mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 12:05:52 +00:00
Merge pull request #254 from kishaningithub/253
Add install.sh script and update readme
This commit is contained in:
commit
e0a150bfa3
3 changed files with 463 additions and 60 deletions
|
@ -1,3 +1,11 @@
|
||||||
|
---
|
||||||
|
project_name: gosec
|
||||||
|
|
||||||
|
release:
|
||||||
|
github:
|
||||||
|
owner: securego
|
||||||
|
name: gosec
|
||||||
|
|
||||||
builds:
|
builds:
|
||||||
- main : ./cmd/gosec/
|
- main : ./cmd/gosec/
|
||||||
binary: gosec
|
binary: gosec
|
||||||
|
|
134
README.md
134
README.md
|
@ -1,71 +1,84 @@
|
||||||
|
|
||||||
|
# gosec - Golang Security Checker
|
||||||
## gosec -Golang Security Checker
|
|
||||||
|
|
||||||
Inspects source code for security problems by scanning the Go AST.
|
Inspects source code for security problems by scanning the Go AST.
|
||||||
|
|
||||||
<img src="https://securego.io/img/gosec.png" width="320">
|
<img src="https://securego.io/img/gosec.png" width="320">
|
||||||
|
|
||||||
|
## License
|
||||||
### License
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0).
|
||||||
|
|
||||||
### Project status
|
## Project status
|
||||||
|
|
||||||
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
|
[![Build Status](https://travis-ci.org/securego/gosec.svg?branch=master)](https://travis-ci.org/securego/gosec)
|
||||||
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
|
[![GoDoc](https://godoc.org/github.com/securego/gosec?status.svg)](https://godoc.org/github.com/securego/gosec)
|
||||||
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
|
[![Slack](http://securego.herokuapp.com/badge.svg)](http://securego.herokuapp.com)
|
||||||
|
|
||||||
|
## Install
|
||||||
|
|
||||||
### Install
|
### CI Installation
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# binary will be $GOPATH/bin/gosec
|
||||||
|
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin vX.Y.Z
|
||||||
|
|
||||||
|
# or install it into ./bin/
|
||||||
|
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||||
|
|
||||||
|
# In alpine linux (as it does not come with curl by default)
|
||||||
|
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z
|
||||||
|
|
||||||
|
gosec --help
|
||||||
|
```
|
||||||
|
|
||||||
|
### Local Installation
|
||||||
|
|
||||||
`$ go get github.com/securego/gosec/cmd/gosec/...`
|
`$ go get github.com/securego/gosec/cmd/gosec/...`
|
||||||
|
|
||||||
### Usage
|
## Usage
|
||||||
|
|
||||||
Gosec can be configured to only run a subset of rules, to exclude certain file
|
Gosec can be configured to only run a subset of rules, to exclude certain file
|
||||||
paths, and produce reports in different formats. By default all rules will be
|
paths, and produce reports in different formats. By default all rules will be
|
||||||
run against the supplied input files. To recursively scan from the current
|
run against the supplied input files. To recursively scan from the current
|
||||||
directory you can supply './...' as the input argument.
|
directory you can supply './...' as the input argument.
