Commit graph

934 commits

Author SHA1 Message Date
Cosmin Cojocar
fb44007c6e Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
a2a40de847 Update the README with an example to configure the hard-coded credentials rule
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
802292c54f Fix the configuration parsing for hardcoded credentials
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c58f3563d3 Set the default color on only for text format
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 09:33:44 -07:00
Cosmin Cojocar
1a113d6da9 Turn the color always on when the text format is set
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 02:21:37 -07:00
Cosmin Cojocar
c4417de46d Use the latest color package to get the color working with tmux
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 02:21:37 -07:00
Marco Antônio Singer
656691b387
feature(formatter/text): Add color option on text format (#460)
* feature(issue): Add function to return file path and line number

* docs(formatter/CreateReport): Update formats accepted

* feature(formatter): Add color output for text format

Basic color support for text format. For now, only the "Summary" title
and "Issues" section has color

* feature(formatter): Highlight issues based on severity

Given an issue, the file path is painted based on its severity.
We're using the following rules: high is red, medium is yellow and
low is simple black & white

* feature(main): Add color flag

It's only valid for text format

* refactor(formatter): Passing color flag forward
2020-04-14 09:50:02 +02:00
Cosmin Cojocar
51e4317f09 Automate the release process using a GitHub workflow
The release will trigger when a new tag is pushed.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 00:41:56 -07:00
Cosmin Cojocar
341059e11a Update the GitHub action name to be more desriptive 2020-04-08 09:40:50 +02:00
Cosmin Cojocar
3b6c3f13f1 Update README with some instruction how to run gosec as a GitHub action
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-08 00:39:01 -07:00
Cosmin Cojocar
08202fee80 Add a GitHub action to run gosec
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-08 00:39:01 -07:00
Cosmin Cojocar
c6e10af40f Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Renovate Bot
e946c8c399 Update all dependencies 2020-04-01 01:20:31 -07:00
Cosmin Cojocar
e030aa4f76 Remove the go 1.14 version from github action
It seems to fail when starting the action.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 13:20:59 +02:00
Cosmin Cojocar
ee176ff8fc Fix the job names in the Github workflow
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 13:16:53 +02:00
Cosmin Cojocar
cabccc75ef Add to GitHub workflow some jobs for go1.13 and go1.12
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 13:15:21 +02:00
Cosmin Cojocar
a111777041 Change the GitHub workflow to use only the latest Go version
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 13:06:29 +02:00
Cosmin Cojocar
722acb64cb Change the GitHub workflow to run the builds only on ubuntu-latest platform
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 12:59:02 +02:00
Cosmin Cojocar
5284f34b6f Change the GitHub workflow to use an action which install Go using a Go version from the matrix
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 12:52:42 +02:00
Cosmin Cojocar
8de5fb6eb2 Migrate the build to GitHub Actions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-30 03:32:24 -07:00
Cosmin Cojocar
7da9f46445 Fix the call list info to handle selector expressions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-16 09:44:57 +01:00
Cosmin Cojocar
cf2590442c Fix the subproc rule to handle correctly the CommandContext check
In this case, we need to skip the first argument because it is the context.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
Also add the corresponding tests for this.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Tomas Kral
c998389da2
re-generate install.sh with latest godownloader (#446) 2020-03-02 14:48:48 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors (#441) 2020-03-01 21:45:37 +01:00
renovate[bot]
a2ac0bf32b
Update all dependencies (#445)
Co-authored-by: WhiteSource Renovate <renovatebot@gmail.com>
2020-03-01 21:44:28 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442) 2020-02-28 12:48:18 +01:00
Lars Lehtonen
00363edac5
remove support for go 1.11 (#444) 2020-02-28 12:47:01 +01:00
Renovate Bot
d13bb6d242 Update all dependencies 2020-02-03 10:45:20 +01:00
Cosmin Cojocar
17df5b3702 Fix typos
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Cosmin Cojocar
3e069e7756 Fix the errors rule whitelist to work on types methods
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91 Modify rule for integer overflow to have more acurate results (#434)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b Add G110(Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Cosmin Cojocar
3d5c97b418 Add a test sample for Cgo files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Cosmin Cojocar
81e8278164 Add the Cgo files to the analysed files and ingonre all non-Go files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Cosmin Cojocar
a1969e208c
Handle all errors in the formatter tests (#431)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:05:38 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422)
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Rafael dos Santos
f43a957359 Check for both default and alternative nosec tags (#426)
* Check both nosec tags

* Adjust test to find vulnerabilities

* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Hiroki Suezawa
79fbf3af8d Add golint format to output format (#428)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-03 10:56:21 +01:00
renovate[bot]
57c3788fe5 Update all dependencies (#427) 2020-01-02 17:56:50 +01:00
Grant Murphy
5d613739e1 fix(docker) gcc and libc-dev required bindings
The docker image doesn't include the necessary packages to build / analyze
some packages. Adding gcc and libc-dev to addess this.
2019-12-20 08:45:01 +10:00
renovate[bot]
cb4f343eaf Update all dependencies (#417) 2019-12-17 09:31:52 +01:00
Lars Lehtonen
df484bfa9e cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
* cmd/tlsconfig: build tags to deprecate tls.VersionSSL30 from go1.14

* cmd/tlsconfig: build tags to turn off TLSv1.3 in go1.11
2019-11-19 11:41:25 +01:00
renovate[bot]
b4c76d4234 Update all dependencies (#410) 2019-11-04 16:45:32 +01:00
Cosmin Cojocar
99170e0d76
Update the README with some details about the CWE mapping (#407)
* Fix some typos in the README file

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Update the README with some details about the CWE mapping

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-31 11:56:17 +01:00
Julian Thome
53be8dd864 Add CWE rule mappings (#405)
* added mappings

* added cwe to template

* link in function to template

* moved mappings and added test cases

* wording

* cleanup
2019-10-31 09:22:38 +01:00
Cosmin Cojocar
28c1128b73 Add more tests to improve the coverage of resolve
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
d78f02634a Format import to make codecov happy
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
50e1fe267d Improve the SSRF rule to report an issue for package scoped variables
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
07770ae76d Add a test for composite literals when trying to resolve an AST tree node
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00