gosec

mirror of https://github.com/securego/gosec.git synced 2024-11-06 03:55:50 +00:00

Author	SHA1	Message	Date
Cosmin Cojocar	0ba05e160a	chore: fix lint warnings Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>	2022-08-08 10:56:19 +02:00
Ville Skyttä	0c8e63ed86	Detect use of net/http functions that have no support for setting timeouts (#842 ) https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/ https://blog.cloudflare.com/exposing-go-on-the-internet/ Closes https://github.com/securego/gosec/issues/833	2022-08-02 17:16:44 +02:00
Dmitry Golushko	a5982fb6a6	Fix for G402. Check package path instead of package name (#838 )	2022-07-28 08:51:30 +02:00
Ziqi Zhao	ea6d49d1b5	fix G204 bugs (#835 ) Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>	2022-07-26 11:08:43 +02:00
云微	602ced7e71	Fix wrong location for G109 (#829 ) Before this commit, G109 will report on `strconv.Atoi`. After this, it will report on the convertion like`int32(a)`.	2022-07-06 06:37:11 +02:00
云微	b0f3e78e07	fix ReadTimeout for G112 rule	2022-06-23 14:58:13 +02:00
Vladimir Severov	9c19cb6501	Add check for usage of Rat.SetString in math/big with an overflow error (#819 ) * Add check for usage of Rat.SetString in math/big with an overflow error Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. It is the CVE-2022-23772. * Use ContainsPkgCallExpr instead of manual parsing	2022-06-03 00:19:51 +02:00
云微	34d144b3fa	Add new rule for Slowloris Attack	2022-04-30 12:38:50 +02:00
Calin Capitanu	48bbf96b56	Adds directory traversal for Http.Dir("/")	2022-03-06 10:58:47 +01:00
Cosmin Cojocar	1fbcf10e18	Add a test for tls min version defined in a different file	2022-01-26 19:27:26 +01:00
kaiili	1d909e2687	Add db.Exec and db.Prepare to the sql rule (#763 ) * Add db.Exec and db.Prepare to the sql rule * add test cases for G201,G202	2022-01-17 13:50:37 +01:00
Cosmin Cojocar	7be6d4efb5	Add os.Create to the readfile rule (#761 )	2022-01-12 19:33:17 +01:00
kaiili	75cc7dcd51	Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759 )	2022-01-12 16:33:39 +01:00
kaiili	9d66b0d346	Fix false negatives for SQL injection in multi-line queries	2022-01-05 12:05:53 +01:00
Ville Skyttä	4c1afaa492	Find G303 with filepath.Join'd temp dirs (#754 )	2022-01-04 14:48:02 +01:00
Ville Skyttä	19bda8d15f	Find more tempdirs * Find G303 in string concatenations, with os.TempDir, and in path.Join args * Find G303 with /usr/tmp, too /usr/tmp is commonly found e.g. on Solaris.	2022-01-03 21:58:25 +01:00
Ville Skyttä	d23ab2d997	Remove space between `//` and `#nosec` in examples and internal use Comments intended for machines to read do not have the space by convention.	2021-12-15 19:31:14 +01:00
Lars	6a41fb9e61	Fix https://github.com/securego/gosec/issues/714 (#733 )	2021-11-24 16:34:42 +01:00
Ville Skyttä	40fa36d1de	G303: catch with os.WriteFile, add os.Create test case (#718 ) * Add G303 os.Create test case * Catch G303 with os.WriteFile too	2021-11-09 21:13:45 +01:00
Eng Zer Jun	7fd4aef9dc	feat: add os.ReadFile to G304 (#706 ) In Go 1.16 or higher, the `io/ioutil` has been deprecated and the `ioutil.ReadFile` function now calls `os.ReadFile`. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2021-10-14 09:53:26 +02:00
Matthieu MOREL	bfb0f422fe	chore(lint): enable errorlint and gci (#698 )	2021-09-13 09:40:10 +02:00
Cosmin Cojocar	f285d612b5	Fix formatting issues with gofumpt (#685 ) Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>	2021-08-18 13:16:21 +02:00
Nanik	5a131be2ec	fix: add more rules for G204 (#677 ) * fix: add more rules for G204 * fix: add extra test and comment	2021-08-16 11:31:51 +02:00
Lars	d4dc2d2df5	Improve the G307 rule * Add G307 sample code. The sample should reflect a defered close that leads to data loss. Due to IDE auto-complete people tend at least log errors, but not really care about handling. * Add more G307 sample code. Propose a way to implement * Remove unused code. Add example that should not return an error but does * Remove test for synced closed file for now. Will add this later Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2021-07-31 23:03:09 +02:00