|
||||||
|
|
||||||
#### Selecting rules
|
### Selecting rules
|
||||||
|
|
||||||
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
|
||||||
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
|
||||||
|
|
||||||
##### Available rules
|
### Available rules
|
||||||
|
|
||||||
- G101: Look for hardcoded credentials
|
- G101: Look for hard coded credentials
|
||||||
- G102: Bind to all interfaces
|
- G102: Bind to all interfaces
|
||||||
- G103: Audit the use of unsafe block
|
- G103: Audit the use of unsafe block
|
||||||
- G104: Audit errors not checked
|
- G104: Audit errors not checked
|
||||||
- G105: Audit the use of math/big.Int.Exp
|
- G105: Audit the use of math/big.Int.Exp
|
||||||
- G106: Audit the use of ssh.InsecureIgnoreHostKey
|
- G106: Audit the use of ssh.InsecureIgnoreHostKey
|
||||||
- G107: Url provided to HTTP request as taint input
|
- G107: Url provided to HTTP request as taint input
|
||||||
- G201: SQL query construction using format string
|
- G201: SQL query construction using format string
|
||||||
- G202: SQL query construction using string concatenation
|
- G202: SQL query construction using string concatenation
|
||||||
- G203: Use of unescaped data in HTML templates
|
- G203: Use of unescaped data in HTML templates
|
||||||
- G204: Audit use of command execution
|
- G204: Audit use of command execution
|
||||||
- G301: Poor file permissions used when creating a directory
|
- G301: Poor file permissions used when creating a directory
|
||||||
- G302: Poor file permissions used with chmod
|
- G302: Poor file permissions used with chmod
|
||||||
- G303: Creating tempfile using a predictable path
|
- G303: Creating tempfile using a predictable path
|
||||||
- G304: File path provided as taint input
|
- G304: File path provided as taint input
|
||||||
- G305: File traversal when extracting zip archive
|
- G305: File traversal when extracting zip archive
|
||||||
- G401: Detect the usage of DES, RC4, MD5 or SHA1
|
- G401: Detect the usage of DES, RC4, MD5 or SHA1
|
||||||
- G402: Look for bad TLS connection settings
|
- G402: Look for bad TLS connection settings
|
||||||
- G403: Ensure minimum RSA key length of 2048 bits
|
- G403: Ensure minimum RSA key length of 2048 bits
|
||||||
- G404: Insecure random number source (rand)
|
- G404: Insecure random number source (rand)
|
||||||
- G501: Import blacklist: crypto/md5
|
- G501: Import blacklist: crypto/md5
|
||||||
- G502: Import blacklist: crypto/des
|
- G502: Import blacklist: crypto/des
|
||||||
- G503: Import blacklist: crypto/rc4
|
- G503: Import blacklist: crypto/rc4
|
||||||
- G504: Import blacklist: net/http/cgi
|
- G504: Import blacklist: net/http/cgi
|
||||||
- G505: Import blacklist: crypto/sha1
|
- G505: Import blacklist: crypto/sha1
|
||||||
|
|
||||||
|
```bash
|
||||||
```
|
|
||||||
# Run a specific set of rules
|
# Run a specific set of rules
|
||||||
$ gosec -include=G101,G203,G401 ./...
|
$ gosec -include=G101,G203,G401 ./...
|
||||||
|
|
||||||
|
@ -73,12 +86,12 @@ $ gosec -include=G101,G203,G401 ./...
|
||||||
$ gosec -exclude=G303 ./...
|
$ gosec -exclude=G303 ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Excluding files:
|
### Excluding files
|
||||||
|
|
||||||
gosec will ignore dependencies in your vendor directory any files
|
gosec will ignore dependencies in your vendor directory any files
|
||||||
that are not considered build artifacts by the compiler (so test files).
|
that are not considered build artifacts by the compiler (so test files).
|
||||||
|
|
||||||
#### Annotating code
|
### Annotating code
|
||||||
|
|
||||||
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment.
|
||||||
|
|
||||||
|
@ -107,16 +120,17 @@ In some cases you may also want to revisit places where #nosec annotations
|
||||||
have been used. To run the scanner and ignore any #nosec annotations you
|
have been used. To run the scanner and ignore any #nosec annotations you
|
||||||
can do the following:
|
can do the following:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gosec -nosec=true ./...
|
||||||
```
|
```
|
||||||
$ gosec -nosec=true ./...
|
|
||||||
```
|
### Build tags
|
||||||
#### Build tags
|
|
||||||
|
|
||||||
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
|
gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer.
|
||||||
They can be provided as a comma separated list as follows:
|
They can be provided as a comma separated list as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ gosec -tag debug,ignore ./...
|
gosec -tag debug,ignore ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
### Output formats
|
### Output formats
|
||||||
|
@ -125,34 +139,35 @@ gosec currently supports text, json, yaml, csv and JUnit XML output formats. By
|
||||||
results will be reported to stdout, but can also be written to an output
|
results will be reported to stdout, but can also be written to an output
|
||||||
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
|
file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
# Write output in json format to results.json
|
# Write output in json format to results.json
|
||||||
$ gosec -fmt=json -out=results.json *.go
|
$ gosec -fmt=json -out=results.json *.go
|
||||||
```
|
```
|
||||||
### Development
|
|
||||||
|
|
||||||
#### Prerequisites
|
## Development
|
||||||
|
|
||||||
|
### Prerequisites
|
||||||
|
|
||||||
Install dep according to the instructions here: https://github.com/golang/dep
|
Install dep according to the instructions here: https://github.com/golang/dep
|
||||||
Install the latest version of golint: https://github.com/golang/lint
|
Install the latest version of golint: https://github.com/golang/lint
|
||||||
|
|
||||||
#### Build
|
### Build
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make
|
make
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Tests
|
### Tests
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make test
|
make test
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Release Build
|
### Release Build
|
||||||
|
|
||||||
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
|
Make sure you have installed the [goreleaser](https://github.com/goreleaser/goreleaser) tool and then you can release gosec as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
git tag 1.0.0
|
git tag 1.0.0
|
||||||
export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
|
export GITHUB_TOKEN=<YOUR GITHUB TOKEN>
|
||||||
make release
|
make release
|
||||||
|
@ -160,7 +175,7 @@ make release
|
||||||
|
|
||||||
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
|
The released version of the tool is available in the `dist` folder. The build information should be displayed in the usage text.
