Commit graph

917 commits

Author SHA1 Message Date
Jeff Widman
0695fa026e
Add -u to local install instructions (#595)
`-u` will ensure that users are updated to the latest released version.

This way bugs are less likely to be reported that are already fixed.
2021-04-16 09:50:10 +02:00
Cosmin Cojocar
7f2308bd85
Tidy up the modules after updating (#593)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-04-01 09:49:25 +02:00
renovate[bot]
f21b0b8dac
chore(deps): update all dependencies (#592)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-01 09:16:31 +02:00
Rogerio Peixoto
148e608148
Adding KICS to USERS.md (#590) 2021-03-25 14:51:59 +01:00
Chris Bandy
27a5ffb5c8
Quiet warnings about integer truncation (#586)
Both MinVersion and MaxVersion of crypto/tls.Config are uint16, so the
int16 fields of rules.insecureConfigTLS are too small. GetInt()
interprets integer literals as fitting within 64-bits, so simplify
things by using int64.
2021-03-03 10:05:33 +01:00
Cosmin Cojocar
bf2cd2392b
Update all dependencies (#585) 2021-03-01 09:45:00 +01:00
Aurélien Rainone
01ee764ed8
Fix typo in USERS.md (#583) 2021-02-27 18:54:40 +01:00
Cosmin Cojocar
9c047e32a3
Add support for Go 1.16 in the CI and release workflows (#581)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-26 11:12:38 +01:00
Matouš Dzivjak
1fce46151c
fix: WriteParams rule to work also with golang 1.16 (#577)
In go 1.16 the `ioutil` package was deprecated and
the functions should be replaced by their equivalents
in either `io` or `os` packages. This means,
that `ioutil.WriteFile` should be replaced by
`os.WriteFile` instead. To account for this change
and to detect incorrect permissions also for `os.WriteFile`
I changed `filePermissions` rule slightly to allow
specifying multiple packages that can contain given
function and that we should check. This workaround
can be removed after a sufficient time has passed
and after it is decided that checking `os.WriteFile`
is enough.

Fixes: https://github.com/securego/gosec/issues/576
2021-02-22 09:22:04 +01:00
Cosmin Cojocar
dcbcc4dd2a
Use a more generic path for sonarqube import path (#573)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 14:19:46 +01:00
Cosmin Cojocar
2777e5065e
Update README with a note which describes how to import a SonarQube report (#572) 2021-02-11 12:10:44 +01:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check (#570)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Dmitry Salakhov
6c57ae1628
Fix sarif formatting issues (#565)
* include tool version

* change declared sarif schema version

* dedup rules, fix result locations

* refactor rules collection creation
2021-02-05 10:06:04 +01:00
Renovate Bot
b6524ce487 Update all dependencies 2021-02-01 09:45:05 +01:00
Cosmin Cojocar
00bbbd8413
Fix the release workflow to allow unsecure commands
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-22 11:36:52 +01:00
Mark Wolfe
d9d75834b6 update README with instructions on how to integrate with GitHub codescanning 2021-01-22 11:31:07 +01:00
Mark Wolfe
3ed39fe612 fix sarif add default configuration set to correct level 2021-01-22 10:26:59 +01:00
Mark Wolfe
732f759e4f fix for sarif which maps level from issue severity 2021-01-21 18:26:43 +01:00
Mark Wolfe
327b2a0841 ensure the sarif results are an empty array if nothing is reported 2021-01-21 11:03:13 +01:00
K
41ea431779 Fix for SARIF output when Issue.Line contains a range 2021-01-05 08:38:25 +01:00
Cosmin Cojocar
a5911ad7bb Fix compilation errors in the test samples
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-01-04 09:28:00 +01:00
Chris Bandy
23ef7009f9 Fix some typos in rules tests 2021-01-04 09:28:00 +01:00
Chris Bandy
e100f6b862 Assert that sample code compiles 2021-01-04 09:28:00 +01:00
Cosmin Cojocar
bcfb27955e
Clean up the go module dependencies (#555)
* Clean up the dependencies

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>

* Add pq package to dependencies
2021-01-04 08:41:45 +01:00
renovate[bot]
e4d0e9f5be
Update all dependencies (#553)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-04 08:03:52 +01:00
Jeff Widman
9fe0b2e21a
Fix typo (#547) 2020-12-11 09:34:38 +01:00
renovate[bot]
d8fa95aad8
Update all dependencies (#544)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-12-01 09:29:25 +01:00
Ethan Buchman
984c1d39a0
fix typo in ContainsPkgCallExpr comment (#545) 2020-12-01 09:28:38 +01:00
renovate[bot]
208b73eec4
Update all dependencies (#538)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-11-02 09:15:56 +01:00
mrtc0
0d4f1cb2cb
Support SARIF output (#539)
* SARIF support

* add sarif option to help text
2020-11-02 09:13:53 +01:00
renovate[bot]
a4746e18e3
Update all dependencies (#533)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-10-07 20:32:18 +02:00
Miki Tebeka
6bd6e4ba2c Use $(go env GOPATH) that works even when GOPATH is not set 2020-10-01 04:17:43 +10:00
Lucas Charles
aef335a98e Fix typo in README.md
s/trucate/truncate for G101 configuration
2020-10-01 04:17:00 +10:00
xpivarc
0ce48a584f
Reproducible junit report (#529)
* Fix junit format ordering

Signed-off-by: L. Pivarc <lpivarc@redhat.com>

* Make ordering stable

Signed-off-by: L. Pivarc <lpivarc@redhat.com>

* Test ordering

Signed-off-by: L. Pivarc <lpivarc@redhat.com>
2020-09-29 19:17:38 +02:00
Cosmin Cojocar
868556b846 Update README with the correct path to tlsconfig command
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Cosmin Cojocar
13519fda59 Update the tls configuration generate to handle also the NSS alternative names
Regenerate the configuration of TLS rule.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Renovate Bot
e351067255 Update all dependencies 2020-09-01 08:58:31 +02:00
Cosmin Cojocar
166e4f5f45 Update README file with some more details required to run successfully a scan with the docker image
The current working directory needs to be specified in the docker run option in order for gosec
to download the dependencies defined in the go module file.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-01 08:57:52 +02:00
Cosmin Cojocar
f5cc32a320 Update the Go version to 1.15 in the Makefile
This is only used when building locally the docker image.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-01 08:57:52 +02:00
Cosmin Cojocar
ea0fa28b7f Update the Github go action version to 1.6.0
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
feea8bb243 Fix the action tag
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
6688a97661 Fix the github action for Go 1.15
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
7234349e33 Add Go 1.15 to the supported version and phase out the Go 1.12
Also updated the release automation to release gosec with Go 1.15

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
a3895d5c55 Fix typo in README file
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:02 +02:00
Jamie Cuthill
17c955519e Incorrect local installation instructions for v2 2020-08-21 11:23:36 +02:00
Cosmin Cojocar
f13b8bc639 Add also filepath.Rel as a sanitization method for input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
Renovate Bot
673a139e55 Update all dependencies 2020-08-03 09:07:46 +02:00
Cosmin Cojocar
110b62b05f Add io.CopyBuffer function to rule G110
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00