Commit graph

44 commits

Author SHA1 Message Date
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build 2021-05-31 10:44:12 +02:00
Lukas Aron
826db1cfec
Fix the build tags propagation
The build tags are now propagated into the build context when analysing a package.
2020-05-27 12:42:19 +02:00
Cosmin Cojocar
81e8278164 Add the Cgo files to the analysed files and ingonre all non-Go files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422)
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Rafael dos Santos
f43a957359 Check for both default and alternative nosec tags (#426)
* Check both nosec tags

* Adjust test to find vulnerabilities

* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs (#400)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
Isaev Denis
b9c4c66295 Expose analyzer API (#366)
Make it possible to use gosec from e.g. golangci-lint
without modification of gosec.
2019-09-12 14:06:59 +02:00
Daniel Carlier
8932f702ce Add flag to handle '#nosec' alternative (#346)
* Add logic to check for a #nosec alternative

* Add NoSecAlternative as a new global variable

* Add nosec-tag flag
2019-09-04 10:20:43 +02:00
Cosmin Cojocar
63b44b6681 Add some more tests to make codecov happy
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:56:26 +02:00
Cosmin Cojocar
78a49491a8 Load rules on each code sample in order to reconfigure them
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48 Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Cosmin Cojocar
b68ac76dbc Fix formatting
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3e69a8c8a2 Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
aac9b00845 Refactor properly the package error parsing and cover all test cases
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
625718d294 Refactor the test for Go build errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3af4ae9ddb Fix some lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b04c1ce0a7 Fix error parsing from package
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
92b3644625 Fix error parsing when the loaded package is empty
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
5ef2beeaa6 Track only the import from the file which is checked
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which allows to scan also the tests files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
4dfaf0a997 Refactor the analyzer to process one package at the time
This avoids loading all packages in memory before running the checks.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-28 09:06:52 +02:00
Cosmin Cojocar
85221996b6 Improve logging in the analyser
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Naoya Yoshizawa
85d180848d Go modules support for 1.12 (#297)
* support go module

* fix implement and uncommented out tests

* includes test package

* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Cosmin Cojocar
4c6396b7d4 Derive the package from given files
Move some utility functions into the helper
2018-07-23 15:16:47 +02:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Grant Murphy
830cb81b29
Support package resolution and filepaths (#187)
* Support package resolution and filepaths

This change introduces the logic to resolve packages using gotool
and build packages from filepaths. It assumes that the packages
being scanned are located within the GOPATH.

If the GOPATH environment variable is not set the GOPATH is derived
as $HOME/go.

Relates to #184

* Fix build error

* Address unhandled error

* Fix formatting error

* Handle multiple paths on GOPATH
2018-04-16 15:46:39 +10:00
Jon McClintock
429ac07bbd Change the exclude syntax to be a part of #nosec 2018-03-08 19:01:00 +00:00
Jon McClintock
18700c276f Style tweak 2018-03-03 00:04:48 +00:00
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
Cosmin Cojocar
7355f0a119 Fix some gas warnings 2018-02-10 20:10:56 +01:00
Jon McClintock
f111d5de2c [Issue 159] Allow loader errors so that processing continues if there's a package loading problem. 2018-01-29 18:33:48 +00:00
Andrew S. Brown
22dc89384d Do a single build for all packages.
This is much faster because the loader can reuse packages.
2018-01-07 15:02:33 -08:00
Grant Murphy
25d74c6b20 address review comments 2017-12-14 10:04:22 +10:00
Grant Murphy
af25ac1f6e fix golint errors picked up by hound-ci 2017-12-13 22:35:47 +10:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
026fe4c534 Simplify analyzer and command line interface
The analyzer now only handles packages rather than one off files. This
simplifies the CLI functionality significantly.
2017-05-09 21:26:53 -07:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00
Renamed from core/analyzer.go (Browse further)