actions/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2024-11-06 03:55:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
631 commits 2 branches 41 tags 20 MiB
Commit graph

155 commits

Author SHA1 Message Date
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt 2021-05-07 18:04:01 +02:00
Chris Bandy
27a5ffb5c8
Quiet warnings about integer truncation (#586) 
Both MinVersion and MaxVersion of crypto/tls.Config are uint16, so the
int16 fields of rules.insecureConfigTLS are too small. GetInt()
interprets integer literals as fitting within 64-bits, so simplify
things by using int64.
 2021-03-03 10:05:33 +01:00
Matouš Dzivjak
1fce46151c
fix: WriteParams rule to work also with golang 1.16 (#577) 
In go 1.16 the `ioutil` package was deprecated and
the functions should be replaced by their equivalents
in either `io` or `os` packages. This means,
that `ioutil.WriteFile` should be replaced by
`os.WriteFile` instead. To account for this change
and to detect incorrect permissions also for `os.WriteFile`
I changed `filePermissions` rule slightly to allows
specifying multiple packages that can contain given
function and that we should check. This workaround
can be removed after a sufficient time has passed
and after it is decided that checking `os.WriteFile`
is enough.

Fixes: https://github.com/securego/gosec/issues/576
 2021-02-22 09:22:04 +01:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check (#570) 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2021-02-11 10:52:16 +01:00
Chris Bandy
e100f6b862 Assert that sample code compiles 2021-01-04 09:28:00 +01:00
Jeff Widman
9fe0b2e21a
Fix typo (#547) 2020-12-11 09:34:38 +01:00
Cosmin Cojocar
13519fda59 Update the tls configuration generate to handle also the NSS alternative names 
Regenerate the configuration of TLS rule.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-09-03 10:54:08 +02:00
Cosmin Cojocar
f13b8bc639 Add also filepath.Rel as a sanitization method for input argument in the G304 rule 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f Fix the rule G304 to handle the case when the input is cleaned as a variable assignment 
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
 2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f Add io.CopyBuffer function to rule G110 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-07-29 14:25:45 +02:00
Cosmin Cojocar
ade81d3873 Rename file for consistency 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-06-29 13:52:47 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5 Improve the TLS version checking 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c Extend the rule G304 with os.OpenFile and add a test to cover it 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-06-17 13:14:08 +02:00
Cosmin Cojocar
6bbf8f9cbc Extend the insecure random rule with more insecure random functions 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865 Improve the SQL strings concat rules to handle multiple string concatenation 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context 
In addition makes pattern matching used by the rules cases insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66 Add null pointer check in G601 
fixes: #475
 2020-05-21 05:51:45 +02:00
Vitaly Velikodny
668512fc5c Update bad_defer.go 
Fix a mistake in the message:
> G307: Deferring unsafe method "*os.File" on type "Close" (gosec)

type and method changed
 2020-05-06 16:23:04 +02:00
Caccavale
ee3146e637 Rule which detects aliasing of values in RangeStmt 2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e Enhance the hardcoded credentials rule to check the equality and non-equality of strings 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-04-20 03:08:39 -07:00
Cosmin Cojocar
802292c54f Fix the configuration parsing for hardcoded credentials 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c6e10af40f Handle properly the gosec module version v2 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-04-06 09:06:23 -07:00
Cosmin Cojocar
cf2590442c Fix the subproc rule to handle correctly the CommandContext check 
In this case, we need to skip the first argument because it is the context.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls 
Also add the corresponding tests for this.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors (#441) 2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442) 2020-02-28 12:48:18 +01:00
Cosmin Cojocar
3e069e7756 Fix the errors rule whitelist to work on types methods 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91 Modify rule for integer overflow to have more acurate results (#434) 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b Add G110(Potential DoS vulnerability via decompression bomb) 
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-01-20 10:37:56 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422) 
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
 2020-01-06 09:55:52 +01:00
Cosmin Cojocar
50e1fe267d Improve the SSRF rule to report an issue for package scoped variables 
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-10-08 11:56:58 +02:00
Cosmin Cojocar
29341f6e9c Fix the rule G108/pporf to handle the case when the pporf import has not name 
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-09-24 18:16:45 +10:00
Cosmin Cojocar
9cee24cccd Add a rule which detects when pprof endpoint is automatically exposed 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-09-24 09:32:09 +10:00
Martin Vrachev
709ed1ba65 Change rule G204 to be less restrictive (#339) 
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.

With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables

Closes: https://github.com/securego/gosec/issues/338

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
 2019-09-16 16:15:06 +02:00
Cosmin Cojocar
338b50debb Remove rule G105 which detects the use of math/big#Int.Exp 
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-09-10 11:59:05 +10:00
Cosmin Cojocar
81b6dc8872 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-09-10 11:57:18 +10:00
Cosmin Cojocar
f3445245a2 Fix the whitelist on G104 rule and add a test 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-06-25 11:15:11 +02:00
Cosmin Cojocar
78a49491a8 Load rules on each code sample in order to reconfigure them 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48 Refactor the rules tests to be able to configure the analyzer config per test sample 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-06-25 10:29:19 +02:00
Ben Bytheway
04dc713f22 One approach for fixing the false positive identified in #325. 2019-06-13 08:22:48 +10:00
Cosmin Cojocar
3af4ae9ddb Fix some lint warnings 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which allows to scan also the tests files 
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
 2019-04-29 06:55:24 +02:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284) 
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
 2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274) 
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
 2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored 
fixes #270
 2019-01-14 10:06:30 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address in provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Edoardo Tenani
adb42220da whitelist strings.Builder method in rule G104 2018-11-11 09:57:28 +01:00