Commit graph

993 commits

Author SHA1 Message Date
renovate[bot]
180fc23b72 chore(deps): update all dependencies 2022-09-12 09:35:57 +02:00
Sebastiaan van Stijn
dfde579243 Fix false positives for G404 with aliased packages
It appears that `GetImportedName` returns _both_ aliased and non-aliased imports.
As a result, a file having both crypto/rand and math/rand (but aliased) would
trigger false positives on G404. Given the following file;

```go
package main

import (
	"crypto/rand"
	"math/big"
	rnd "math/rand"
)

func main() {
	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
	_ = rnd.Intn(2)
}
```

And patching for debugging;

```patch
diff --git a/helpers.go b/helpers.go
index 437d032..80f4233 100644
--- a/helpers.go
+++ b/helpers.go
@@ -250,6 +250,8 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
 // GetImportedName returns the name used for the package within the
 // code. It will ignore initialization only imports.
 func GetImportedName(path string, ctx *Context) (string, bool) {
+       fmt.Printf("%+v", ctx.Imports.Imported)
+       os.Exit(1)
        importName, imported := ctx.Imports.Imported[path]
        if !imported {
                return "", false
```

Would show that `math/rand` was included in the list, using it's non-aliased
name (`:rand`).

    gosec -quiet .
    map[crypto/rand:rand math/big:big math/rand:rand]

This patch works around this problem by reversing the order in which imports
are resolved in `MatchCallByPackage()`. Aliased packages are tried first, after
which non-aliased imports are tried.

Given the example application mentioned above:

Before this patch:

```bash
gosec -quiet .
Results:

[/Users/sebastiaan/Projects/test/gosec-issue/main.go:10] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    9: func main() {
  > 10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
    11: 	_ = rnd.Intn(2)
```

