Commit graph

1028 commits

Author SHA1 Message Date
Grant Murphy
28f0f1abe8 Merge pull request #23 from csstaub/cs/detect-math-rand
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand 2016-07-28 11:26:34 -07:00
Tim Kelsey
c5d271566c Merge pull request #24 from csstaub/cs/smarter-creds-check
Smarter hard-coded credentials check
2016-07-28 10:31:33 +01:00
Tim Kelsey
e86addbfea Merge pull request #22 from csstaub/cs/csv
Use encoding/csv for CSV output
2016-07-28 10:25:27 +01:00
Cedric Staub
3cd0ebee96 Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Cedric Staub
2ec102c7bf Use encoding/csv for CSV output
The encoding/csv package will take care of quoting, double-quoting,
and other CSV quirks -- avoids having to fiddle with text templates.
2016-07-27 20:55:09 -07:00
Grant Murphy
81b5e98828 Merge pull request #21 from HewlettPackard/better_sql
Better SQLi testing
2016-07-27 08:00:09 -07:00
Tim Kelsey
3e4d96ef3e Better SQLi testing
This prevents the string concat tests flagging a false positive if
joining two literal strings (eg "SELECT * FROM " + " table" ... )
or with a constant (eg const tab = "name"; "SELECT * from " + tab)
2016-07-27 15:47:07 +01:00
Tim Kelsey
2d0a26dafe Merge pull request #18 from HewlettPackard/issue16
Expand cases accepted by -exclude
2016-07-27 09:47:47 +01:00
Tim Kelsey
48910f5866 Merge pull request #20 from hyakuhei/Fix_Readme
Fixed-up some language in README.md
2016-07-27 09:45:52 +01:00
Robert Clark
9651a40525 Fixed-up some language in README.md 2016-07-27 09:36:13 +01:00
Grant Murphy
0dd7ec9c3c Merge pull request #19 from HewlettPackard/issue17
Fix exclude documentation
2016-07-26 21:54:43 -07:00
Grant Murphy
1cff72694b Fix exclude documentation
Closes issue #17
2016-07-26 21:53:45 -07:00
Grant Murphy
a7ebf35465 Expand cases accepted by -exclude
The exclude flag was only using filepath.Match which isn't intuitive
compared with some other command line tools. Added a couple of
additional cases to handle relative paths.

Fixes issue #16
2016-07-26 21:47:09 -07:00
Tim Kelsey
debb1f5b08 Merge pull request #14 from csstaub/cs/fix-json
Use encoding/json for -fmt json output
2016-07-26 17:50:44 +01:00
Cedric Staub
271cff19f7
Use encoding/json for -fmt json output 2016-07-25 16:40:49 -07:00
Grant Murphy
50fb7f4217 Merge pull request #10 from HewlettPackard/issue9
Handle import error rather than panic on failure
2016-07-25 16:17:02 -07:00
Grant Murphy
37cc56d425 Merge pull request #11 from csstaub/cs/fix-json
Make sure -fmt json produces valid output
2016-07-25 16:16:29 -07:00
Cedric Staub
c6e25a9b64
Make sure -fmt json produces valid output 2016-07-25 16:10:00 -07:00
Grant Murphy
2f84b67a47 Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Grant Murphy
9ce14dc683 Disclaimer about project status 2016-07-25 09:51:19 -07:00
Tim Kelsey
f9bf428e75 Merge pull request #6 from HewlettPackard/tools
Check input files and handle panic condition
2016-07-25 09:40:18 +01:00
Grant Murphy
0bd254c2eb Check input files and handle panic condition 2016-07-22 11:07:23 -07:00
Grant Murphy
e2caa921fe Merge pull request #5 from HewlettPackard/docs
Update the README to include newer rules
2016-07-22 07:55:53 -07:00
Grant Murphy
2cac3900fb Update the README to include newer rules 2016-07-22 07:50:30 -07:00
Grant Murphy
59deedb2f3 Merge pull request #4 from HewlettPackard/httpoxy
Adding check for httpoxy
2016-07-21 09:26:11 -07:00
Tim Kelsey
361593394e Adding check for httpoxy
Go code running under CGI is vulnerable to httpoxy attack. See
https://httpoxy.org/ this checks for an import of net/http/cgi
that might indicate code may be run under CGI.

closes #1
2016-07-21 16:30:09 +01:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00