|
||||||
|
|
||||||
```
|
```bash
|
||||||
./dist/darwin_amd64/gosec -h
|
./dist/darwin_amd64/gosec -h
|
||||||
gosec - Golang security checker
|
gosec - Golang security checker
|
||||||
|
|
||||||
|
@ -174,35 +189,34 @@ BUILD DATE: 2018-04-27T12:41:38Z
|
||||||
|
|
||||||
Note that all released archives are also uploaded to GitHub.
|
Note that all released archives are also uploaded to GitHub.
|
||||||
|
|
||||||
#### Docker image
|
### Docker image
|
||||||
|
|
||||||
You can build the docker image as follows:
|
You can build the docker image as follows:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
make image
|
make image
|
||||||
```
|
```
|
||||||
|
|
||||||
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
|
You can run the `gosec` tool in a container against your local Go project. You just have to mount the project in the
|
||||||
`GOPATH` of the container:
|
`GOPATH` of the container:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
|
docker run -it -v $GOPATH/src/<YOUR PROJECT PATH>:/go/src/<YOUR PROJECT PATH> securego/gosec ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Generate TLS rule
|
### Generate TLS rule
|
||||||
|
|
||||||
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
|
The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
|
||||||
|
|
||||||
|
|
||||||
First you need to install the generator tool:
|
First you need to install the generator tool:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
go get github.com/securego/gosec/cmd/tlsconfig/...
|
go get github.com/securego/gosec/cmd/tlsconfig/...
|
||||||
```
|
```
|
||||||
|
|
||||||
You can invoke now the `go generate` in the root of the project:
|
You can invoke now the `go generate` in the root of the project:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
go generate ./...
|
go generate ./...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
381
install.sh
Normal file
381
install.sh
Normal file
|
@ -0,0 +1,381 @@
|
||||||
|
#!/bin/sh
|
||||||
|
set -e
|
||||||
|
# Code generated by godownloader on 2018-10-05T09:52:28Z. DO NOT EDIT.
|
||||||
|
#
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
this=$1
|
||||||
|
cat <<EOF
|
||||||
|
$this: download go binaries for securego/gosec
|
||||||
|
|
||||||
|
Usage: $this [-b] bindir [-d] [tag]
|
||||||
|
-b sets bindir or installation directory, Defaults to ./bin
|
||||||
|
-d turns on debug logging
|
||||||
|
[tag] is a tag from
|
||||||
|
https://github.com/securego/gosec/releases
|
||||||
|
If tag is missing, then the latest will be used.