With this patch applied:

```bash
    gosec --quiet .
    Results:

    [/Users/sebastiaan/Projects/test/gosec-issue/main.go:11] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
      > 11: 	_ = rnd.Intn(2)
        12: }
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-05 09:49:02 +02:00
renovate[bot]
aaaf80c9a7 chore(deps): update all dependencies 2022-09-05 09:42:37 +02:00
renovate[bot]
ae58325bfe chore(deps): update all dependencies 2022-08-29 10:21:47 +02:00
Cosmin Cojocar
a892be9827 fix: add a CWE ID mapping to rule G114
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-22 10:23:10 +02:00
renovate[bot]
a319b668cd chore(deps): update golang.org/x/crypto digest to bc19a97 2022-08-22 09:57:21 +02:00
Cosmin Cojocar
19fa856bad fix: make sure that nil Cwe pointer is handled when getting the CWE ID 2022-08-20 13:32:31 +02:00
Cosmin Cojocar
62fa4b4e9b test: remove white spaces from template 2022-08-20 13:08:50 +02:00
Cosmin Cojocar
074dc71087 fix: handle nil CWE pointer in text template 2022-08-20 13:08:50 +02:00
renovate[bot]
79a5b13bdb chore(deps): update dependency babel-standalone to v7 2022-08-15 09:17:13 +02:00
Cosmin Cojocar
97f03d9939 chore: update module go to 1.19
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Cosmin Cojocar
0ba05e160a chore: fix lint warnings
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Cosmin Cojocar
d3933f9e14 chore: add support for Go 1.19
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Ludovic Fernandez
4e68fb5b15
fix: parsing of the Go version (#844)
* fix: parsing of the Go version

* fix: convert pseudo directive to comment
2022-08-08 09:28:41 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
renovate[bot]
1b0873a235
chore(deps): update module golang.org/x/tools to v0.1.12 (#840)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-08-02 08:08:23 +02:00
Cosmin Cojocar
845483e0b1 Fix lint warning
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-28 11:10:00 +02:00
Cosmin Cojocar
45bf9a6095 Check the suppressed issues when generating the exit code
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-28 11:10:00 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
Cosmin Cojocar
21fcd2f904
Phase out support for Go 1.16 since is not supported anymore by Go team (#837)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-26 11:08:30 +02:00
renovate[bot]
3cda47a9b8
chore(deps): update all dependencies (#836)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-26 10:57:36 +02:00
renovate[bot]
0212c83699
chore(deps): update dependency highlight.js to v11.6.0 (#830)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-18 16:20:54 +02:00
Tim Costa
9a25f4ed2d
fix: filepaths with git anywhere in them being erroneously excluded (#828)
Co-authored-by: Tim Costa <timcosta@amazon.com>
2022-07-06 06:46:49 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
renovate[bot]
7dd9ddd583
chore(deps): update golang.org/x/crypto digest to 0559593 (#826)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-06 06:34:31 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Sascha Grunert
05f3ca80f9
Pin cosign-installer to v2 (#824)
We now have tags available in the cosign-installer, which allows us to
pin the latest release via `v2`.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-06-23 14:50:50 +02:00
renovate[bot]
a9b0ef0a11
chore(deps): update all dependencies (#822)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-06-13 19:48:12 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
Peter Dave Hello
fb587c1d10
Remove additional --update for apk in Dockerfile (#818)
There is no need to use --update with --no-cache when using apk on
Alpine Linux, as using --no-cache will fetch the index every time and
leave no local cache, so the index will always be the latest without
temporary files remain in the image.
2022-05-31 15:06:52 +02:00
Thomas Gorham
c3ede62822
Update x/tools to pick up fix for golang/go#51629 (#817) 2022-05-29 17:41:10 +02:00
renovate[bot]
0a929c7b6c
chore(deps): update all dependencies (#816)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-29 17:36:29 +02:00
renovate[bot]
12be14859b
chore(deps): update all dependencies (#812)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-09 12:02:57 +02:00
renovate[bot]
0dcc3362ae
chore(deps): update all dependencies (#811)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-02 21:00:33 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Cosmin Cojocar
a64cde55a4
Fix the dependencies after renovate upate (#806) 2022-04-11 20:21:09 +02:00
renovate[bot]
b69c3d48c8
chore(deps): update all dependencies (#805)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-11 20:12:37 +02:00
Cosmin Cojocar
89dfdc0c97
Update the description message of template rule (#803) 2022-04-05 07:41:36 +02:00
Gautam Mehta
0791d31471
Fix typo in ReadMe (#802) 2022-04-05 07:15:22 +02:00
Cosmin Cojocar
2ef1d9a037
Fix build after renovate update (#800) 2022-03-28 20:38:14 +02:00
robot-5
afc9903ba9
Fix use rule IDs to retrieve the rule config 2022-03-28 20:28:02 +02:00
renovate[bot]
82eaa12696
chore(deps): update all dependencies (#796)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-28 20:23:59 +02:00
Cosmin Cojocar
607d607b51
Enable Go 1.18 in the ci and release workflows
* Enable Go 1.18 in the ci and release workflows

* Fix lint warning

* Add golangci as a make target
2022-03-21 16:53:22 +01:00
Cosmin Cojocar
b99b5f7838
Fix the lint action after upgrade (#790) 2022-03-14 14:19:29 +01:00
renovate[bot]
8af0af7611
chore(deps): update all dependencies (#789)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-14 14:10:28 +01:00
Per Arn
ea5d31f7f5
Add a recursive flag -r to skip specifying ./... path
* added recursive flag to skip specifying ./... path

* refactored to remove code duplication
2022-03-07 10:31:22 +01:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
Cosmin Cojocar
26f10e0a7a
Extend the release action to sign the docker image and binary files with cosign (#781)
* Extend the release action to sign the docker image and binary files with cosign

* Fix lint warnings

* Fix the ling warnings

* Fix the lint warnings
2022-02-22 21:33:42 +01:00