Currently, if you download the gosec binary using the commands
suggested in the README and you decide to check the checksum
of the binary, you just downloaded then your checksum check will fail.
As a result, the user can think that your binary is corrupted.
The reason for that failure is that the checksums are for the
tar.gz files provided in the release notes.
This should be documented to avoid future unclarities.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
* Fix formating in README
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Split the various test goals in the Makefile
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Remove the prerequisites from README since they are automatically installed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Remove unnecessary install steps from Travis CI build
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Make sure golint is installed before running the lint command
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
* Make sure ginkgo command is installed before running the tests
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
1. Example config json included a trailing comma, even though as we obviously know this is how things should be, JSON does not agree and the parser fails miserably
2. Flag was incorrectly stated as -config in the README, the correct flag is -conf
3. Example command did not work as did not include final dot to examine the current pkg.
* ignore the temporary image file used for builds
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOPATH in the Dockerfile
It is already set in the golang:1.10.3-alpine3.8 image.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* no need for GOROOT in Dockerfile
The correct value is embedded in the go tool.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* bump Dockerfile golang to 1.10.4
The latest golang version thus far.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* replace docker-entrypoint.sh with the gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* git ignore gosec binary
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* refactor Dockerfile into multi-stage
First stage does the build in a pristine alpine environment. Second
stage is a minimal image with just the necessary stuff to run the
compiled binary. Also added packages for gcc and musl-dev so cgo can do
its thang.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* fix the image execution example in README.md
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
This fixes a couple issues found in the README in the development
section:
* There was no information provided on dependencies. Both go/dep
and golint are required to run make.
* To run the tests, the command 'make test' not 'make tests' has
to be used.
* Add a semantic version to the usage text
* Add a comment to the version function
* Inject the version, git tag and build date as build variables
* Update README
* Fix lint warnings
* Update README
* Manage dependencies with dep tool instead of godep
* Add a Makefile for common build tasks
* Update the build file to use the make tool
* Update Dockerfile
* Add docker entry point in to make the passing of arguments easy
* Update README
* Add missing tools to the build
* Drop 1.7 support and add 1.10
* Fix Go 1.10 according with the travis guidelines
https://docs.travis-ci.com/user/languages/go/
* Update the tls-observatory package
* Fix lint warnings
* Change the output of the tests to be more verbose
* Check if the are build errors before executing the rule test
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
* Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177)
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions