Commit graph

207 commits

Author SHA1 Message Date
Oleksandr Redko
1f689968ec Fix typos in comments, vars and tests 2023-05-30 08:26:41 +02:00
Matthieu MOREL
d6aeaad931
correct gci linter (#946)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-30 09:31:24 +02:00
Cosmin Cojocar
6a73248135 Fix some linting warnings 2023-03-20 10:25:45 +01:00
Rick Moran
f823a7e92b
Check nil pointer when variable is declared in a different file 2023-03-08 14:42:45 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
de2c6a36fa Extract the issue in its own package 2023-02-16 09:45:28 +01:00
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917)
* Update hardcoded_credentials.go

adaper equal expr which const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapter const == key hardcoded, add testcases
2023-01-31 09:52:37 +01:00
Cosmin Cojocar
c5d217da7a
Update Go version in CI script (#913)
* Update Go version in CI script

* Introduce back an additional check for filepath clean to fix the unit tests
2023-01-09 16:49:02 +01:00
Cosmin Cojocar
5874e63c9e
Track back when a file path was sanitized with filepath.Clean (#912)
* Track back when a file path was sanitized with filepath.Clean

* Remove unused argument to fix lint warnings
2023-01-09 16:26:20 +01:00
Cosmin Cojocar
fd280360cd
Fix the TLS config rule when parsing the settings from a variable (#911) 2023-01-09 15:10:44 +01:00
Alexey Ivanov
dabc7dc27e
Auto-detect TLS MinVersion integer base (#903) 2022-12-12 09:30:06 +01:00
Dmitry Golushko
44f484fdc7
Additional types for bad defer check (#897)
* Additional types for bad defer check

* Ignore new check in tlsconfig.go
2022-11-30 09:38:46 +01:00
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic

* fileperms: add failing test

* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Cosmin Cojocar
89dfdc0c97
Update the description message of template rule (#803) 2022-04-05 07:41:36 +02:00
robot-5
afc9903ba9
Fix use rule IDs to retrieve the rule config 2022-03-28 20:28:02 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading (#778)
* feat: add concurrency option to parallelize package loading

* refactor: move wg.add inside the for loop

* fix: gracefully stop the workers on error

* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Cosmin Cojocar
2fad8a4193 Resolve the TLS min version when is declarted in the same package but in a different file 2022-01-26 19:27:26 +01:00
Cosmin Cojocar
1fbcf10e18 Add a test for tls min version defined in a different file 2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule (#763)
* Add db.Exec and db.Prepare to the sql rule

* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule (#761) 2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) 2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries 2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs (#754) 2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args

* Find G303 with /usr/tmp, too

/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Cosmin Cojocar
ad5d74d5a1
Update to ginkgo v2 (#753) 2022-01-03 18:11:35 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings 2021-12-09 11:53:36 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 (#733) 2021-11-24 16:34:42 +01:00
Cosmin Cojocar
e57efa8482
Fix a panic in suproc rule when the declaration of the variable is not available in the AST (#728) 2021-11-16 21:41:26 +01:00
Cosmin Cojocar
55c6ceaaa6
Fix crash when parsing the TLS min version value (#724) 2021-11-09 21:59:53 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case (#718)
* Add G303 os.Create test case

* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 (#706)
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Yuval Kashtan
1933cba5b5
Add os.Unsetenv to NoErrorCheck whitelist (#702)
it always return nil err
2021-10-05 19:30:34 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698) 2021-09-13 09:40:10 +02:00
Cosmin Cojocar
d3309fb4f5
Add a more generic message for rule g204 (#688) 2021-08-19 15:18:20 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt (#685)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 (#677)
* fix: add more rules for G204

* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
* Add G307 sample code.
The sample should reflect a defered close that leads to data loss.
Due to IDE auto-complete people tend at least log errors, but not
really care about handling.

* Add more G307 sample code. Propose a way to implement

* Remove unused code. Add example that should not return an error but does

* Remove test for synced closed file for now.
Will add this later

Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion (#669)
* fix: add variable assignment checking as part of MinVersion

* fix: add more code to allow assignment with const

* fix: rework the code and add more test cases for MinVersion

* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials (#666) 2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs (#660)
* Add G204 rule for sys/execabs

* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00