Cosmin Cojocar
e57efa8482
Fix a panic in suproc rule when the declaration of the variable is not available in the AST ( #728 )
2021-11-16 21:41:26 +01:00
Cosmin Cojocar
55c6ceaaa6
Fix crash when parsing the TLS min version value ( #724 )
2021-11-09 21:59:53 +01:00
Ville Skyttä
40fa36d1de
G303: catch with os.WriteFile, add os.Create test case ( #718 )
...
* Add G303 os.Create test case
* Catch G303 with os.WriteFile too
2021-11-09 21:13:45 +01:00
Eng Zer Jun
7fd4aef9dc
feat: add os.ReadFile to G304 ( #706 )
...
In Go 1.16 or higher, the `io/ioutil` has been deprecated and the
`ioutil.ReadFile` function now calls `os.ReadFile`.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-10-14 09:53:26 +02:00
Yuval Kashtan
1933cba5b5
Add os.Unsetenv to NoErrorCheck whitelist ( #702 )
...
it always return nil err
2021-10-05 19:30:34 +02:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci ( #698 )
2021-09-13 09:40:10 +02:00
Cosmin Cojocar
d3309fb4f5
Add a more generic message for rule g204 ( #688 )
2021-08-19 15:18:20 +02:00
Cosmin Cojocar
f285d612b5
Fix formatting issues with gofumpt ( #685 )
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-08-18 13:16:21 +02:00
Nanik
5a131be2ec
fix: add more rules for G204 ( #677 )
...
* fix: add more rules for G204
* fix: add extra test and comment
2021-08-16 11:31:51 +02:00
Marc Brugger
62db81342e
Allow excluding generated files
2021-08-04 17:33:20 +02:00
Lars
d4dc2d2df5
Improve the G307 rule
...
* Add G307 sample code.
The sample should reflect a defered close that leads to data loss.
Due to IDE auto-complete people tend at least log errors, but not
really care about handling.
* Add more G307 sample code. Propose a way to implement
* Remove unused code. Add example that should not return an error but does
* Remove test for synced closed file for now.
Will add this later
Co-authored-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2021-07-31 23:03:09 +02:00
Nanik
9535c9e3e1
fix: add variable assignment checking as part of MinVersion ( #669 )
...
* fix: add variable assignment checking as part of MinVersion
* fix: add more code to allow assignment with const
* fix: rework the code and add more test cases for MinVersion
* fix: format linting issue using gofumpt
2021-07-27 22:03:59 +02:00
Nanik
2a4064d45d
feat: adding new keyword for hardcoded credentials ( #666 )
2021-07-19 11:23:39 +02:00
Josh Kaufman
514f65f3c3
Add G204 rule for sys/execabs ( #660 )
...
* Add G204 rule for sys/execabs
* syntax error in testutils/sources.go
2021-07-01 17:43:25 +02:00
エガオノキミヘ
3c230ac0f7
errors.go: add Hash.Write() to the white list. ( #648 )
2021-06-13 13:30:49 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build
2021-05-31 10:44:12 +02:00
Matthieu MOREL
4df7f1c3e9
Fix typos, Go Report link and Gofmt
2021-05-07 18:04:01 +02:00
Chris Bandy
27a5ffb5c8
Quiet warnings about integer truncation ( #586 )
...
Both MinVersion and MaxVersion of crypto/tls.Config are uint16, so the
int16 fields of rules.insecureConfigTLS are too small. GetInt()
interprets integer literals as fitting within 64-bits, so simplify
things by using int64.
2021-03-03 10:05:33 +01:00
Matouš Dzivjak
1fce46151c
fix: WriteParams rule to work also with golang 1.16 ( #577 )
...
In go 1.16 the `ioutil` package was deprecated and
the functions should be replaced by their equivalents
in either `io` or `os` packages. This means,
that `ioutil.WriteFile` should be replaced by
`os.WriteFile` instead. To account for this change
and to detect incorrect permissions also for `os.WriteFile`
I changed `filePermissions` rule slightly to allows
specifying multiple packages that can contain given
function and that we should check. This workaround
can be removed after a sufficient time has passed
and after it is decided that checking `os.WriteFile`
is enough.
