Commit graph

1054 commits

Author SHA1 Message Date
Dimitar Banchev
a6dd589bae Removed function parameter which is always the same 2024-08-30 19:35:07 +02:00
Dimitar Banchev
b4c746962f Formatting problems(CI was not passing) 2024-08-30 19:35:07 +02:00
Dimitar Banchev
7f8f654235 Updated analyzer to use new way of initialization
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a26215cf23 Migrated the rule to the analyzers folder 2024-08-30 19:35:07 +02:00
Dimitar Banchev
3f6e1e7326 Refractored code a little bit 2024-08-30 19:35:07 +02:00
Dimitar Banchev
0eb8143c23 Added new rule G407(hardcoded IV/nonce)
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:

* The different modes of AES (mainly tested here)
* It should be able to work with ascon

Currently the rules doesn't check when constant variables are used.

TODO: Improve the rule, to detected for constatant variable usage
2024-08-30 19:35:07 +02:00
Ben Krieger
4ae73c8ba3 Fix conversion overflow false positive when using ParseUint 2024-08-28 08:58:42 +02:00
Cosmin Cojocar
c52dc0ea4e Add a build step to measure the scan perfomance
This step will measure the scan performance difference against the
master version.

Change-Id: I1b9196ef3348350cf818471f55d9024d14064ac6
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-26 19:08:32 +02:00
czechbol
bcec04e784 Fix conversion overflow false positives when they are checked or pre-determined
Signed-off-by: czechbol <adamludes@gmail.com>
2024-08-26 16:57:12 +02:00
Cosmin Cojocar
71e397b994 Update go.mod 2024-08-26 16:47:36 +02:00
renovate[bot]
aec45b0b7d chore(deps): update all dependencies 2024-08-26 16:47:36 +02:00
Cosmin Cojocar
ab3f6c1c83 Fix false positive in conversion overflow check from uint8/int8 type
Change-Id: I543545e22fa12de0d85dcf92664a0a54e8f7244a
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-22 09:47:52 +02:00
Cosmin Cojocar
a39ec5a16b Disable staticcheck SA1019 rule
Change-Id: Ia9db0083f5ffb34d911b5ca491ef0ce23be979f8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
a1b2ab80af Update the golangci linters
Change-Id: I8938d57e9751913f65b4825a44c252b31888f9e8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
8467f012e0 Add more test to cover more use cases for G115 rule
Change-Id: Icb60fe14ae12439c1ee0e507a407a23ce4c64c85
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally (#1180)
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Cosmin Cojocar
18135b439c
Update to Go 1.23.0 (#1183)
Change-Id: I11a6402e85ac543305e8bad4ea35239779424dd6

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-19 09:17:50 +02:00
renovate[bot]
91c708a620
chore(deps): update all dependencies (#1182)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-19 08:58:30 +02:00
Cosmin Cojocar
92bac42afc
Read the AI API key also from an environment variable (#1181)
* Read the AI API key also from an environment variable

Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* Fix lint warning

Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-18 17:59:45 +02:00
Tran The Lam
56f943b802
Add support to generate auto fixes using LLM (AI) (#1177)
This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on Gemini API to get a suggestion for a solution. This can be later extended, to integrate also other AI providers.

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-12 12:52:41 +02:00
renovate[bot]
f33fd4bf29 chore(deps): update all dependencies 2024-08-12 10:21:07 +02:00
renovate[bot]
55a47f3774 chore(deps): update all dependencies 2024-08-05 17:38:32 +02:00
renovate[bot]
a5d9ef67e2 chore(deps): update all dependencies 2024-07-29 10:58:28 +02:00
renovate[bot]
68424445af chore(deps): update dependency babel-standalone to v7.24.10 2024-07-23 11:43:16 +02:00
Alex Gartner
08b94f9392 Resolve underlying type to detect overflows in type aliases 2024-07-20 10:06:43 +02:00
renovate[bot]
4487a0c5a2 chore(deps): update dependency babel-standalone to v7.24.8 2024-07-15 09:13:59 +02:00
Alex Gartner
007626773c Fix multifile ignores 2024-07-15 09:00:36 +02:00
Alex Gartner
2f1b81b889 Add -enable-audit cli flag 2024-07-13 11:25:25 +02:00
Cosmin Cojocar
87fcb9b95b Update to go 1.22.5 and 1.21.12
Change-Id: I3334016ed2714ce4aed959d7f19a33e220c000e4
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-07-08 16:00:12 +02:00
renovate[bot]
466992feca chore(deps): update all dependencies 2024-07-08 15:49:41 +02:00
Dimitar Banchev
9a4a741e6b Added more rules
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
6382394ce8 Fixed coverage workflow
* Renamed file(removed space)
* Changed the expected issues ( 1 -> 2)
2024-06-24 15:25:54 +02:00
Dimitar Banchev
5666ea35ba Fixed CI workflow
The CI workflow wasn't able to complete succesfully.

* Formatted the call_list_test.go file
2024-06-24 15:25:54 +02:00
Dimitar Banchev
fc0957f6a3 Minor changes
* Renamed the file responsible for rule G401
* Removed copyright of HP from the new rule
2024-06-24 15:25:54 +02:00
Dimitar Banchev
58e4fccc13 Split the G401 rule into two separate ones
Now the G401 rule is split into hashing and encryption algorithms.

G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
2024-06-24 15:25:54 +02:00
Dimitar Banchev
2e71f37efd Updated G401 corresponding CWE
The corresponding CWE from G401 rule was changed from CWE-326 -> CWE-328.
In my opinion, this CWE suits better the rule.
2024-06-24 15:25:54 +02:00
renovate[bot]
3edc633c24 chore(deps): update docker/build-push-action action to v6 2024-06-24 15:24:22 +02:00
Cosmin Cojocar
2ae137abcf Update to go versions to 1.21.11 and 1.22.4
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-06-11 21:47:56 +02:00
renovate[bot]
30a8a9c8c3 chore(deps): update all dependencies 2024-06-11 21:31:12 +02:00
Cosmin Cojocar
ac75d44f56 Fix nosec when applied to a block
Handle properly nosec directive when applied to a block or as a single
line on a multi-line issue.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 12:54:05 +02:00
Cosmin Cojocar
ed3f51e663 Add more types to templates rule
Add additional types such as CSS, JSStr and Srcset to the template rule.
These types are marked as a security risk in the godoc
https://pkg.go.dev/html/template.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 10:39:33 +02:00
Cosmin Cojocar
c3209fcaac Map the G115 rule to an CWE ID
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 15:12:55 +02:00
renovate[bot]
45fbb27d87 chore(deps): update all dependencies 2024-05-27 13:03:14 +02:00
Cosmin Cojocar
43bef719b4 Update README with G115 rule description
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
555fe448dd Remove deprecated megacheck linter from golangci
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
81b076f53d Format imports
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
f775eb19c5 Update .gitignore
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Cosmin Cojocar
4bf5667f66 Add a new rule to detect integer overflow on integer types conversion
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-27 13:03:01 +02:00
Fernandez Ludovic
5f0084eb01 feat: add env var to override the Go version detection 2024-05-25 11:00:44 +02:00
Cosmin Cojocar
75dd9d61ff Use the proper logic when disabling the go module version
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-22 10:31:43 +02:00