Commit graph

540 commits

Author SHA1 Message Date
Cosmin Cojocar
950e84c3fa Handle errors to fix lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:18 +02:00
Cosmin Cojocar
ee73b9e94b Remove dep and Use only Go modules to manage dependencies
Update the depenendencies to latest versions

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:18 +02:00
Naoya Yoshizawa
85d180848d Go modules support for 1.12 (#297)
* support go module

* fix implement and uncommented out tests

* includes test package

* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
kencrawford
eaba99df37 fix comment. 2019-03-21 07:30:14 +10:00
kencrawford
4cd14f9068 remove panic 2019-03-21 07:30:14 +10:00
kencrawford
66e7c8d8f8 Extract to a constant 2019-03-21 07:30:14 +10:00
kencrawford
1b28d323d8 fix sonarIssues struct 2019-03-21 07:30:14 +10:00
kencrawford
8eab50eb17 update README.md to add support of sonarqube. 2019-03-21 07:30:14 +10:00
kencrawford
989eb3ff88 Update Hound errors 2019-03-21 07:30:14 +10:00
kencrawford
ddfe54d0a0 Add sonarqube output 2019-03-21 07:30:14 +10:00
JulesDT
c5e6c4aedd fix no-fail flag logic 2019-03-19 08:11:02 +10:00
Cosmin Cojocar
2bd007e968 Update README 2019-03-06 17:18:50 +10:00
Cosmin Cojocar
8b27d1c091 Update go version to 1.11.5 in the docker file 2019-03-06 17:18:50 +10:00
Liam Galvin
9cd538fcf2 Fix README typo 2019-03-06 08:14:35 +10:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Martin Vrachev
9cdfec40ca Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
Cosmin Cojocar
8048b15efa Add more badges in the README file 2019-02-13 11:46:36 +01:00
Joaquin L. Pereyra
e2752bc191 revert to default GOPATH if necessary (#279)
* revert to default GOPATH if necessary
2019-02-07 09:34:52 +10:00
JulesDT
04ce7baf6c add a no-fail flag 2019-01-28 09:38:18 +01:00
Joaquin L. Pereyra
a966ff760c Fix -conf example in README.md
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as did not include final dot to examine the current pkg.
2019-01-22 15:33:45 +01:00
Cosmin Cojocar
b6626154df Fix typo 2019-01-18 11:09:41 +01:00
Cosmin Cojocar
5d33e6ebe1 Update the README with some details about the configuration file
fixes #269
2019-01-18 11:09:41 +01:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
12400f9a1c Update README with the code coverage batch 2018-12-11 18:15:58 +01:00
Cosmin Cojocar
72e95e88ac Geneate and upload the test coverage report to codecove.io 2018-12-11 17:08:31 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address in provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
f14f17fb1d Add a helper function which extracts the string parameters values of a call expression 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
2695567487 Build the code sample for string builder only fron Go 1.10 onwards 2018-11-11 09:57:28 +01:00
Cosmin Cojocar
ae82798b9c Fix the WriteSring test by handling the error 2018-11-11 09:57:28 +01:00
Edoardo Tenani
adb42220da whitelist strings.Builder method in rule G104 2018-11-11 09:57:28 +01:00
Edoardo Tenani
9b966a447e add test case for strings.Builder G104 whitelist inclusion 2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4 Make G201 ignore CallExpr with no args (#262) 2018-11-05 09:28:47 +01:00
Yuki Ito
443f84fd4d Fix golint link (#263) 2018-11-05 09:13:26 +01:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
e0a150bfa3
Merge pull request #254 from kishaningithub/253
Add install.sh script and update readme
2018-10-05 13:12:28 +02:00
Kishan B
97bc137c5b Add CI Installation steps and correct markdown lint errors 2018-10-05 15:27:14 +05:30
Kishan B
8c09a83248 Add install.sh script 2018-10-05 15:26:13 +05:30
Cosmin Cojocar
d032909e3f
Merge pull request #251 from NeverOddOrEven/fix-html-template
Fix the html template
2018-10-04 09:39:56 +02:00
NeverOddOrEven
027dc2b8a7 This fixes the html template when using '-fmt=html'
- resolves HTML escaping issues within the template
 - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
2018-10-03 13:31:59 -05:00
Cosmin Cojocar
f9b41874b1
Merge pull request #249 from andrewhsu/go
bump Dockerfile golang from 1.10 to 1.11
2018-10-03 08:35:47 +02:00
Andrew Hsu
1ecd47e007 bump Dockerfile golang from 1.10 to 1.11
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-10-03 00:28:39 +00:00
Cosmin Cojocar
2cc6838ca3
Merge pull request #248 from ccojocar/code-samples-multiple-files
Refactor the test code sample to support multiple files per sample
2018-09-28 11:52:04 +03:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Andrew Hsu
5f98926a7b Refactor Dockerfile (#245)
* ignore the temporary image file used for builds

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOPATH in the Dockerfile

It is already set in the golang:1.10.3-alpine3.8 image.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOROOT in Dockerfile

The correct value is embedded in the go tool.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* bump Dockerfile golang to 1.10.4

The latest golang version thus far.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* replace docker-entrypoint.sh with the gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* git ignore gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* refactor Dockerfile into multi-stage

First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* fix the image execution example in README.md

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-09-26 08:09:20 +03:00
Grant Murphy
7f6509a916
Update README.md (#246)
Add logo to README.md
2018-09-25 19:44:53 +10:00
Dale Hui
762ff3a709 Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls

* Factor out matching of formatter string

* Quoted strings are safe to use with SQL str formatted strings

* Add test for allowing quoted strings with string formatters

* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
Dale Hui
ec32ce68d8 Support Go 1.11 (#239)
* Test with the latest minor version of each major Go version

* Support Go 1.11 and modules
2018-09-10 09:09:12 +02:00