Commit graph

778 commits

Author SHA1 Message Date
Cosmin Cojocar
ea0fa28b7f Update the Github go action version to 1.6.0
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
feea8bb243 Fix the action tag
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
6688a97661 Fix the github action for Go 1.15
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
7234349e33 Add Go 1.15 to the supported versions and phase out Go 1.12
Also updated the release automation to release gosec using Go 1.15

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:23 +02:00
Cosmin Cojocar
a3895d5c55 Fix typo in README file
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:02 +02:00
Jamie Cuthill
17c955519e Incorrect local installation instructions for v2 2020-08-21 11:23:36 +02:00
Cosmin Cojocar
f13b8bc639 Also add filepath.Rel as a sanitization method for the input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
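The G304 commits above treat an argument that went through filepath.Clean or filepath.Rel as sanitized, and the G305 commit extends the archive check to path.Join and tar entries. Both rules match call shapes at the AST level; whether the resulting path is actually confined to a directory is up to the application. The following added example (written for this page, not gosec's own code) shows a containment check that does hold, and applies it to a user-supplied file name and to tar entry names. SafeJoin, ExtractTargets, BuildTar, the base directories and the archive contents are all constructed for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when an untrusted path would escape the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin joins an untrusted relative name onto base and proves the result
// stays inside base. filepath.Clean (and filepath.Join, which cleans) only
// normalises "a/../b"; it returns "../etc/passwd" unchanged, so the
// containment check built on filepath.Rel is what actually blocks traversal.
func SafeJoin(base, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	joined := filepath.Join(base, name)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// Entry is a constructed (name, content) pair used to build sample archives.
type Entry struct {
	Name string
	Body string
}

// BuildTar writes entries into an in-memory tar archive. It exists only to
// produce sample input; archive/tar does not validate entry names for you.
func BuildTar(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, e.Body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ExtractTargets walks a tar stream and returns the destination path for
// every entry, rejecting the whole archive at the first entry that would
// land outside base (the "zip slip" shape that G305 looks for). Nothing is
// written to disk; a real extractor would create each returned path.
func ExtractTargets(base string, r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		}
		if err != nil {
			return targets, err
		}
		dest, err := SafeJoin(base, hdr.Name)
		if err != nil {
			return targets, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		targets = append(targets, dest)
	}
}

func main() {
	base := filepath.Join("srv", "data")
	for _, name := range []string{"reports/2020.txt", "a/../b.txt", "../../etc/passwd"} {
		p, err := SafeJoin(base, name)
		fmt.Printf("%-20s -> %q err=%v\n", name, p, err)
	}
	archive, err := BuildTar([]Entry{{"ok.txt", "hi"}, {"../../evil.sh", "#!/bin/sh"}})
	if err != nil {
		panic(err)
	}
	targets, err := ExtractTargets("out", bytes.NewReader(archive))
	fmt.Println(targets, err)
}
```

The prefix test on the Rel result is the important part: a name such as "a/../../x" cleans to a path that starts with ".." relative to base and is rejected, while "a/../b.txt" cleans to a path inside base and passes. Absolute entry names are refused outright because an archive should never dictate where it lands.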
Renovate Bot
673a139e55 Update all dependencies 2020-08-03 09:07:46 +02:00
Cosmin Cojocar
110b62b05f Add io.CopyBuffer function to rule G110
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
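Rule G110, which the commit above extends to io.CopyBuffer, flags copying from a decompressor with no upper bound on the output. The added example below (written for this page, not gosec's code) puts the flagged pattern beside a bounded version and builds a constructed miniature "bomb" to exercise both; DecompressUnbounded, DecompressBounded, Compress, ErrTooLarge and the 4 MiB sample size are all assumptions of the illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge signals that the decompressed stream exceeded the caller's budget.
var ErrTooLarge = errors.New("decompressed data exceeds limit")

// DecompressUnbounded is the shape gosec rule G110 reports: io.Copy (or
// io.CopyBuffer) from a decompressor straight into memory, so a few KiB of
// input can expand to whatever the attacker compressed.
func DecompressUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	var out bytes.Buffer
	if _, err := io.Copy(&out, zr); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// DecompressBounded reads at most limit bytes of output. It wraps the
// decompressor in io.LimitReader(limit+1): if limit+1 bytes arrive the stream
// is over budget and is rejected, rather than silently truncated at limit.
func DecompressBounded(compressed []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	var out bytes.Buffer
	n, err := io.Copy(&out, io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if n > limit {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// Compress builds the constructed sample input: a run of zero bytes that gzip
// shrinks by roughly three orders of magnitude.
func Compress(size int) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(make([]byte, size)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	const size = 4 << 20
	bomb, err := Compress(size)
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed %d bytes -> %d bytes\n", size, len(bomb))
	out, err := DecompressBounded(bomb, 64<<10)
	fmt.Printf("64 KiB budget: len=%d err=%v\n", len(out), err)
	out, err = DecompressBounded(bomb, size)
	fmt.Printf("4 MiB budget:  len=%d err=%v\n", len(out), err)
}
```

Reading limit+1 rather than limit is what distinguishes "fits" from "was cut off"; truncating silently would hand the caller a corrupt document and hide the abuse attempt.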
Cosmin Cojocar
6bcd89aa6b Mark all lines of a multi-line finding
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-07 10:00:15 +02:00
Cosmin Cojocar
4d4e5949c6 Add some comments
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-07 10:00:15 +02:00
Cosmin Cojocar
d1467ac998 Extend the code snippet included in the issue and refactor how the code snippet is printed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-07 10:00:15 +02:00
Cosmin Cojocar
37d1af0af3 Expand the arguments to a list of strings when they are provided as a single string
The GitHub action provides the arguments as a single string to the docker container,
so we need to expand them in order for gosec to properly interpret them.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-06 19:38:49 +02:00
Renovate Bot
59cbe0071f Update all dependencies 2020-07-01 09:13:45 +02:00
Cosmin Cojocar
ade81d3873 Rename file for consistency
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-29 13:52:47 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
3784ffea4e Fix panic when reading the version from debug info in Go 1.13
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 15:27:53 +02:00
Cosmin Cojocar
55d368f2e5 Improve the TLS version checking
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
ad1cb7e47e Make sure some version information is set when no version was injected into the binary
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:20:55 +02:00
Cosmin Cojocar
1d2c951f2c Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
0c1a71b8a1 Add more tests samples to increase coverage
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
fe07fcf276 Fix unit test when checking a mix of good and bad random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
6bbf8f9cbc Extend the insecure random rule with more insecure random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Hiroaki Sano
af699f6a62 Exclude .git directory from scan (#485) 2020-06-09 15:16:27 +02:00
renovate[bot]
6202b38a44 Update all dependencies (#484)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-06-02 09:31:29 +02:00
Cosmin Cojocar
6a130d55b3 Update the link pointing to issues to CWE mapping to use the master version (#483)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-28 14:40:15 +02:00
Lukas Aron
826db1cfec Fix the build tags propagation
The build tags are now propagated into the build context when analysing a package.
2020-05-27 12:42:19 +02:00
Cosmin Cojocar
7da9248ce6 Change the issue test to verify that a multi-line finding contains a line range
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
7aedcc56ab Remove print line from tests
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
30e93bf865 Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
In addition makes the pattern matching used by the rules case insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
32be4a5cc6 Make sure all rules are mapped to CWE numbers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-26 08:59:14 +02:00
Grant Murphy
8630c43b66 Add null pointer check in G601
fixes: #475
2020-05-21 05:51:45 +02:00
Lukas Aron
1418b856ea ondisk -> onDisk 2020-05-19 11:34:34 +02:00
Lukas Aron
b2cfc5d638 USERS.md typo in the title fixed. 2020-05-19 11:34:34 +02:00
Cosmin Cojocar
425b8f9531 Display a sponsor button in the repository
Enable the funding button in the project following https://help.github.com/en/github/administering-a-repository/displaying-a-sponsor-button-in-your-repository
2020-05-14 09:33:18 +02:00
Cosmin Cojocar
0714a1e62a Update the users file with some more projects and companies
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-12 08:51:13 +02:00
Cosmin Cojocar
1b915ddad7 Set up a gosec's users list
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-12 08:51:13 +02:00
Vitaly Velikodny
668512fc5c Update bad_defer.go
Fix a mistake in the message:
> G307: Deferring unsafe method "*os.File" on type "Close" (gosec)

type and method changed
2020-05-06 16:23:04 +02:00
Caccavale
ee3146e637 Rule which detects aliasing of values in RangeStmt 2020-04-24 07:46:25 -07:00
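The rule added in the commit above (G601) reports taking the address of a range variable. The added example below (written for this page, not gosec's code) shows the reported pattern next to the fix; Finding, CollectAliased, CollectFixed and Lines are names made up for the illustration. One caveat a reader should have in mind: Go 1.22 changed loop variable scoping so that a module declaring go 1.22 or later gets a fresh variable per iteration, and the aliasing only manifests on earlier language versions. The checks below therefore assert on the fixed form only.

```go
package main

import "fmt"

// Finding is a constructed stand-in for a per-line analysis result.
type Finding struct {
	Rule string
	Line int
}

// CollectAliased is the pattern gosec rule G601 reports. Before Go 1.22 the
// range variable f is a single variable reused on every iteration, so every
// pointer stored in out refers to the same memory and, once the loop ends,
// they all read as the last element.
func CollectAliased(findings []Finding) []*Finding {
	var out []*Finding
	for _, f := range findings {
		out = append(out, &f)
	}
	return out
}

// CollectFixed indexes into the backing slice instead, so each pointer refers
// to its own distinct element on every Go version.
func CollectFixed(findings []Finding) []*Finding {
	out := make([]*Finding, 0, len(findings))
	for i := range findings {
		out = append(out, &findings[i])
	}
	return out
}

// Lines projects a pointer slice onto its line numbers, which makes aliasing
// visible at a glance.
func Lines(ps []*Finding) []int {
	lines := make([]int, len(ps))
	for i, p := range ps {
		lines[i] = p.Line
	}
	return lines
}

func main() {
	findings := []Finding{{"G304", 12}, {"G110", 40}, {"G601", 77}}
	fmt.Println("aliased:", Lines(CollectAliased(findings)))
	fmt.Println("fixed:  ", Lines(CollectFixed(findings)))
}
```

The same defect appears when the range variable is captured by a goroutine or a closure rather than by address; the index-based form, or an explicit per-iteration copy, is the fix in both cases.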
Cosmin Cojocar
8662624e28 Update the build badge to get the status from GitHub workflow
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:20:30 -07:00
Cosmin Cojocar
a5db4e1f04 Run mod tidy to clean up the dependencies
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
fb44007c6e Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
a2a40de847 Update the README with an example to configure the hard-coded credentials rule
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
802292c54f Fix the configuration parsing for hardcoded credentials
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c58f3563d3 Set the default color on only for text format
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 09:33:44 -07:00
Cosmin Cojocar
1a113d6da9 Turn the color always on when the text format is set
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 02:21:37 -07:00
Cosmin Cojocar
c4417de46d Use the latest color package to get the color working with tmux
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 02:21:37 -07:00