Commit graph

472 commits

Author SHA1 Message Date
JulesDT
04ce7baf6c add a no-fail flag 2019-01-28 09:38:18 +01:00
Joaquin L. Pereyra
a966ff760c Fix -conf example in README.md
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as did not include final dot to examine the current pkg.
2019-01-22 15:33:45 +01:00
Cosmin Cojocar
b6626154df Fix typo 2019-01-18 11:09:41 +01:00
Cosmin Cojocar
5d33e6ebe1 Update the README with some details about the configuration file
fixes #269
2019-01-18 11:09:41 +01:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
12400f9a1c Update README with the code coverage batch 2018-12-11 18:15:58 +01:00
Cosmin Cojocar
72e95e88ac Geneate and upload the test coverage report to codecove.io 2018-12-11 17:08:31 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address in provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
f14f17fb1d Add a helper function which extracts the string parameters values of a call expression 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
2695567487 Build the code sample for string builder only fron Go 1.10 onwards 2018-11-11 09:57:28 +01:00
Cosmin Cojocar
ae82798b9c Fix the WriteSring test by handling the error 2018-11-11 09:57:28 +01:00
Edoardo Tenani
adb42220da whitelist strings.Builder method in rule G104 2018-11-11 09:57:28 +01:00
Edoardo Tenani
9b966a447e add test case for strings.Builder G104 whitelist inclusion 2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4 Make G201 ignore CallExpr with no args (#262) 2018-11-05 09:28:47 +01:00
Yuki Ito
443f84fd4d Fix golint link (#263) 2018-11-05 09:13:26 +01:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
e0a150bfa3
Merge pull request #254 from kishaningithub/253
Add install.sh script and update readme
2018-10-05 13:12:28 +02:00
Kishan B
97bc137c5b Add CI Installation steps and correct markdown lint errors 2018-10-05 15:27:14 +05:30
Kishan B
8c09a83248 Add install.sh script 2018-10-05 15:26:13 +05:30
Cosmin Cojocar
d032909e3f
Merge pull request #251 from NeverOddOrEven/fix-html-template
Fix the html template
2018-10-04 09:39:56 +02:00
NeverOddOrEven
027dc2b8a7 This fixes the html template when using '-fmt=html'
- resolves HTML escaping issues within the template
 - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
2018-10-03 13:31:59 -05:00
Cosmin Cojocar
f9b41874b1
Merge pull request #249 from andrewhsu/go
bump Dockerfile golang from 1.10 to 1.11
2018-10-03 08:35:47 +02:00
Andrew Hsu
1ecd47e007 bump Dockerfile golang from 1.10 to 1.11
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-10-03 00:28:39 +00:00
Cosmin Cojocar
2cc6838ca3
Merge pull request #248 from ccojocar/code-samples-multiple-files
Refactor the test code sample to support multiple files per sample
2018-09-28 11:52:04 +03:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Andrew Hsu
5f98926a7b Refactor Dockerfile (#245)
* ignore the temporary image file used for builds

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOPATH in the Dockerfile

It is already set in the golang:1.10.3-alpine3.8 image.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOROOT in Dockerfile

The correct value is embedded in the go tool.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* bump Dockerfile golang to 1.10.4

The latest golang version thus far.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* replace docker-entrypoint.sh with the gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* git ignore gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* refactor Dockerfile into multi-stage

First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* fix the image execution example in README.md

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-09-26 08:09:20 +03:00
Grant Murphy
7f6509a916
Update README.md (#246)
Add logo to README.md
2018-09-25 19:44:53 +10:00
Dale Hui
762ff3a709 Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls

* Factor out matching of formatter string

* Quoted strings are safe to use with SQL str formatted strings

* Add test for allowing quoted strings with string formatters

* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
Dale Hui
ec32ce68d8 Support Go 1.11 (#239)
* Test with the latest minor version of each major Go version

* Support Go 1.11 and modules
2018-09-10 09:09:12 +02:00
cschoenduve-splunk
145f1a0bf4 Removed wrapping feature (#238) 2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
Dom Udall 改善
63b25c147f Fix typo in README (#235)
`PORJECT` -> `PROJECT`
2018-09-03 09:39:31 +02:00
cschoenduve-splunk
7fd94463ed update to G304 which adds binary expressions and file joining (#233)
* Added features to G304

* Linted

* Added path selectors

* Used better solution

* removed debugging lines

* fixed comments

* Added test code

* fixed a spacing change
2018-08-28 14:34:07 +10:00
Cosmin Cojocar
e4ba96adc3 Update README 2018-08-21 11:15:14 +02:00
Cosmin Cojocar
ec0f8ec9d6 Set the GOROOT and GOPATH env variables in Dockerfile 2018-08-21 11:15:14 +02:00
Cosmin Cojocar
247828cfa5 Update docker base image to 1.10.3-alpine3.8 2018-08-21 11:15:14 +02:00
cschoenduve-splunk
b6891998ce Add Fprintf to Rule G201 2018-08-21 09:31:38 +02:00
cschoenduve-splunk
a7cff91312 Small update to G201 and added ConcatString Function (#228) 2018-08-19 19:57:36 +02:00
Grant Murphy
1c438e36af
Tweak makefile to match up with docker repo (#231) 2018-08-19 10:28:17 +10:00
Cosmin Cojocar
9577fd0b44 Update README 2018-08-15 09:58:26 +02:00
Cosmin Cojocar
e543f4662c Use the Linux build for Docker image 2018-08-15 09:53:33 +02:00
Cosmin Cojocar
dbd0f8f511 Use the make build goal when creeating the docker image 2018-08-15 09:45:37 +02:00
Cosmin Cojocar
f06a84ebaa
Merge pull request #227 from ccojocar/sha1
Add sha1 to weak crypto primitives
2018-08-09 09:34:49 +02:00
Cosmin Cojocar
8dfa8dc015 Update README 2018-08-08 16:41:34 +02:00
Cosmin Cojocar
fb0dc73a96 Add sha1 to weak crypto primitives 2018-08-08 16:38:57 +02:00
Cosmin Cojocar
90a1c1d625
Merge pull request #225 from jvmatl/jvmatl-patch-1
Document #nosec use with a list of rules
2018-08-03 10:02:42 +02:00
John Martinez
0d2e16dfa3
Document #nosec use with a list of rules
Extend the readme to document the ability to prevent some, but not all, rules from being enforced within an AST node.
2018-07-31 16:22:19 -04:00