s7v7nislands
92dda9cc3b
fix unsafe check
2016-10-25 11:57:05 +08:00
Cedric Staub
911c69646d
Add support for HTML output
2016-10-21 13:18:56 -07:00
Grant Murphy
59fbf7446d
Refactor path matching logic
...
Effectively using filepath.Glob to build a set of files and directories
to exclude from the scan.
(ref: https://golang.org/pkg/path/filepath/#Glob )
2016-09-10 14:55:12 -07:00
Tim Kelsey
a4fd848bfc
Merge pull request #49 from gcmurphy/master
...
Add godocs.org reference
2016-09-06 10:19:50 +01:00
Tim Kelsey
7f4bdd5957
Merge pull request #48 from gcmurphy/godoc
...
Fix typos in godocs
2016-09-06 10:19:33 +01:00
Grant Murphy
d05a2416a2
MatcMatchCompLit should be MatchCompList
2016-08-28 11:44:14 -07:00
Grant Murphy
b5a98c12a8
Add godocs.org badge
2016-08-28 11:36:53 -07:00
Grant Murphy
9ca975d56f
Add gas to .gitignore
2016-08-28 11:35:58 -07:00
Grant Murphy
0ee8e1bbab
Merge pull request #47 from gcmurphy/readme
...
Readme updates
2016-08-28 11:24:44 -07:00
Grant Murphy
0bce1770b5
Fix typos in godocs
2016-08-28 11:22:08 -07:00
Grant Murphy
bb42840644
Merge pull request #42 from HewlettPackard/code_docs
...
Adding some inline documentation for godoc
2016-08-28 11:17:05 -07:00
Grant Murphy
e4b1e28f53
Merge pull request #46 from drewwells/feature/exclusions
...
prefix patterns with **/ to match subdirectories
2016-08-28 11:15:29 -07:00
Grant Murphy
a2b7f3e0a2
Add LICENSE information to README.md
2016-08-28 11:09:52 -07:00
Grant Murphy
929edb490a
Update README.md to use rule IDs
2016-08-28 11:07:28 -07:00
Drew Wells
365ae31b3a
prefix patterns with **/ to match subdirectories
2016-08-24 12:36:00 -05:00
Tim Kelsey
223cded656
Adding some inline documentation for godoc
2016-08-12 14:17:28 +01:00
Tim Kelsey
37205e9afa
Merge pull request #41 from HewlettPackard/usage
...
Fix usage information
2016-08-11 16:54:36 +01:00
Grant Murphy
df373b8659
Fix usage information
...
Mostly a tidy up. Fixed a couple of spelling errors as well.
2016-08-11 05:14:19 -07:00
Grant Murphy
82947bb1a8
Merge pull request #39 from HewlettPackard/rule_selection
...
Rule selection rules
2016-08-11 04:58:25 -07:00
Tim Kelsey
713949fe69
Rule selection rules
...
This makes the following changes:
- rules are identified by an ID
- include / exclude list now work
- rules are selected based on these lists
- blacklist rules are broken out into methods
- rule constructors now take the config map
- config file can be used to select rules
- CLI options embellish config selection options
2016-08-11 10:45:51 +01:00
Grant Murphy
51ffe1ba7e
Merge pull request #40 from dragonndev/master
...
Clarified output format options.
2016-08-10 14:59:19 -07:00
Grant Murphy
b29e45fa7e
Merge pull request #38 from HewlettPackard/cli_docs
...
Updating docs for new CLI "skip" option
2016-08-10 14:58:09 -07:00
Matthew Lapworth
5b867f204b
Clarified output format options.
2016-08-10 11:43:02 -07:00
Tim Kelsey
6d831c0923
Updating docs for new CLI "skip" option
2016-08-10 10:09:37 +01:00
Grant Murphy
235308f853
Merge pull request #35 from HewlettPackard/config_cli
...
Configuration
2016-08-08 08:27:02 -07:00
Tim Kelsey
e3b1d33b95
Configuration
...
This re-works the way that CLI options are passed through to the
analyzer so that they can act as overrides for config options. If
not given on the CLI, options will come from a config file. If no
file is used then a default value is chosen.
Two lists are also populated with tests to include or exclude.
