Commit graph

1071 commits

Author SHA1 Message Date
Cosmin Cojocar
0396179112
Update go version to 1.23.1 and 1.22.7 (#1216)
Change-Id: I2c5ad3b96a96470ce663de84d767590b842990ac

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-09 15:29:43 +02:00
renovate[bot]
5e53c8b9f7
chore(deps): update all dependencies (#1215)
* chore(deps): update all dependencies

* Update go.mod

* Update go.mod

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-09-09 15:20:27 +02:00
Cosmin Cojocar
014751c91c
Update gosec version to v2.21.1 in github action (#1213)
Change-Id: I0dda98f91eabc1881c55cb886425acf62a000002

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 17:22:49 +02:00
Cosmin Cojocar
0ce4453ddd
Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210)
Change-Id: If3500ec2c522339ca0a4e6c1f58574ce3cc870a9

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:56:15 +02:00
Cosmin Cojocar
ea26e8431f
Update gosec in github action to v2.21.0 (#1208)
Change-Id: Ia6a5cc01472103d435cd5931aaef98a71a0a89f2

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:49:35 +02:00
Cosmin Cojocar
b278b40c52
Update cosign version to v2.4.0 in release github workflow (#1207)
Change-Id: I78b4ad65597f6c10d9cc3113864fd73a25101b25

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:22:00 +02:00
czechbol
eaedce9a8b
Improvement the int conversion overflow logic to handle bound checks (#1194)
* add test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* tweak test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix codestyle

Signed-off-by: czechbol <adamludes@gmail.com>

* improve bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* max recursion depth

Signed-off-by: czechbol <adamludes@gmail.com>

* add test case for len function

Signed-off-by: czechbol <adamludes@gmail.com>

* relax len function bounds checks

Co-authored-by: Ben Krieger <ben.krieger@intel.com>

* handle cases when convert instruction is after the if blocks

Signed-off-by: czechbol <adamludes@gmail.com>

* improve range check discovery, add tests

Signed-off-by: czechbol <adamludes@gmail.com>

* refactor for readability

Signed-off-by: czechbol <adamludes@gmail.com>

* add cap function test

Signed-off-by: czechbol <adamludes@gmail.com>

* calculate signed min without throwing overflow warnings

Signed-off-by: czechbol <adamludes@gmail.com>

* perform bounds checks int size calculations

Signed-off-by: czechbol <adamludes@gmail.com>

* basic equal operator logic

Signed-off-by: czechbol <adamludes@gmail.com>

* uintptr -> unsafe.Pointer test case

Signed-off-by: czechbol <adamludes@gmail.com>

* fix review comments

Signed-off-by: czechbol <adamludes@gmail.com>

* Rebase and fix go module

Change-Id: I8da6495eaaf25b1739389aa98492bd7df338085b
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* fix false positive for negated value

Signed-off-by: czechbol <adamludes@gmail.com>

* fix range conditions

Signed-off-by: czechbol <adamludes@gmail.com>

* Ignore the golangci/gosec G115 warning

Change-Id: I0db56cb0a5f9ab6e815e2480ec0b66d7061b23d3
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: czechbol <adamludes@gmail.com>
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:09:54 +02:00
William Bergeron-Drouin
ea5b2766bb
fix: G602 support for nested conditionals with bounds check (#1201)
* Recursive fix

* Add some more test cases

* Fix formatting

* Add depth check
2024-09-04 11:07:42 +02:00
Cosmin Cojocar
11d69032b0 Update go.mod to sue go 1.22.0 toolchain 2024-09-02 09:46:29 +02:00
renovate[bot]
655527dfb4 chore(deps): update all dependencies 2024-09-02 09:46:29 +02:00
Cosmin Cojocar
0898560169 Make variable name more clear
Change-Id: I5b863c0da6cc3d01efa527c60c93fdcbc8c5a53c
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
ac67231ec5 Make variable names more explicity and reduce duplications
Change-Id: Ifa141b70351136cfe7d0756a83e8166a24b5d538
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
e0414c4640 Fix formatting
Change-Id: I49caeb75f1bd7ecdb9b4f99466d96ad81e2e95ac
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
c7003fc7e5 Refactor to reduce some fuctions and variable names
Change-Id: I7f42c1de4e39dceb8e8144037d5af9223331ff06
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
2401936458 Pass the value argument directly since is an interface
The value doens't require to be passed as a pointer since is a
interface.

