Cosmin Cojocar
f13b8bc639
Add also filepath.Rel as a sanitization method for input argument in the G304 rule
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba
feat: adds support for path.Join and for tar archives in G305
2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f
Add io.CopyBuffer function to rule G110
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
Cosmin Cojocar
ade81d3873
Rename file for consistency
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-29 13:52:47 +02:00
evalphobia
03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5
Improve the TLS version checking
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
6bbf8f9cbc
Extend the insecure random rule with more insecure random functions
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
...
In addition makes pattern matching used by the rules cases insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66
Add null pointer check in G601
...
fixes : #475
2020-05-21 05:51:45 +02:00
Vitaly Velikodny
668512fc5c
Update bad_defer.go
...
Fix a mistake in the message:
> G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
type and method changed
2020-05-06 16:23:04 +02:00
Caccavale
ee3146e637
Rule which detects aliasing of values in RangeStmt
2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
802292c54f
Fix the configuration parsing for hardcoded credentials
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c6e10af40f
Handle properly the gosec module version v2
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
cf2590442c
Fix the subproc rule to handle correctly the CommandContext check
...
In this case, we need to skip the first argument because it is the context.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
...
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors ( #441 )
2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms ( #442 )
2020-02-28 12:48:18 +01:00
Cosmin Cojocar
3e069e7756
Fix the errors rule whitelist to work on types methods
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91
Modify rule for integer overflow to have more acurate results ( #434 )
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b
Add G110(Potential DoS vulnerability via decompression bomb)
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Hiroki Suezawa
9cb83e10af
Add a rule which detects when there is potential integer overflow ( #422 )
...
* Add G109(Potential Integer OverFlow Detection)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* add CWE to G109(Potential Integer Overflow)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Modify G109 to use gosec.Context
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Cosmin Cojocar
50e1fe267d
Improve the SSRF rule to report an issue for package scoped variables
...
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
29341f6e9c
Fix the rule G108/pporf to handle the case when the pporf import has not name
...
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00
Cosmin Cojocar
9cee24cccd
Add a rule which detects when pprof endpoint is automatically exposed
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Martin Vrachev
709ed1ba65
Change rule G204 to be less restrictive ( #339 )
...
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.
With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables
Closes: https://github.com/securego/gosec/issues/338
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
Cosmin Cojocar
338b50debb
Remove rule G105 which detects the use of math/big#Int.Exp
...
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184 ).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
81b6dc8872
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
f3445245a2
Fix the whitelist on G104 rule and add a test
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:15:11 +02:00
Cosmin Cojocar
78a49491a8
Load rules on each code sample in order to reconfigure them
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48
Refactor the rules tests to be able to configure the analyzer config per test sample
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Ben Bytheway
04dc713f22
One approach for fixing the false positive identified in #325 .
2019-06-13 08:22:48 +10:00
Cosmin Cojocar
3af4ae9ddb
Fix some lint warnings
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b49c9532a8
Add a flag which allows to scan also the tests files
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Martin Vrachev
62b5195dd9
Report for Golang errors ( #284 )
...
* Report for Golang errors
Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.
The real problem here is that the user will never know about the issue if he generates the output in a file.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration ( #274 )
...
* Define more explicit the global options in the configuration
* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558
Do not flag the unhandled errors which are explicitly ignored
...
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
24e3094d2a
Extend the bind rule to handle the case when the net.Listen address in provided from a const
2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-04 09:22:06 +01:00
Edoardo Tenani
adb42220da
whitelist strings.Builder method in rule G104
2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4
Make G201 ignore CallExpr with no args ( #262 )
2018-11-05 09:28:47 +01:00
Oleksandr Redko
3116b07de4
Fix typos in comments and rulelist ( #256 )
2018-10-11 14:45:31 +02:00
Cosmin Cojocar
64d58c2e51
Refactor the test code sample to support multiple files per sample
2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a
Fix false positives for SQL string concatenation with constants from another file ( #247 )
...
