Cosmin Cojocar
0ce4453ddd
Rollback the SARIF version to 2.1 since GitHub doesn't support 2.2 ( #1210 )
...
Change-Id: If3500ec2c522339ca0a4e6c1f58574ce3cc870a9
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:56:15 +02:00
Cosmin Cojocar
ea26e8431f
Update gosec in GitHub action to v2.21.0 ( #1208 )
...
Change-Id: Ia6a5cc01472103d435cd5931aaef98a71a0a89f2
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:49:35 +02:00
Cosmin Cojocar
b278b40c52
Update cosign version to v2.4.0 in release GitHub workflow ( #1207 )
...
Change-Id: I78b4ad65597f6c10d9cc3113864fd73a25101b25
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:22:00 +02:00
czechbol
eaedce9a8b
Improve the int conversion overflow logic to handle bound checks ( #1194 )
...
* add test cases
Signed-off-by: czechbol <adamludes@gmail.com>
* fix bounds check logic
Signed-off-by: czechbol <adamludes@gmail.com>
* tweak test cases
Signed-off-by: czechbol <adamludes@gmail.com>
* fix codestyle
Signed-off-by: czechbol <adamludes@gmail.com>
* improve bounds check logic
Signed-off-by: czechbol <adamludes@gmail.com>
* max recursion depth
Signed-off-by: czechbol <adamludes@gmail.com>
* add test case for len function
Signed-off-by: czechbol <adamludes@gmail.com>
* relax len function bounds checks
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
* handle cases when convert instruction is after the if blocks
Signed-off-by: czechbol <adamludes@gmail.com>
* improve range check discovery, add tests
Signed-off-by: czechbol <adamludes@gmail.com>
* refactor for readability
Signed-off-by: czechbol <adamludes@gmail.com>
* add cap function test
Signed-off-by: czechbol <adamludes@gmail.com>
* calculate signed min without throwing overflow warnings
Signed-off-by: czechbol <adamludes@gmail.com>
* perform bounds checks int size calculations
Signed-off-by: czechbol <adamludes@gmail.com>
* basic equal operator logic
Signed-off-by: czechbol <adamludes@gmail.com>
* uintptr -> unsafe.Pointer test case
Signed-off-by: czechbol <adamludes@gmail.com>
* fix review comments
Signed-off-by: czechbol <adamludes@gmail.com>
* Rebase and fix go module
Change-Id: I8da6495eaaf25b1739389aa98492bd7df338085b
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
* fix false positive for negated value
Signed-off-by: czechbol <adamludes@gmail.com>
* fix range conditions
Signed-off-by: czechbol <adamludes@gmail.com>
* Ignore the golangci/gosec G115 warning
Change-Id: I0db56cb0a5f9ab6e815e2480ec0b66d7061b23d3
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
---------
Signed-off-by: czechbol <adamludes@gmail.com>
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:09:54 +02:00
William Bergeron-Drouin
ea5b2766bb
fix: G602 support for nested conditionals with bounds check ( #1201 )
...
* Recursive fix
* Add some more test cases
* Fix formatting
* Add depth check
2024-09-04 11:07:42 +02:00
Cosmin Cojocar
11d69032b0
Update go.mod to use go 1.22.0 toolchain
2024-09-02 09:46:29 +02:00
renovate[bot]
655527dfb4
chore(deps): update all dependencies
2024-09-02 09:46:29 +02:00
Cosmin Cojocar
0898560169
Make variable name more clear
...
Change-Id: I5b863c0da6cc3d01efa527c60c93fdcbc8c5a53c
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
ac67231ec5
Make variable names more explicit and reduce duplications
...
Change-Id: Ifa141b70351136cfe7d0756a83e8166a24b5d538
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
e0414c4640
Fix formatting
...
Change-Id: I49caeb75f1bd7ecdb9b4f99466d96ad81e2e95ac
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
c7003fc7e5
Refactor to reduce some functions and variable names
...
Change-Id: I7f42c1de4e39dceb8e8144037d5af9223331ff06
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
2401936458
Pass the value argument directly since it is an interface
...
The value doesn't need to be passed as a pointer since it is an
interface.
Change-Id: Ia21bceb5f315f4c30bd28425d62f678e9203e93f
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Dimitar Banchev
f5d312825f
Added suggested changes
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a14ca4ac59
Added another test case in order to increase code coverage
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a6dd589bae
Removed function parameter which is always the same
2024-08-30 19:35:07 +02:00
Dimitar Banchev
b4c746962f
Formatting problems (CI was not passing)
2024-08-30 19:35:07 +02:00
Dimitar Banchev
7f8f654235
Updated analyzer to use new way of initialization
...
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the different examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a26215cf23
Migrated the rule to the analyzers folder
2024-08-30 19:35:07 +02:00
Dimitar Banchev
3f6e1e7326
Refactored code a little bit
2024-08-30 19:35:07 +02:00
Dimitar Banchev
0eb8143c23
Added new rule G407 (hardcoded IV/nonce)
...
The rule is supposed to detect the usage of hardcoded or static nonce/IV in many encryption algorithms:
* The different modes of AES (mainly tested here)
* It should be able to work with ascon
Currently the rule doesn't check when constant variables are used.
