Commit graph

947 commits

Author SHA1 Message Date
Rafael dos Santos
f43a957359 Check for both default and alternative nosec tags (#426)
* Check both nosec tags

* Adjust test to find vulnerabilities

* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Hiroki Suezawa
79fbf3af8d Add golint format to output format (#428)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-03 10:56:21 +01:00
renovate[bot]
57c3788fe5 Update all dependencies (#427) 2020-01-02 17:56:50 +01:00
Grant Murphy
5d613739e1 fix(docker) gcc and libc-dev required bindings
The docker image doesn't include the necessary packages to build / analyze
some packages. Adding gcc and libc-dev to addess this.
2019-12-20 08:45:01 +10:00
renovate[bot]
cb4f343eaf Update all dependencies (#417) 2019-12-17 09:31:52 +01:00
Lars Lehtonen
df484bfa9e cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
* cmd/tlsconfig: build tags to deprecate tls.VersionSSL30 from go1.14

* cmd/tlsconfig: build tags to turn off TLSv1.3 in go1.11
2019-11-19 11:41:25 +01:00
renovate[bot]
b4c76d4234 Update all dependencies (#410) 2019-11-04 16:45:32 +01:00
Cosmin Cojocar
99170e0d76
Update the README with some details about the CWE mapping (#407)
* Fix some typos in the README file

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Update the README with some details about the CWE mapping

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-31 11:56:17 +01:00
Julian Thome
53be8dd864 Add CWE rule mappings (#405)
* added mappings

* added cwe to template

* link in function to template

* moved mappings and added test cases

* wording

* cleanup
2019-10-31 09:22:38 +01:00
Cosmin Cojocar
28c1128b73 Add more tests to improve the coverage of resolve
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
d78f02634a Format import to make codecov happy
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
50e1fe267d Improve the SSRF rule to report an issue for package scoped variables
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
07770ae76d Add a test for composite literals when trying to resolve an AST tree node
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
f413f1436d Handle the ValueSpec when trying to resolve an AST tree node
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
c1970ff5c9 Handle the ValueSpec when trying to resolve an AST tree node
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
ea9faae22d
Update the Go version to 1.13 in the Dockerfile (#403)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 09:44:34 +02:00
Cosmin Cojocar
186dec7b26
Convert the global settings to correct type when reading them from file (#399)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 09:44:17 +02:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs (#400)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
renovate[bot]
ad375d3b8f Update golang.org/x/tools commit hash to 7c411de (#389) 2019-10-01 09:10:45 +02:00
Grant Murphy
607f2408a5 reconfigure rennoavate bot (#395)
I *think* this schedule only monthly semver updates but still give us
vulnerability alerts.

See: https://docs.renovatebot.com/presets for more information.
2019-10-01 09:10:23 +02:00
Cosmin Cojocar
832d7bb398 Update README with CII Best Practicies badge
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-27 08:53:58 +10:00
Cosmin Cojocar
29341f6e9c Fix the rule G108/pporf to handle the case when the pporf import has not name
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00
Martin Vrachev
b504783a71 Change unit tests to check for one thing (#381)
The unit tests should check for a single thing at a time.
This was not true for some the tests.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 10:15:56 +02:00
renovate[bot]
7dbc65b199 Update golang.org/x/tools commit hash to 3ac2a5b (#387) 2019-09-24 10:14:45 +02:00
Renovate Bot
f3bd9fb960 Update golang.org/x/tools commit hash to 0f9bb8f 2019-09-24 11:40:53 +10:00
Renovate Bot
c6ac709aa8 Update golang.org/x/net commit hash to aa69164 2019-09-24 00:41:44 +00:00
Renovate Bot
7a6460dde9 Update golang.org/x/crypto commit hash to 9ee001b 2019-09-24 09:35:22 +10:00
Cosmin Cojocar
d8f249a079 Update README with rule G108
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Cosmin Cojocar
9cee24cccd Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Renovate Bot
73fbc9ba49 Update golang.org/x/net commit hash to 1a5e07d 2019-09-23 09:54:52 +00:00
renovate[bot]
124da07009 Update golang.org/x/tools commit hash to 5eefd05 (#378) 2019-09-23 11:54:36 +02:00
renovate[bot]
915e9eeba8 Update golang.org/x/sys commit hash to b4ddaad (#374) 2019-09-17 12:37:15 +02:00
Martin Vrachev
e7b3ae9c54 Clarify and add new unit tests for rule G107 (#376)
The existing unit tests for G107 didn't have any comments why
a certain code is problematic.
Other than that we need more unit tests for rule G107 for the
different scenarios.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 12:22:43 +02:00
renovate[bot]
f90efff866 Update golang.org/x/tools commit hash to 2dc213d (#375) 2019-09-17 12:22:00 +02:00
renovate[bot]
90e975912b Update golang.org/x/net commit hash to c858923 (#373) 2019-09-17 12:20:44 +02:00
Martin Vrachev
709ed1ba65 Change rule G204 to be less restrictive (#339)
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.

With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables

Closes: https://github.com/securego/gosec/issues/338

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
renovate[bot]
98749b7357 Update golang.org/x/net commit hash to 24e19bd (#372) 2019-09-16 10:25:16 +02:00
renovate[bot]
d8f6c4f7f7 Update golang.org/x/sys commit hash to c3b328c (#371) 2019-09-16 10:23:55 +02:00
renovate[bot]
32041942e8 Update golang.org/x/tools commit hash to 92af9d6 (#370) 2019-09-16 10:23:43 +02:00
Renovate Bot
140048b2a2 Update golang.org/x/sys commit hash to 7ad0cfa 2019-09-12 12:07:52 +00:00
renovate[bot]
a65402bc5a Update golang.org/x/tools commit hash to 6bfd74c (#365) 2019-09-12 14:07:35 +02:00
Isaev Denis
b9c4c66295 Expose analyzer API (#366)
Make it possible to use gosec from e.g. golangci-lint
without modification of gosec.
2019-09-12 14:06:59 +02:00
Grant Murphy
29fddff3b4 turn on automerge for rennovate bot 2019-09-11 21:29:05 +10:00
renovate[bot]
bee7b5aa0d Update golang.org/x/crypto commit hash to 227b76d (#363) 2019-09-11 09:51:50 +02:00
renovate[bot]
069c31f980 Update golang.org/x/tools commit hash to 16c5e0f (#362) 2019-09-11 09:51:26 +02:00
renovate[bot]
3e65f8ff9d Update golang.org/x/sys commit hash to bbd1755 (#361) 2019-09-11 09:51:06 +02:00
renovate[bot]
f5d5e20b3e Update golang.org/x/tools commit hash to dd2b5c8 (#360) 2019-09-10 09:18:49 +02:00
Cosmin Cojocar
a1c9c76277 Remove the unused code to increase the test coverage
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
338b50debb Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
43e3664713 Build the tls config generator only with Go versions compatible with Go 1.12
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00