Commit graph

576 commits

Author SHA1 Message Date
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now, if you use Gosec to scan an invalid go file and you report the result in a text, JSON, CSV or another file format, you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Martin Vrachev
9cdfec40ca Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
Cosmin Cojocar
8048b15efa Add more badges in the README file 2019-02-13 11:46:36 +01:00
Joaquin L. Pereyra
e2752bc191 revert to default GOPATH if necessary (#279)
* revert to default GOPATH if necessary
2019-02-07 09:34:52 +10:00
JulesDT
04ce7baf6c add a no-fail flag 2019-01-28 09:38:18 +01:00
Joaquin L. Pereyra
a966ff760c Fix -conf example in README.md
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as it did not include the final dot to examine the current pkg.
2019-01-22 15:33:45 +01:00
Cosmin Cojocar
b6626154df Fix typo 2019-01-18 11:09:41 +01:00
Cosmin Cojocar
5d33e6ebe1 Update the README with some details about the configuration file
fixes #269
2019-01-18 11:09:41 +01:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define the global options in the configuration more explicitly

* Detect in audit mode the unhandled errors even though they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
12400f9a1c Update README with the code coverage batch 2018-12-11 18:15:58 +01:00
Cosmin Cojocar
72e95e88ac Generate and upload the test coverage report to codecov.io 2018-12-11 17:08:31 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address is provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
f14f17fb1d Add a helper function which extracts the string parameters values of a call expression 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
2695567487 Build the code sample for string builder only from Go 1.10 onwards 2018-11-11 09:57:28 +01:00
Cosmin Cojocar
ae82798b9c Fix the WriteString test by handling the error 2018-11-11 09:57:28 +01:00
Edoardo Tenani
adb42220da whitelist strings.Builder method in rule G104 2018-11-11 09:57:28 +01:00
Edoardo Tenani
9b966a447e add test case for strings.Builder G104 whitelist inclusion 2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4 Make G201 ignore CallExpr with no args (#262) 2018-11-05 09:28:47 +01:00
Yuki Ito
443f84fd4d Fix golint link (#263) 2018-11-05 09:13:26 +01:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
e0a150bfa3
Merge pull request #254 from kishaningithub/253
Add install.sh script and update readme
2018-10-05 13:12:28 +02:00
Kishan B
97bc137c5b Add CI Installation steps and correct markdown lint errors 2018-10-05 15:27:14 +05:30
Kishan B
8c09a83248 Add install.sh script 2018-10-05 15:26:13 +05:30
Cosmin Cojocar
d032909e3f
Merge pull request #251 from NeverOddOrEven/fix-html-template
Fix the html template
2018-10-04 09:39:56 +02:00
NeverOddOrEven
027dc2b8a7 This fixes the html template when using '-fmt=html'
- resolves HTML escaping issues within the template
- resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
2018-10-03 13:31:59 -05:00
Cosmin Cojocar
f9b41874b1
Merge pull request #249 from andrewhsu/go
bump Dockerfile golang from 1.10 to 1.11
2018-10-03 08:35:47 +02:00
Andrew Hsu
1ecd47e007 bump Dockerfile golang from 1.10 to 1.11
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-10-03 00:28:39 +00:00
Cosmin Cojocar
2cc6838ca3
Merge pull request #248 from ccojocar/code-samples-multiple-files
Refactor the test code sample to support multiple files per sample
2018-09-28 11:52:04 +03:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Andrew Hsu
5f98926a7b Refactor Dockerfile (#245)
* ignore the temporary image file used for builds

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOPATH in the Dockerfile

It is already set in the golang:1.10.3-alpine3.8 image.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOROOT in Dockerfile

The correct value is embedded in the go tool.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* bump Dockerfile golang to 1.10.4

The latest golang version thus far.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* replace docker-entrypoint.sh with the gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* git ignore gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* refactor Dockerfile into multi-stage

First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* fix the image execution example in README.md

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-09-26 08:09:20 +03:00
Grant Murphy
7f6509a916
Update README.md (#246)
Add logo to README.md
2018-09-25 19:44:53 +10:00
Dale Hui
762ff3a709 Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls

* Factor out matching of formatter string

* Quoted strings are safe to use with SQL str formatted strings

* Add test for allowing quoted strings with string formatters

* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
Dale Hui
ec32ce68d8 Support Go 1.11 (#239)
* Test with the latest minor version of each major Go version

* Support Go 1.11 and modules
2018-09-10 09:09:12 +02:00
cschoenduve-splunk
145f1a0bf4 Removed wrapping feature (#238) 2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
Dom Udall 改善
63b25c147f Fix typo in README (#235)
`PORJECT` -> `PROJECT`
2018-09-03 09:39:31 +02:00
cschoenduve-splunk
7fd94463ed update to G304 which adds binary expressions and file joining (#233)
* Added features to G304

* Linted

* Added path selectors

* Used better solution

* removed debugging lines

* fixed comments

* Added test code

* fixed a spacing change
2018-08-28 14:34:07 +10:00
Cosmin Cojocar
e4ba96adc3 Update README 2018-08-21 11:15:14 +02:00
Cosmin Cojocar
ec0f8ec9d6 Set the GOROOT and GOPATH env variables in Dockerfile 2018-08-21 11:15:14 +02:00
Cosmin Cojocar
247828cfa5 Update docker base image to 1.10.3-alpine3.8 2018-08-21 11:15:14 +02:00
cschoenduve-splunk
b6891998ce Add Fprintf to Rule G201 2018-08-21 09:31:38 +02:00
cschoenduve-splunk
a7cff91312 Small update to G201 and added ConcatString Function (#228) 2018-08-19 19:57:36 +02:00
Grant Murphy
1c438e36af
Tweak makefile to match up with docker repo (#231) 2018-08-19 10:28:17 +10:00
Cosmin Cojocar
9577fd0b44 Update README 2018-08-15 09:58:26 +02:00
Cosmin Cojocar
e543f4662c Use the Linux build for Docker image 2018-08-15 09:53:33 +02:00
Cosmin Cojocar
dbd0f8f511 Use the make build goal when creating the docker image 2018-08-15 09:45:37 +02:00
Cosmin Cojocar
f06a84ebaa
Merge pull request #227 from ccojocar/sha1
Add sha1 to weak crypto primitives
2018-08-09 09:34:49 +02:00