Tim Kelsey
7e1d7ee0fe
Merge pull request #33 from HewlettPackard/config_fix
Fixing config
2016-08-05 11:05:16 +01:00
Tim Kelsey
da55fd1326
Fixing config
It should have been in the context object, not the analyzer
2016-08-05 11:04:06 +01:00
Grant Murphy
84f0162a80
Merge pull request #32 from HewlettPackard/resolve_1
Try to resolve all elements in an expression to a known const
2016-08-03 09:32:56 -07:00
Tim Kelsey
d2d49f1c8c
Try to resolve all elements in an expression to a known const
This is used in the subprocess launching test but will be added to
others as applicable.
This also closes #28
2016-08-03 17:21:48 +01:00
Grant Murphy
12d370b11b
Merge pull request #31 from HewlettPackard/config
Adding a config block to the analyzer, parsed from JSON
2016-08-01 09:46:02 -07:00
Tim Kelsey
d4367de2e2
Adding a config block to the analyzer, parsed from JSON
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Grant Murphy
8261ee58d6
Merge pull request #29 from HewlettPackard/fix_regexp
Fix incorrect regexp matches
2016-07-30 15:16:08 -07:00
Grant Murphy
cee5fad4c3
Fix incorrect regexp matches
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression `^ioutils.WriteFile$` would match
ioutils.WriteFile, but also ioutils_WriteFile.
Additionally made sure that all regexp were declared using raw
strings to avoid any unnecessary string escaping that potentially
makes the regexp difficult to read.
2016-07-30 13:29:33 -07:00
Grant Murphy
0bf1ece211
Merge pull request #27 from cwkuo/fix-windows-file-contains
Fix os.IsExist() condition in filelist.Contains()
2016-07-29 08:50:28 -07:00
cwkuo
0737ea6b04
Fix os.IsExist() condition in filelist.Contains()
2016-07-29 22:40:47 +08:00
Grant Murphy
b659538aa8
Merge pull request #26 from HewlettPackard/fix_annotations
Fixing annotations
2016-07-29 07:24:05 -07:00
Tim Kelsey
68aac2539a
Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it won't be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Grant Murphy
28f0f1abe8
Merge pull request #23 from csstaub/cs/detect-math-rand
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand
2016-07-28 11:26:34 -07:00
Tim Kelsey
c5d271566c
Merge pull request #24 from csstaub/cs/smarter-creds-check
Smarter hard-coded credentials check
2016-07-28 10:31:33 +01:00
Tim Kelsey
e86addbfea
Merge pull request #22 from csstaub/cs/csv
Use encoding/csv for CSV output
2016-07-28 10:25:27 +01:00
Cedric Staub
3cd0ebee96
Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Cedric Staub
2ec102c7bf
Use encoding/csv for CSV output
The encoding/csv package will take care of quoting, double-quoting,
and other CSV quirks -- avoids having to fiddle with text templates.
2016-07-27 20:55:09 -07:00
Grant Murphy
81b5e98828
Merge pull request #21 from HewlettPackard/better_sql
Better SQLi testing
2016-07-27 08:00:09 -07:00
Tim Kelsey
3e4d96ef3e
Better SQLi testing
This prevents the string concat tests flagging a false positive if
joining two literal strings (e.g. "SELECT * FROM " + " table" ... )
or with a constant (e.g. const tab = "name"; "SELECT * from " + tab)
2016-07-27 15:47:07 +01:00
Tim Kelsey
2d0a26dafe
Merge pull request #18 from HewlettPackard/issue16
Expand cases accepted by -exclude
2016-07-27 09:47:47 +01:00
Tim Kelsey
48910f5866
Merge pull request #20 from hyakuhei/Fix_Readme
Fixed-up some language in README.md
2016-07-27 09:45:52 +01:00
Robert Clark
9651a40525
Fixed-up some language in README.md
2016-07-27 09:36:13 +01:00
Grant Murphy
0dd7ec9c3c
Merge pull request #19 from HewlettPackard/issue17
Fix exclude documentation
2016-07-26 21:54:43 -07:00
Grant Murphy
1cff72694b
Fix exclude documentation
Closes issue #17
2016-07-26 21:53:45 -07:00
Grant Murphy
a7ebf35465
Expand cases accepted by -exclude
The exclude flag was only using filepath.Match which isn't intuitive
compared with some other command line tools. Added a couple of
additional cases to handle relative paths.
Fixes issue #16
2016-07-26 21:47:09 -07:00
Tim Kelsey
debb1f5b08
Merge pull request #14 from csstaub/cs/fix-json
Use encoding/json for -fmt json output
2016-07-26 17:50:44 +01:00
Cedric Staub
271cff19f7
Use encoding/json for -fmt json output
2016-07-25 16:40:49 -07:00
Grant Murphy
50fb7f4217
Merge pull request #10 from HewlettPackard/issue9
Handle import error rather than panic on failure
2016-07-25 16:17:02 -07:00
Grant Murphy
37cc56d425
Merge pull request #11 from csstaub/cs/fix-json
Make sure -fmt json produces valid output
2016-07-25 16:16:29 -07:00
Cedric Staub
c6e25a9b64
Make sure -fmt json produces valid output
2016-07-25 16:10:00 -07:00
Grant Murphy
2f84b67a47
Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Grant Murphy
9ce14dc683
Disclaimer about project status
2016-07-25 09:51:19 -07:00
Tim Kelsey
f9bf428e75
Merge pull request #6 from HewlettPackard/tools
Check input files and handle panic condition
2016-07-25 09:40:18 +01:00
Grant Murphy
0bd254c2eb
Check input files and handle panic condition
2016-07-22 11:07:23 -07:00
Grant Murphy
e2caa921fe
Merge pull request #5 from HewlettPackard/docs
Update the README to include newer rules
2016-07-22 07:55:53 -07:00
Grant Murphy
2cac3900fb
Update the README to include newer rules
2016-07-22 07:50:30 -07:00
Grant Murphy
59deedb2f3
Merge pull request #4 from HewlettPackard/httpoxy
Adding check for httpoxy
2016-07-21 09:26:11 -07:00
Tim Kelsey
361593394e
Adding check for httpoxy
Go code running under CGI is vulnerable to the httpoxy attack. See
https://httpoxy.org/. This checks for an import of net/http/cgi,
which might indicate code that may be run under CGI.
Closes #1
2016-07-21 16:30:09 +01:00
Tim Kelsey
4f3d620d37
Initial public release
2016-07-20 15:56:32 +01:00