|
||||||
|
|
||||||
|
Generated by godownloader
|
||||||
|
https://github.com/goreleaser/godownloader
|
||||||
|
|
||||||
|
EOF
|
||||||
|
exit 2
|
||||||
|
}
|
||||||
|
|
||||||
|
parse_args() {
|
||||||
|
#BINDIR is ./bin unless set be ENV
|
||||||
|
# over-ridden by flag below
|
||||||
|
|
||||||
|
BINDIR=${BINDIR:-./bin}
|
||||||
|
while getopts "b:dh?" arg; do
|
||||||
|
case "$arg" in
|
||||||
|
b) BINDIR="$OPTARG" ;;
|
||||||
|
d) log_set_priority 10 ;;
|
||||||
|
h | \?) usage "$0" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift $((OPTIND - 1))
|
||||||
|
TAG=$1
|
||||||
|
}
|
||||||
|
# this function wraps all the destructive operations
|
||||||
|
# if a curl|bash cuts off the end of the script due to
|
||||||
|
# network, either nothing will happen or will syntax error
|
||||||
|
# out preventing half-done work
|
||||||
|
execute() {
|
||||||
|
tmpdir=$(mktmpdir)
|
||||||
|
log_debug "downloading files into ${tmpdir}"
|
||||||
|
http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
|
||||||
|
http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
|
||||||
|
hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
|
||||||
|
srcdir="${tmpdir}"
|
||||||
|
(cd "${tmpdir}" && untar "${TARBALL}")
|
||||||
|
install -d "${BINDIR}"
|
||||||
|
for binexe in "gosec" ; do
|
||||||
|
if [ "$OS" = "windows" ]; then
|
||||||
|
binexe="${binexe}.exe"
|
||||||
|
fi
|
||||||
|
install "${srcdir}/${binexe}" "${BINDIR}/"
|
||||||
|
log_info "installed ${BINDIR}/${binexe}"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
is_supported_platform() {
|
||||||
|
platform=$1
|
||||||
|
found=1
|
||||||
|
case "$platform" in
|
||||||
|
darwin/amd64) found=0 ;;
|
||||||
|
linux/amd64) found=0 ;;
|
||||||
|
windows/amd64) found=0 ;;
|
||||||
|
esac
|
||||||
|
return $found
|
||||||
|
}
|
||||||
|
check_platform() {
|
||||||
|
if is_supported_platform "$PLATFORM"; then
|
||||||
|
# optional logging goes here
|
||||||
|
true
|
||||||
|
else
|
||||||
|
log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
tag_to_version() {
|
||||||
|
if [ -z "${TAG}" ]; then
|
||||||
|
log_info "checking GitHub for latest tag"
|
||||||
|
else
|
||||||
|
log_info "checking GitHub for tag '${TAG}'"
|
||||||
|
fi
|
||||||
|
REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
|
||||||
|
if test -z "$REALTAG"; then
|
||||||
|
log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# if version starts with 'v', remove it
|
||||||
|
TAG="$REALTAG"
|
||||||
|
VERSION=${TAG#v}
|
||||||
|
}
|
||||||
|
adjust_format() {
|
||||||
|
# change format (tar.gz or zip) based on ARCH
|
||||||
|
true
|
||||||
|
}
|
||||||
|
adjust_os() {
|
||||||
|
# adjust archive name based on OS
|
||||||
|
true
|
||||||
|
}
|
||||||
|
adjust_arch() {
|
||||||
|
# adjust archive name based on ARCH
|
||||||
|
true
|
||||||
|
}
|
||||||
|
|
||||||
|
cat /dev/null <<EOF
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
https://github.com/client9/shlib - portable posix shell functions
|
||||||
|
Public domain - http://unlicense.org
|
||||||
|
https://github.com/client9/shlib/blob/master/LICENSE.md
|
||||||
|
but credit (and pull requests) appreciated.
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
EOF
|
||||||
|
is_command() {
|
||||||
|
command -v "$1" >/dev/null
|
||||||
|
}
|
||||||
|
echoerr() {
|
||||||
|
echo "$@" 1>&2
|
||||||
|
}
|
||||||
|
log_prefix() {
|
||||||
|
echo "$0"
|
||||||
|
}
|
||||||
|
_logp=6
|
||||||
|
log_set_priority() {
|
||||||
|
_logp="$1"
|
||||||
|
}
|
||||||
|
log_priority() {
|
||||||
|
if test -z "$1"; then
|
||||||
|
echo "$_logp"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
[ "$1" -le "$_logp" ]
|
||||||
|
}
|
||||||
|
log_tag() {
|
||||||
|
case $1 in
|
||||||
|
0) echo "emerg" ;;
|
||||||
|
1) echo "alert" ;;
