* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:
* The different modes of AES (mainly tested here)
* It should be able to work with ascon
Currently the rules doesn't check when constant variables are used.
TODO: Improve the rule, to detected for constatant variable usage
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
Now the G401 rule is split into hashing and encryption algorithms.
G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
* Added slice bounds testing for slice expressions.
* Added checking slice index.
* Added test for reassigning slice.
* Store capacities on reslicing.
* Scope change clears map. Func name used to track slices.
* Map CallExpr to check bounds when passing to functions.
* Fixed linter errors.
* Updated rulelist with CWE mapping.
* Added comment for NewSliceBoundCheck.
* Addressed nil cap runtime error.
* Replaced usage of nil in call arg map with dummy callexprs.
* Updated comments, wrapped error return, addressed other review concerns.
* G101 now checks LHS of ValueAssignments for patternValue.
* Added matching string literals in equality check.
* Added patternValue matching for ValueSpec.
* Ran gci to fix linter error.
* Added tests and updated regex to be more inclusive.
* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.
* Resolved unhandled error and added more tests.
* Flattened code to make it more readable.
* Added better comments.
* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.
* Gofmt'ed the test cases.
* Remove read only types from unsafe defer rules
* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed
This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.
* Mentioned in documentation that rule G307 is retired
* Clean up the test for rule G307
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is the CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
* feat: add concurrency option to parallelize package loading
* refactor: move wg.add inside the for loop
* fix: gracefully stop the workers on error
* test: add test for concurrent scan
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Report for Golang errors
Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.
The real problem here is that the user will never know about the issue if he generates the output in a file.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
* Add a semantic version to the usage text
* Add a comment to the version function
* Inject the version, git tag and build date as build variables
* Update README
* Fix lint warnings
* Update README
* Manage dependencies with dep tool instead of godep
* Add a Makefile for common build tasks
* Update the build file to use the make tool
* Update Dockerfile
* Add docker entry point in to make the passing of arguments easy
* Update README
* Add missing tools to the build
* Drop 1.7 support and add 1.10
* Fix Go 1.10 according with the travis guidelines
https://docs.travis-ci.com/user/languages/go/
* Update the tls-observatory package
* Fix lint warnings
* Change the output of the tests to be more verbose
* Check if the are build errors before executing the rule test
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
