Commit graph

132 commits

Author SHA1 Message Date
Miki Tebeka
6bd6e4ba2c Use $(go env GOPATH) that works even when GOPATH is not set 2020-10-01 04:17:43 +10:00
Lucas Charles
aef335a98e Fix typo in README.md
s/trucate/truncate for G101 configuration
2020-10-01 04:17:00 +10:00
Cosmin Cojocar
868556b846 Update README with the correct path to tlsconfig command
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Cosmin Cojocar
166e4f5f45 Update README file with some more details required to run successfully a scan with the docker image
The current working directory needs to be specified in the docker run option in order for gosec
to download the dependencies defined in the go module file.

Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-01 08:57:52 +02:00
Cosmin Cojocar
a3895d5c55 Fix typo in README file
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-31 10:27:02 +02:00
Jamie Cuthill
17c955519e Incorrect local installation instructions for v2 2020-08-21 11:23:36 +02:00
ggkitsas
b60ddc21ba feat: adds support for path.Join and for tar archives in G305 2020-08-03 09:17:45 +02:00
evalphobia
03f12f3f5d Change naming rule from blacklist to blocklist 2020-06-29 13:45:44 +02:00
Cosmin Cojocar
6a130d55b3
Update the link pointing to issues to CWE mapping to use the master version (#483)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-28 14:40:15 +02:00
Cosmin Cojocar
1b915ddad7 Set up a gosec's users list
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-12 08:51:13 +02:00
Caccavale
ee3146e637 Rule which detects aliasing of values in RangeStmt 2020-04-24 07:46:25 -07:00
Cosmin Cojocar
8662624e28 Update the build badge to ge the status from GitHub workflow
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:20:30 -07:00
Cosmin Cojocar
a2a40de847 Update the README with an example to configure the hard-coded credentials rule
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
51e4317f09 Automate the release process using a GitHub workflow
The release will trigger when a new tag is pushed.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-14 00:41:56 -07:00
Cosmin Cojocar
3b6c3f13f1 Update README with some instruction how to run gosec as a GitHub action
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-08 00:39:01 -07:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors (#441) 2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms (#442) 2020-02-28 12:48:18 +01:00
Hiroki Suezawa
a4d7b3628b Add G110(Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422)
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Hiroki Suezawa
79fbf3af8d Add golint format to output format (#428)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-03 10:56:21 +01:00
Cosmin Cojocar
99170e0d76
Update the README with some details about the CWE mapping (#407)
* Fix some typos in the README file

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Update the README with some details about the CWE mapping

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-31 11:56:17 +01:00
Cosmin Cojocar
832d7bb398 Update README with CII Best Practicies badge
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-27 08:53:58 +10:00
Cosmin Cojocar
d8f249a079 Update README with rule G108
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Cosmin Cojocar
338b50debb Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
7851918c4f Add support to exclude arbitrary folders from scanning (#353)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 22:01:36 +10:00
Cosmin Cojocar
fde1f82f34 Update the tag format in the release steps (#348)
Go modules requires that the tag starts with a `v`.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 21:11:32 +10:00
Cosmin Cojocar
992f173356 Update README file with a note on dependencies (#351)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 21:11:12 +10:00
Cosmin Cojocar
141235719b Add some documentation for G104 whitelist configuration
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:26:28 +02:00
Martin Vrachev
196edd34b6 Add checksum clarification in README
Currently, if you download the gosec binary using the commands
suggested in the README and you decide to check the checksum
of the binary, you just downloaded then your checksum check will fail.
As a result, the user can think that your binary is corrupted.

The reason for that failure is that the checksums are for the
tar.gz files provided in the release notes.
This should be documented to avoid future unclarities.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-06-07 22:33:15 +10:00
Cosmin Cojocar
29cec138dc
Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
* Fix formating in README

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Split the various test goals in the Makefile

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Remove the prerequisites from README since they are automatically installed

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Remove unnecessary install steps from Travis CI build

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Make sure golint is installed before running the lint command

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>

* Make sure ginkgo command is installed before running the tests

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-02 09:19:18 +02:00
Cosmin Cojocar
6e5135f6eb Update README with some instructions to enable the tests and vendor folder scanning
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
ed2e0aa927 Update local install command in README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:54:40 +02:00
Cosmin Cojocar
6c174a61d4 Update README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 08:20:40 +02:00
kencrawford
8eab50eb17 update README.md to add support of sonarqube. 2019-03-21 07:30:14 +10:00
Cosmin Cojocar
2bd007e968 Update README 2019-03-06 17:18:50 +10:00
Liam Galvin
9cd538fcf2 Fix README typo 2019-03-06 08:14:35 +10:00
Cosmin Cojocar
8048b15efa Add more badges in the README file 2019-02-13 11:46:36 +01:00
Joaquin L. Pereyra
a966ff760c Fix -conf example in README.md
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as did not include final dot to examine the current pkg.
2019-01-22 15:33:45 +01:00
Cosmin Cojocar
b6626154df Fix typo 2019-01-18 11:09:41 +01:00
Cosmin Cojocar
5d33e6ebe1 Update the README with some details about the configuration file
fixes #269
2019-01-18 11:09:41 +01:00
Cosmin Cojocar
12400f9a1c Update README with the code coverage batch 2018-12-11 18:15:58 +01:00
Yuki Ito
443f84fd4d Fix golint link (#263) 2018-11-05 09:13:26 +01:00
Kishan B
97bc137c5b Add CI Installation steps and correct markdown lint errors 2018-10-05 15:27:14 +05:30
Andrew Hsu
5f98926a7b Refactor Dockerfile (#245)
* ignore the temporary image file used for builds

