Grant Murphy
e94e23200a
Merge pull request #129 from cosmincojocar/big_exp
...
Add a rule which audits the use of math/big.Int.Exp function call
2017-04-11 12:36:57 -07:00
Cosmin Cojocar
7dc4638db8
Update the README
2017-04-10 19:40:27 +02:00
Cosmin Cojocar
5b71c2b05f
Add a test for math/big.Int.Exp rule
2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd
Add a rule for big.Exp function call
2017-04-10 14:25:48 +02:00
Grant Murphy
05738474a1
Merge pull request #125 from mockturtl/patch-1
...
BindsToAllNetworkInterfaces should check TLS also
2017-03-29 20:00:40 -07:00
mockturtl
b74c83e7e7
BindsToAllNetworkInterfaces should check TLS also
2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0
Merge pull request #122 from GoASTScanner/testfixes
...
Correct bad test cases and intermitent failure
2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167
Correct bad test cases and intermitent failure
...
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.
Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
2017-03-15 08:47:40 -07:00
Grant Murphy
5c302fb1b3
Merge pull request #121 from cosmincojocar/tls
...
Add a check for PreferServerCipherSuites flag of tls.Config
2017-03-15 08:38:07 -07:00
Cosmin Cojocar
2262f5d474
Add a check for PreferServerCipherSuites flag of tls.Config
2017-03-15 15:05:44 +01:00
Grant Murphy
1c8e7ff686
Merge pull request #118 from GoASTScanner/issue/117
...
Fix recursive case on Windows platforms
2017-01-27 09:22:21 -08:00
Grant Murphy
1c99e45d1c
Fix recursive case on Windows platforms
...
Closes #117
2017-01-27 09:16:36 -08:00
Grant Murphy
72caf3de41
Merge pull request #115 from GoASTScanner/bugfix
...
Temporarily disable typechecker fatal error
2017-01-14 15:25:58 -08:00
Grant Murphy
3e9b66a91a
Temporarily disable typechecker fatal error
...
It seems that the typechecker isn't considering the entire package
fileset in the current way that gas is processing projects. This leads
to cases where types that are defined in one file aren't known about
when gas is processing other files within that module.
A redesign is needed, this is a temporary fix to return to old
behaviour.
Related to #113
2017-01-14 15:21:55 -08:00
Grant Murphy
f6aeaa8dec
Merge pull request #114 from GoASTScanner/feature
...
Consider entropy when warning on hardcoded credentials
2017-01-14 14:46:19 -08:00
Grant Murphy
4099783722
Go 1.5 does not support width precision specifier
2017-01-14 14:39:22 -08:00
Grant Murphy
4b70300e15
Exclude vendor directory from go vet
2017-01-14 14:03:31 -08:00
Grant Murphy
aaddac5e4b
Add the zxcvbn library to vendor list
2017-01-14 13:48:53 -08:00
Grant Murphy
9bc02396e8
Introduce entropy checking of string
...
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
cc52ef5b26
Merge pull request #112 from GoASTScanner/bugfix
...
Report a failure and exit if type checking fails
2017-01-13 13:34:33 -08:00
Grant Murphy
a7ec9ccc63
Backport test case for 1.5
...
Go 1.5 does not have a rand.Read function so need to adjust test
definitions accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8
Fix additional test case
2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76
Fix test cases with invalid sample code
2017-01-13 12:40:49 -08:00
Grant Murphy
d3f0a08f0d
Report a failure and exit if type checking fails
...
Type checking failures were previously not reported and the file was
silently ignored. This change will report the error and halt further
processing.
2017-01-13 11:27:17 -08:00
Grant Murphy
bc21a39c66
Merge pull request #110 from GoASTScanner/bugfix
...
Improve specitivity of error message for GenDecl
2017-01-11 10:25:58 -08:00
Grant Murphy
d1303fee0b
Improve specitivity of error message for GenDecl
2017-01-11 10:12:11 -08:00
Grant Murphy
0545d13d8a
Merge pull request #109 from GoASTScanner/bugfix
...
Ensure hardcoded credentials check only considers constant strings
2017-01-11 10:03:53 -08:00
Grant Murphy
1e736c8838
Fix test case (invalid sample code)
2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995
Ensure hardcoded credentials only examines strings
...
The hardcoded credentials test should only consider assignment of const strings.
Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
d4f9b88cbf
Merge pull request #104 from endophage/help_fix
...
updating skip cli help and readme description
2016-12-13 15:00:18 -08:00
David Lawrence
5f1c2df44a
updating skip cli help and readme description
2016-12-13 14:36:51 -08:00
Grant Murphy
c68ed64f6c
Merge pull request #102 from GoASTScanner/bugfix
...
Reduce logging messages a tad
2016-12-02 15:43:33 -08:00
Grant Murphy
94ac200d79
Tests broken if logger is not initialized
2016-12-02 15:39:01 -08:00
Grant Murphy
1ba8b93565
Reduce logging messages a tad
...
Only need to log if we're skipping a file or if we're processing it.
Should also use the [gas] prefix to aid filtering.
2016-12-02 15:34:12 -08:00
Grant Murphy
465338b05b
Merge pull request #101 from GoASTScanner/bugfix
...
Recreate fileset each time we process a file
2016-12-02 15:25:32 -08:00
Grant Murphy
191750f44c
Recreate fileset each time we process a file
...
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.
Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
b5308ff621
Merge pull request #98 from endophage/recursive
...
adding support for arbitrary paths with ellipses
2016-12-02 14:21:02 -08:00
Grant Murphy
365e9f6cbc
Merge pull request #99 from mcpeak/fix-nosec
...
Fix nosec to work as documented
2016-12-02 14:06:55 -08:00
David Lawrence
1a481fad70
adding support for arbitrary paths with ...
2016-12-02 13:54:05 -08:00
Travis McPeak
942f40acf5
Fix nosec to work as documented
...
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'. This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
Grant Murphy
39113216a8
Merge pull request #97 from GoASTScanner/experimental
...
Address unhandled error conditions
2016-12-02 10:35:02 -08:00
Grant Murphy
6ace60b950
Address unhandled error conditions
...
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
8f78248b61
Merge pull request #92 from GoASTScanner/experimental
...
Resolve issues with error rules
2016-12-02 09:01:30 -08:00
Grant Murphy
e1e435cf33
Merge pull request #93 from GoASTScanner/bugfix
...
Remove ast.Print debug message from tryresolve
2016-12-01 09:27:52 -08:00
Grant Murphy
dcfd97c57d
Remove ast.Print debug message from tryresolve
2016-12-01 09:24:58 -08:00
Grant Murphy
129be1561b
Update error test case
...
There were several issues with the error test case that have been
addressed in this commit.
- It is possible to specify a whitelist of calls that error handling
should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
implicitly ignored.
There were several other additions to the helpers and call list in order
to support this type of functionality.
Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
5242a2c1df
Extend helpers and call list
...
- Update call list to work directly with call expression
- Add call list test cases
- Extend helpers to add GetCallInfo to resolve call name and package or
type if it's a var.
- Add test cases to ensure correct behaviour
2016-11-18 09:57:34 -08:00
Grant Murphy
d29c64800e
Add match call by type
2016-11-17 20:18:31 -08:00
Grant Murphy
d30c5cde36
Merge pull request #91 from GoASTScanner/experimental
...
Update unsafe rule to match package explicitly
2016-11-15 14:00:59 -08:00
Grant Murphy
63e8b1af23
Update unsafe rule to match package explicitly
...
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00