Commit graph

623 commits

Author SHA1 Message Date
Ben Bytheway
04dc713f22 One approach for fixing the false positive identified in #325. 2019-06-13 08:22:48 +10:00
Martin Vrachev
196edd34b6 Add checksum clarification in README
Currently, if you download the gosec binary using the commands
suggested in the README and you decide to check the checksum
of the binary you just downloaded, then your checksum check will fail.
As a result, the user can think that your binary is corrupted.

The reason for that failure is that the checksums are for the
tar.gz files provided in the release notes.
This should be documented to avoid future unclarities.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-06-07 22:33:15 +10:00
Cosmin Cojocar
0ebfa2f8b7 Rework analyzer unit test to pass the go tip version (#318)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-17 15:35:46 +02:00
Sandor Szücs
9d9098fa97 print version string (#317)
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
2019-05-17 11:33:02 +02:00
Cosmin Cojocar
ee80733faf Add a flag to filter issues by confidence (#316)
Refactor also how the issues are filtered by severity.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-10 10:15:09 +02:00
Cosmin Cojocar
29cec138dc Fix formatting in README, remove prerequisite and rework the Makefile test goals (#313)
* Fix formatting in README

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Split the various test goals in the Makefile

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Remove the prerequisites from README since they are automatically installed

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Remove unnecessary install steps from Travis CI build

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Make sure golint is installed before running the lint command

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Make sure ginkgo command is installed before running the tests

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-02 09:19:18 +02:00
Cosmin Cojocar
b68ac76dbc Fix formatting
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3e69a8c8a2 Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
aac9b00845 Refactor properly the package error parsing and cover all test cases
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
625718d294 Refactor the test for Go build errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3af4ae9ddb Fix some lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
bac6f0fb8f Add tests for an empty package without any test file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
76b2c12044 Add a test to cover the processing of empty packages
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b04c1ce0a7 Fix error parsing from package
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
92b3644625 Fix error parsing when the loaded package is empty
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
48e39323f3 Remove test case from import tracker
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Cosmin Cojocar
25b5a1a1ce Add tests to cover the import tracker from file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Cosmin Cojocar
5ef2beeaa6 Track only the import from the file which is checked
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 19:34:57 +02:00
Cosmin Cojocar
f1ea7f6ee3 Add tests for analyser test package check
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
6e5135f6eb Update README with some instructions to enable the tests and vendor folder scanning
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which also allows scanning the test files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
f1d49a6945 Remove unused code
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:54:59 +02:00
Cosmin Cojocar
ed2e0aa927 Update local install command in README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:54:40 +02:00
Cosmin Cojocar
4dfaf0a997 Refactor the analyzer to process one package at the time
This avoids loading all packages in memory before running the checks.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-28 09:06:52 +02:00
Cosmin Cojocar
adcfe94257 Fix test for helpers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
5ae52660ae Add some tests that cover the helper function which lists the package paths
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
e419eb8f4e Exclude correctly the vendor folder from the scanned packages
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
85eb8a52ab Scan the go packages path recursively starting from a root folder
This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
85221996b6 Improve logging in the analyser
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
ea16ff1f9e Remove GOPATH check to allow running gosec outside of GOPATH
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
6c174a61d4 Update README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:40 +02:00
Cosmin Cojocar
7935fd85b9 Rework the Dockerfile for Go modules
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:40 +02:00
Cosmin Cojocar
806908a805 Remove the dep tool installation from travis CI
Use the just built gosec to scan the source code.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:18 +02:00
Cosmin Cojocar
950e84c3fa Handle errors to fix lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:18 +02:00
Cosmin Cojocar
ee73b9e94b Remove dep and use only Go modules to manage dependencies
Update the dependencies to latest versions

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:18 +02:00
Naoya Yoshizawa
85d180848d Go modules support for 1.12 (#297)
* support go module

* fix implement and uncommented out tests

* includes test package

* remove test environment go1.10 or older
2019-04-25 09:25:32 +02:00
kencrawford
eaba99df37 fix comment. 2019-03-21 07:30:14 +10:00
kencrawford
4cd14f9068 remove panic 2019-03-21 07:30:14 +10:00
kencrawford
66e7c8d8f8 Extract to a constant 2019-03-21 07:30:14 +10:00
kencrawford
1b28d323d8 fix sonarIssues struct 2019-03-21 07:30:14 +10:00
kencrawford
8eab50eb17 update README.md to add support of sonarqube. 2019-03-21 07:30:14 +10:00
kencrawford
989eb3ff88 Update Hound errors 2019-03-21 07:30:14 +10:00
kencrawford
ddfe54d0a0 Add sonarqube output 2019-03-21 07:30:14 +10:00
JulesDT
c5e6c4aedd fix no-fail flag logic 2019-03-19 08:11:02 +10:00
Cosmin Cojocar
2bd007e968 Update README 2019-03-06 17:18:50 +10:00
Cosmin Cojocar
8b27d1c091 Update go version to 1.11.5 in the docker file 2019-03-06 17:18:50 +10:00
Liam Galvin
9cd538fcf2 Fix README typo 2019-03-06 08:14:35 +10:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now, if you use Gosec to scan an invalid go file and you report the result in a text, JSON, CSV or another file format, you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Martin Vrachev
9cdfec40ca Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
Cosmin Cojocar
8048b15efa Add more badges in the README file 2019-02-13 11:46:36 +01:00