// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import "github.com/securego/gosec/v2" // RuleDefinition contains the description of a rule and a mechanism to // create it. type RuleDefinition struct { ID string Description string Create gosec.RuleBuilder } // RuleList contains a mapping of rule ID's to rule definitions and a mapping // of rule ID's to whether rules are suppressed. type RuleList struct { Rules map[string]RuleDefinition RuleSuppressed map[string]bool } // RulesInfo returns all the create methods and the rule suppressed map for a // given list func (rl RuleList) RulesInfo() (map[string]gosec.RuleBuilder, map[string]bool) { builders := make(map[string]gosec.RuleBuilder) for _, def := range rl.Rules { builders[def.ID] = def.Create } return builders, rl.RuleSuppressed } // RuleFilter can be used to include or exclude a rule depending on the return // value of the function type RuleFilter func(string) bool // NewRuleFilter is a closure that will include/exclude the rule ID's based on // the supplied boolean value. func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter { rulelist := make(map[string]bool) for _, rule := range ruleIDs { rulelist[rule] = true } return func(rule string) bool { if _, found := rulelist[rule]; found { return action } return !action } } // Generate the list of rules to use func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList { rules := []RuleDefinition{ // misc {"G101", "Look for hardcoded credentials", NewHardcodedCredentials}, {"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces}, {"G103", "Audit the use of unsafe block", NewUsingUnsafe}, {"G104", "Audit errors not checked", NewNoErrorCheck}, {"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey}, {"G107", "Url provided to HTTP request as taint input", NewSSRFCheck}, {"G108", "Profiling endpoint is automatically exposed", NewPprofCheck}, {"G109", "Converting strconv.Atoi result to int32/int16", NewIntegerOverflowCheck}, {"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck}, {"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal}, {"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris}, {"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig}, {"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts}, // injection {"G201", "SQL query construction using format string", NewSQLStrFormat}, {"G202", "SQL query construction using string concatenation", NewSQLStrConcat}, {"G203", "Use of unescaped data in HTML templates", NewTemplateCheck}, {"G204", "Audit use of command execution", NewSubproc}, // filesystem {"G301", "Poor file permissions used when creating a directory", NewMkdirPerms}, {"G302", "Poor file permissions used when creation file or using chmod", NewFilePerms}, {"G303", "Creating tempfile using a predictable path", NewBadTempFile}, {"G304", "File path provided as taint input", NewReadFile}, {"G305", "File path traversal when extracting zip archive", NewArchive}, {"G306", "Poor file permissions used when writing to a file", NewWritePerms}, // crypto {"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography}, {"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck}, {"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength}, {"G404", "Insecure random number source (rand)", NewWeakRandCheck}, // blocklist {"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5}, {"G502", "Import blocklist: crypto/des", NewBlocklistedImportDES}, {"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4}, {"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI}, {"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1}, // memory safety {"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing}, } ruleMap := make(map[string]RuleDefinition) ruleSuppressedMap := make(map[string]bool) RULES: for _, rule := range rules { ruleSuppressedMap[rule.ID] = false for _, filter := range filters { if filter(rule.ID) { ruleSuppressedMap[rule.ID] = true if !trackSuppressions { continue RULES } } } ruleMap[rule.ID] = rule } return RuleList{ruleMap, ruleSuppressedMap} }