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Dale Hui
762ff3a709
Allow quoted strings to be used to format SQL queries ( #240 )
...
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
cschoenduve-splunk
145f1a0bf4
Removed wrapping feature ( #238 )
2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8
G107 - SSRF ( #236 )
...
* Initial SSRF Rule
* Added Selector evaluation
* Added source code tests
* Fixed spacing issues
* Fixed Spacingv2
* Removed resty test
2018-09-04 08:55:03 +02:00
cschoenduve-splunk
7fd94463ed
update to G304 which adds binary expressions and file joining ( #233 )
...
* Added features to G304
* Linted
* Added path selectors
* Used better solution
* removed debugging lines
* fixed comments
* Added test code
* fixed a spacing change
2018-08-28 14:34:07 +10:00
cschoenduve-splunk
b6891998ce
Add Fprintf to Rule G201
2018-08-21 09:31:38 +02:00
cschoenduve-splunk
a7cff91312
Small update to G201 and added ConcatString Function ( #228 )
2018-08-19 19:57:36 +02:00
Cosmin Cojocar
8dfa8dc015
Update README
2018-08-08 16:41:34 +02:00
Cosmin Cojocar
fb0dc73a96
Add sha1 to weak crypto primitives
2018-08-08 16:38:57 +02:00
Will Roden
6a156e2695
Merge branch 'master' into commandcontext
2018-07-26 09:13:43 -05:00
Cosmin Cojocar
893b87b343
Replace gas with gosec everywhere in the project
2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org ( #214 )
2018-07-19 17:40:28 +10:00
Cosmin Cojocar
1923b6d18e
Rule which detects a potential path traversal when extracting zip archives ( #208 )
...
* Add a rule which detects file path traversal when extracting zip archive
* Detect if any argument is derived from zip.File
* Drop support for Go version 1.8
2018-07-18 22:31:07 +10:00
Will Roden
d7ec2fce7a
add CommandContext as subprocess launcher
2018-06-03 16:43:28 -05:00
cosmincojocar
4ae8c95b40
Add an option for Go build tags ( #201 )
...
* Add an option for Go build tags
* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
cosmincojocar
c25269ef39
Regenerate the TLS config ( #199 )
2018-04-16 15:44:11 +10:00
cosmincojocar
e809226800
Build improvments ( #179 )
...
* Add a semantic version to the usage text
* Add a comment to the version function
* Inject the version, git tag and build date as build variables
* Update README
* Fix lint warnings
* Update README
* Manage dependencies with dep tool instead of godep
* Add a Makefile for common build tasks
* Update the build file to use the make tool
* Update Dockerfile
* Add docker entry point in to make the passing of arguments easy
* Update README
* Add missing tools to the build
* Drop 1.7 support and add 1.10
* Fix Go 1.10 according with the travis guidelines
https://docs.travis-ci.com/user/languages/go/
* Update the tls-observatory package
* Fix lint warnings
* Change the output of the tests to be more verbose
* Check if the are build errors before executing the rule test
2018-03-13 08:57:10 +10:00
jonmcclintock
2115402409
Add the rule ID to issues ( #188 )
2018-03-12 18:18:44 +10:00
Grant Murphy
66aea5cd99
fix gofmt errors
2018-03-09 12:49:01 +10:00
Grant Murphy
90fe5cb5ab
Port readfile rule to include ID and metadata
2018-03-09 11:27:41 +10:00
Grant Murphy
58a48c471c
Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule
2018-03-09 10:54:34 +10:00
andyleap
f3c8d59863
Switch to valuespec instead of gendecl for hardcoded credential rule ( #186 )
2018-03-09 09:49:49 +10:00
coredefend
e76b258456
New Rule Tainted file ( #183 )
...
