Commit graph

49 commits

Author SHA1 Message Date
Cosmin Cojocar
c06903addd Fix test that checks the overriden nosec directive
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 14:33:51 +02:00
Cosmin Cojocar
e108c56933 Format the file
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 12:02:48 +02:00
Cosmin Cojocar
d8a6d358dc Ensure the ignores are parsed before analysing the package
In addition this handles the ignores for multi-line issues

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 12:02:48 +02:00
Cosmin Cojocar
0ec6cd95d7 Refactor how ignored issues are tracked
Track ignored issues using file location instead of a AST node. There are issues linked to a different AST node than the original node used to start the scan.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-13 14:11:08 +02:00
Cosmin Cojocar
9120883a15
Fix no-sec alternative tag (#962)
The no-sec alternative tag prepends now automatically the # symbol

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-05-25 11:54:26 +02:00
Matthieu MOREL
68b520165d
enable ginkgolinter linter (#948)
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-04-04 08:52:59 +02:00
Cosmin Cojocar
df14837174
Update to Go 1.20 and fix unit tests (#923)
* Fix unit tests for Go 1.20

* Update to Go 1.20 in the build scripts

* Remove support for 1.18 in the build

* Fix the golangci lint version according to Go version used

* Fix golangci version string

* Fix gci linter warning

* Remove golint in favour of golangci
2023-02-06 14:15:05 +01:00
Cosmin Cojocar
0ba05e160a chore: fix lint warnings
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2022-08-08 10:56:19 +02:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading (#778)
* feat: add concurrency option to parallelize package loading

* refactor: move wg.add inside the for loop

* fix: gracefully stop the workers on error

* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Cosmin Cojocar
ad5d74d5a1
Update to ginkgo v2 (#753) 2022-01-03 18:11:35 +01:00
Yiwei Ding
72f1145f8a
Fix #743 (#748)
* Check if nosec tag is in front of a line

* Use \n instead of a whitespace in a test case
2022-01-03 16:48:42 +01:00
Yiwei Ding
2d1c1a6df7
Track both #nosec and #nosec rulelist for one violation (#741) 2021-12-20 23:33:01 +01:00
Ville Skyttä
d23ab2d997
Remove space between // and #nosec in examples and internal use
Comments intended for machines to read do not have the space by
convention.
2021-12-15 19:31:14 +01:00
Yiwei Ding
35af340d07
Fix #736 (#738) 2021-12-13 17:45:47 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings 2021-12-09 11:53:36 +01:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698) 2021-09-13 09:40:10 +02:00
Marc Brugger
ba23b5e49a
Add possibility to list waived (nosec) marked issues but not count them as such 2021-08-18 13:00:38 +02:00
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build 2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt 2021-05-07 18:04:01 +02:00
Grant Murphy
8630c43b66 Add null pointer check in G601
fixes: #475
2020-05-21 05:51:45 +02:00
Cosmin Cojocar
c6e10af40f Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
3d5c97b418 Add a test sample for Cgo files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Rafael dos Santos
f43a957359 Check for both default and alternative nosec tags (#426)
* Check both nosec tags

* Adjust test to find vulnerabilities

* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Daniel Carlier
8932f702ce Add flag to handle '#nosec' alternative (#346)
* Add logic to check for a #nosec alternative

* Add NoSecAlternative as a new global variable

* Add nosec-tag flag
2019-09-04 10:20:43 +02:00
Cosmin Cojocar
63b44b6681 Add some more tests to make codecov happy
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:56:26 +02:00
Cosmin Cojocar
0ebfa2f8b7
Rework analyzer unit test to pass the go tip version (#318)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-17 15:35:46 +02:00
Cosmin Cojocar
b68ac76dbc Fix formatting
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
3e69a8c8a2 Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
aac9b00845 Refactor properly the package error parsing and cover all test cases
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
625718d294 Refactor the test for Go build errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
bac6f0fb8f Add tests for an empty package without any test file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
76b2c12044 Add a test to cover the processing of empty packages
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
f1ea7f6ee3 Add tests for analyser test pacakge check
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which allows to scan also the tests files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
4dfaf0a997 Refactor the analyzer to process one package at the time
This avoids loading all packages in memory before running the checks.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-28 09:06:52 +02:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
Jon McClintock
429ac07bbd Change the exclude syntax to be a part of #nosec 2018-03-08 19:01:00 +00:00
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
Grant Murphy
485bc31df8 Fix go vet errors in tests 2018-01-30 00:55:35 +00:00
Andrew S. Brown
22dc89384d Do a single build for all packages.
This is much faster because the loader can reuse packages.
2018-01-07 15:02:33 -08:00
Grant Murphy
25d74c6b20 address review comments 2017-12-14 10:04:22 +10:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00