Commit graph

1107 commits

Author SHA1 Message Date
pro-wh
cf63541008
fileperms: bitwise permission comparison (#883)
* fileperms: extract existing mode comparison logic

* fileperms: add failing test

* fileperms: bitwise permission comparison
2022-10-20 08:48:40 +02:00
Cosmin Cojocar
1af1d5bb49
Pin release build to Go version 1.19.2 (#882) 2022-10-17 11:06:43 +02:00
Sebastiaan van Stijn
0ae0174c25
Refactor to support duplicate imports with different aliases (#865)
The existing code assumed imports to be either imported, or imported with an
alias. Badly formatted files may have duplicate imports for a package, using
different aliases.

This patch refactors the code, and;

Introduces a new `GetImportedNames` function, which returns all name(s) and
aliase(s) for a package, which effectively combines `GetAliasedName` and
`GetImportedName`, but adding support for duplicate imports.

The old `GetAliasedName` and `GetImportedName` functions have been rewritten to
use the new function and marked deprecated, but could be removed if there are no
external consumers.

With this patch, the linter is able to detect issues in files such as;

    package main

    import (
        crand "crypto/rand"
        "math/big"
        "math/rand"
        rand2 "math/rand"
        rand3 "math/rand"
    )

    func main() {
        _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good

        _ = rand.Intn(2) // bad
        _ = rand2.Intn(2)  // bad
        _ = rand3.Intn(2)  // bad
    }

Before this patch, only a single issue would be detected:

    gosec --quiet .

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

With this patch, all issues are identified:

    gosec --quiet .

    [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        15: 	_ = rand2.Intn(2)  // bad
      > 16: 	_ = rand3.Intn(2)  // bad
        17: }

    [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        14: 	_ = rand.Intn(2) // bad
      > 15: 	_ = rand2.Intn(2)  // bad
        16: 	_ = rand3.Intn(2)  // bad

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

While working on this change, I noticed that ImportTracker.TrackFile() was not able
to find import aliases;  Analyser.Check() called both ImportTracker.TrackFile() and
ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in-
correctly included multiple times (once with the correct alias, once with the default).

I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker,
Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk()
already handles the file, and will find all imports.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:59:18 +02:00
renovate[bot]
a2719d3248
chore(deps): update all dependencies (#881)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-17 10:14:22 +02:00
Sebastiaan van Stijn
ed386818fd
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880)
* gha: remove go1.17, temporarily force 1.18.7, 1.19.2

The  security scanner is flagging the code to have a vulnerability, but it's
detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing).

Temporarily pinning to go1.18.7 to force installing the latest version:

    Vulnerability #1: GO-2022-1039
      Programs which compile regular expressions from untrusted
      sources may be vulnerable to memory exhaustion or denial of
      service. The parsed regexp representation is linear in the size
      of the input, but in some cases the constant factor can be as
      high as 40,000, making relatively small regexps consume much
      larger amounts of memory. After fix, each regexp being parsed is
      limited to a 256 MB memory footprint. Regular expressions whose
      representation would use more space than that are rejected.
      Normal use of regular expressions is unaffected.

      Call stacks in your code:
      Error:       helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse

      Found in: regexp/syntax@go1.18.6
      Fixed in: regexp/syntax@go1.19.2
      More info: https://pkg.go.dev/vuln/GO-2022-1039

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* go.mod: github.com/onsi/ginkgo/v2 v2.3.1

CI was failing because of a mismatch:

    /home/runner/go/bin/ginkgo -v --fail-fast
    Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages:
      Ginkgo CLI Version:
        2.3.1
      Mismatched package versions found:
       2.2.0 used by gosec

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* go.mod: golang.org/x/text v0.3.8

to address GO-2022-1059

    The vulnerabilities below are in packages that you import, but your code
    doesn't appear to call any vulnerable functions. You may not need to take any
    action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
    for details.

    Vulnerability #1: GO-2022-1059
      An attacker may cause a denial of service by crafting an Accept-Language
      header which ParseAcceptLanguage will take significant time to parse.