Nanik	9535c9e3e1	fix: add variable assignment checking as part of MinVersion (#669 ) * fix: add variable assignment checking as part of MinVersion * fix: add more code to allow assignment with const * fix: rework the code and add more test cases for MinVersion * fix: format linting issue using gofumpt	2021-07-27 22:03:59 +02:00
Nanik	2a4064d45d	feat: adding new keyword for hardcoded credentials (#666 )	2021-07-19 11:23:39 +02:00
Josh Kaufman	514f65f3c3	Add G204 rule for sys/execabs (#660 ) * Add G204 rule for sys/execabs * syntax error in testutils/sources.go	2021-07-01 17:43:25 +02:00
Matthieu MOREL	1256f16f33	Fix lint and fail on error in the ci build	2021-05-31 10:44:12 +02:00
Matthieu MOREL	4df7f1c3e9	Fix typos, Go Report link and Gofmt	2021-05-07 18:04:01 +02:00
Cosmin Cojocar	897c203e62	Reset the state of TLS rule after each version check (#570 ) Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>	2021-02-11 10:52:16 +01:00
Cosmin Cojocar	a5911ad7bb	Fix compilation errors in the test samples Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>	2021-01-04 09:28:00 +01:00
Chris Bandy	23ef7009f9	Fix some typos in rules tests	2021-01-04 09:28:00 +01:00
Chris Bandy	e100f6b862	Assert that sample code compiles	2021-01-04 09:28:00 +01:00
Cosmin Cojocar	f13b8bc639	Add also filepath.Rel as a sanitization method for input argument in the G304 rule Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>	2020-08-19 09:40:07 +02:00
Cosmin Cojocar	047729a84f	Fix the rule G304 to handle the case when the input is cleaned as a variable assignment Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>	2020-08-19 09:40:07 +02:00
ggkitsas	b60ddc21ba	feat: adds support for path.Join and for tar archives in G305	2020-08-03 09:17:45 +02:00
Cosmin Cojocar	110b62b05f	Add io.CopyBuffer function to rule G110 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-07-29 14:25:45 +02:00
evalphobia	03f12f3f5d	Change naming rule from blacklist to blocklist	2020-06-29 13:45:44 +02:00
Cosmin Cojocar	55d368f2e5	Improve the TLS version checking Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-06-25 09:21:14 +02:00
Cosmin Cojocar	1d2c951f2c	Extend the rule G304 with os.OpenFile and add a test to cover it Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-06-17 13:14:08 +02:00
Cosmin Cojocar	0c1a71b8a1	Add more tests samples to increase coverage Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-06-15 15:12:02 +02:00
Cosmin Cojocar	fe07fcf276	Fix unit test when checking a mix of good and bad random functions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-06-15 15:12:02 +02:00
Cosmin Cojocar	30e93bf865	Improve the SQL strings concat rules to handle multiple string concatenation Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-05-27 10:16:56 +02:00
Cosmin Cojocar	68bce94323	Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-05-27 10:16:56 +02:00
Grant Murphy	8630c43b66	Add null pointer check in G601 fixes: #475	2020-05-21 05:51:45 +02:00
Lukas Aron	1418b856ea	ondisk -> onDisk	2020-05-19 11:34:34 +02:00
Caccavale	ee3146e637	Rule which detects aliasing of values in RangeStmt	2020-04-24 07:46:25 -07:00
Cosmin Cojocar	fb44007c6e	Enhance the hardcoded credentials rule to check the equality and non-equality of strings Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-04-20 03:08:39 -07:00
Cosmin Cojocar	c6e10af40f	Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-04-06 09:06:23 -07:00
Cosmin Cojocar	7da9f46445	Fix the call list info to handle selector expressions Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>	2020-03-16 09:44:57 +01:00

1 2 3

112 commits