* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
* Add a semantic version to the usage text
* Add a comment to the version function
* Inject the version, git tag and build date as build variables
* Update README
* Fix lint warnings
* Update README
* Manage dependencies with dep tool instead of godep
* Add a Makefile for common build tasks
* Update the build file to use the make tool
* Update Dockerfile
* Add docker entry point in to make the passing of arguments easy
* Update README
* Add missing tools to the build
* Drop 1.7 support and add 1.10
* Fix Go 1.10 according with the travis guidelines
https://docs.travis-ci.com/user/languages/go/
* Update the tls-observatory package
* Fix lint warnings
* Change the output of the tests to be more verbose
* Check if the are build errors before executing the rule test
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145, this removes it to expect explicit packages
for each rule.
Closes#145
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
on GOPATH)
- Simplified public API
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.
Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
There were several issues with the error test case that have been
addressed in this commit.
- It is possible to specify a whitelist of calls that error handling
should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
implicitly ignored.
There were several other additions to the helpers and call list in order
to support this type of functionality.
Fixes#54
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.
It is possible to ascertain the package that relates to an object 1.7.x
release but this does not work for earlier Go versions.
To work around this limitation we now track imports, and monitor if they
are aliased or initalization only imports.
This makes the following changes:
- riles are identified by an ID
- include / exclude list now work
- rules are selected based on these lists
- blacklist rules are broken out into methods
- rule constructors now take the config map
- config file can be used to select rules
- CLI options embelish config selection options
This re-works the way that CLI options are passed through to the
analyzer so that they can act as overrides for config options. If
not given on the CLI, options will come from a config file. If no
file is used then a default value is chosen.
Two lists are also populated with tests to include or exclude.
These lists are not used for now but will eventually replace the
way we select test to run in a future patch to follow.
Creating a new generic blacklist rule and removing the older
specific ones. This will need configuration integration when
we have some.
The new test is immune to import aliasing but not shadowing
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression - `^ioutils.WriteFile$' would match
ioutils.WriteFile, but also ioutils_WriteFile.
Additionally made sure that all regexp were declared using raw
strings to avoid any unnecesary string escaping that potentially
make the regexp difficult to read.
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it wont be broken in the
future. Closes#25
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.