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOPATH in the Dockerfile

It is already set in the golang:1.10.3-alpine3.8 image.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* no need for GOROOT in Dockerfile

The correct value is embedded in the go tool.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* bump Dockerfile golang to 1.10.4

The latest golang version thus far.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* replace docker-entrypoint.sh with the gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* git ignore gosec binary

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* refactor Dockerfile into multi-stage

First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>

* fix the image execution example in README.md

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-09-26 08:09:20 +03:00
Grant Murphy
7f6509a916
Update README.md (#246)
Add logo to README.md
2018-09-25 19:44:53 +10:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
Dom Udall 改善
63b25c147f Fix typo in README (#235)
`PORJECT` -> `PROJECT`
2018-09-03 09:39:31 +02:00
Cosmin Cojocar
e4ba96adc3 Update README 2018-08-21 11:15:14 +02:00
Cosmin Cojocar
9577fd0b44 Update README 2018-08-15 09:58:26 +02:00
Cosmin Cojocar
8dfa8dc015 Update README 2018-08-08 16:41:34 +02:00
John Martinez
0d2e16dfa3
Document #nosec use with a list of rules
Extend the readme to document the ability to prevent some, but not all, rules from being enforced within an AST node.
2018-07-31 16:22:19 -04:00
Cosmin Cojocar
2a6e887167 Use the goreleaser tool to perform releases 2018-07-27 14:42:00 +02:00
Grant Murphy
3f2b81461f
Update README.md 2018-07-20 09:23:46 +10:00
Grant Murphy
138e6decee
Add slack community link (#215)
Add slack community link
2018-07-20 09:22:43 +10:00
Cosmin Cojocar
e6641c6265 Replace gas with gosec in the README file 2018-07-19 18:46:26 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
Cosmin Cojocar
1923b6d18e Rule which detects a potential path traversal when extracting zip archives (#208)
* Add a rule which detects file path traversal when extracting zip archive

* Detect if any argument is derived from zip.File

* Drop support for Go version 1.8
2018-07-18 22:31:07 +10:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Eric Brown
542d0c0e4f Fix up some mistakes in the README instructions (#195)
This fixes a couple issues found in the README in the development
section:
* There was no information provided on dependencies.  Both go/dep
  and golint are required to run make.
* To run the tests, the command 'make test' not 'make tests' has
  to be used.
2018-03-20 09:21:32 +10:00
cosmincojocar
e809226800 Build improvments (#179)
* Add a semantic version to the usage text

* Add a comment to the version function

* Inject the version, git tag and build date as build variables

* Update README

* Fix lint warnings

* Update README

* Manage dependencies with dep tool instead of godep

* Add a Makefile for common build tasks

* Update the build file to use the make tool

* Update Dockerfile

* Add docker entry point in to make the passing of arguments easy

* Update README

* Add missing tools to the build

* Drop 1.7 support and add 1.10

* Fix Go 1.10 according with the travis guidelines

https://docs.travis-ci.com/user/languages/go/

* Update the tls-observatory package

* Fix lint warnings

* Change the output of the tests to be more verbose

* Check if the are build errors before executing the rule test
2018-03-13 08:57:10 +10:00
coredefend
e76b258456 New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)

* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions

* Add nil pointer check to rule. (#181)

TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174

* Add support for YAML output format (#177)

* Add YAML output format

* Update README

* added rule to check for tainted file path

* added #nosec to main/issue.go

* updated test case import
2018-03-09 09:23:27 +10:00
cosmincojocar
1d9f816ca5 Add support for YAML output format (#177)
* Add YAML output format

* Update README
2018-03-05 22:20:24 +10:00
cosmincojocar
edb362fc9d Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions
2018-02-21 15:59:18 +10:00
Cosmin Cojocar
f1b903f060 Update README 2018-02-06 16:59:00 +01:00
Wong Her Laang
1346bd37ca Edited README and help text. 2018-01-27 12:19:38 +08:00
Grant Murphy
806c1d081f
Add install instructions
Closes 153
2018-01-11 11:31:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental
Merge experimental / refactor
2018-01-05 22:08:59 +10:00
Grant Murphy
e3b6fd94c2 update readme to provide info regarding package level scans 2017-12-13 16:35:54 +10:00
Amber Wiens
5f0f8f89a6 Adding Docker container and changing README 2017-08-03 11:50:58 -06:00
Cosmin Cojocar
7dc4638db8 Update the README 2017-04-10 19:40:27 +02:00
David Lawrence
5f1c2df44a updating skip cli help and readme description 2016-12-13 14:36:51 -08:00
Grant Murphy
74b6633ee0 Updated imports to new repository location. 2016-11-02 16:54:20 -07:00
Grant Murphy
b5a98c12a8 Add godocs.org bagdge 2016-08-28 11:36:53 -07:00
Grant Murphy
a2b7f3e0a2 Add LICENSE information to README.md 2016-08-28 11:09:52 -07:00
Grant Murphy
929edb490a Update README.md to use rule ID's 2016-08-28 11:07:28 -07:00
Tim Kelsey
6d831c0923 Updating docs for new CLI "skip" option 2016-08-10 10:09:37 +01:00
Grant Murphy
9521472897 Add build status to README.md 2016-08-05 09:54:29 -07:00
Robert Clark
9651a40525 Fixed-up some language in README.md 2016-07-27 09:36:13 +01:00
Grant Murphy
1cff72694b Fix exclude documentation
Closes issue #17
2016-07-26 21:53:45 -07:00
Grant Murphy
9ce14dc683 Disclaimer about project status 2016-07-25 09:51:19 -07:00
Grant Murphy
2cac3900fb Update the README to include newer rules 2016-07-22 07:50:30 -07:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00