Commit graph

1065 commits

Author SHA1 Message Date
czechbol
eaedce9a8b
Improvement the int conversion overflow logic to handle bound checks (#1194)
* add test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* tweak test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix codestyle

Signed-off-by: czechbol <adamludes@gmail.com>

* improve bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* max recursion depth

Signed-off-by: czechbol <adamludes@gmail.com>

* add test case for len function

Signed-off-by: czechbol <adamludes@gmail.com>

* relax len function bounds checks

Co-authored-by: Ben Krieger <ben.krieger@intel.com>

* handle cases when convert instruction is after the if blocks

Signed-off-by: czechbol <adamludes@gmail.com>

* improve range check discovery, add tests

Signed-off-by: czechbol <adamludes@gmail.com>

* refactor for readability

Signed-off-by: czechbol <adamludes@gmail.com>

* add cap function test

Signed-off-by: czechbol <adamludes@gmail.com>

* calculate signed min without throwing overflow warnings

Signed-off-by: czechbol <adamludes@gmail.com>

* perform bounds checks int size calculations

Signed-off-by: czechbol <adamludes@gmail.com>

* basic equal operator logic

Signed-off-by: czechbol <adamludes@gmail.com>

* uintptr -> unsafe.Pointer test case

Signed-off-by: czechbol <adamludes@gmail.com>

* fix review comments

Signed-off-by: czechbol <adamludes@gmail.com>

* Rebase and fix go module

Change-Id: I8da6495eaaf25b1739389aa98492bd7df338085b
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* fix false positive for negated value

Signed-off-by: czechbol <adamludes@gmail.com>

* fix range conditions

Signed-off-by: czechbol <adamludes@gmail.com>

* Ignore the golangci/gosec G115 warning

Change-Id: I0db56cb0a5f9ab6e815e2480ec0b66d7061b23d3
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: czechbol <adamludes@gmail.com>
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-09-04 16:09:54 +02:00
William Bergeron-Drouin
ea5b2766bb
fix: G602 support for nested conditionals with bounds check (#1201)
* Recursive fix

* Add some more test cases

* Fix formatting

* Add depth check
2024-09-04 11:07:42 +02:00
Cosmin Cojocar
11d69032b0 Update go.mod to sue go 1.22.0 toolchain 2024-09-02 09:46:29 +02:00
renovate[bot]
655527dfb4 chore(deps): update all dependencies 2024-09-02 09:46:29 +02:00
Cosmin Cojocar
0898560169 Make variable name more clear
Change-Id: I5b863c0da6cc3d01efa527c60c93fdcbc8c5a53c
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
ac67231ec5 Make variable names more explicity and reduce duplications
Change-Id: Ifa141b70351136cfe7d0756a83e8166a24b5d538
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
e0414c4640 Fix formatting
Change-Id: I49caeb75f1bd7ecdb9b4f99466d96ad81e2e95ac
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
c7003fc7e5 Refactor to reduce some fuctions and variable names
Change-Id: I7f42c1de4e39dceb8e8144037d5af9223331ff06
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Cosmin Cojocar
2401936458 Pass the value argument directly since is an interface
The value doens't require to be passed as a pointer since is a
interface.

Change-Id: Ia21bceb5f315f4c30bd28425d62f678e9203e93f
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-30 19:35:07 +02:00
Dimitar Banchev
f5d312825f Added suggested changes 2024-08-30 19:35:07 +02:00
Dimitar Banchev
a14ca4ac59 Added another test case in order to increase code coverage 2024-08-30 19:35:07 +02:00
Dimitar Banchev
a6dd589bae Removed function parameter which is always the same 2024-08-30 19:35:07 +02:00
Dimitar Banchev
b4c746962f Formatting problems(CI was not passing) 2024-08-30 19:35:07 +02:00
Dimitar Banchev
7f8f654235 Updated analyzer to use new way of initialization
* Removed old way of initializing analyzers
* Added the new analyzer to the rest of the default analyzers
* Fixed small bug in the rule
* Removed the test for the new analyzer from the file responsible for testing the rules
* Merged the diffrent examples into 1 variable
* Added tests for the analyzer
* Removed code that was used for testing rules, but it was used to test the analyzer
2024-08-30 19:35:07 +02:00
Dimitar Banchev
a26215cf23 Migrated the rule to the analyzers folder 2024-08-30 19:35:07 +02:00
Dimitar Banchev
3f6e1e7326 Refractored code a little bit 2024-08-30 19:35:07 +02:00
Dimitar Banchev
0eb8143c23 Added new rule G407(hardcoded IV/nonce)
The rule is supposed to detect for the usage of hardcoded or static nonce/Iv in many encryption algorithms:

* The different modes of AES (mainly tested here)
* It should be able to work with ascon

Currently the rules doesn't check when constant variables are used.

TODO: Improve the rule, to detected for constatant variable usage
2024-08-30 19:35:07 +02:00
Ben Krieger
4ae73c8ba3 Fix conversion overflow false positive when using ParseUint 2024-08-28 08:58:42 +02:00
Cosmin Cojocar
c52dc0ea4e Add a build step to measure the scan perfomance
This step will measure the scan performance difference against the
master version.