Fixes: https://github.com/securego/gosec/issues/576
2021-02-22 09:22:04 +01:00
Cosmin Cojocar
897c203e62
Reset the state of TLS rule after each version check ( #570 )
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2021-02-11 10:52:16 +01:00
Chris Bandy
e100f6b862
Assert that sample code compiles
2021-01-04 09:28:00 +01:00
Jeff Widman
9fe0b2e21a
Fix typo ( #547 )
2020-12-11 09:34:38 +01:00
Cosmin Cojocar
13519fda59
Update the tls configuration generate to handle also the NSS alternative names
...
Regenerate the configuration of TLS rule.
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-09-03 10:54:08 +02:00
Cosmin Cojocar
f13b8bc639
Add also filepath.Rel as a sanitization method for input argument in the G304 rule
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
Cosmin Cojocar
047729a84f
Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
...
Signed-off-by: Cosmin Cojocar <ccojocar@cloudbees.com>
2020-08-19 09:40:07 +02:00
ggkitsas
b60ddc21ba
feat: adds support for path.Join and for tar archives in G305
2020-08-03 09:17:45 +02:00
Cosmin Cojocar
110b62b05f
Add io.CopyBuffer function to rule G110
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-07-29 14:25:45 +02:00
Cosmin Cojocar
ade81d3873
Rename file for consistency
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-29 13:52:47 +02:00
evalphobia
03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
Cosmin Cojocar
55d368f2e5
Improve the TLS version checking
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
Cosmin Cojocar
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
Cosmin Cojocar
6bbf8f9cbc
Extend the insecure random rule with more insecure random functions
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
Cosmin Cojocar
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Cosmin Cojocar
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
...
In addition makes pattern matching used by the rules cases insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
Grant Murphy
8630c43b66
Add null pointer check in G601
...
fixes : #475
2020-05-21 05:51:45 +02:00
Vitaly Velikodny
668512fc5c
Update bad_defer.go
...
Fix a mistake in the message:
> G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
type and method changed
2020-05-06 16:23:04 +02:00
Caccavale
ee3146e637
Rule which detects aliasing of values in RangeStmt
2020-04-24 07:46:25 -07:00
Cosmin Cojocar
fb44007c6e
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
Cosmin Cojocar
802292c54f
Fix the configuration parsing for hardcoded credentials
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-15 07:21:19 -07:00
Cosmin Cojocar
c6e10af40f
Handle properly the gosec module version v2
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
Cosmin Cojocar
cf2590442c
Fix the subproc rule to handle correctly the CommandContext check
...
In this case, we need to skip the first argument because it is the context.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Cosmin Cojocar
f97f86103c
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
...
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
Sam Caccavale
7525fe4bb7
Rule for defering methods which return errors ( #441 )
2020-03-01 21:45:37 +01:00
Sam Caccavale
a305f10eb9
Fileperms ( #442 )
2020-02-28 12:48:18 +01:00
Cosmin Cojocar
3e069e7756
Fix the errors rule whitelist to work on types methods
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
Hiroki Suezawa
459e2d3e91
Modify rule for integer overflow to have more acurate results ( #434 )
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
Hiroki Suezawa
a4d7b3628b
Add G110(Potential DoS vulnerability via decompression bomb)
...
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
Hiroki Suezawa
9cb83e10af
Add a rule which detects when there is potential integer overflow ( #422 )
...
* Add G109(Potential Integer OverFlow Detection)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* add CWE to G109(Potential Integer Overflow)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Modify G109 to use gosec.Context
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Cosmin Cojocar
50e1fe267d
Improve the SSRF rule to report an issue for package scoped variables
...
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
Cosmin Cojocar
29341f6e9c
Fix the rule G108/pporf to handle the case when the pporf import has not name
...
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00