Oleksandr Redko
92de0ee7a2
Replace old golang.org links with new go.dev ( #1271 )
CI / test (map[go:1.22.10 golangci:latest]) (push) Waiting to run
CI / test (map[go:1.23.4 golangci:latest]) (push) Waiting to run
CI / coverage (push) Blocked by required conditions
Security Scan / build (push) Waiting to run
2024-12-16 15:18:51 +01:00
dannyc-grafana
09b914371e
Documentation on adding new rules and analyzers ( #1262 )
...
* Create CONTRIBUTING.md
Add some docs for developers who want to extend gosec
* Address comments from ccojocar
* Update CONTRIBUTING.md
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
* Update CONTRIBUTING.md
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
* Update README.md
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
* Update CONTRIBUTING.md
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
* Update CONTRIBUTING.md
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
* Linting/formatting pass
* Update CONTRIBUTING.md
* Update README.md
Fix phrasing to be clearer
---------
Co-authored-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
2024-12-16 10:38:51 +01:00
Dimitar Banchev
0eb8143c23
Added new rule G407(hardcoded IV/nonce)
...
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:
* The different modes of AES (mainly tested here)
* It should be able to work with ascon
Currently the rules doesn't check when constant variables are used.
TODO: Improve the rule, to detected for constatant variable usage
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
92bac42afc
Read the AI API key also from an environment variable ( #1181 )
...
* Read the AI API key also from an environment variable
Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
* Fix lint warning
Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
---------
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-18 17:59:45 +02:00
Tran The Lam
56f943b802
Add support to generate auto fixes using LLM (AI) ( #1177 )
...
This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on Gemini API to get a suggestion for a solution. This can be later extended, to integrate also other AI providers.
---------
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-12 12:52:41 +02:00
Dimitar Banchev
9a4a741e6b
Added more rules
...
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
58e4fccc13
Split the G401 rule into two separate ones
...
Now the G401 rule is split into hashing and encryption algorithms.
G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
2024-06-24 15:25:54 +02:00
Cosmin Cojocar
43bef719b4
Update README with G115 rule description
...
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Fernandez Ludovic
5f0084eb01
feat: add env var to override the Go version detection
2024-05-25 11:00:44 +02:00
Cosmin Cojocar
1e1fc91d15
Update the README with some details related to Go version used by the rules
...
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-22 10:24:44 +02:00
Janusz Marcinkiewicz
f25ccd9fb5
Ignore 'implicit memory aliasing' rule for Go 1.22+
...
Signed-off-by: Janusz Marcinkiewicz <januszm@nvidia.com>
2024-03-04 10:24:32 +01:00
Chaminda Divitotawela
43b7cbf661
Update README with upload-sarif v2 ( #1078 )
...
GitHub action upload-sarif v1 is deprecated and action fails if used. Updated README with v2 so workflow can be copy and use without modiciations
Fixes #1077
2023-11-28 09:09:22 +01:00
Cosmin Cojocar
64bbe90144
Fix some typos
...
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-23 10:32:21 +02:00
Cosmin Cojocar
d9071e359b
Update local installation instructions by removing the details for Go 1.16
...
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-23 10:28:11 +02:00
Cosmin Cojocar
e298388908
Update README with details which describe the current behaviour of #nosec
...
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 12:02:48 +02:00
Oleksandr Redko
09cf6efb3e
Fix typos in struct fields, comments, and docs ( #1023 )
2023-10-05 12:59:17 +02:00
Cosmin Cojocar
0d332a1027
Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
...
It seems that the os.Create will create by default a file with 0666 permissions.
This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-25 13:24:34 +02:00
Cosmin Cojocar
e02e2f6d5b
Redesign and reimplement the slice out of bounds check using SSA code representation
...
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
17b7d31f41
Update README file with new rule ( #975 )
...
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-06-21 10:07:27 +02:00
Olivier Mengué
2ee3213dc1
README: upgrade GitHub action in examples ( #950 )
...
Upgrade actions/checkout from v2 to v3 in GitHub actions examples.
