* Report for Golang errors
Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.
The real problem here is that the user will never know about the issue if he generates the output in a file.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as did not include final dot to examine the current pkg.
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
* ignore the temporary image file used for builds
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOPATH in the Dockerfile
It is already set in the golang:1.10.3-alpine3.8 image.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOROOT in Dockerfile
The correct value is embedded in the go tool.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* bump Dockerfile golang to 1.10.4
The latest golang version thus far.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* replace docker-entrypoint.sh with the gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* git ignore gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* refactor Dockerfile into multi-stage
First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* fix the image execution example in README.md
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass