Commit graph

980 commits

Author SHA1 Message Date
Grant Murphy
9b081744c9 Process via packages instead of files
Initial commit to change GAS to process packages rather than standalone
files. This is to address issues with type resolution for external
dependencies.

Uses golang.org/x/tools/go/loader to prepare analyzer input rather than
finding the individual files.
2017-04-25 16:01:28 -07:00
Grant Murphy
1beec25f77 Merge pull request #128 from cosmincojocar/improve_skip
Add support for partial path match in the skip option
2017-04-11 12:38:52 -07:00
Grant Murphy
e94e23200a Merge pull request #129 from cosmincojocar/big_exp
Add a rule which audits the use of math/big.Int.Exp function call
2017-04-11 12:36:57 -07:00
Cosmin Cojocar
7dc4638db8 Update the README 2017-04-10 19:40:27 +02:00
Cosmin Cojocar
5b71c2b05f Add a test for math/big.Int.Exp rule 2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd Add a rule for big.Exp function call 2017-04-10 14:25:48 +02:00
Cosmin Cojocar
3ae2762bb1 Add support for partial path match in the skip option 2017-04-10 11:18:02 +02:00
Grant Murphy
05738474a1 Merge pull request #125 from mockturtl/patch-1
BindsToAllNetworkInterfaces should check TLS also
2017-03-29 20:00:40 -07:00
mockturtl
b74c83e7e7 BindsToAllNetworkInterfaces should check TLS also 2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0 Merge pull request #122 from GoASTScanner/testfixes
Correct bad test cases and intermitent failure
2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167 Correct bad test cases and intermitent failure
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.

Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
2017-03-15 08:47:40 -07:00
Grant Murphy
5c302fb1b3 Merge pull request #121 from cosmincojocar/tls
Add a check for PreferServerCipherSuites flag of tls.Config
2017-03-15 08:38:07 -07:00
Cosmin Cojocar
2262f5d474 Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 15:05:44 +01:00
Grant Murphy
1c8e7ff686 Merge pull request #118 from GoASTScanner/issue/117
Fix recursive case on Windows platforms
2017-01-27 09:22:21 -08:00
Grant Murphy
1c99e45d1c Fix recursive case on Windows platforms
Closes #117
2017-01-27 09:16:36 -08:00
Grant Murphy
72caf3de41 Merge pull request #115 from GoASTScanner/bugfix
Temporarily disable typechecker fatal error
2017-01-14 15:25:58 -08:00
Grant Murphy
3e9b66a91a Temporarily disable typechecker fatal error
It seems that the typechecker isn't considering the entire package
fileset in the current way that gas is processing projects. This leads
to cases where types that are defined in one file aren't known about
when gas is processing other files within that module.

A redesign is needed, this is a temporary fix to return to old
behaviour.

Related to #113
2017-01-14 15:21:55 -08:00
Grant Murphy
f6aeaa8dec Merge pull request #114 from GoASTScanner/feature
Consider entropy when warning on hardcoded credentials
2017-01-14 14:46:19 -08:00
Grant Murphy
4099783722 Go 1.5 does not support width precision specifier 2017-01-14 14:39:22 -08:00
Grant Murphy
4b70300e15 Exclude vendor directory from go vet 2017-01-14 14:03:31 -08:00
Grant Murphy
aaddac5e4b Add the zxcvbn library to vendor list 2017-01-14 13:48:53 -08:00
Grant Murphy
9bc02396e8 Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
cc52ef5b26 Merge pull request #112 from GoASTScanner/bugfix
Report a failure and exit if type checking fails
2017-01-13 13:34:33 -08:00
Grant Murphy
a7ec9ccc63 Backport test case for 1.5
Go 1.5 does not have a rand.Read function so need to adjust test
definitions accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8 Fix additional test case 2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76 Fix test cases with invalid sample code 2017-01-13 12:40:49 -08:00
Grant Murphy
d3f0a08f0d Report a failure and exit if type checking fails
Type checking failures were previously not reported and the file was
silently ignored. This change will report the error and halt further
processing.
2017-01-13 11:27:17 -08:00
Grant Murphy
bc21a39c66 Merge pull request #110 from GoASTScanner/bugfix
Improve specitivity of error message for GenDecl
2017-01-11 10:25:58 -08:00
Grant Murphy
d1303fee0b Improve specitivity of error message for GenDecl 2017-01-11 10:12:11 -08:00
Grant Murphy
0545d13d8a Merge pull request #109 from GoASTScanner/bugfix
Ensure hardcoded credentials check only considers constant strings
2017-01-11 10:03:53 -08:00
Grant Murphy
1e736c8838 Fix test case (invalid sample code) 2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995 Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.

Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
d4f9b88cbf Merge pull request #104 from endophage/help_fix
updating skip cli help and readme description
2016-12-13 15:00:18 -08:00
David Lawrence
5f1c2df44a updating skip cli help and readme description 2016-12-13 14:36:51 -08:00
Grant Murphy
c68ed64f6c Merge pull request #102 from GoASTScanner/bugfix
Reduce logging messages a tad
2016-12-02 15:43:33 -08:00
Grant Murphy
94ac200d79 Tests broken if logger is not initialized 2016-12-02 15:39:01 -08:00
Grant Murphy
1ba8b93565 Reduce logging messages a tad
Only need to log if we're skipping a file or if we're processing it.
Should also use the [gas] prefix to aid filtering.
2016-12-02 15:34:12 -08:00
Grant Murphy
465338b05b Merge pull request #101 from GoASTScanner/bugfix
Recreate fileset each time we process a file
2016-12-02 15:25:32 -08:00
Grant Murphy
191750f44c Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.

Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
b5308ff621 Merge pull request #98 from endophage/recursive
adding support for arbitrary paths with ellipses
2016-12-02 14:21:02 -08:00
Grant Murphy
365e9f6cbc Merge pull request #99 from mcpeak/fix-nosec
Fix nosec to work as documented
2016-12-02 14:06:55 -08:00
David Lawrence
1a481fad70 adding support for arbitrary paths with ... 2016-12-02 13:54:05 -08:00
Travis McPeak
942f40acf5 Fix nosec to work as documented
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'.  This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
Grant Murphy
39113216a8 Merge pull request #97 from GoASTScanner/experimental
Address unhandled error conditions
2016-12-02 10:35:02 -08:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
8f78248b61 Merge pull request #92 from GoASTScanner/experimental
Resolve issues with error rules
2016-12-02 09:01:30 -08:00
Grant Murphy
e1e435cf33 Merge pull request #93 from GoASTScanner/bugfix
Remove ast.Print debug message from tryresolve
2016-12-01 09:27:52 -08:00
Grant Murphy
dcfd97c57d Remove ast.Print debug message from tryresolve 2016-12-01 09:24:58 -08:00
Grant Murphy
129be1561b Update error test case
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
5242a2c1df Extend helpers and call list
- Update call list to work directly with call expression
- Add call list test cases
- Extend helpers to add GetCallInfo to resolve call name and package or
  type if it's a var.
- Add test cases to ensure correct behaviour
2016-11-18 09:57:34 -08:00