|
||||||
|
2) echo "crit" ;;
|
||||||
|
3) echo "err" ;;
|
||||||
|
4) echo "warning" ;;
|
||||||
|
5) echo "notice" ;;
|
||||||
|
6) echo "info" ;;
|
||||||
|
7) echo "debug" ;;
|
||||||
|
*) echo "$1" ;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
log_debug() {
|
||||||
|
log_priority 7 || return 0
|
||||||
|
echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
|
||||||
|
}
|
||||||
|
log_info() {
|
||||||
|
log_priority 6 || return 0
|
||||||
|
echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
|
||||||
|
}
|
||||||
|
log_err() {
|
||||||
|
log_priority 3 || return 0
|
||||||
|
echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
|
||||||
|
}
|
||||||
|
log_crit() {
|
||||||
|
log_priority 2 || return 0
|
||||||
|
echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
|
||||||
|
}
|
||||||
|
uname_os() {
|
||||||
|
os=$(uname -s | tr '[:upper:]' '[:lower:]')
|
||||||
|
case "$os" in
|
||||||
|
msys_nt) os="windows" ;;
|
||||||
|
esac
|
||||||
|
echo "$os"
|
||||||
|
}
|
||||||
|
uname_arch() {
|
||||||
|
arch=$(uname -m)
|
||||||
|
case $arch in
|
||||||
|
x86_64) arch="amd64" ;;
|
||||||
|
x86) arch="386" ;;
|
||||||
|
i686) arch="386" ;;
|
||||||
|
i386) arch="386" ;;
|
||||||
|
aarch64) arch="arm64" ;;
|
||||||
|
armv5*) arch="armv5" ;;
|
||||||
|
armv6*) arch="armv6" ;;
|
||||||
|
armv7*) arch="armv7" ;;
|
||||||
|
esac
|
||||||
|
echo ${arch}
|
||||||
|
}
|
||||||
|
uname_os_check() {
|
||||||
|
os=$(uname_os)
|
||||||
|
case "$os" in
|
||||||
|
darwin) return 0 ;;
|
||||||
|
dragonfly) return 0 ;;
|
||||||
|
freebsd) return 0 ;;
|
||||||
|
linux) return 0 ;;
|
||||||
|
android) return 0 ;;
|
||||||
|
nacl) return 0 ;;
|
||||||
|
netbsd) return 0 ;;
|
||||||
|
openbsd) return 0 ;;
|
||||||
|
plan9) return 0 ;;
|
||||||
|
solaris) return 0 ;;
|
||||||
|
windows) return 0 ;;
|
||||||
|
esac
|
||||||
|
log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
uname_arch_check() {
|
||||||
|
arch=$(uname_arch)
|
||||||
|
case "$arch" in
|
||||||
|
386) return 0 ;;
|
||||||
|
amd64) return 0 ;;
|
||||||
|
arm64) return 0 ;;
|
||||||
|
armv5) return 0 ;;
|
||||||
|
armv6) return 0 ;;
|
||||||
|
armv7) return 0 ;;
|
||||||
|
ppc64) return 0 ;;
|
||||||
|
ppc64le) return 0 ;;
|
||||||
|
mips) return 0 ;;
|
||||||
|
mipsle) return 0 ;;
|
||||||
|
mips64) return 0 ;;
|
||||||
|
mips64le) return 0 ;;
|
||||||
|
s390x) return 0 ;;
|
||||||
|
amd64p32) return 0 ;;
|
||||||
|
esac
|
||||||
|
log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
untar() {
|
||||||
|
tarball=$1
|
||||||
|
case "${tarball}" in
|
||||||
|
*.tar.gz | *.tgz) tar -xzf "${tarball}" ;;
|
||||||
|
*.tar) tar -xf "${tarball}" ;;
|
||||||
|
*.zip) unzip "${tarball}" ;;
|
||||||
|
*)
|
||||||
|
log_err "untar unknown archive format for ${tarball}"
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
mktmpdir() {
|
||||||
|
test -z "$TMPDIR" && TMPDIR="$(mktemp -d)"
|
||||||
|
mkdir -p "${TMPDIR}"
|
||||||
|
echo "${TMPDIR}"
|
||||||
|
}
|
||||||
|
http_download_curl() {
|
||||||
|
local_file=$1
|
||||||
|
source_url=$2
|
||||||
|
header=$3
|
||||||
|
if [ -z "$header" ]; then
|
||||||
|
code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
|
||||||
|
else
|
||||||
|
code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
|
||||||
|
fi
|
||||||
|
if [ "$code" != "200" ]; then
|
||||||
|
log_debug "http_download_curl received HTTP status $code"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
http_download_wget() {
|
||||||
|
local_file=$1
|
||||||
|
source_url=$2
|
||||||
|
header=$3
|
||||||
|
if [ -z "$header" ]; then
|
||||||
|
wget -q -O "$local_file" "$source_url"
|
||||||
|
else
|
||||||
|
wget -q --header "$header" -O "$local_file" "$source_url"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
