Commit graph

8 commits

Author SHA1 Message Date
Grant Murphy
ab4867bc76 Fix test cases with invalid sample code 2017-01-13 12:40:49 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
74b6633ee0 Updated imports to new repository location. 2016-11-02 16:54:20 -07:00
Tim Kelsey
713949fe69 Rule selection rules
This makes the following changes:
- riles are identified by an ID
- include / exclude list now work
- rules are selected based on these lists
- blacklist rules are broken out into methods
- rule constructors now take the config map
- config file can be used to select rules
- CLI options embelish config selection options
2016-08-11 10:45:51 +01:00
Tim Kelsey
e3b1d33b95 Configuration
This re-works the way that CLI options are passed through to the
analyzer so that they can act as overrides for config options. If
not given on the CLI, options will come from a config file. If no
file is used then a default value is chosen.

Two lists are also populated with tests to include or exclude.
These lists are not used for now but will eventually replace the
way we select test to run in a future patch to follow.
2016-08-08 16:18:46 +01:00
Tim Kelsey
45f3b5f671 Creating blacklist import rules
Creating a new generic blacklist rule and removing the older
specific ones. This will need configuration integration when
we have some.

The new test is immune to import aliasing but not shadowing
2016-08-05 12:58:27 +01:00
Tim Kelsey
d4367de2e2 Adding a config block to the analyzer, parsed from JSON
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Tim Kelsey
361593394e Adding check for httpoxy
Go code running under CGI is vulnerable to httpoxy attack. See
https://httpoxy.org/ this checks for an import of net/http/cgi
that might indicate code may be run under CGI.

closes #1
2016-07-21 16:30:09 +01:00