Commit graph

114 commits

Author SHA1 Message Date
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Cosmin Cojocar
17b7d31f41
Update README file with new rule (#975)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-06-21 10:07:27 +02:00
Olivier Mengué
2ee3213dc1
README: upgrade GitHub action in examples (#950)
Upgrade actions/checkout from v2 to v3 in GitHub actions examples.
2023-04-13 10:23:06 +02:00
dan "smiley" murray
cdd3476f91
fix dead link to issue.go in README.md (#936) 2023-03-06 09:09:40 +01:00
Cosmin Cojocar
d5a9c73723
Remove rule G307 which checks when an error is not handled when a file or socket connection is closed (#935)
* Remove read only types from unsafe defer rules

* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed

This doesn't seem to bring much value from a security perspective, and it caused a lot of controversy since
it is a very common pattern in Go.

* Mentioned in documentation that rule G307 is retired

* Clean up the test for rule G307
2023-02-24 14:04:13 +01:00
Cosmin Cojocar
392e53c8d0
Pin github action to latest release version 2.15.0 2023-02-08 11:29:30 +01:00
Cosmin Cojocar
d22a7b6ede
Add gosec version as an input parameter to GitHub action (#927)
* Add gosec version as a parameter to the GitHub action

* Run gosec as a GitHub action as part of CI
2023-02-08 10:40:36 +01:00
Cosmin Cojocar
f9a8bf0152
Update slack badge and link (#905) 2022-12-12 12:20:22 +01:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
云微
34d144b3fa
Add new rule for Slowloris Attack 2022-04-30 12:38:50 +02:00
Gautam Mehta
0791d31471
Fix typo in ReadMe (#802) 2022-04-05 07:15:22 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/") 2022-03-06 10:58:47 +01:00
Cosmin Cojocar
26f10e0a7a
Extend the release action to sign the docker image and binary files with cosign (#781)
* Extend the release action to sign the docker image and binary files with cosign

* Fix lint warnings

* Fix the lint warnings

* Fix the lint warnings
2022-02-22 21:33:42 +01:00
de-jcup
db8d98b571 Updated sponsor link in README.md
- Because of rebranding (Daimler AG has become
  Mercedes-Benz Group AG) the github organization has
  been renamed as well.
- Updated sponsorship link in README.md to new github organization
2022-02-07 10:34:42 +01:00
Cosmin Cojocar
e0f354aa0d
Add the sponsors section in the README file (#740) 2021-12-15 20:10:40 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings 2021-12-09 11:53:36 +01:00
Ville Skyttä
f1f0056a90
Spelling fixes (#717) 2021-11-09 21:02:24 +01:00
xq840622
1297bedbc7
Update README.md (#707)
"io/ioutil" package name is "ioutil"
2021-10-14 09:54:09 +02:00
nobishii
991dd94f3a
Update local installation instruction (#703)
Update local installation instruction for Go1.16+.
2021-10-05 19:33:55 +02:00
Rodrigo Broggi
9f30bb6602
Typo correction (#681)
Correcting the command flag from 'tag' to 'tags'
2021-08-16 11:29:35 +02:00
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Matthieu MOREL
af27673a87
Update README.md 2021-05-28 09:19:31 +02:00
Shreyas Subhedar
a8b633f124
Adding stdout and verbose flags and refactor how the report is saved 2021-05-10 10:44:55 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt 2021-05-07 18:04:01 +02:00
Matthieu MOREL
c4f5932ab7
Refactor : Replace Cwe with cwe.Weakness 2021-05-07 16:54:34 +02:00
Matthieu MOREL
cc83d4c922
Generate the SARIF types, handle taxonomies and separate responsibilities 2021-05-05 18:54:32 +02:00
Jeff Widman
0695fa026e
Add -u to local install instructions (#595)
`-u` will ensure that users are updated to the latest released version.

This way bugs are less likely to be reported that are already fixed.
2021-04-16 09:50:10 +02:00
Cosmin Cojocar
dcbcc4dd2a
Use a more generic path for sonarqube import path (#573)
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 14:19:46 +01:00
Cosmin Cojocar
2777e5065e
Update README with a note which describes how to import a SonarQube report (#572) 2021-02-11 12:10:44 +01:00
Mark Wolfe
d9d75834b6 update README with instructions on how to integrate with GitHub codescanning 2021-01-22 11:31:07 +01:00
Miki Tebeka
6bd6e4ba2c Use $(go env GOPATH) that works even when GOPATH is not set 2020-10-01 04:17:43 +10:00
Lucas Charles
aef335a98e Fix typo in README.md
s/trucate/truncate for G101 configuration
2020-10-01 04:17:00 +10:00
Cosmin Cojocar
868556b846 Update README with the correct path to tlsconfig command
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Cosmin Cojocar
166e4f5f45 Update README file with some more details required to run a scan successfully with the docker image
The current working directory needs to be specified in the docker run option in order for gosec
to download the dependencies defined in the go module file.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-01 08:57:52 +02:00
Cosmin Cojocar
a3895d5c55 Fix typo in README file
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:02 +02:00
Jamie Cuthill
17c955519e Incorrect local installation instructions for v2 2020-08-21 11:23:36 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
6a130d55b3
Update the link pointing to issues to CWE mapping to use the master version (#483)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-28 14:40:15 +02:00
Cosmin Cojocar
1b915ddad7 Set up a gosec users list
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-12 08:51:13 +02:00
Caccavale
ee3146e637 Rule which detects aliasing of values in RangeStmt 2020-04-24 07:46:25 -07:00
Cosmin Cojocar
8662624e28 Update the build badge to get the status from GitHub workflow
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:20:30 -07:00
Cosmin Cojocar
a2a40de847 Update the README with an example to configure the hard-coded credentials rule
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
51e4317f09 Automate the release process using a GitHub workflow
The release will trigger when a new tag is pushed.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 00:41:56 -07:00
Cosmin Cojocar
3b6c3f13f1 Update README with some instructions on how to run gosec as a GitHub action
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-08 00:39:01 -07:00
Sam Caccavale
7525fe4bb7
Rule for deferring methods which return errors (#441) 2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442) 2020-02-28 12:48:18 +01:00
Hiroki Suezawa
a4d7b3628b Add G110(Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00