http_download() {
|
||||||
|
log_debug "http_download $2"
|
||||||
|
if is_command curl; then
|
||||||
|
http_download_curl "$@"
|
||||||
|
return
|
||||||
|
elif is_command wget; then
|
||||||
|
http_download_wget "$@"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
log_crit "http_download unable to find wget or curl"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
http_copy() {
|
||||||
|
tmp=$(mktemp)
|
||||||
|
http_download "${tmp}" "$1" "$2" || return 1
|
||||||
|
body=$(cat "$tmp")
|
||||||
|
rm -f "${tmp}"
|
||||||
|
echo "$body"
|
||||||
|
}
|
||||||
|
github_release() {
|
||||||
|
owner_repo=$1
|
||||||
|
version=$2
|
||||||
|
test -z "$version" && version="latest"
|
||||||
|
giturl="https://github.com/${owner_repo}/releases/${version}"
|
||||||
|
json=$(http_copy "$giturl" "Accept:application/json")
|
||||||
|
test -z "$json" && return 1
|
||||||
|
version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
|
||||||
|
test -z "$version" && return 1
|
||||||
|
echo "$version"
|
||||||
|
}
|
||||||
|
hash_sha256() {
|
||||||
|
TARGET=${1:-/dev/stdin}
|
||||||
|
if is_command gsha256sum; then
|
||||||
|
hash=$(gsha256sum "$TARGET") || return 1
|
||||||
|
echo "$hash" | cut -d ' ' -f 1
|
||||||
|
elif is_command sha256sum; then
|
||||||
|
hash=$(sha256sum "$TARGET") || return 1
|
||||||
|
echo "$hash" | cut -d ' ' -f 1
|
||||||
|
elif is_command shasum; then
|
||||||
|
hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
|
||||||
|
echo "$hash" | cut -d ' ' -f 1
|
||||||
|
elif is_command openssl; then
|
||||||
|
hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
|
||||||
|
echo "$hash" | cut -d ' ' -f a
|
||||||
|
else
|
||||||
|
log_crit "hash_sha256 unable to find command to compute sha-256 hash"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
hash_sha256_verify() {
|
||||||
|
TARGET=$1
|
||||||
|
checksums=$2
|
||||||
|
if [ -z "$checksums" ]; then
|
||||||
|
log_err "hash_sha256_verify checksum file not specified in arg2"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
BASENAME=${TARGET##*/}
|
||||||
|
want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
|
||||||
|
if [ -z "$want" ]; then
|
||||||
|
log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
got=$(hash_sha256 "$TARGET")
|
||||||
|
if [ "$want" != "$got" ]; then
|
||||||
|
log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
cat /dev/null <<EOF
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
End of functions from https://github.com/client9/shlib
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
EOF
|
||||||
|
|
||||||
|
PROJECT_NAME="gosec"
|
||||||
|
OWNER=securego
|
||||||
|
REPO="gosec"
|
||||||
|
BINARY=gosec
|
||||||
|
FORMAT=tar.gz
|
||||||
|
OS=$(uname_os)
|
||||||
|
ARCH=$(uname_arch)
|
||||||
|
PREFIX="$OWNER/$REPO"
|
||||||
|
|
||||||
|
# use in logging routines
|
||||||
|
log_prefix() {
|
||||||
|
echo "$PREFIX"
|
||||||
|
}
|
||||||
|
PLATFORM="${OS}/${ARCH}"
|
||||||
|
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
|
||||||
|
|
||||||
|
uname_os_check "$OS"
|
||||||
|
uname_arch_check "$ARCH"
|
||||||
|
|
||||||
|
parse_args "$@"
|
||||||
|
|
||||||
|
check_platform
|
||||||
|
|
||||||
|
tag_to_version
|
||||||
|
|
||||||
|
adjust_format
|
||||||
|
|
||||||
|
adjust_os
|
||||||
|
|
||||||
|
adjust_arch
|
||||||
|
|
||||||
|
log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
|
||||||
|
|
||||||
|
NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH}
|
||||||
|
TARBALL=${NAME}.${FORMAT}
|
||||||
|
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
|
||||||
|
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
|
||||||
|
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
|
||||||
|
|
||||||
|
|
||||||
|
execute
|
Loading…
Reference in a new issue