云微
34d144b3fa
Add new rule for Slowloris Attack
2022-04-30 12:38:50 +02:00
Cosmin Cojocar
89dfdc0c97
Update the description message of template rule ( #803 )
2022-04-05 07:41:36 +02:00
robot-5
afc9903ba9
Fix use rule IDs to retrieve the rule config
2022-03-28 20:28:02 +02:00
Calin Capitanu
48bbf96b56
Adds directory traversal for Http.Dir("/")
2022-03-06 10:58:47 +01:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading ( #778 )
* feat: add concurrency option to parallelize package loading
* refactor: move wg.add inside the for loop
* fix: gracefully stop the workers on error
* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Cosmin Cojocar
2fad8a4193
Resolve the TLS min version when it is declared in the same package but in a different file
2022-01-26 19:27:26 +01:00
Cosmin Cojocar
1fbcf10e18
Add a test for tls min version defined in a different file
2022-01-26 19:27:26 +01:00
kaiili
1d909e2687
Add db.Exec and db.Prepare to the sql rule ( #763 )
* Add db.Exec and db.Prepare to the sql rule
* add test cases for G201,G202
2022-01-17 13:50:37 +01:00
Cosmin Cojocar
7be6d4efb5
Add os.Create to the readfile rule ( #761 )
2022-01-12 19:33:17 +01:00
kaiili
75cc7dcd51
Fix false negative for SQL injection when using DB.QueryRow.Scan() ( #759 )
2022-01-12 16:33:39 +01:00
kaiili
9d66b0d346
Fix false negatives for SQL injection in multi-line queries
2022-01-05 12:05:53 +01:00
Ville Skyttä
4c1afaa492
Find G303 with filepath.Join'd temp dirs ( #754 )
2022-01-04 14:48:02 +01:00
Ville Skyttä
19bda8d15f
Find more tempdirs
* Find G303 in string concatenations, with os.TempDir, and in path.Join args
* Find G303 with /usr/tmp, too
/usr/tmp is commonly found e.g. on Solaris.
2022-01-03 21:58:25 +01:00
Cosmin Cojocar
ad5d74d5a1
Update to ginkgo v2 ( #753 )
2022-01-03 18:11:35 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings
2021-12-09 11:53:36 +01:00
Lars
6a41fb9e61
Fix https://github.com/securego/gosec/issues/714 ( #733 )
2021-11-24 16:34:42 +01:00
Cosmin Cojocar
e57efa8482
Fix a panic in subproc rule when the declaration of the variable is not available in the AST ( #728 )
2021-11-16 21:41:26 +01:00
Cosmin Cojocar
55c6ceaaa6
Fix crash when parsing the TLS min version value ( #724 )
2021-11-09 21:59:53 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case ( #718 )
* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 ( #706 )
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Yuval Kashtan
1933cba5b5
Add os.Unsetenv to NoErrorCheck whitelist ( #702 )
it always returns nil err
2021-10-05 19:30:34 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci ( #698 )
2021-09-13 09:40:10 +02:00
Cosmin Cojocar
d3309fb4f5
Add a more generic message for rule g204 ( #688 )
2021-08-19 15:18:20 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt ( #685 )
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 ( #677 )
* fix: add more rules for G204
* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Marc Brugger
62db81342e
Allow excluding generated files
2021-08-04 17:33:20 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
* Add G307 sample code.
The sample should reflect a deferred close that leads to data loss.
Due to IDE auto-complete, people tend to at least log errors, but not
really care about handling them.
* Add more G307 sample code. Propose a way to implement
* Remove unused code. Add example that should not return an error but does
* Remove test for synced closed file for now.
Will add this later
Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion ( #669 )
* fix: add variable assignment checking as part of MinVersion
* fix: add more code to allow assignment with const
* fix: rework the code and add more test cases for MinVersion
* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials ( #666 )
2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs ( #660 )
* Add G204 rule for sys/execabs
* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00
エガオノキミヘ
3c230ac0f7
errors.go: add Hash.Write() to the white list. ( #648 )
2021-06-13 13:30:49 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build
2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt
2021-05-07 18:04:01 +02:00
Chris Bandy
27a5ffb5c8
Quiet warnings about integer truncation ( #586 )
Both MinVersion and MaxVersion of crypto/tls.Config are uint16, so the
int16 fields of rules.insecureConfigTLS are too small. GetInt()
interprets integer literals as fitting within 64-bits, so simplify
things by using int64.
2021-03-03 10:05:33 +01:00
Matouš Dzivjak
1fce46151c
fix: WriteParams rule to work also with golang 1.16 ( #577 )
In go 1.16 the `ioutil` package was deprecated and
the functions should be replaced by their equivalents
in either `io` or `os` packages. This means
that `ioutil.WriteFile` should be replaced by
`os.WriteFile` instead. To account for this change
and to detect incorrect permissions also for `os.WriteFile`,
I changed the `filePermissions` rule slightly to allow
specifying multiple packages that can contain a given
function and that we should check. This workaround
can be removed after a sufficient time has passed
and after it is decided that checking `os.WriteFile`
is enough.
Fixes: https://github.com/securego/gosec/issues/576
2021-02-22 09:22:04 +01:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check ( #570 )
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Chris Bandy
e100f6b862
Assert that sample code compiles
2021-01-04 09:28:00 +01:00
Jeff Widman
9fe0b2e21a
Fix typo ( #547 )
2020-12-11 09:34:38 +01:00
Cosmin Cojocar
13519fda59
Update the tls configuration generator to also handle the NSS alternative names
Regenerate the configuration of TLS rule.
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Cosmin Cojocar
f13b8bc639
Add also filepath.Rel as a sanitization method for input argument in the G304 rule
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba
feat: adds support for path.Join and for tar archives in G305
2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f
Add io.CopyBuffer function to rule G110
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
Cosmin Cojocar
ade81d3873
Rename file for consistency
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-29 13:52:47 +02:00
evalphobia
03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5
Improve the TLS version checking
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
6bbf8f9cbc
Extend the insecure random rule with more insecure random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
In addition, makes the pattern matching used by the rules case insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00