Change-Id: I1b9196ef3348350cf818471f55d9024d14064ac6
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-26 19:08:32 +02:00
czechbol
bcec04e784 Fix conversion overflow false positives when they are checked or pre-determined
Signed-off-by: czechbol <adamludes@gmail.com>
2024-08-26 16:57:12 +02:00
Cosmin Cojocar
71e397b994 Update go.mod 2024-08-26 16:47:36 +02:00
renovate[bot]
aec45b0b7d chore(deps): update all dependencies 2024-08-26 16:47:36 +02:00
Cosmin Cojocar
ab3f6c1c83 Fix false positive in conversion overflow check from uint8/int8 type
Change-Id: I543545e22fa12de0d85dcf92664a0a54e8f7244a
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-22 09:47:52 +02:00
Cosmin Cojocar
a39ec5a16b Disable staticcheck SA1019 rule
Change-Id: Ia9db0083f5ffb34d911b5ca491ef0ce23be979f8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
a1b2ab80af Update the golangci linters
Change-Id: I8938d57e9751913f65b4825a44c252b31888f9e8
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Cosmin Cojocar
8467f012e0 Add more test to cover more use cases for G115 rule
Change-Id: Icb60fe14ae12439c1ee0e507a407a23ce4c64c85
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-21 15:00:06 +02:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally (#1180)
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Cosmin Cojocar
18135b439c
Update to Go 1.23.0 (#1183)
Change-Id: I11a6402e85ac543305e8bad4ea35239779424dd6

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-19 09:17:50 +02:00
renovate[bot]
91c708a620
chore(deps): update all dependencies (#1182)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-08-19 08:58:30 +02:00
Cosmin Cojocar
92bac42afc
Read the AI API key also from an environment variable (#1181)
* Read the AI API key also from an environment variable

Change-Id: If18fd025ab2ef68a3690f8a69d1c8894e44a87ef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* Fix lint warning

Change-Id: Icd3eb8a029764db76596c3e171275c03a23f8cef
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-18 17:59:45 +02:00
Tran The Lam
56f943b802
Add support to generate auto fixes using LLM (AI) (#1177)
This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on Gemini API to get a suggestion for a solution. This can be later extended, to integrate also other AI providers.

---------

Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: ccoVeille <3875889+ccoVeille@users.noreply.github.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
2024-08-12 12:52:41 +02:00
renovate[bot]
f33fd4bf29 chore(deps): update all dependencies 2024-08-12 10:21:07 +02:00
renovate[bot]
55a47f3774 chore(deps): update all dependencies 2024-08-05 17:38:32 +02:00
renovate[bot]
a5d9ef67e2 chore(deps): update all dependencies 2024-07-29 10:58:28 +02:00
renovate[bot]
68424445af chore(deps): update dependency babel-standalone to v7.24.10 2024-07-23 11:43:16 +02:00
Alex Gartner
08b94f9392 Resolve underlying type to detect overflows in type aliases 2024-07-20 10:06:43 +02:00
renovate[bot]
4487a0c5a2 chore(deps): update dependency babel-standalone to v7.24.8 2024-07-15 09:13:59 +02:00
Alex Gartner
007626773c Fix multifile ignores 2024-07-15 09:00:36 +02:00
Alex Gartner
2f1b81b889 Add -enable-audit cli flag 2024-07-13 11:25:25 +02:00
Cosmin Cojocar
87fcb9b95b Update to go 1.22.5 and 1.21.12
Change-Id: I3334016ed2714ce4aed959d7f19a33e220c000e4
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
2024-07-08 16:00:12 +02:00
renovate[bot]
466992feca chore(deps): update all dependencies 2024-07-08 15:49:41 +02:00
Dimitar Banchev
9a4a741e6b Added more rules
* Rule G406 responsible for the usage of deprecated MD4 and RIPEMD160 added.
* Rules G506, G507 responsible for tracking the usage of the already mentioned libraries added.
* Slight changes in the Makefile(`make clean` wasn't removing all expected files)
* Added license to `analyzer_test.go`
2024-06-25 13:18:27 +02:00
Dimitar Banchev
6382394ce8 Fixed coverage workflow
* Renamed file(removed space)
* Changed the expected issues ( 1 -> 2)
2024-06-24 15:25:54 +02:00
Dimitar Banchev
5666ea35ba Fixed CI workflow
The CI workflow wasn't able to complete succesfully.

* Formatted the call_list_test.go file
2024-06-24 15:25:54 +02:00
Dimitar Banchev
fc0957f6a3 Minor changes
* Renamed the file responsible for rule G401
* Removed copyright of HP from the new rule
2024-06-24 15:25:54 +02:00
Dimitar Banchev
58e4fccc13 Split the G401 rule into two separate ones
Now the G401 rule is split into hashing and encryption algorithms.

G401 is responsible for checking the usage of MD5 and SHA1, with corresponding CWE of 328.
And G405(New rule) is responsible for checking the usege of DES and RC4, with corresponding CWE of 327.
2024-06-24 15:25:54 +02:00
Dimitar Banchev
2e71f37efd Updated G401 corresponding CWE
The corresponding CWE from G401 rule was changed from CWE-326 -> CWE-328.
In my opinion, this CWE suits better the rule.
2024-06-24 15:25:54 +02:00
renovate[bot]
3edc633c24 chore(deps): update docker/build-push-action action to v6 2024-06-24 15:24:22 +02:00
Cosmin Cojocar
2ae137abcf Update to go versions to 1.21.11 and 1.22.4
Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-06-11 21:47:56 +02:00
renovate[bot]
30a8a9c8c3 chore(deps): update all dependencies 2024-06-11 21:31:12 +02:00