Commit graph

329 commits

Author SHA1 Message Date
Tim Kelsey
68aac2539a Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it wont be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Grant Murphy
28f0f1abe8 Merge pull request #23 from csstaub/cs/detect-math-rand
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand 2016-07-28 11:26:34 -07:00
Tim Kelsey
c5d271566c Merge pull request #24 from csstaub/cs/smarter-creds-check
Smarter hard-coded credentials check
2016-07-28 10:31:33 +01:00
Tim Kelsey
e86addbfea Merge pull request #22 from csstaub/cs/csv
Use encoding/csv for CSV output
2016-07-28 10:25:27 +01:00
Cedric Staub
3cd0ebee96 Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Cedric Staub
2ec102c7bf Use encoding/csv for CSV output
The encoding/csv package will take care of quoting, double-quoting,
and other CSV quirks -- avoids having to fiddle with text templates.
2016-07-27 20:55:09 -07:00
Grant Murphy
81b5e98828 Merge pull request #21 from HewlettPackard/better_sql
Better SQLi testing
2016-07-27 08:00:09 -07:00
Tim Kelsey
3e4d96ef3e Better SQLi testing
This prevents the string concat tests flagging a false positive if
joining two literal strings (eg "SELECT * FROM " + " table" ... )
or with a constant (eg const tab = "name"; "SELECT * from " + tab)
2016-07-27 15:47:07 +01:00
Tim Kelsey
2d0a26dafe Merge pull request #18 from HewlettPackard/issue16
Expand cases accepted by -exclude
2016-07-27 09:47:47 +01:00
Tim Kelsey
48910f5866 Merge pull request #20 from hyakuhei/Fix_Readme
Fixed-up some language in README.md
2016-07-27 09:45:52 +01:00
Robert Clark
9651a40525 Fixed-up some language in README.md 2016-07-27 09:36:13 +01:00
Grant Murphy
0dd7ec9c3c Merge pull request #19 from HewlettPackard/issue17
Fix exclude documentation
2016-07-26 21:54:43 -07:00
Grant Murphy
1cff72694b Fix exclude documentation
Closes issue #17
2016-07-26 21:53:45 -07:00
Grant Murphy
a7ebf35465 Expand cases accepted by -exclude
The exclude flag was only using filepath.Match which isn't intuitive
compared with some other command line tools. Added a couple of
additional cases to handle relative paths.

Fixes issue #16
2016-07-26 21:47:09 -07:00
Tim Kelsey
debb1f5b08 Merge pull request #14 from csstaub/cs/fix-json
Use encoding/json for -fmt json output
2016-07-26 17:50:44 +01:00
Cedric Staub
271cff19f7
Use encoding/json for -fmt json output 2016-07-25 16:40:49 -07:00
Grant Murphy
50fb7f4217 Merge pull request #10 from HewlettPackard/issue9
Handle import error rather than panic on failure
2016-07-25 16:17:02 -07:00
Grant Murphy
37cc56d425 Merge pull request #11 from csstaub/cs/fix-json
Make sure -fmt json produces valid output
2016-07-25 16:16:29 -07:00
Cedric Staub
c6e25a9b64
Make sure -fmt json produces valid output 2016-07-25 16:10:00 -07:00
Grant Murphy
2f84b67a47 Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Grant Murphy
9ce14dc683 Disclaimer about project status 2016-07-25 09:51:19 -07:00
Tim Kelsey
f9bf428e75 Merge pull request #6 from HewlettPackard/tools
Check input files and handle panic condition
2016-07-25 09:40:18 +01:00
Grant Murphy
0bd254c2eb Check input files and handle panic condition 2016-07-22 11:07:23 -07:00
Grant Murphy
e2caa921fe Merge pull request #5 from HewlettPackard/docs
Update the README to include newer rules
2016-07-22 07:55:53 -07:00
Grant Murphy
2cac3900fb Update the README to include newer rules 2016-07-22 07:50:30 -07:00
Grant Murphy
59deedb2f3 Merge pull request #4 from HewlettPackard/httpoxy
Adding check for httpoxy
2016-07-21 09:26:11 -07:00
Tim Kelsey
361593394e Adding check for httpoxy
Go code running under CGI is vulnerable to httpoxy attack. See
https://httpoxy.org/ this checks for an import of net/http/cgi
that might indicate code may be run under CGI.

closes #1
2016-07-21 16:30:09 +01:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00