Commit graph

212 commits

Author SHA1 Message Date
Tim Kelsey
45f3b5f671 Creating blacklist import rules
Creating a new generic blacklist rule and removing the older
specific ones. This will need configuration integration when
we have some.

The new test is immune to import aliasing but not shadowing
2016-08-05 12:58:27 +01:00
Tim Kelsey
d2d49f1c8c Try to resolve all elements in an expression to a known const
This is used in the subprocess launching test but will be added to
others as applicable.

This also closes #28
2016-08-03 17:21:48 +01:00
Tim Kelsey
d4367de2e2 Adding a config block to the analyzer, parsed from JSON
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Grant Murphy
cee5fad4c3 Fix incorrect regexp matches
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression -  `^ioutils.WriteFile$' would match
ioutils.WriteFile, but also ioutils_WriteFile.

Additionally made sure that all regexp were declared using raw
strings to avoid any unnecesary string escaping that potentially
make the regexp difficult to read.
2016-07-30 13:29:33 -07:00
Grant Murphy
b659538aa8 Merge pull request #26 from HewlettPackard/fix_annotations
Fixing annotations
2016-07-29 07:24:05 -07:00
Tim Kelsey
68aac2539a Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it wont be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Grant Murphy
28f0f1abe8 Merge pull request #23 from csstaub/cs/detect-math-rand
Detect use of rand.Read from math/rand
2016-07-28 13:20:38 -07:00
Cedric Staub
c53af75658
Detect use of rand.Read from math/rand 2016-07-28 11:26:34 -07:00
Cedric Staub
3cd0ebee96 Smarter hard-coded credentials check
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
2016-07-27 22:51:34 -07:00
Tim Kelsey
3e4d96ef3e Better SQLi testing
This prevents the string concat tests flagging a false positive if
joining two literal strings (eg "SELECT * FROM " + " table" ... )
or with a constant (eg const tab = "name"; "SELECT * from " + tab)
2016-07-27 15:47:07 +01:00
Tim Kelsey
361593394e Adding check for httpoxy
Go code running under CGI is vulnerable to httpoxy attack. See
https://httpoxy.org/ this checks for an import of net/http/cgi
that might indicate code may be run under CGI.

closes #1
2016-07-21 16:30:09 +01:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00