actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-05 19:45:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
270 commits 2 branches 41 tags 20 MiB
Commit graph

78 commits

Author SHA1 Message Date
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
Grant Murphy
c6183b4d5c
Add nil pointer check to rule. (#181) 
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174
 2018-02-28 04:29:25 +10:00
cosmincojocar
edb362fc9d Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178) 
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions
 2018-02-21 15:59:18 +10:00
cosmincojocar
1c58cbd378 Make the folder permissions more permissive to avoid false positives (#175) 2018-02-15 19:53:01 +10:00
Cosmin Cojocar
230d286f4e Fix gofmt formatting 2018-02-10 20:04:58 +01:00
Grant Murphy
6b28d5c0e6
Merge pull request #166 from cosmincojocar/fprint_whitelist 
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
 2018-02-08 11:54:44 +10:00
Cosmin Cojocar
6cd7a6d7fe Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist 2018-02-07 14:13:17 +01:00
Cosmin Cojocar
179c178924 Add some review fixes 2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function 2018-02-06 16:56:26 +01:00
Grant Murphy
a97a196160 Unused import 2018-01-30 09:35:35 +10:00
Grant Murphy
7c7fe752b6 Fix go vet errors in tests 2018-01-30 09:32:04 +10:00
Jon McClintock
1ca335016a Rebase to master 2018-01-22 18:45:07 +00:00
Jon McClintock
8eb9cc02a4 Adjust SQL format-string rules to ignore inherently safe formats 2018-01-22 18:34:57 +00:00
Grant Murphy
085e0f65af
Merge pull request #150 from GoASTScanner/experimental 
Use explicit packages in call lists
 2018-01-05 23:14:24 +10:00
Grant Murphy
aecbc873ef Use explicit packages in call lists 
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145, this removes it to expect explicit packages
for each rule.

Closes #145
 2018-01-05 23:05:53 +10:00
Grant Murphy
9a2bec1cd0
Merge pull request #149 from GoASTScanner/experimental 
Fix nil pointer dereference in complit types
 2018-01-05 22:20:21 +10:00
Grant Murphy
b6f85d50da Fix nil pointer dereference in complit types 2018-01-05 22:19:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental 
Merge experimental / refactor
 2018-01-05 22:08:59 +10:00
Grant Murphy
e925d3c347 Migrated old test cases. 2017-12-28 16:54:10 +10:00
Grant Murphy
af25ac1f6e fix golint errors picked up by hound-ci 2017-12-13 22:35:47 +10:00
Grant Murphy
cfa432729c fix hound-ci errors 2017-12-13 17:39:00 +10:00
Grant Murphy
3caf7c3154 Add test cases 2017-09-16 10:12:27 +10:00
Cosmin Cojocar
c36954f04a Add the CHACHA20 to good ciphers in modern tls check 2017-08-30 16:00:56 +02:00
Grant Murphy
6943f9e5e4 Major rework of codebase 
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
 2017-07-19 15:17:00 -06:00
Grant Murphy
65b18da711 Hack to address circular dependency in rulelist 2017-05-09 21:26:12 -07:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00
Cosmin Cojocar
5b71c2b05f Add a test for math/big.Int.Exp rule 2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd Add a rule for big.Exp function call 2017-04-10 14:25:48 +02:00
mockturtl
b74c83e7e7 BindsToAllNetworkInterfaces should check TLS also 2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0 Merge pull request #122 from GoASTScanner/testfixes 
Correct bad test cases and intermitent failure
 2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167 Correct bad test cases and intermitent failure 
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.

Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
 2017-03-15 08:47:40 -07:00
Cosmin Cojocar
2262f5d474 Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 15:05:44 +01:00
Grant Murphy
4099783722 Go 1.5 does not support width precision specifier 2017-01-14 14:39:22 -08:00
Grant Murphy
9bc02396e8 Introduce entropy checking of string 
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
 2017-01-14 13:45:34 -08:00
Grant Murphy
a7ec9ccc63 Backport test case for 1.5 
Go 1.5 does not have a rand.Read function so need to adjust test
definitions accordingly.
 2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8 Fix additional test case 2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76 Fix test cases with invalid sample code 2017-01-13 12:40:49 -08:00
Grant Murphy
d1303fee0b Improve specitivity of error message for GenDecl 2017-01-11 10:12:11 -08:00
Grant Murphy
1e736c8838 Fix test case (invalid sample code) 2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995 Ensure hardcoded credentials only examines strings 
The hardcoded credentials test should only consider assignment of const strings.

Related to issue #108
 2017-01-11 09:43:05 -08:00
Grant Murphy
191750f44c Recreate fileset each time we process a file 
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.

Closes #100
 2016-12-02 15:21:13 -08:00
Grant Murphy
6ace60b950 Address unhandled error conditions 
Closes #95
 2016-12-02 10:20:23 -08:00
Grant Murphy
129be1561b Update error test case 
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
 2016-11-18 14:09:10 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly 
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
 2016-11-15 13:53:36 -08:00
Grant Murphy
39b18a1539 Remove debug print messages 2016-11-15 12:36:02 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file 
The import information was being persisted between files. This was
causing false positives.

Fixes #87
 2016-11-15 11:58:28 -08:00
Grant Murphy
c7bb2dd3b7 Fix additional crash condition 
A var GenDecl may not have a value assigned. This error case must be
handled.
 2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48 Handle inbalanced declaration of constants 
The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
 2016-11-14 13:57:55 -08:00
Grant Murphy
a3fcd96f57 Update hardcoded credentials rule for GenDecls 
The hardcoded credentials rule will now also examine GenDecls so will
work with global vars and constants.

Fixes #74
 2016-11-13 12:57:59 -08:00