These lists are not used for now but will eventually replace the
way we select tests to run in a future patch to follow.
2016-08-08 16:18:46 +01:00
Tim Kelsey
4e30ca3866
Merge pull request #37 from HewlettPackard/travis_ci
...
Add build status to README.md
2016-08-08 09:24:58 +01:00
Grant Murphy
9521472897
Add build status to README.md
2016-08-05 09:54:29 -07:00
Tim Kelsey
58e6823122
Merge pull request #36 from HewlettPackard/travis_ci
...
Add travis ci profile
2016-08-05 17:10:50 +01:00
Grant Murphy
f36388aa67
Merge pull request #34 from HewlettPackard/blacklist
...
Creating blacklist import rules
2016-08-05 09:08:29 -07:00
Grant Murphy
9bd62d1a4a
Add travis ci profile
2016-08-05 08:59:01 -07:00
Tim Kelsey
45f3b5f671
Creating blacklist import rules
...
Creating a new generic blacklist rule and removing the older
specific ones. This will need configuration integration when
we have some.
The new test is immune to import aliasing but not shadowing
2016-08-05 12:58:27 +01:00
Tim Kelsey
7e1d7ee0fe
Merge pull request #33 from HewlettPackard/config_fix
...
Fixing config
2016-08-05 11:05:16 +01:00
Tim Kelsey
da55fd1326
Fixing config
...
It should have been in the context object, not the analyzer
2016-08-05 11:04:06 +01:00
Grant Murphy
84f0162a80
Merge pull request #32 from HewlettPackard/resolve_1
...
Try to resolve all elements in an expression to a known const
2016-08-03 09:32:56 -07:00
Tim Kelsey
d2d49f1c8c
Try to resolve all elements in an expression to a known const
...
This is used in the subprocess launching test but will be added to
others as applicable.
This also closes #28
2016-08-03 17:21:48 +01:00
Grant Murphy
12d370b11b
Merge pull request #31 from HewlettPackard/config
...
Adding a config block to the analyzer, parsed from JSON
2016-08-01 09:46:02 -07:00
Tim Kelsey
d4367de2e2
Adding a config block to the analyzer, parsed from JSON
...
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Grant Murphy
8261ee58d6
Merge pull request #29 from HewlettPackard/fix_regexp
...
Fix incorrect regexp matches
2016-07-30 15:16:08 -07:00
Grant Murphy
cee5fad4c3
Fix incorrect regexp matches
...
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression `^ioutils.WriteFile$` would match
ioutils.WriteFile, but also ioutils_WriteFile.
Additionally made sure that all regexp were declared using raw
strings to avoid any unnecessary string escaping that potentially
makes the regexp difficult to read.
2016-07-30 13:29:33 -07:00
Grant Murphy
0bf1ece211
Merge pull request #27 from cwkuo/fix-windows-file-contains
...
Fix os.IsExist() condition in filelist.Contains()
2016-07-29 08:50:28 -07:00
cwkuo
0737ea6b04
Fix os.IsExist() condition in filelist.Contains()
2016-07-29 22:40:47 +08:00
Grant Murphy
b659538aa8
Merge pull request #26 from HewlettPackard/fix_annotations
...
Fixing annotations
2016-07-29 07:24:05 -07:00
Tim Kelsey
68aac2539a
Fixing annotations
...
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it won't be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Grant Murphy
28f0f1abe8
Merge pull request #23 from csstaub/cs/detect-math-rand
...
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand
2016-07-28 11:26:34 -07:00
Tim Kelsey
c5d271566c
Merge pull request #24 from csstaub/cs/smarter-creds-check
...
Smarter hard-coded credentials check
2016-07-28 10:31:33 +01:00
Tim Kelsey
e86addbfea
Merge pull request #22 from csstaub/cs/csv
...
Use encoding/csv for CSV output
2016-07-28 10:25:27 +01:00
Cedric Staub
3cd0ebee96
Smarter hard-coded credentials check
...
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Cedric Staub
2ec102c7bf
Use encoding/csv for CSV output
...
The encoding/csv package will take care of quoting, double-quoting,
and other CSV quirks -- avoids having to fiddle with text templates.
2016-07-27 20:55:09 -07:00