* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:
* The different modes of AES (mainly tested here)
* It should be able to work with ascon
Currently the rules doesn't check when constant variables are used.
TODO: Improve the rule, to detected for constatant variable usage
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
Now the G401 rule is split into hashing and encryption algorithms.
G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
It seems that the os.Create will create by default a file with 0666 permissions.
This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
* Added slice bounds testing for slice expressions.
* Added checking slice index.
* Added test for reassigning slice.
* Store capacities on reslicing.
* Scope change clears map. Func name used to track slices.
* Map CallExpr to check bounds when passing to functions.
* Fixed linter errors.
* Updated rulelist with CWE mapping.
* Added comment for NewSliceBoundCheck.
* Addressed nil cap runtime error.
* Replaced usage of nil in call arg map with dummy callexprs.
* Updated comments, wrapped error return, addressed other review concerns.
* G101 now checks LHS of ValueAssignments for patternValue.
* Added matching string literals in equality check.
* Added patternValue matching for ValueSpec.
* Ran gci to fix linter error.
* Added tests and updated regex to be more inclusive.
* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.
* Resolved unhandled error and added more tests.
* Flattened code to make it more readable.
* Added better comments.
* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.
* Gofmt'ed the test cases.
* Remove read only types from unsafe defer rules
* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed
This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.
* Mentioned in documentation that rule G307 is retired
* Clean up the test for rule G307
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is the CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
