* Fix some typos in the README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Update the README with some details about the CWE mapping
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
The big.Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
Currently, if you download the gosec binary using the commands
suggested in the README and you decide to check the checksum
of the binary you just downloaded, then your checksum check will fail.
As a result, the user may think that your binary is corrupted.
The reason for that failure is that the checksums are for the
tar.gz files provided in the release notes.
This should be documented to avoid future unclarities.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
* Fix formatting in README
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Split the various test goals in the Makefile
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Remove the prerequisites from README since they are automatically installed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Remove unnecessary install steps from Travis CI build
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Make sure golint is installed before running the lint command
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Make sure ginkgo command is installed before running the tests
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as it did not include the final dot to examine the current pkg.
* ignore the temporary image file used for builds
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOPATH in the Dockerfile
It is already set in the golang:1.10.3-alpine3.8 image.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOROOT in Dockerfile
The correct value is embedded in the go tool.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* bump Dockerfile golang to 1.10.4
The latest golang version thus far.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* replace docker-entrypoint.sh with the gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* git ignore gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* refactor Dockerfile into multi-stage
First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* fix the image execution example in README.md
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
This fixes a couple of issues found in the README in the development
section:
* There was no information provided on dependencies. Both go/dep
and golint are required to run make.
* To run the tests, the command 'make test' not 'make tests' has
to be used.