      Found in: golang.org/x/text/language@v0.3.7
      Fixed in: golang.org/x/text/language@v0.3.8
      More info: https://pkg.go.dev/vuln/GO-2022-1059

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:05:13 +02:00
Cosmin Cojocar
84661730b0
Update Go version to 1.19 in the makefile (#876)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-10-10 09:31:09 +02:00
renovate[bot]
f9ad0d88a1
chore(deps): update all dependencies (#875)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-10 09:27:01 +02:00
Cosmin Cojocar
6cd9e6289d
Add CWE-676 to cwe mapping (#874) 2022-10-06 08:18:21 +02:00
renovate[bot]
bb4a1e3544
chore(deps): update all dependencies (#872)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-04 09:23:21 +02:00
Lars Gohr
7ea37bbdc2
Add a way to use private repositories on GitHub (#869) 2022-09-23 10:32:26 +02:00
renovate[bot]
e244c811ea
chore(deps): update all dependencies (#868)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-09-22 11:18:20 +02:00
Cosmin Cojocar
e9b2781247 Check go version when installing govulncheck
govulncheck supports only go 1.18 or greater

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-09-12 15:01:04 +02:00
Cosmin Cojocar
88c23deb88 Check go version when running govulncheck
govulncheck supports only go 1.18 or greater.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-09-12 15:01:04 +02:00
Cosmin Cojocar
84f6424ac9 Add vulncheck to the test steps
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-09-12 15:01:04 +02:00
renovate[bot]
180fc23b72 chore(deps): update all dependencies 2022-09-12 09:35:57 +02:00
Sebastiaan van Stijn
dfde579243 Fix false positives for G404 with aliased packages
It appears that `GetImportedName` returns _both_ aliased and non-aliased imports.
As a result, a file having both crypto/rand and math/rand (but aliased) would
trigger false positives on G404. Given the following file;

```go
package main

import (
	"crypto/rand"
	"math/big"
	rnd "math/rand"
)

func main() {
	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
	_ = rnd.Intn(2)
}
```

And patching for debugging;

```patch
diff --git a/helpers.go b/helpers.go
index 437d032..80f4233 100644
--- a/helpers.go
+++ b/helpers.go
@@ -250,6 +250,8 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
 // GetImportedName returns the name used for the package within the
 // code. It will ignore initialization only imports.
 func GetImportedName(path string, ctx *Context) (string, bool) {
+       fmt.Printf("%+v", ctx.Imports.Imported)
+       os.Exit(1)
        importName, imported := ctx.Imports.Imported[path]
        if !imported {
                return "", false
```

Would show that `math/rand` was included in the list, using it's non-aliased
name (`:rand`).

    gosec -quiet .
    map[crypto/rand:rand math/big:big math/rand:rand]

This patch works around this problem by reversing the order in which imports
are resolved in `MatchCallByPackage()`. Aliased packages are tried first, after
which non-aliased imports are tried.

Given the example application mentioned above:

Before this patch:

```bash
gosec -quiet .
Results:

[/Users/sebastiaan/Projects/test/gosec-issue/main.go:10] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    9: func main() {
  > 10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
    11: 	_ = rnd.Intn(2)
```