2023-04-13 10:23:06 +02:00
dan "smiley" murray
cdd3476f91
fix dead link to issue.go in README.md ( #936 )
2023-03-06 09:09:40 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed ( #935 )
...
* Remove read only types from unsafe defer rules
* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed
This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.
* Mentioned in documentation that rule G307 is retired
* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
392e53c8d0
Pin github action to latest release version 2.15.0
2023-02-08 11:29:30 +01:00
Cosmin Cojocar
d22a7b6ede
Add gosec version as an input parameter to GitHub action ( #927 )
...
* Add gosec version as a paramter to the Github action
* Run gosec as a github action as part of CI
2023-02-08 10:40:36 +01:00
Cosmin Cojocar
f9a8bf0152
Update slack badge and link ( #905 )
2022-12-12 12:20:22 +01:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts ( #842 )
...
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/
Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error ( #819 )
...
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is the CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack
2022-04-30 12:38:50 +02:00
Gautam Mehta
0791d31471
Fix typo in ReadMe ( #802 )
2022-04-05 07:15:22 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/")
2022-03-06 10:58:47 +01:00
Cosmin Cojocar
26f10e0a7a
Extend the release action to sign the docker image and binary files with cosign ( #781 )
...
* Extend the release action to sign the docker image and binary files with cosign
* Fix lint warnings
* Fix the ling warnings
* Fix the lint warnings
2022-02-22 21:33:42 +01:00
de-jcup
db8d98b571
Updated sponsor link in README.md
...
- Because of rebranding (Daimler AG has become
Mercedes-Benz Group AG) the github organization has
been renamed as well.
- Updated sponsorship link in README.md to new github organization
2022-02-07 10:34:42 +01:00
Cosmin Cojocar
e0f354aa0d
Add the sponsors section in the README file ( #740 )
2021-12-15 20:10:40 +01:00
Ville Skyttä
d23ab2d997
Remove space between //
and #nosec
in examples and internal use
...
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings
2021-12-09 11:53:36 +01:00
Ville Skyttä
f1f0056a90
Spelling fixes ( #717 )
2021-11-09 21:02:24 +01:00
xq840622
1297bedbc7
Update README.md ( #707 )
...
"io/ioutil" package name is "ioutil"
2021-10-14 09:54:09 +02:00
nobishii
991dd94f3a
Update local installation instruction ( #703 )
...
Update local installation instruction for Go1.16+.
2021-10-05 19:33:55 +02:00
Rodrigo Broggi
9f30bb6602
Typo correction ( #681 )
...
Correcting the command flag from 'tag' to 'tags'
2021-08-16 11:29:35 +02:00
Marc Brugger
62db81342e
Allow excluding generated files
2021-08-04 17:33:20 +02:00
Matthieu MOREL
af27673a87
Update README.md
2021-05-28 09:19:31 +02:00
Shreyas Subhedar
a8b633f124
Adding stdout and verbose flags and refactor how the report is saved
2021-05-10 10:44:55 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt
2021-05-07 18:04:01 +02:00
Matthieu MOREL
c4f5932ab7
Refactor : Replace Cwe with cwe.Weakness
2021-05-07 16:54:34 +02:00
Matthieu MOREL
cc83d4c922
Generate the SARIF types, handle taxonomies and separate responsibilities
2021-05-05 18:54:32 +02:00
Jeff Widman
0695fa026e
Add -u
to local install instructions ( #595 )
...
`-u` will ensure that users are updated the latest released version.
This way bugs are less likely to be reported that are already fixed.
2021-04-16 09:50:10 +02:00
Cosmin Cojocar
dcbcc4dd2a
Use a more generic path for sonarqube import path ( #573 )
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 14:19:46 +01:00
Cosmin Cojocar
2777e5065e
Update README with a note which describes how to import a SonarQube report ( #572 )
2021-02-11 12:10:44 +01:00
Mark Wolfe
d9d75834b6
update README with instructions on how to integrate with GitHub codescanning
2021-01-22 11:31:07 +01:00
Miki Tebeka
6bd6e4ba2c
Use $(go env GOPATH) that works even when GOPATH is not set
2020-10-01 04:17:43 +10:00