It seems that the os.Create will create by default a file with 0666 permissions.
This should be detected when the configured permissions are less than 0666. By default will not detect this case
unless the more restrictive mode is configured.
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
* Added slice bounds testing for slice expressions.
* Added checking slice index.
* Added test for reassigning slice.
* Store capacities on reslicing.
* Scope change clears map. Func name used to track slices.
* Map CallExpr to check bounds when passing to functions.
* Fixed linter errors.
* Updated rulelist with CWE mapping.
* Added comment for NewSliceBoundCheck.
* Addressed nil cap runtime error.
* Replaced usage of nil in call arg map with dummy callexprs.
* Updated comments, wrapped error return, addressed other review concerns.
* Remove read only types from unsafe defer rules
* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed
This doesn't seem to bring much value from security perspective, and it caused a lot of controversy since
is a very common pattern in Go.
* Mentioned in documentation that rule G307 is retired
* Clean up the test for rule G307
* Add check for usage of Rat.SetString in math/big with an overflow error
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7
has an overflow that can lead to Uncontrolled Memory Consumption.
It is the CVE-2022-23772.
* Use ContainsPkgCallExpr instead of manual parsing
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
