Grant Murphy
4b70300e15
Exclude vendor directory from go vet
2017-01-14 14:03:31 -08:00
Grant Murphy
aaddac5e4b
Add the zxcvbn library to vendor list
2017-01-14 13:48:53 -08:00
Grant Murphy
9bc02396e8
Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered,
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
a7ec9ccc63
Backport test case for 1.5
Go 1.5 does not have a rand.Read function, so we need to adjust the test
definitions accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8
Fix additional test case
2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76
Fix test cases with invalid sample code
2017-01-13 12:40:49 -08:00
Grant Murphy
d3f0a08f0d
Report a failure and exit if type checking fails
Type checking failures were previously not reported and the file was
silently ignored. This change will report the error and halt further
processing.
2017-01-13 11:27:17 -08:00
Grant Murphy
bc21a39c66
Merge pull request #110 from GoASTScanner/bugfix
Improve specificity of error message for GenDecl
2017-01-11 10:25:58 -08:00
Grant Murphy
d1303fee0b
Improve specificity of error message for GenDecl
2017-01-11 10:12:11 -08:00
Grant Murphy
0545d13d8a
Merge pull request #109 from GoASTScanner/bugfix
Ensure hardcoded credentials check only considers constant strings
2017-01-11 10:03:53 -08:00
Grant Murphy
1e736c8838
Fix test case (invalid sample code)
2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995
Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.
Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
d4f9b88cbf
Merge pull request #104 from endophage/help_fix
updating skip cli help and readme description
2016-12-13 15:00:18 -08:00
David Lawrence
5f1c2df44a
updating skip cli help and readme description
2016-12-13 14:36:51 -08:00
Grant Murphy
c68ed64f6c
Merge pull request #102 from GoASTScanner/bugfix
Reduce logging messages a tad
2016-12-02 15:43:33 -08:00
Grant Murphy
94ac200d79
Tests broken if logger is not initialized
2016-12-02 15:39:01 -08:00
Grant Murphy
1ba8b93565
Reduce logging messages a tad
Only need to log if we're skipping a file or if we're processing it.
Should also use the [gas] prefix to aid filtering.
2016-12-02 15:34:12 -08:00
Grant Murphy
465338b05b
Merge pull request #101 from GoASTScanner/bugfix
Recreate fileset each time we process a file
2016-12-02 15:25:32 -08:00
Grant Murphy
191750f44c
Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.
Closes #100
2016-12-02 15:21:13 -08:00
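As an added illustration, not code from the project, of the double counting this commit fixes: summing the lines of every file registered in a token.FileSet after each parse keeps re-counting earlier files when one FileSet is shared across files, and counts each file exactly once when a fresh FileSet is created per file. The two source files and the names Files, CountShared and CountFresh are constructed for this example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
)

// SourceFile is one in-memory Go file to parse (constructed sample input).
type SourceFile struct {
	Name string
	Src  string
}

// Files holds two constructed files of five and three lines respectively.
var Files = []SourceFile{
	{"a.go", "package a\n\nfunc A() int {\n\treturn 1\n}\n"},
	{"b.go", "package b\n\nfunc B() {}\n"},
}

// linesIn sums the line count of every file currently registered in fset.
func linesIn(fset *token.FileSet) int {
	total := 0
	fset.Iterate(func(f *token.File) bool {
		total += f.LineCount()
		return true
	})
	return total
}

// CountShared reuses one FileSet for every file and adds up the lines in the
// fileset after each parse. Earlier files stay registered, so they are counted
// again on every later iteration: 5 + (5+3) = 13 for Files.
func CountShared(files []SourceFile) (int, error) {
	fset := token.NewFileSet()
	total := 0
	for _, sf := range files {
		if _, err := parser.ParseFile(fset, sf.Name, sf.Src, 0); err != nil {
			return 0, err
		}
		total += linesIn(fset)
	}
	return total, nil
}

// CountFresh creates a new FileSet per file, so each file is counted once:
// 5 + 3 = 8 for Files.
func CountFresh(files []SourceFile) (int, error) {
	total := 0
	for _, sf := range files {
		fset := token.NewFileSet()
		if _, err := parser.ParseFile(fset, sf.Name, sf.Src, 0); err != nil {
			return 0, err
		}
		total += linesIn(fset)
	}
	return total, nil
}

func main() {
	shared, _ := CountShared(Files)
	fresh, _ := CountFresh(Files)
	fmt.Printf("shared fileset: %d lines, fresh fileset per file: %d lines\n", shared, fresh)
}
```

The same pattern applies to any per-file state a scanner keeps (import tables, rule state): either reset it before each file or key it by file.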
Grant Murphy
b5308ff621
Merge pull request #98 from endophage/recursive
adding support for arbitrary paths with ellipses
2016-12-02 14:21:02 -08:00
Grant Murphy
365e9f6cbc
Merge pull request #99 from mcpeak/fix-nosec
Fix nosec to work as documented
2016-12-02 14:06:55 -08:00
David Lawrence
1a481fad70
adding support for arbitrary paths with ...
2016-12-02 13:54:05 -08:00
Travis McPeak
942f40acf5
Fix nosec to work as documented
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'. This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
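An added example, not the project's code, of the difference between matching the literal "#nosec" marker and matching any comment that happens to contain "nosec". It associates comments with calls by line number, which is an assumption made for this example rather than the scanner's own mechanism; NosecSample and SuppressedCalls are constructed names, and the sample source is constructed input.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// NosecSample is constructed input: one call annotated with the documented
// "#nosec" marker, one with an unrelated comment containing the substring
// "nosec", and one with no comment at all.
const NosecSample = `package demo
import "math/rand"
func ids() {
	a := rand.Int() // #nosec: non-security identifier, reviewed
	b := rand.Int() // nosecure legacy path, still to be fixed
	c := rand.Int()
	_, _, _ = a, b, c
}
`

// SuppressedCalls reports, keyed by line number, whether each call expression
// in src carries a suppressing comment on its line. With exact=true only the
// literal "#nosec" marker counts (the documented behaviour); with exact=false
// any comment containing "nosec" counts (the behaviour the commit replaced).
func SuppressedCalls(src string, exact bool) (map[int]bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	marker := "nosec"
	if exact {
		marker = "#nosec"
	}
	// Index the raw text of every comment (including its // or /* markers)
	// by the line it starts on.
	byLine := map[int][]string{}
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			line := fset.Position(c.Pos()).Line
			byLine[line] = append(byLine[line], c.Text)
		}
	}
	out := map[int]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		line := fset.Position(call.Pos()).Line
		suppressed := out[line]
		for _, text := range byLine[line] {
			if strings.Contains(text, marker) {
				suppressed = true
			}
		}
		out[line] = suppressed
		return true
	})
	return out, nil
}

func main() {
	for _, exact := range []bool{false, true} {
		res, err := SuppressedCalls(NosecSample, exact)
		if err != nil {
			panic(err)
		}
		fmt.Printf("exact=%v: %v\n", exact, res)
	}
}
```

With the loose match, the call on line 5 is silently suppressed by a comment that was never meant as an annotation; with the exact marker only line 4 is.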
Grant Murphy
39113216a8
Merge pull request #97 from GoASTScanner/experimental
Address unhandled error conditions
2016-12-02 10:35:02 -08:00
Grant Murphy
6ace60b950
Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
8f78248b61
Merge pull request #92 from GoASTScanner/experimental
Resolve issues with error rules
2016-12-02 09:01:30 -08:00
Grant Murphy
e1e435cf33
Merge pull request #93 from GoASTScanner/bugfix
Remove ast.Print debug message from tryresolve
2016-12-01 09:27:52 -08:00
Grant Murphy
dcfd97c57d
Remove ast.Print debug message from tryresolve
2016-12-01 09:24:58 -08:00
Grant Murphy
129be1561b
Update error test case
There were several issues with the error test case that have been
addressed in this commit.
- It is possible to specify a whitelist of calls that error handling
should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
implicitly ignored.
There were several other additions to the helpers and call list in order
to support this type of functionality.
Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
5242a2c1df
Extend helpers and call list
- Update call list to work directly with call expression
- Add call list test cases
- Extend helpers to add GetCallInfo to resolve call name and package or
type if it's a var.
- Add test cases to ensure correct behaviour
2016-11-18 09:57:34 -08:00
Grant Murphy
d29c64800e
Add match call by type
2016-11-17 20:18:31 -08:00
Grant Murphy
d30c5cde36
Merge pull request #91 from GoASTScanner/experimental
Update unsafe rule to match package explicitly
2016-11-15 14:00:59 -08:00
Grant Murphy
63e8b1af23
Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(); the regexp was not explicit
enough, and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
b26f5cf3c6
Merge pull request #90 from GoASTScanner/experimental
Remove debug print messages
2016-11-15 12:40:07 -08:00
Grant Murphy
39b18a1539
Remove debug print messages
2016-11-15 12:36:02 -08:00
Grant Murphy
5b3192b656
Merge pull request #88 from GoASTScanner/experimental
Initialize fresh import info for each file
2016-11-15 12:01:53 -08:00
Grant Murphy
ca42de24ba
Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.
Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
6ef59ba3ae
Merge pull request #86 from GoASTScanner/experimental
Handle imbalanced declaration of constants
2016-11-14 15:20:54 -08:00
Grant Murphy
c7bb2dd3b7
Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48
Handle imbalanced declaration of constants
The following code would create a panic condition:
const foo, bar = "some thing"
Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
93016846d2
Merge pull request #83 from GoASTScanner/experimental
Adjust rule interface to allow interest in multiple ast node types
2016-11-13 13:08:58 -08:00
Grant Murphy
a3fcd96f57
Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls so it will
work with global vars and constants.
Fixes #74
2016-11-13 12:57:59 -08:00
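An added example, not the project's code, that combines the hardcoded-credentials behaviour described in the commits above (entropy check on the first 16 characters, constant strings only, GenDecl handling, and the imbalanced `const foo, bar = "some thing"` and value-less `var` cases that must not crash the rule). Shannon entropy is used here as a stand-in for the zxcvbn score, which is an assumption of this example; the name regexp, the 3.0 threshold and the CredSample input are constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"math"
	"regexp"
	"strconv"
)

// CredSample is constructed, parse-valid input. It would not type-check: the
// const line is the imbalanced case that once panicked the scanner.
const CredSample = `package demo
import "os"
const foo, bar = "some thing"
var password string
var apiToken = "x7Kq9dLm2pR4sT1vW8yZ"
func run() {
	passwordField := "password"
	secret := os.Getenv("SECRET")
	dbPass, _ := lookup()
	_, _, _ = passwordField, secret, dbPass
}
func lookup() (string, error) { return "", nil }
`

// credentialName is an assumed pattern for identifiers that may hold secrets.
var credentialName = regexp.MustCompile(`(?i)passwd|pass|password|pwd|secret|token`)

// shannonEntropy returns bits per character over at most maxLen runes. It
// stands in for the zxcvbn score; the 16-rune cap mirrors the commit's default.
func shannonEntropy(s string, maxLen int) float64 {
	r := []rune(s)
	if len(r) > maxLen {
		r = r[:maxLen]
	}
	if len(r) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, c := range r {
		counts[c]++
	}
	var h float64
	for _, n := range counts {
		p := float64(n) / float64(len(r))
		h -= p * math.Log2(p)
	}
	return h
}

// Finding is one suspected hardcoded credential.
type Finding struct {
	Name, Value string
	Line        int
}

// FindHardcodedCredentials reports credential-named identifiers that are given
// a constant string of entropy >= minEntropy, in assignments and in var/const
// (GenDecl) value specs. Non-literal values such as os.Getenv(...) are ignored.
func FindHardcodedCredentials(src string, minEntropy float64) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	check := func(name, value ast.Expr) {
		id, ok := name.(*ast.Ident)
		if !ok || !credentialName.MatchString(id.Name) {
			return
		}
		lit, ok := value.(*ast.BasicLit)
		if !ok || lit.Kind != token.STRING {
			return // only constant strings are considered
		}
		s, err := strconv.Unquote(lit.Value)
		if err == nil && shannonEntropy(s, 16) >= minEntropy {
			out = append(out, Finding{id.Name, s, fset.Position(id.Pos()).Line})
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt:
			for i, lhs := range x.Lhs {
				if i < len(x.Rhs) { // a, b := f() has fewer Rhs than Lhs
					check(lhs, x.Rhs[i])
				}
			}
		case *ast.ValueSpec: // var/const specs inside a GenDecl
			for i, name := range x.Names {
				if i < len(x.Values) { // guards `var p string` and `const a, b = "x"`
					check(name, x.Values[i])
				}
			}
		}
		return true
	})
	return out, nil
}

func main() {
	found, err := FindHardcodedCredentials(CredSample, 3.0)
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Printf("line %d: %s = %q (entropy %.2f)\n", f.Line, f.Name, f.Value, shannonEntropy(f.Value, 16))
	}
}
```

With the threshold set, only apiToken is reported; passwordField = "password" (a form-field name, entropy 2.75 bits per character) drops out, which is the false-positive class the entropy check targets. Lowering the threshold to 0 brings it back.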
Grant Murphy
bf103da519
Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
c6587df4a5
Merge pull request #82 from GoASTScanner/experimental
Ensure os.OpenFile file permissions are checked
2016-11-12 18:03:20 -08:00
Grant Murphy
1d732b8ae3
Ensure os.OpenFile file permissions are checked
In addition, a configuration file may be used to set the permission level.
Closes #53
2016-11-12 17:57:20 -08:00
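An added example, not the project's code, of the call matching these commits describe: a small CallInfo resolver in the spirit of the GetCallInfo helper mentioned above, an unsafe rule that compares the package identifier exactly (so foounsafe.Blah() no longer matches, unlike a bare "unsafe" regexp), and an os.OpenFile rule that checks the literal mode argument against a configurable maximum. CallInfo, ScanCalls, CallSample and the maxPerm threshold are constructed names and assumptions of this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// CallSample is constructed input: a real unsafe call, a call on an identifier
// that merely ends in "unsafe", and two os.OpenFile calls with literal modes.
const CallSample = `package demo
import (
	"os"
	"unsafe"
)
func demo(p *int, foounsafe helper) {
	_ = unsafe.Pointer(p)
	foounsafe.Blah()
	f1, _ := os.OpenFile("/tmp/a", os.O_RDWR|os.O_CREATE, 0600)
	f2, _ := os.OpenFile("/tmp/b", os.O_RDWR|os.O_CREATE, 0644)
	_, _ = f1, f2
}
type helper struct{}
func (helper) Blah() {}
`

// CallInfo names the package and function of a pkg.Func(...) call. It is a
// simplified stand-in for a GetCallInfo-style helper and only resolves selector
// calls on a plain identifier, not methods on variables or import aliases.
type CallInfo struct {
	Pkg, Name string
	Call      *ast.CallExpr
}

func callInfo(n ast.Node) (CallInfo, bool) {
	call, ok := n.(*ast.CallExpr)
	if !ok {
		return CallInfo{}, false
	}
	sel, ok := call.Fun.(*ast.SelectorExpr)
	if !ok {
		return CallInfo{}, false
	}
	pkg, ok := sel.X.(*ast.Ident)
	if !ok {
		return CallInfo{}, false
	}
	return CallInfo{Pkg: pkg.Name, Name: sel.Sel.Name, Call: call}, true
}

// Issue is one finding.
type Issue struct {
	Line int
	Msg  string
}

// ScanCalls flags calls whose package identifier is exactly "unsafe" and
// os.OpenFile calls whose literal mode sets permission bits outside maxPerm.
// maxPerm stands in for the configurable threshold the commit describes.
func ScanCalls(src string, maxPerm int64) ([]Issue, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var issues []Issue
	ast.Inspect(f, func(n ast.Node) bool {
		ci, ok := callInfo(n)
		if !ok {
			return true
		}
		line := fset.Position(ci.Call.Pos()).Line
		switch {
		case ci.Pkg == "unsafe": // exact identifier match, not a substring regexp
			issues = append(issues, Issue{line, "use of unsafe." + ci.Name})
		case ci.Pkg == "os" && ci.Name == "OpenFile" && len(ci.Call.Args) == 3:
			lit, ok := ci.Call.Args[2].(*ast.BasicLit)
			if !ok || lit.Kind != token.INT {
				return true // mode is not a literal; cannot judge it statically
			}
			mode, err := strconv.ParseInt(lit.Value, 0, 64) // base 0: 0644 and 0o644 are octal
			if err == nil && mode&^maxPerm != 0 {
				issues = append(issues, Issue{line, fmt.Sprintf("os.OpenFile mode %#o grants bits outside %#o", mode, maxPerm)})
			}
		}
		return true
	})
	return issues, nil
}

func main() {
	issues, err := ScanCalls(CallSample, 0600)
	if err != nil {
		panic(err)
	}
	for _, is := range issues {
		fmt.Printf("line %d: %s\n", is.Line, is.Msg)
	}
}
```

Checking `mode &^ maxPerm` rather than `mode > maxPerm` catches an extra bit such as the execute bit in 0700 as well as group/world bits. An aliased import (`import u "unsafe"`) is not caught by identifier matching alone; resolving the alias through the file's ImportSpecs is the general fix.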
Grant Murphy
423a303712
Merge pull request #81 from GoASTScanner/experimental
Incorrect rule mapping in rulelist
2016-11-08 09:22:18 -08:00
Grant Murphy
97dcc72a8b
Incorrect rule mapping in rulelist
2016-11-08 08:48:45 -08:00
Grant Murphy
7dd3032823
Merge pull request #76 from GoASTScanner/experimental
Fix alias logic
2016-11-07 20:13:48 -08:00
Grant Murphy
be96ef273d
Fix alias logic
2016-11-07 20:10:30 -08:00
Grant Murphy
c833bfae02
Merge branch 'tam7t-rand-pkg-helper'
2016-11-07 20:04:40 -08:00