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178 )
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
* Add nil pointer check to rule. (#181 )
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
* Add support for YAML output format (#177 )
* Add YAML output format
* Update README
* added rule to check for tainted file path
* added #nosec to main/issue.go
* updated test case import
2018-03-09 09:23:27 +10:00
Jon McClintock
6b484e734e
Run gofmt
2018-03-03 00:03:39 +00:00
Jon McClintock
1429033aca
Add support for #excluding specific rules
2018-03-02 23:44:51 +00:00
Grant Murphy
c6183b4d5c
Add nil pointer check to rule. ( #181 )
...
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.
Relates to #174
2018-02-28 04:29:25 +10:00
cosmincojocar
edb362fc9d
Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation ( #178 )
...
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration
* Update README
* Remove trailing space in README
* Update dependencies
* Fix the commends of the generated functions
2018-02-21 15:59:18 +10:00
cosmincojocar
1c58cbd378
Make the folder permissions more permissive to avoid false positives ( #175 )
2018-02-15 19:53:01 +10:00
Cosmin Cojocar
230d286f4e
Fix gofmt formatting
2018-02-10 20:04:58 +01:00
Grant Murphy
6b28d5c0e6
Merge pull request #166 from cosmincojocar/fprint_whitelist
...
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
2018-02-08 11:54:44 +10:00
Cosmin Cojocar
6cd7a6d7fe
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
2018-02-07 14:13:17 +01:00
Cosmin Cojocar
179c178924
Add some review fixes
2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 16:56:26 +01:00
Grant Murphy
a97a196160
Unused import
2018-01-30 09:35:35 +10:00
Grant Murphy
7c7fe752b6
Fix go vet errors in tests
2018-01-30 09:32:04 +10:00
Jon McClintock
1ca335016a
Rebase to master
2018-01-22 18:45:07 +00:00
Jon McClintock
8eb9cc02a4
Adjust SQL format-string rules to ignore inherently safe formats
2018-01-22 18:34:57 +00:00
Grant Murphy
085e0f65af
Merge pull request #150 from GoASTScanner/experimental
...
Use explicit packages in call lists
2018-01-05 23:14:24 +10:00
Grant Murphy
aecbc873ef
Use explicit packages in call lists
...
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145 , this removes it to expect explicit packages
for each rule.
Closes #145
2018-01-05 23:05:53 +10:00
Grant Murphy
9a2bec1cd0
Merge pull request #149 from GoASTScanner/experimental
...
Fix nil pointer dereference in complit types
2018-01-05 22:20:21 +10:00
Grant Murphy
b6f85d50da
Fix nil pointer dereference in complit types
2018-01-05 22:19:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental
...
Merge experimental / refactor
2018-01-05 22:08:59 +10:00
Grant Murphy
e925d3c347
Migrated old test cases.
2017-12-28 16:54:10 +10:00
Grant Murphy
af25ac1f6e
fix golint errors picked up by hound-ci
2017-12-13 22:35:47 +10:00
Grant Murphy
cfa432729c
fix hound-ci errors
2017-12-13 17:39:00 +10:00
Grant Murphy
3caf7c3154
Add test cases
2017-09-16 10:12:27 +10:00
Cosmin Cojocar
c36954f04a
Add the CHACHA20 to good ciphers in modern tls check
2017-08-30 16:00:56 +02:00
Grant Murphy
6943f9e5e4
Major rework of codebase
...
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
65b18da711
Hack to address circular dependency in rulelist
2017-05-09 21:26:12 -07:00
Grant Murphy
bf78d027a9
Restructure and introduce a standalone config
2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0
Restructure to focus on lib rather than cli
2017-04-26 08:08:46 -07:00
Cosmin Cojocar
5b71c2b05f
Add a test for math/big.Int.Exp rule
2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd
Add a rule for big.Exp function call
2017-04-10 14:25:48 +02:00
mockturtl
b74c83e7e7
BindsToAllNetworkInterfaces should check TLS also
2017-03-28 13:24:22 -04:00