Commit graph

1103 commits

Author SHA1 Message Date
dan "smiley" murray
cdd3476f91
fix dead link to issue.go in README.md (#936) 2023-03-06 09:09:40 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from a security perspective, and it caused a lot of controversy since
it is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
27bf0e4f9b
Fix rule index reference into sarif report (#934) 2023-02-21 11:43:38 +01:00
dependabot[bot]
e7b896f234 Bump golang.org/x/net from 0.6.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-20 08:58:52 +01:00
Cosmin Cojocar
4340efaa9a Format file 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
f850069114 Use the gosec issue in the go analysers 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
b1fd94881e Fix file formatting 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
2071786199 Update Go version in CI builds 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
1915717875 Fix method name in the comment 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
de2c6a36fa Extract the issue in its own package 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
31e63276f1 Add support for Go analysis framework and SSA code representation 2023-02-16 09:45:28 +01:00
renovate[bot]
e795d75a46
chore(deps): update all dependencies (#931)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-13 10:25:24 +01:00
Cosmin Cojocar
8aa00db022
Remove the version from ci github action 2023-02-08 11:33:30 +01:00
Cosmin Cojocar
392e53c8d0
Pin github action to latest release version 2.15.0 2023-02-08 11:29:30 +01:00
Cosmin Cojocar
ffe254e3a9
Revert the image tag in github action until a working solution is found 2023-02-08 10:47:46 +01:00
Cosmin Cojocar
a0eddfb4ab
Fix version interpolation in github action image 2023-02-08 10:45:57 +01:00
Cosmin Cojocar
d22a7b6ede
Add gosec version as an input parameter to GitHub action (#927)
* Add gosec version as a parameter to the Github action

* Run gosec as a github action as part of CI
2023-02-08 10:40:36 +01:00
Cosmin Cojocar
2d6b0a5b0f
Update release build script (#924)
* Remove deprecated goreleaser flag from release build script

* Update cosign version to v1.13.1
2023-02-06 14:39:25 +01:00
Cosmin Cojocar
a459eb0ba3
Fix dependencies after renovate update 2023-02-06 14:19:11 +01:00
renovate[bot]
54f56c7d6a
chore(deps): update all dependencies (#922)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-06 14:16:49 +01:00
Cosmin Cojocar
df14837174
Update to Go 1.20 and fix unit tests (#923)
* Fix unit tests for Go 1.20

* Update to Go 1.20 in the build scripts

* Remove support for 1.18 in the build

* Fix the golangci lint version according to Go version used

* Fix golangci version string

* Fix gci linter warning

* Remove golint in favour of golangci
2023-02-06 14:15:05 +01:00
Cosmin Cojocar
b4270dd020
Update Go to latest version (#920) 2023-01-31 10:00:24 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adapt equal expr with const value at left (#917)
* Update hardcoded_credentials.go

adapt equal expr with const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapt const == key hardcoded, add test cases
2023-01-31 09:52:37 +01:00
('o mo)y-˜
9432e676a8
Fix github latest URL (#918) 2023-01-30 11:30:08 +01:00
张祖建
e85e1a7234
Fix github release url (#916) 2023-01-30 09:32:09 +01:00
renovate[bot]
7dcb8c7436
chore(deps): update module github.com/onsi/ginkgo/v2 to v2.7.0 (#914)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-01-16 09:16:37 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script

* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean

* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911) 2023-01-09 15:10:44 +01:00
Cosmin Cojocar
a522ae6f5f
Fix build after updating the dependencies (#910) 2023-01-09 09:42:20 +01:00
renovate[bot]
4cc97adbef
chore(deps): update all dependencies (#909)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-01-09 09:27:57 +01:00
Cosmin Cojocar
05a7bc585d
Fix dependencies after renovate update (#907) 2023-01-02 17:43:42 +01:00
renovate[bot]
11898d512a
chore(deps): update all dependencies (#906)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-01-02 17:35:12 +01:00
Cosmin Cojocar
f9a8bf0152
Update slack badge and link (#905) 2022-12-12 12:20:22 +01:00
Alexey Ivanov
dabc7dc27e
Auto-detect TLS MinVersion integer base (#903) 2022-12-12 09:30:06 +01:00
Dave Hay
c39bcdb989
Adding s390x support (#902)
- Updated .goreleaser.yaml to support Linux on IBM Z ( s390x )

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
2022-12-12 08:47:25 +01:00
renovate[bot]
e06bbf9175
chore(deps): update all dependencies (#904)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-12-12 08:46:48 +01:00
renovate[bot]
f79c584dbb
chore(deps): update all dependencies (#898)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-12-05 09:23:50 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check

* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
renovate[bot]
2fe6c5b64a
chore(deps): update all dependencies (#894)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-27 17:44:24 +01:00
renovate[bot]
a0b7ebb312
chore(deps): update all dependencies (#892)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-14 09:16:07 +01:00
Cosmin Cojocar
0acfbb436c
Update Go version in CI scripts (#889) 2022-11-08 09:54:40 +01:00
renovate[bot]
6a964b2a86
chore(deps): update all dependencies (#888)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-11-08 09:37:54 +01:00
Bernhard M. Wiedemann
a7ad827c42
Allow to override build date with SOURCE_DATE_EPOCH (#887)
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/ for the definition of this variable.

This date call works with different variants of date.
Also use UTC to be independent of timezone.
2022-10-31 11:58:34 +01:00
renovate[bot]
26f038913f
chore(deps): update all dependencies (#886)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-31 09:23:49 +01:00
renovate[bot]
7f91d85b65
chore(deps): update all dependencies (#884)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-24 09:20:26 +02:00
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic

* fileperms: add failing test

* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Cosmin Cojocar
1af1d5bb49
Pin release build to Go version 1.19.2 (#882) 2022-10-17 11:06:43 +02:00
Sebastiaan van Stijn
0ae0174c25
Refactor to support duplicate imports with different aliases (#865)
The existing code assumed imports to be either imported, or imported with an
alias. Badly formatted files may have duplicate imports for a package, using
different aliases.

This patch refactors the code, and:

Introduces a new `GetImportedNames` function, which returns all name(s) and
alias(es) for a package, which effectively combines `GetAliasedName` and
`GetImportedName`, but adds support for duplicate imports.

The old `GetAliasedName` and `GetImportedName` functions have been rewritten to
use the new function and marked deprecated, but could be removed if there are no
external consumers.

With this patch, the linter is able to detect issues in files such as:

    package main

    import (
        crand "crypto/rand"
        "math/big"
        "math/rand"
        rand2 "math/rand"
        rand3 "math/rand"
    )

    func main() {
        _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good

        _ = rand.Intn(2) // bad
        _ = rand2.Intn(2)  // bad
        _ = rand3.Intn(2)  // bad
    }

Before this patch, only a single issue would be detected:

    gosec --quiet .

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

With this patch, all issues are identified:

    gosec --quiet .

    [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        15: 	_ = rand2.Intn(2)  // bad
      > 16: 	_ = rand3.Intn(2)  // bad
        17: }

    [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        14: 	_ = rand.Intn(2) // bad
      > 15: 	_ = rand2.Intn(2)  // bad
        16: 	_ = rand3.Intn(2)  // bad

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

While working on this change, I noticed that ImportTracker.TrackFile() was not able
to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and
ast.Walk(), which (with the updated ImportTracker) resulted in imports being
incorrectly included multiple times (once with the correct alias, once with the default).

I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker,
Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk()
already handles the file, and will find all imports.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:59:18 +02:00
renovate[bot]
a2719d3248
chore(deps): update all dependencies (#881)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-17 10:14:22 +02:00