mirror of
https://github.com/securego/gosec.git
synced 2025-01-12 04:45:53 +00:00
0ae0174c25
The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases. This patch refactors the code, and; Introduces a new `GetImportedNames` function, which returns all name(s) and aliase(s) for a package, which effectively combines `GetAliasedName` and `GetImportedName`, but adding support for duplicate imports. The old `GetAliasedName` and `GetImportedName` functions have been rewritten to use the new function and marked deprecated, but could be removed if there are no external consumers. With this patch, the linter is able to detect issues in files such as; package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } Before this patch, only a single issue would be detected: gosec --quiet . [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad With this patch, all issues are identified: gosec --quiet . [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 15: _ = rand2.Intn(2) // bad > 16: _ = rand3.Intn(2) // bad 17: } [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 14: _ = rand.Intn(2) // bad > 15: _ = rand2.Intn(2) // bad 16: _ = rand3.Intn(2) // bad [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH) 13: > 14: _ = rand.Intn(2) // bad 15: _ = rand2.Intn(2) // bad While working on this change, I noticed that ImportTracker.TrackFile() was not able to find import aliases; Analyser.Check() called both ImportTracker.TrackFile() and ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in- correctly included multiple times (once with the correct alias, once with the default). I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker, Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk() already handles the file, and will find all imports. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
53 lines
1.3 KiB
Go
53 lines
1.3 KiB
Go
package gosec_test
|
|
|
|
import (
|
|
. "github.com/onsi/ginkgo/v2"
|
|
. "github.com/onsi/gomega"
|
|
"github.com/securego/gosec/v2"
|
|
"github.com/securego/gosec/v2/testutils"
|
|
)
|
|
|
|
var _ = Describe("Import Tracker", func() {
|
|
Context("when tracking a file", func() {
|
|
It("should parse the imports from file", func() {
|
|
tracker := gosec.NewImportTracker()
|
|
pkg := testutils.NewTestPackage()
|
|
defer pkg.Close()
|
|
pkg.AddFile("foo.go", `
|
|
package foo
|
|
import "fmt"
|
|
func foo() {
|
|
fmt.Println()
|
|
}
|
|
`)
|
|
err := pkg.Build()
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
pkgs := pkg.Pkgs()
|
|
Expect(pkgs).Should(HaveLen(1))
|
|
files := pkgs[0].Syntax
|
|
Expect(files).Should(HaveLen(1))
|
|
tracker.TrackFile(files[0])
|
|
Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fmt"}}))
|
|
})
|
|
It("should parse the named imports from file", func() {
|
|
tracker := gosec.NewImportTracker()
|
|
pkg := testutils.NewTestPackage()
|
|
defer pkg.Close()
|
|
pkg.AddFile("foo.go", `
|
|
package foo
|
|
import fm "fmt"
|
|
func foo() {
|
|
fm.Println()
|
|
}
|
|
`)
|
|
err := pkg.Build()
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
pkgs := pkg.Pkgs()
|
|
Expect(pkgs).Should(HaveLen(1))
|
|
files := pkgs[0].Syntax
|
|
Expect(files).Should(HaveLen(1))
|
|
tracker.TrackFile(files[0])
|
|
Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fm"}}))
|
|
})
|
|
})
|
|
})
|