From e385ab872f78950708452976444af3411cd42491 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Sat, 10 Feb 2018 19:59:27 +0100 Subject: [PATCH 1/3] Update the build file with more checks Validate the tool from go version 1.7 onward --- .travis.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 37924cd..15dee58 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,15 +1,25 @@ language: go -before_script: - - go vet $(go list ./... | grep -v /vendor/) + go: - - 1.5 + - 1.7 + - 1.8 + - 1.9 - tip + install: + - go get -u github.com/golang/lint/golint - go get -v github.com/onsi/ginkgo/ginkgo - go get -v github.com/onsi/gomega - go get -v golang.org/x/crypto/ssh + - go get github.com/GoASTScanner/gas/cmd/gas/... - go get -v -t ./... - export PATH=$PATH:$HOME/gopath/bin +before_script: + - test -z "$(gofmt -s -l -w $(find . -type f -name '*.go' -not -path './vendor/*') | tee /dev/stderr)" + - test -z "$(golint . | tee /dev/stderr)" + - go vet $(go list ./... | grep -v /vendor/) + - gas ./... + script: ginkgo -r From 230d286f4ea2a8c74642763e09ef58e73ee6294d Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Sat, 10 Feb 2018 20:04:58 +0100 Subject: [PATCH 2/3] Fix gofmt formatting --- import_tracker_test.go | 2 +- rules/rulelist.go | 42 +++++++++++++++++++++--------------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/import_tracker_test.go b/import_tracker_test.go index 492933c..a1a46f1 100644 --- a/import_tracker_test.go +++ b/import_tracker_test.go @@ -15,7 +15,7 @@ var _ = Describe("ImportTracker", func() { }) Context("when I have a valid go package", func() { It("should record all import specs", func() { - Expect(source).To(Equal(source)) + Expect(source).To(Equal(source)) Skip("Not implemented") }) diff --git a/rules/rulelist.go b/rules/rulelist.go index 6cc3ee6..2846368 100644 --- a/rules/rulelist.go +++ b/rules/rulelist.go 
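Review bot: The new `install:` step fetches golint, gas, ginkgo and gomega at whatever commit their upstream master holds (`go get -u github.com/golang/lint/golint` and the three `go get` lines below it), so every CI run compiles and executes unpinned third-party code and a change or compromise upstream lands in this build with no review here; pin each tool to a tag or commit (or vendor it) so the gate is reproducible. `golint .` in `before_script:` also lints only the root package while the `gofmt`, `go vet` and `gas` lines walk `./...`, so `rules/` and `cmd/` escape the lint gate; `test -z "$(golint ./... | tee /dev/stderr)"` keeps the four checks consistent. The `-w` on `gofmt -s -l -w` rewrites the checkout in a check-only job before failing it, which is harmless on a throwaway builder but `-l` alone is enough to fail the build.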
@@ -60,35 +60,35 @@ func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter {
 func Generate(filters ...RuleFilter) RuleList {
 rules := map[string]RuleDefinition{
 // misc
- "G101": RuleDefinition{"Look for hardcoded credentials", NewHardcodedCredentials},
- "G102": RuleDefinition{"Bind to all interfaces", NewBindsToAllNetworkInterfaces},
- "G103": RuleDefinition{"Audit the use of unsafe block", NewUsingUnsafe},
- "G104": RuleDefinition{"Audit errors not checked", NewNoErrorCheck},
- "G105": RuleDefinition{"Audit the use of big.Exp function", NewUsingBigExp},
- "G106": RuleDefinition{"Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
+ "G101": {"Look for hardcoded credentials", NewHardcodedCredentials},
+ "G102": {"Bind to all interfaces", NewBindsToAllNetworkInterfaces},
+ "G103": {"Audit the use of unsafe block", NewUsingUnsafe},
+ "G104": {"Audit errors not checked", NewNoErrorCheck},
+ "G105": {"Audit the use of big.Exp function", NewUsingBigExp},
+ "G106": {"Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
 // injection
- "G201": RuleDefinition{"SQL query construction using format string", NewSQLStrFormat},
- "G202": RuleDefinition{"SQL query construction using string concatenation", NewSQLStrConcat},
- "G203": RuleDefinition{"Use of unescaped data in HTML templates", NewTemplateCheck},
- "G204": RuleDefinition{"Audit use of command execution", NewSubproc},
+ "G201": {"SQL query construction using format string", NewSQLStrFormat},
+ "G202": {"SQL query construction using string concatenation", NewSQLStrConcat},
+ "G203": {"Use of unescaped data in HTML templates", NewTemplateCheck},
+ "G204": {"Audit use of command execution", NewSubproc},
 // filesystem
- "G301": RuleDefinition{"Poor file permissions used when creating a directory", NewMkdirPerms},
- "G302": RuleDefinition{"Poor file permisions used when creation file or using chmod", NewFilePerms},
- "G303": RuleDefinition{"Creating tempfile using a predictable path", NewBadTempFile},
+ "G301": {"Poor file permissions used when creating a directory", NewMkdirPerms},
+ "G302": {"Poor file permisions used when creation file or using chmod", NewFilePerms},
+ "G303": {"Creating tempfile using a predictable path", NewBadTempFile},
 // crypto
- "G401": RuleDefinition{"Detect the usage of DES, RC4, or MD5", NewUsesWeakCryptography},
- "G402": RuleDefinition{"Look for bad TLS connection settings", NewIntermediateTLSCheck},
- "G403": RuleDefinition{"Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
- "G404": RuleDefinition{"Insecure random number source (rand)", NewWeakRandCheck},
+ "G401": {"Detect the usage of DES, RC4, or MD5", NewUsesWeakCryptography},
+ "G402": {"Look for bad TLS connection settings", NewIntermediateTLSCheck},
+ "G403": {"Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
+ "G404": {"Insecure random number source (rand)", NewWeakRandCheck},
 // blacklist
- "G501": RuleDefinition{"Import blacklist: crypto/md5", NewBlacklistedImportMD5},
- "G502": RuleDefinition{"Import blacklist: crypto/des", NewBlacklistedImportDES},
- "G503": RuleDefinition{"Import blacklist: crypto/rc4", NewBlacklistedImportRC4},
- "G504": RuleDefinition{"Import blacklist: net/http/cgi", NewBlacklistedImportCGI},
+ "G501": {"Import blacklist: crypto/md5", NewBlacklistedImportMD5},
+ "G502": {"Import blacklist: crypto/des", NewBlacklistedImportDES},
+ "G503": {"Import blacklist: crypto/rc4", NewBlacklistedImportRC4},
+ "G504": {"Import blacklist: net/http/cgi", NewBlacklistedImportCGI},
 }
 for rule := range rules {
From 7355f0a119e7fc2a0adc83c19d443cfeaca6c736 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Sat, 10 Feb 2018 20:10:56 +0100
Subject: [PATCH 3/3] Fix some gas warnings
---
 analyzer.go | 5 ++++-
 issue.go | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/analyzer.go b/analyzer.go
index e336869..b7a5e8f 100644
--- a/analyzer.go
+++ b/analyzer.go
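Review bot: The G302 description carried onto the new side still reads `"Poor file permisions used when creation file or using chmod"`, and this string is the user-visible text gas prints with every G302 finding; since the line is already being rewritten it should become `"Poor file permissions used when creating a file or using chmod"`. The rest of the hunk is the `gofmt -s` composite-literal simplification and needs nothing further. Generate's body continues past the end of the hunk.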
@@ -102,7 +102,10 @@ func (gas *Analyzer) Process(packagePaths ...string) error {
 AllowErrors: true,
 }
 for _, packagePath := range packagePaths {
- abspath, _ := filepath.Abs(packagePath)
+ abspath, err := filepath.Abs(packagePath)
+ if err != nil {
+ return err
+ }
 gas.logger.Println("Searching directory:", abspath)
 basePackage, err := build.Default.ImportDir(packagePath, build.ImportComment)
diff --git a/issue.go b/issue.go
index 1060f43..2113529 100644
--- a/issue.go
+++ b/issue.go
@@ -76,7 +76,7 @@ func codeSnippet(file *os.File, start int64, end int64, n ast.Node) (string, err
 }
 size := (int)(end - start) // Go bug, os.File.Read should return int64 ...
- file.Seek(start, 0)
+ file.Seek(start, 0) // #nosec
 buf := make([]byte, size)
 if nread, err := file.Read(buf); err != nil || nread != size {
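Review bot: The new early return hands back the error from `filepath.Abs` bare, so a caller of Process gets something like a `getwd` failure with no indication of which package path triggered it or that it came from path resolution; wrap it at the `return err` line, e.g. `return fmt.Errorf("resolving path %q: %v", packagePath, err)` (`%v` rather than `%w`, since the build matrix introduced earlier in this series still includes Go 1.7). Whether fmt is already imported in analyzer.go is not visible from the hunk. Note also that `abspath` only feeds the log line while `ImportDir` is still handed the relative `packagePath`; that is not wrong, but a one-line comment such as `// abspath is for logging only; ImportDir resolves packagePath itself` would stop the next reader from "fixing" it. Process's body begins before the hunk and continues after it.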
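Review bot: The `// #nosec` added to `file.Seek(start, 0)` silences gas's own unchecked-error rule (G104) inside gas's own code rather than handling the error: if Seek fails, the following `file.Read(buf)` reads from whatever the current offset is and codeSnippet quietly returns the wrong snippet, even though the signature in the hunk header already returns `(string, error)`. Check it instead: `if _, err := file.Seek(start, io.SeekStart); err != nil { return "", err }` — `io.SeekStart` exists from Go 1.7, the oldest version in the matrix, and the literal `0` remains acceptable if io is not imported here. codeSnippet starts before the hunk and its body continues after it.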