Marc Brugger
62db81342e
Allow excluding generated files
2021-08-04 17:33:20 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build
2021-05-31 10:44:12 +02:00
Lukas Aron
826db1cfec
Fix the build tags propagation
...
The build tags are now propagated into the build context when analysing a package.
2020-05-27 12:42:19 +02:00
Cosmin Cojocar
81e8278164
Add the Cgo files to the analysed files and ingonre all non-Go files
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Hiroki Suezawa
9cb83e10af
Add a rule which detects when there is potential integer overflow ( #422 )
...
* Add G109(Potential Integer OverFlow Detection)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* add CWE to G109(Potential Integer Overflow)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Modify G109 to use gosec.Context
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Rafael dos Santos
f43a957359
Check for both default and alternative nosec tags ( #426 )
...
* Check both nosec tags
* Adjust test to find vulnerabilities
* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs ( #400 )
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
Isaev Denis
b9c4c66295
Expose analyzer API ( #366 )
...
Make it possible to use gosec from e.g. golangci-lint
without modification of gosec.
2019-09-12 14:06:59 +02:00
Daniel Carlier
8932f702ce
Add flag to handle '#nosec' alternative ( #346 )
...
* Add logic to check for a #nosec alternative
* Add NoSecAlternative as a new global variable
* Add nosec-tag flag
2019-09-04 10:20:43 +02:00
Cosmin Cojocar
63b44b6681
Add some more tests to make codecov happy
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:56:26 +02:00
Cosmin Cojocar
78a49491a8
Load rules on each code sample in order to reconfigure them
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48
Refactor the rules tests to be able to configure the analyzer config per test sample
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Cosmin Cojocar
b68ac76dbc
Fix formatting
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3e69a8c8a2
Append the package load errors to analyser's errors
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
aac9b00845
Refactor properly the package error parsing and cover all test cases
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
625718d294
Refactor the test for Go build errors
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3af4ae9ddb
Fix some lint warnings
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b04c1ce0a7
Fix error parsing from package
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
92b3644625
Fix error parsing when the loaded package is empty
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
5ef2beeaa6
Track only the import from the file which is checked
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Cosmin Cojocar
b49c9532a8
Add a flag which allows to scan also the tests files
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
4dfaf0a997
Refactor the analyzer to process one package at the time
...
This avoids loading all packages in memory before running the checks.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-28 09:06:52 +02:00
Cosmin Cojocar
85221996b6
Improve logging in the analyser
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Naoya Yoshizawa
85d180848d
Go modules support for 1.12 ( #297 )
...
* support go module
* fix implement and uncommented out tests
* includes test package
* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
Martin Vrachev
62b5195dd9
Report for Golang errors ( #284 )
...
* Report for Golang errors
Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.
The real problem here is that the user will never know about the issue if he generates the output in a file.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration ( #274 )
...
* Define more explicit the global options in the configuration
* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Oleksandr Redko
3116b07de4
Fix typos in comments and rulelist ( #256 )
2018-10-11 14:45:31 +02:00
Delon Wong Her Laang
d3f1980e7a
Fix false positives for SQL string concatenation with constants from another file ( #247 )
...
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Cosmin Cojocar
4c6396b7d4
Derive the package from given files
...
Move some utility functions into the helper
2018-07-23 15:16:47 +02:00
Cosmin Cojocar
893b87b343
Replace gas with gosec everywhere in the project
2018-07-19 18:42:25 +02:00
cosmincojocar
4ae8c95b40
Add an option for Go build tags ( #201 )
...
* Add an option for Go build tags
* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Grant Murphy
830cb81b29
Support package resolution and filepaths ( #187 )
...
* Support package resolution and filepaths
This change introduces the logic to resolve packages using gotool
and build packages from filepaths. It assumes that the packages
being scanned are located within the GOPATH.
If the GOPATH environment variable is not set the GOPATH is derived
as $HOME/go.
Relates to #184
* Fix build error
* Address unhandled error
* Fix formatting error
* Handle multiple paths on GOPATH
2018-04-16 15:46:39 +10:00
Jon McClintock
429ac07bbd
Change the exclude syntax to be a part of #nosec
2018-03-08 19:01:00 +00:00
Jon McClintock
18700c276f
Style tweak
2018-03-03 00:04:48 +00:00
Jon McClintock
1429033aca
Add support for #excluding specific rules
2018-03-02 23:44:51 +00:00
Cosmin Cojocar
7355f0a119
Fix some gas warnings
2018-02-10 20:10:56 +01:00
Jon McClintock
f111d5de2c
[Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
2018-01-29 18:33:48 +00:00
Andrew S. Brown
22dc89384d
Do a single build for all packages.
...
This is much faster because the loader can reuse packages.
2018-01-07 15:02:33 -08:00
Grant Murphy
25d74c6b20
address review comments
2017-12-14 10:04:22 +10:00
Grant Murphy
af25ac1f6e
fix golint errors picked up by hound-ci
2017-12-13 22:35:47 +10:00
Grant Murphy
6943f9e5e4
Major rework of codebase
...
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
026fe4c534
Simplify analyzer and command line interface
...
The analyzer now only handles packages rather than one off files. This
simplifies the CLI functionality significantly.
2017-05-09 21:26:53 -07:00
Grant Murphy
bf78d027a9
Restructure and introduce a standalone config
2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0
Restructure to focus on lib rather than cli
2017-04-26 08:08:46 -07:00