Commit graph

237 commits

Author SHA1 Message Date
Oleksandr Redko
92de0ee7a2
Replace old golang.org links with new go.dev (#1271)
Some checks are pending
CI / test (map[go:1.22.10 golangci:latest]) (push) Waiting to run
CI / test (map[go:1.23.4 golangci:latest]) (push) Waiting to run
CI / coverage (push) Blocked by required conditions
Security Scan / build (push) Waiting to run
2024-12-16 15:18:51 +01:00
Oleksandr Redko
399e835157 Fix typos in comments and fields 2024-11-30 10:37:42 +01:00
Dimitar Banchev
7f8f654235 Updated analyzer to use new way of initialization
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a26215cf23 Migrated the rule to the analyzers folder 2024-08-30 19:35:07 +02:00
Dimitar Banchev
3f6e1e7326 Refractored code a little bit 2024-08-30 19:35:07 +02:00
Dimitar Banchev
0eb8143c23 Added new rule G407(hardcoded IV/nonce)
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:

* The different modes of AES (mainly tested here)
* It should be able to work with ascon

Currently the rules doesn't check when constant variables are used.

TODO: Improve the rule, to detected for constatant variable usage
2024-08-30 19:35:07 +02:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally (#1180)
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Dimitar Banchev
9a4a741e6b Added more rules
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
fc0957f6a3 Minor changes
* Renamed the file responsible for rule G401
* Removed copyright of HP from the new rule
2024-06-24 15:25:54 +02:00
Dimitar Banchev
58e4fccc13 Split the G401 rule into two separate ones
Now the G401 rule is split into hashing and encryption algorithms.

G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
2024-06-24 15:25:54 +02:00
Cosmin Cojocar
ed3f51e663 Add more types to templates rule
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 10:39:33 +02:00
Cosmin Cojocar
4bf5667f66 Add a new rule to detect integer overflow on integer types conversion
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
6fbd381238 Catch os.ModePerm permissions in os.WriteFile
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-14 15:33:23 +02:00
Cosmin Cojocar
417a44c73b Add filepath.EvalSymlinks to clean functions in rule G304
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-13 17:19:29 +02:00
Hiroki Yorimitsu
be378e682f Add support for math/rand/v2 added in Go 1.22 2024-03-07 16:33:18 +01:00
Cosmin Cojocar
36878a9423 Skip the G601 tests for Go version 1.22
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2024-03-07 12:23:46 +01:00
Janusz Marcinkiewicz
f25ccd9fb5 Ignore 'implicit memory aliasing' rule for Go 1.22+
Signed-off-by: Janusz Marcinkiewicz <januszm@nvidia.com>
2024-03-04 10:24:32 +01:00
Quentin Laplanche
c824a5d308 fix(hardcoded): remove duplicated Stripe API Key 2024-02-13 10:02:03 +01:00
Cosmin Cojocar
616520f44f
Update the list of unsafe functions detected by the unsafe rule (#1033)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-10 09:47:36 +02:00
Cosmin Cojocar
4def3a4eb0 Fix lint warning
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
0d332a1027 Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
It seems that the os.Create will create by default a file with 0666 permissions.

This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
6c93653a29
Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
* Fix hardcoded_credentials rule to only match on more specific patterns

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix lint warnings

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

* Fix double escape in regexps

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

---------

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-05 18:00:02 +02:00
Cosmin Cojocar
beef1250a4
Exclude maps from slince bounce check rule (#1006)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-08-23 17:17:14 +02:00
Alexander Yastrebov
21d13c9a9b
Ignore struct pointers in G601 (#1003)
Updates https://github.com/securego/gosec/issues/966

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2023-08-18 17:05:17 +02:00
Audun
bf7feda2b9
fix: correctly identify infixed concats as potential SQL injections (#987) 2023-07-25 17:13:07 +02:00
Cosmin Cojocar
36f69332a4
Switch to a maintained fork of zxcvbn module (#984)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-07-17 12:47:26 +02:00
Morgen Malinoski
a018cf0fbb
Feature: G602 Slice Bound Checking (#973)
* Added slice bounds testing for slice expressions.

* Added checking slice index.

* Added test for reassigning slice.

* Store capacities on reslicing.

* Scope change clears map. Func name used to track slices.

* Map CallExpr to check bounds when passing to functions.

* Fixed linter errors.

* Updated rulelist with CWE mapping.

* Added comment for NewSliceBoundCheck.

* Addressed nil cap runtime error.

* Replaced usage of nil in call arg map with dummy callexprs.

* Updated comments, wrapped error return, addressed other review concerns.
2023-06-21 09:56:36 +02:00
Morgen Malinoski
abeab1092d
Feature: G101 match variable values and names (#971)
* G101 now checks LHS of ValueAssignments for patternValue.

* Added matching string literals in equality check.

* Added patternValue matching for ValueSpec.

* Ran gci to fix linter error.

* Added tests and updated regex to be more inclusive.

* Addressed short-circuit eval for isHighEntropy and non-standard ok variable.

* Resolved unhandled error and added more tests.

* Flattened code to make it more readable.

* Added better comments.

* Added new regex for Google API Key, GitHub PAT, and GoogleOAuth.

* Gofmt'ed the test cases.
2023-06-15 10:18:03 +02:00
futuretea
bd58600acf Recognize struct field in G601
Signed-off-by: futuretea <1913508671@qq.com>
2023-06-02 17:17:10 +02:00
Oleksandr Redko
1f689968ec Fix typos in comments, vars and tests 2023-05-30 08:26:41 +02:00
Matthieu MOREL
d6aeaad931
correct gci linter (#946)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-30 09:31:24 +02:00
Cosmin Cojocar
6a73248135 Fix some linting warnings 2023-03-20 10:25:45 +01:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file 2023-03-08 14:42:45 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
de2c6a36fa Extract the issue in its own package 2023-02-16 09:45:28 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917)
* Update hardcoded_credentials.go

adaper equal expr which const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapter const == key hardcoded, add testcases
2023-01-31 09:52:37 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script

* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean

* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911) 2023-01-09 15:10:44 +01:00
Alexey Ivanov
dabc7dc27e
Auto-detect TLS MinVersion integer base (#903) 2022-12-12 09:30:06 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check

* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic

* fileperms: add failing test

* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00