Commit graph

28 commits

Author SHA1 Message Date
bean.zhang
a624254e39
Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917)
* Update hardcoded_credentials.go

adaper equal expr which const value at left.
```
if "Tr0ub4dour_UPL&&LOlo" == pwd
```

* Update hardcoded_credentials.go

check ident not equal nil

* adapter const == key hardcoded, add testcases
2023-01-31 09:52:37 +01:00
robot-5
afc9903ba9
Fix use rule IDs to retrieve the rule config 2022-03-28 20:28:02 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials (#666) 2021-07-19 11:23:39 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build 2021-05-31 10:44:12 +02:00
Cosmin Cojocar
fb44007c6e Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
802292c54f Fix the configuration parsing for hardcoded credentials
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c6e10af40f Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
jonmcclintock
2115402409 Add the rule ID to issues (#188) 2018-03-12 18:18:44 +10:00
Grant Murphy
58a48c471c Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule 2018-03-09 10:54:34 +10:00
andyleap
f3c8d59863 Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-09 09:49:49 +10:00
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
Grant Murphy
af25ac1f6e fix golint errors picked up by hound-ci 2017-12-13 22:35:47 +10:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00
Grant Murphy
4099783722 Go 1.5 does not support width precision specifier 2017-01-14 14:39:22 -08:00
Grant Murphy
9bc02396e8 Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
d1303fee0b Improve specitivity of error message for GenDecl 2017-01-11 10:12:11 -08:00
Grant Murphy
d1e67fc995 Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.

Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
c7bb2dd3b7 Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48 Handle inbalanced declaration of constants
The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
a3fcd96f57 Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls so will
work with global vars and constants.

Fixes #74
2016-11-13 12:57:59 -08:00
Grant Murphy
74b6633ee0 Updated imports to new repository location. 2016-11-02 16:54:20 -07:00
Tim Kelsey
713949fe69 Rule selection rules
This makes the following changes:
- riles are identified by an ID
- include / exclude list now work
- rules are selected based on these lists
- blacklist rules are broken out into methods
- rule constructors now take the config map
- config file can be used to select rules
- CLI options embelish config selection options
2016-08-11 10:45:51 +01:00
Grant Murphy
cee5fad4c3 Fix incorrect regexp matches
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression -  `^ioutils.WriteFile$' would match
ioutils.WriteFile, but also ioutils_WriteFile.

Additionally made sure that all regexp were declared using raw
strings to avoid any unnecesary string escaping that potentially
make the regexp difficult to read.
2016-07-30 13:29:33 -07:00
Cedric Staub
3cd0ebee96 Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00