With this patch applied:

```bash
    gosec --quiet .
    Results:

    [/Users/sebastiaan/Projects/test/gosec-issue/main.go:11] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        10: 	_, _ = rand.Int(rand.Reader, big.NewInt(int64(2)))
      > 11: 	_ = rnd.Intn(2)
        12: }
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-05 09:49:02 +02:00
renovate[bot]
aaaf80c9a7 chore(deps): update all dependencies 2022-09-05 09:42:37 +02:00
renovate[bot]
ae58325bfe chore(deps): update all dependencies 2022-08-29 10:21:47 +02:00
Cosmin Cojocar
a892be9827 fix: add a CWE ID mapping to rule G114
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-22 10:23:10 +02:00
renovate[bot]
a319b668cd chore(deps): update golang.org/x/crypto digest to bc19a97 2022-08-22 09:57:21 +02:00
Cosmin Cojocar
19fa856bad fix: make sure that nil Cwe pointer is handled when getting the CWE ID 2022-08-20 13:32:31 +02:00
Cosmin Cojocar
62fa4b4e9b test: remove white spaces from template 2022-08-20 13:08:50 +02:00
Cosmin Cojocar
074dc71087 fix: handle nil CWE pointer in text template 2022-08-20 13:08:50 +02:00
renovate[bot]
79a5b13bdb chore(deps): update dependency babel-standalone to v7 2022-08-15 09:17:13 +02:00
Cosmin Cojocar
97f03d9939 chore: update module go to 1.19
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Cosmin Cojocar
0ba05e160a chore: fix lint warnings
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Cosmin Cojocar
d3933f9e14 chore: add support for Go 1.19
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
Ludovic Fernandez
4e68fb5b15
fix: parsing of the Go version (#844)
* fix: parsing of the Go version

* fix: convert pseudo directive to comment
2022-08-08 09:28:41 +02:00
Ville Skyttä
0c8e63ed86
Detect use of net/http functions that have no support for setting timeouts (#842)
https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/
https://blog.cloudflare.com/exposing-go-on-the-internet/

Closes https://github.com/securego/gosec/issues/833
2022-08-02 17:16:44 +02:00
Ville Skyttä
6a26c231fc
Refactor SQL rules for better extensibility (#841)
Remove hardwired assumption and heuristics on index of arg taking a SQL
string, be explicit about it instead.
2022-08-02 15:25:30 +02:00
renovate[bot]
1b0873a235
chore(deps): update module golang.org/x/tools to v0.1.12 (#840)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-08-02 08:08:23 +02:00
Cosmin Cojocar
845483e0b1 Fix lint warning
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-28 11:10:00 +02:00
Cosmin Cojocar
45bf9a6095 Check the suppressed issues when generating the exit code
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-28 11:10:00 +02:00
Dmitry Golushko
a5982fb6a6
Fix for G402. Check package path instead of package name (#838) 2022-07-28 08:51:30 +02:00
Ziqi Zhao
ea6d49d1b5
fix G204 bugs (#835)
Signed-off-by: Ziqi Zhao <zhaoziqi9146@gmail.com>
2022-07-26 11:08:43 +02:00
Cosmin Cojocar
21fcd2f904
Phase out support for Go 1.16 since is not supported anymore by Go team (#837)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-07-26 11:08:30 +02:00
renovate[bot]
3cda47a9b8
chore(deps): update all dependencies (#836)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-26 10:57:36 +02:00
renovate[bot]
0212c83699
chore(deps): update dependency highlight.js to v11.6.0 (#830)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-18 16:20:54 +02:00
Tim Costa
9a25f4ed2d
fix: filepaths with git anywhere in them being erroneously excluded (#828)
Co-authored-by: Tim Costa <timcosta@amazon.com>
2022-07-06 06:46:49 +02:00
云微
602ced7e71
Fix wrong location for G109 (#829)
Before this commit, G109 will report on `strconv.Atoi`.
After this, it will report on the convertion like`int32(a)`.
2022-07-06 06:37:11 +02:00
renovate[bot]
7dd9ddd583
chore(deps): update golang.org/x/crypto digest to 0559593 (#826)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-07-06 06:34:31 +02:00
云微
b0f3e78e07
fix ReadTimeout for G112 rule 2022-06-23 14:58:13 +02:00
Sascha Grunert
05f3ca80f9
Pin cosign-installer to v2 (#824)
We now have tags available in the cosign-installer, which allows us to
pin the latest release via `v2`.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-06-23 14:50:50 +02:00
renovate[bot]
a9b0ef0a11
chore(deps): update all dependencies (#822)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-06-13 19:48:12 +02:00
Vladimir Severov
9c19cb6501
Add check for usage of Rat.SetString in math/big with an overflow error (#819)
* Add check for usage of Rat.SetString in math/big with an overflow error

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.

It is the CVE-2022-23772.

* Use ContainsPkgCallExpr instead of manual parsing
2022-06-03 00:19:51 +02:00
Peter Dave Hello
fb587c1d10
Remove additional --update for apk in Dockerfile (#818)
There is no need to use --update with --no-cache when using apk on
Alpine Linux, as using --no-cache will fetch the index every time and
leave no local cache, so the index will always be the latest without
temporary files remain in the image.
2022-05-31 15:06:52 +02:00
Thomas Gorham
c3ede62822
Update x/tools to pick up fix for golang/go#51629 (#817) 2022-05-29 17:41:10 +02:00
renovate[bot]
0a929c7b6c
chore(deps): update all dependencies (#816)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-29 17:36:29 +02:00
renovate[bot]
12be14859b
chore(deps): update all dependencies (#812)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-09 12:02:57 +02:00
renovate[bot]
0dcc3362ae
chore(deps): update all dependencies (#811)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-02 21:00:33 +02:00