 +17,16 @@ package rules
|
||||||
import (
|
import (
|
||||||
gas "github.com/GoASTScanner/gas/core"
|
gas "github.com/GoASTScanner/gas/core"
|
||||||
"go/ast"
|
"go/ast"
|
||||||
"regexp"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type UsingUnsafe struct {
|
type UsingUnsafe struct {
|
||||||
gas.MetaData
|
gas.MetaData
|
||||||
pattern *regexp.Regexp
|
pkg string
|
||||||
|
calls []string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
|
||||||
if node := gas.MatchCall(n, r.pattern); node != nil {
|
if _, matches := gas.MatchCallByPackage(n, c, r.pkg, r.calls...); matches {
|
||||||
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
|
return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
@ -34,7 +34,8 @@ func (r *UsingUnsafe) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err erro
|
||||||
|
|
||||||
func NewUsingUnsafe(conf map[string]interface{}) (gas.Rule, []ast.Node) {
|
func NewUsingUnsafe(conf map[string]interface{}) (gas.Rule, []ast.Node) {
|
||||||
return &UsingUnsafe{
|
return &UsingUnsafe{
|
||||||
pattern: regexp.MustCompile(`unsafe\..*`),
|
pkg: "unsafe",
|
||||||
|
calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"},
|
||||||
MetaData: gas.MetaData{
|
MetaData: gas.MetaData{
|
||||||
What: "Use of unsafe calls should be audited",
|
What: "Use of unsafe calls should be audited",
|
||||||
Severity: gas.Low,
|
Severity: gas.Low,
|
||||||
|
|
Loading…
Reference in a new issue