TODO: Improve the rule to detect constant variable usage
2024-08-30 19:35:07 +02:00
Ben Krieger
4ae73c8ba3
Fix conversion overflow false positive when using ParseUint
2024-08-28 08:58:42 +02:00
Cosmin Cojocar
c52dc0ea4e
Add a build step to measure the scan performance
...
This step will measure the scan performance difference against the
master version.
Change-Id: I1b9196ef3348350cf818471f55d9024d14064ac6
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-26 19:08:32 +02:00
czechbol
bcec04e784
Fix conversion overflow false positives when they are checked or pre-determined
...
Signed-off-by: czechbol <adamludes@gmail.com>
2024-08-26 16:57:12 +02:00
Cosmin Cojocar
71e397b994
Update go.mod
2024-08-26 16:47:36 +02:00
renovate[bot]
aec45b0b7d
chore(deps): update all dependencies
2024-08-26 16:47:36 +02:00
Cosmin Cojocar
ab3f6c1c83
Fix false positive in conversion overflow check from uint8/int8 type
...
Change-Id: I543545e22fa12de0d85dcf92664a0a54e8f7244a
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-22 09:47:52 +02:00
Cosmin Cojocar
a39ec5a16b
Disable staticcheck SA1019 rule
...
Change-Id: Ia9db0083f5ffb34d911b5ca491ef0ce23be979f8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
a1b2ab80af
Update the golangci linters
...
Change-Id: I8938d57e9751913f65b4825a44c252b31888f9e8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
8467f012e0
Add more tests to cover more use cases for the G115 rule
...
Change-Id: Icb60fe14ae12439c1ee0e507a407a23ce4c64c85
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally ( #1180 )
...
* This change does not exclude analyzers for inline comments
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzer IDs (G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Cosmin Cojocar
18135b439c
Update to Go 1.23.0 ( #1183 )
...
Change-Id: I11a6402e85ac543305e8bad4ea35239779424dd6
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-19 09:17:50 +02:00
renovate[bot]
91c708a620
chore(deps): update all dependencies ( #1182 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-19 08:58:30 +02:00
Cosmin Cojocar
92bac42afc
Read the AI API key also from an environment variable ( #1181 )
...
* Read the AI API key also from an environment variable
Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
* Fix lint warning
Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
---------
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-18 17:59:45 +02:00
Tran The Lam
56f943b802
Add support to generate auto fixes using LLM (AI) ( #1177 )
...
This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on the Gemini API to get a suggestion for a solution. This can later be extended to integrate other AI providers as well.
---------
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-12 12:52:41 +02:00
renovate[bot]
f33fd4bf29
chore(deps): update all dependencies
2024-08-12 10:21:07 +02:00
renovate[bot]
55a47f3774
chore(deps): update all dependencies
2024-08-05 17:38:32 +02:00
renovate[bot]
a5d9ef67e2
chore(deps): update all dependencies
2024-07-29 10:58:28 +02:00
renovate[bot]
68424445af
chore(deps): update dependency babel-standalone to v7.24.10
2024-07-23 11:43:16 +02:00
Alex Gartner
08b94f9392
Resolve underlying type to detect overflows in type aliases
2024-07-20 10:06:43 +02:00
renovate[bot]
4487a0c5a2
chore(deps): update dependency babel-standalone to v7.24.8
2024-07-15 09:13:59 +02:00
Alex Gartner
007626773c
Fix multifile ignores
2024-07-15 09:00:36 +02:00
Alex Gartner
2f1b81b889
Add -enable-audit cli flag
2024-07-13 11:25:25 +02:00
Cosmin Cojocar
87fcb9b95b
Update to go 1.22.5 and 1.21.12
...
Change-Id: I3334016ed2714ce4aed959d7f19a33e220c000e4
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-07-08 16:00:12 +02:00
renovate[bot]
466992feca
chore(deps): update all dependencies
2024-07-08 15:49:41 +02:00
Dimitar Banchev
9a4a741e6b
Added more rules
...
* Rule G406, responsible for the usage of deprecated MD4 and RIPEMD160, added.
* Rules G506, G507, responsible for tracking the usage of the already mentioned libraries, added.
* Slight changes in the Makefile (`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
6382394ce8
Fixed coverage workflow
...
* Renamed file (removed space)
* Changed the expected issues (1 -> 2)
2024-06-24 15:25:54 +02:00
Dimitar Banchev
5666ea35ba
Fixed CI workflow
...
The CI workflow wasn't able to complete successfully.
* Formatted the call_list_test.go file
2024-06-24 15:25:54 +02:00
Dimitar Banchev
fc0957f6a3
Minor changes
...
* Renamed the file responsible for rule G401
* Removed copyright of HP from the new rule
2024-06-24 15:25:54 +02:00
Dimitar Banchev
58e4fccc13
Split the G401 rule into two separate ones
...
Now the G401 rule is split into hashing and encryption algorithms.
G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405 (new rule) is responsible for checking the usage of DES and RC4, with corresponding CWE of 327.
2024-06-24 15:25:54 +02:00
Dimitar Banchev
2e71f37efd
Updated G401 corresponding CWE
...
The corresponding CWE from G401 rule was changed from CWE-326 -> CWE-328.
In my opinion, this CWE suits better the rule.
2024-06-24 15:25:54 +02:00