diff --git a/rules/subproc.go b/rules/subproc.go
index 2513ec1..be100ad 100644
--- a/rules/subproc.go
+++ b/rules/subproc.go
@@ -62,5 +62,7 @@ func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 rule.Add("os/exec", "Command")
 rule.Add("os/exec", "CommandContext")
 rule.Add("syscall", "Exec")
+ rule.Add("syscall", "ForkExec")
+ rule.Add("syscall", "StartProcess")
 return rule, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff --git a/testutils/source.go b/testutils/source.go
index af69b27..66cb814 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1066,6 +1066,44 @@ func main() {
 }
 }`}, 0, gosec.NewConfig()},
 {[]string{`
+package main
+
+import (
+ "fmt"
+ "syscall"
+)
+
+func RunCmd(command string) {
+ _, err := syscall.ForkExec(command, []string{}, nil)
+ if err != nil {
+ fmt.Printf("Error: %v\n", err)
+ }
+}
+
+func main() {
+ RunCmd("sleep")
+}`}, 1, gosec.NewConfig(),
+ },
+ {[]string{`
+package main
+
+import (
+ "fmt"
+ "syscall"
+)
+
+func RunCmd(command string) {
+ _, err := syscall.StartProcess(command, []string{}, nil)
+ if err != nil {
+ fmt.Printf("Error: %v\n", err)
+ }
+}
+
+func main() {
+ RunCmd("sleep")
+}`}, 1, gosec.NewConfig(),
+ },
+ {[]string{`
 // starting a process with a variable as an argument
 // even if not constant is not considered as dangerous
 // because it has harcoded value
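Review bot: With syscall.ForkExec and syscall.StartProcess now registered, os.StartProcess — the os-package wrapper over the same syscall, which likewise takes the executable path as its first argument — is the remaining process-spawning entry point this rule does not match, so a variable flowing into it stays unreported. The rule is keyed on the (import path, name) pair, so `rule.Add("os", "StartProcess")` next to the two new lines would close that gap, paired with a sample in testutils/source.go like the ones this commit adds. NewSubproc's Match logic lies outside the hunk, so I am assuming it inspects arguments the same way for every registered call; if it special-cases argument positions per call, the new entries would need that handling checked too.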
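Review bot: Both new samples pin only the positive case — the parameter `command` used as argv0, expected count 1 — whereas the G204 table also carries negative cases, as the sample continuing right after this hunk ("not considered as dangerous because it has harcoded value") shows; a companion entry per call with a constant first argument, e.g. `_, err := syscall.ForkExec("/bin/sleep", []string{}, nil)` expected to yield 0, would catch the rule over-reporting on the two new registrations, assuming constants are suppressed for syscall calls the way that comment implies for os/exec. As a point of style, the new entries end with `1, gosec.NewConfig(),` followed by `},` on its own line, while the neighbouring entries close on a single `}, 0, gosec.NewConfig()},` line; folding the closer onto one line keeps the table uniform. The enclosing sample slice begins before this hunk.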