Commit graph

71 commits

Author SHA1 Message Date
Cosmin Cojocar
179c178924 Add some review fixes 2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function 2018-02-06 16:56:26 +01:00
Grant Murphy
a97a196160 Unused import 2018-01-30 09:35:35 +10:00
Grant Murphy
7c7fe752b6 Fix go vet errors in tests 2018-01-30 09:32:04 +10:00
Jon McClintock
1ca335016a Rebase to master 2018-01-22 18:45:07 +00:00
Jon McClintock
8eb9cc02a4 Adjust SQL format-string rules to ignore inherently safe formats 2018-01-22 18:34:57 +00:00
Grant Murphy
085e0f65af
Merge pull request #150 from GoASTScanner/experimental
Use explicit packages in call lists
2018-01-05 23:14:24 +10:00
Grant Murphy
aecbc873ef Use explicit packages in call lists
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145, this removes it to expect explicit packages
for each rule.

Closes #145
2018-01-05 23:05:53 +10:00
Grant Murphy
9a2bec1cd0
Merge pull request #149 from GoASTScanner/experimental
Fix nil pointer dereference in complit types
2018-01-05 22:20:21 +10:00
Grant Murphy
b6f85d50da Fix nil pointer dereference in complit types 2018-01-05 22:19:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental
Merge experimental / refactor
2018-01-05 22:08:59 +10:00
Grant Murphy
e925d3c347 Migrated old test cases. 2017-12-28 16:54:10 +10:00
Grant Murphy
af25ac1f6e fix golint errors picked up by hound-ci 2017-12-13 22:35:47 +10:00
Grant Murphy
cfa432729c fix hound-ci errors 2017-12-13 17:39:00 +10:00
Grant Murphy
3caf7c3154 Add test cases 2017-09-16 10:12:27 +10:00
Cosmin Cojocar
c36954f04a Add the CHACHA20 to good ciphers in modern tls check 2017-08-30 16:00:56 +02:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
65b18da711 Hack to address circular dependency in rulelist 2017-05-09 21:26:12 -07:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00
Cosmin Cojocar
5b71c2b05f Add a test for math/big.Int.Exp rule 2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd Add a rule for big.Exp function call 2017-04-10 14:25:48 +02:00
mockturtl
b74c83e7e7 BindsToAllNetworkInterfaces should check TLS also 2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0 Merge pull request #122 from GoASTScanner/testfixes
Correct bad test cases and intermitent failure
2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167 Correct bad test cases and intermitent failure
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.

Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
2017-03-15 08:47:40 -07:00
Cosmin Cojocar
2262f5d474 Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 15:05:44 +01:00
Grant Murphy
4099783722 Go 1.5 does not support width precision specifier 2017-01-14 14:39:22 -08:00
Grant Murphy
9bc02396e8 Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
a7ec9ccc63 Backport test case for 1.5
Go 1.5 does not have a rand.Read function so need to adjust test
definitions accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8 Fix additional test case 2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76 Fix test cases with invalid sample code 2017-01-13 12:40:49 -08:00
Grant Murphy
d1303fee0b Improve specitivity of error message for GenDecl 2017-01-11 10:12:11 -08:00
Grant Murphy
1e736c8838 Fix test case (invalid sample code) 2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995 Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.

Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
191750f44c Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.

Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
129be1561b Update error test case
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
39b18a1539 Remove debug print messages 2016-11-15 12:36:02 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.

Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
c7bb2dd3b7 Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48 Handle inbalanced declaration of constants
The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
a3fcd96f57 Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls so will
work with global vars and constants.

Fixes #74
2016-11-13 12:57:59 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
1d732b8ae3 Ensure os.OpenFile file permissions are checked
In addition configuration file may be used to set the permission level.

Closes #53
2016-11-12 17:57:20 -08:00
Grant Murphy
be96ef273d Fix alias logic 2016-11-07 20:10:30 -08:00
Grant Murphy
e0db3f404a Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper 2016-11-07 20:03:51 -08:00
Grant Murphy
20f2a98ce8 Ensure initialization only imports are ignored
Blacklisted imports should not report failures when a module is imported
for side-effects only using the blank identifier.

Closes #59
2016-11-07 09:28:37 -08:00
Grant Murphy
7a275fd0ad MatchCallByPackage updated to avoid GetCallObject
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.

It is possible to ascertain the package that relates to an object 1.7.x
release but this does not work for earlier Go versions.

To work around this limitation we now track imports, and monitor if they
are aliased or initalization only imports.
2016-11-07 09:13:20 -08:00
Tommy Murphy
afb84ff20c
rand: use a MatchCallByPackage helper 2016-11-06 12:31:12 -05:00