Change-Id: Ia21bceb5f315f4c30bd28425d62f678e9203e93f
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Dimitar Banchev
f5d312825f Added suggested changes 2024-08-30 19:35:07 +02:00
Dimitar Banchev
a14ca4ac59 Added another test case in order to increase code coverage 2024-08-30 19:35:07 +02:00
Dimitar Banchev
a6dd589bae Removed function parameter which is always the same 2024-08-30 19:35:07 +02:00
Dimitar Banchev
b4c746962f Formatting problems(CI was not passing) 2024-08-30 19:35:07 +02:00
Dimitar Banchev
7f8f654235 Updated analyzer to use new way of initialization
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a26215cf23 Migrated the rule to the analyzers folder 2024-08-30 19:35:07 +02:00
Dimitar Banchev
3f6e1e7326 Refractored code a little bit 2024-08-30 19:35:07 +02:00
Dimitar Banchev
0eb8143c23 Added new rule G407(hardcoded IV/nonce)
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:

* The different modes of AES (mainly tested here)
* It should be able to work with ascon

Currently the rules doesn't check when constant variables are used.

TODO: Improve the rule, to detected for constatant variable usage
2024-08-30 19:35:07 +02:00
Ben Krieger
4ae73c8ba3 Fix conversion overflow false positive when using ParseUint 2024-08-28 08:58:42 +02:00
Cosmin Cojocar
c52dc0ea4e Add a build step to measure the scan perfomance
This step will measure the scan performance difference against the
master version.

Change-Id: I1b9196ef3348350cf818471f55d9024d14064ac6
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-26 19:08:32 +02:00
czechbol
bcec04e784 Fix conversion overflow false positives when they are checked or pre-determined
Signed-off-by: czechbol <adamludes@gmail.com>
2024-08-26 16:57:12 +02:00
Cosmin Cojocar
71e397b994 Update go.mod 2024-08-26 16:47:36 +02:00
renovate[bot]
aec45b0b7d chore(deps): update all dependencies 2024-08-26 16:47:36 +02:00
Cosmin Cojocar
ab3f6c1c83 Fix false positive in conversion overflow check from uint8/int8 type
Change-Id: I543545e22fa12de0d85dcf92664a0a54e8f7244a
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-22 09:47:52 +02:00
Cosmin Cojocar
a39ec5a16b Disable staticcheck SA1019 rule
Change-Id: Ia9db0083f5ffb34d911b5ca491ef0ce23be979f8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
a1b2ab80af Update the golangci linters
Change-Id: I8938d57e9751913f65b4825a44c252b31888f9e8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
8467f012e0 Add more test to cover more use cases for G115 rule
Change-Id: Icb60fe14ae12439c1ee0e507a407a23ce4c64c85
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally (#1180)
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Cosmin Cojocar
18135b439c
Update to Go 1.23.0 (#1183)
Change-Id: I11a6402e85ac543305e8bad4ea35239779424dd6

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-19 09:17:50 +02:00
renovate[bot]
91c708a620
chore(deps): update all dependencies (#1182)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-19 08:58:30 +02:00
Cosmin Cojocar
92bac42afc
Read the AI API key also from an environment variable (#1181)
* Read the AI API key also from an environment variable

Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* Fix lint warning

Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-18 17:59:45 +02:00
Tran The Lam
56f943b802
Add support to generate auto fixes using LLM (AI) (#1177)
This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on Gemini API to get a suggestion for a solution. This can be later extended, to integrate also other AI providers.

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-12 12:52:41 +02:00
renovate[bot]
f33fd4bf29 chore(deps): update all dependencies 2024-08-12 10:21:07 +02:00
renovate[bot]
55a47f3774 chore(deps): update all dependencies 2024-08-05 17:38:32 +02:00
renovate[bot]
a5d9ef67e2 chore(deps): update all dependencies 2024-07-29 10:58:28 +02:00
renovate[bot]
68424445af chore(deps): update dependency babel-standalone to v7.24.10 2024-07-23 11:43:16 +02:00
Alex Gartner
08b94f9392 Resolve underlying type to detect overflows in type aliases 2024-07-20 10:06:43 +02:00
renovate[bot]
4487a0c5a2 chore(deps): update dependency babel-standalone to v7.24.8 2024-07-15 09:13:59 +02:00
Alex Gartner
007626773c Fix multifile ignores 2024-07-15 09:00:36 +02:00
Alex Gartner
2f1b81b889 Add -enable-audit cli flag 2024-07-13 11:25:25 +02:00
Cosmin Cojocar
87fcb9b95b Update to go 1.22.5 and 1.21.12
Change-Id: I3334016ed2714ce4aed959d7f19a33e220c000e4
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-07-08 16:00:12 +02:00
renovate[bot]
466992feca chore(deps): update all dependencies 2024-07-08 15:49:41 +02:00
Dimitar Banchev
9a4a741e6b Added more rules
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
6382394ce8 Fixed coverage workflow
* Renamed file(removed space)
* Changed the expected issues ( 1 -> 2)
2024-06-24 15:25:54 +02:00
Dimitar Banchev
5666ea35ba Fixed CI workflow
The CI workflow wasn't able to complete succesfully.

* Formatted the call_list_test.go file
2024-06-24 15:25:54 +02:00