Grant Murphy
b659538aa8
Merge pull request #26 from HewlettPackard/fix_annotations
Fixing annotations
2016-07-29 07:24:05 -07:00
Tim Kelsey
68aac2539a
Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it won't be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Grant Murphy
28f0f1abe8
Merge pull request #23 from csstaub/cs/detect-math-rand
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand
2016-07-28 11:26:34 -07:00
Tim Kelsey
c5d271566c
Merge pull request #24 from csstaub/cs/smarter-creds-check
Smarter hard-coded credentials check
2016-07-28 10:31:33 +01:00
Tim Kelsey
e86addbfea
Merge pull request #22 from csstaub/cs/csv
Use encoding/csv for CSV output
2016-07-28 10:25:27 +01:00
Cedric Staub
3cd0ebee96
Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Cedric Staub
2ec102c7bf
Use encoding/csv for CSV output
The encoding/csv package will take care of quoting, double-quoting,
and other CSV quirks -- avoids having to fiddle with text templates.
2016-07-27 20:55:09 -07:00
Grant Murphy
81b5e98828
Merge pull request #21 from HewlettPackard/better_sql
Better SQLi testing
2016-07-27 08:00:09 -07:00
Tim Kelsey
3e4d96ef3e
Better SQLi testing
This prevents the string concat tests from flagging a false positive if
joining two literal strings (e.g. "SELECT * FROM " + " table" ... )
or with a constant (e.g. const tab = "name"; "SELECT * from " + tab)
2016-07-27 15:47:07 +01:00
Tim Kelsey
2d0a26dafe
Merge pull request #18 from HewlettPackard/issue16
Expand cases accepted by -exclude
2016-07-27 09:47:47 +01:00
Tim Kelsey
48910f5866
Merge pull request #20 from hyakuhei/Fix_Readme
Fixed-up some language in README.md
2016-07-27 09:45:52 +01:00
Robert Clark
9651a40525
Fixed-up some language in README.md
2016-07-27 09:36:13 +01:00
Grant Murphy
0dd7ec9c3c
Merge pull request #19 from HewlettPackard/issue17
Fix exclude documentation
2016-07-26 21:54:43 -07:00
Grant Murphy
1cff72694b
Fix exclude documentation
Closes issue #17
2016-07-26 21:53:45 -07:00
Grant Murphy
a7ebf35465
Expand cases accepted by -exclude
The exclude flag was only using filepath.Match which isn't intuitive
compared with some other command line tools. Added a couple of
additional cases to handle relative paths.
Fixes issue #16
2016-07-26 21:47:09 -07:00
Tim Kelsey
debb1f5b08
Merge pull request #14 from csstaub/cs/fix-json
Use encoding/json for -fmt json output
2016-07-26 17:50:44 +01:00
Cedric Staub
271cff19f7
Use encoding/json for -fmt json output
2016-07-25 16:40:49 -07:00
Grant Murphy
50fb7f4217
Merge pull request #10 from HewlettPackard/issue9
Handle import error rather than panic on failure
2016-07-25 16:17:02 -07:00
Grant Murphy
37cc56d425
Merge pull request #11 from csstaub/cs/fix-json
Make sure -fmt json produces valid output
2016-07-25 16:16:29 -07:00
Cedric Staub
c6e25a9b64
Make sure -fmt json produces valid output
2016-07-25 16:10:00 -07:00
Grant Murphy
2f84b67a47
Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Grant Murphy
9ce14dc683
Disclaimer about project status
2016-07-25 09:51:19 -07:00
Tim Kelsey
f9bf428e75
Merge pull request #6 from HewlettPackard/tools
Check input files and handle panic condition
2016-07-25 09:40:18 +01:00
Grant Murphy
0bd254c2eb
Check input files and handle panic condition
2016-07-22 11:07:23 -07:00
Grant Murphy
e2caa921fe
Merge pull request #5 from HewlettPackard/docs
Update the README to include newer rules
2016-07-22 07:55:53 -07:00
Grant Murphy
2cac3900fb
Update the README to include newer rules
2016-07-22 07:50:30 -07:00
Grant Murphy
59deedb2f3
Merge pull request #4 from HewlettPackard/httpoxy
Adding check for httpoxy
2016-07-21 09:26:11 -07:00
Tim Kelsey
361593394e
Adding check for httpoxy
Go code running under CGI is vulnerable to the httpoxy attack. See
https://httpoxy.org/. This checks for an import of net/http/cgi,
which might indicate that the code may be run under CGI.
closes #1
2016-07-21 16:30:09 +01:00
Tim Kelsey
4f3d620d37
Initial public release
2016-07-20 15:56:32 +01:00