2018-07-19 18:42:25 +02:00
|
|
|
package gosec_test
|
2017-07-19 23:17:00 +02:00
|
|
|
|
|
|
|
import (
|
2017-09-16 02:12:27 +02:00
|
|
|
"go/ast"
|
|
|
|
|
2017-07-19 23:17:00 +02:00
|
|
|
. "github.com/onsi/ginkgo"
|
|
|
|
. "github.com/onsi/gomega"
|
2020-04-01 22:18:39 +02:00
|
|
|
"github.com/securego/gosec/v2"
|
|
|
|
"github.com/securego/gosec/v2/rules"
|
|
|
|
"github.com/securego/gosec/v2/testutils"
|
2017-07-19 23:17:00 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
var _ = Describe("Issue", func() {
|
|
|
|
|
|
|
|
Context("when creating a new issue", func() {
|
2017-09-16 02:12:27 +02:00
|
|
|
It("should create a code snippet from the specified ast.Node", func() {
|
|
|
|
var target *ast.BasicLit
|
|
|
|
source := `package main
|
|
|
|
const foo = "bar"
|
|
|
|
func main(){
|
|
|
|
println(foo)
|
|
|
|
}
|
|
|
|
`
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("foo.go", source)
|
|
|
|
ctx := pkg.CreateContext("foo.go")
|
|
|
|
v := testutils.NewMockVisitor()
|
2018-07-19 18:42:25 +02:00
|
|
|
v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
2017-09-16 02:12:27 +02:00
|
|
|
if node, ok := n.(*ast.BasicLit); ok {
|
|
|
|
target = node
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
v.Context = ctx
|
|
|
|
ast.Walk(v, ctx.Root)
|
|
|
|
Expect(target).ShouldNot(BeNil())
|
|
|
|
|
2018-07-19 18:42:25 +02:00
|
|
|
issue := gosec.NewIssue(ctx, target, "TEST", "", gosec.High, gosec.High)
|
2017-09-16 02:12:27 +02:00
|
|
|
Expect(issue).ShouldNot(BeNil())
|
|
|
|
Expect(issue.Code).Should(MatchRegexp(`"bar"`))
|
2017-10-01 02:31:39 +02:00
|
|
|
Expect(issue.Line).Should(Equal("2"))
|
2020-01-03 11:56:21 +02:00
|
|
|
Expect(issue.Col).Should(Equal("16"))
|
2019-10-31 10:22:38 +02:00
|
|
|
Expect(issue.Cwe.ID).Should(Equal(""))
|
2017-07-19 23:17:00 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
It("should return an error if specific context is not able to be obtained", func() {
|
2017-12-13 08:35:28 +02:00
|
|
|
Skip("Not implemented")
|
2017-07-19 23:17:00 +02:00
|
|
|
})
|
|
|
|
|
2020-04-14 09:50:02 +02:00
|
|
|
It("should construct file path based on line and file information", func() {
|
|
|
|
var target *ast.AssignStmt
|
|
|
|
|
|
|
|
source := `package main
|
|
|
|
import "fmt"
|
|
|
|
func main() {
|
|
|
|
username := "admin"
|
|
|
|
password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
|
|
|
|
fmt.Println("Doing something with: ", username, password)
|
|
|
|
}`
|
|
|
|
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("foo.go", source)
|
|
|
|
ctx := pkg.CreateContext("foo.go")
|
|
|
|
v := testutils.NewMockVisitor()
|
|
|
|
v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
|
|
|
if node, ok := n.(*ast.AssignStmt); ok {
|
|
|
|
if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "password" {
|
|
|
|
target = node
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
v.Context = ctx
|
|
|
|
ast.Walk(v, ctx.Root)
|
|
|
|
Expect(target).ShouldNot(BeNil())
|
|
|
|
|
|
|
|
// Use hardcodeded rule to check assignment
|
|
|
|
cfg := gosec.NewConfig()
|
|
|
|
rule, _ := rules.NewHardcodedCredentials("TEST", cfg)
|
|
|
|
issue, err := rule.Match(target, ctx)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(issue).ShouldNot(BeNil())
|
|
|
|
Expect(issue.FileLocation()).Should(MatchRegexp("foo.go:5"))
|
|
|
|
})
|
|
|
|
|
2017-07-19 23:17:00 +02:00
|
|
|
It("should provide accurate line and file information", func() {
|
2017-12-13 08:35:28 +02:00
|
|
|
Skip("Not implemented")
|
2017-07-19 23:17:00 +02:00
|
|
|
})
|
|
|
|
|
2017-09-16 02:12:27 +02:00
|
|
|
It("should provide accurate line and file information for multi-line statements", func() {
|
|
|
|
var target *ast.BinaryExpr
|
|
|
|
|
|
|
|
source := `package main
|
|
|
|
import "os"
|
|
|
|
func main(){`
|
2018-07-19 18:42:25 +02:00
|
|
|
source += "q := `SELECT * FROM table WHERE` + \n os.Args[1] + `= ?` // nolint: gosec\n"
|
2017-09-16 02:12:27 +02:00
|
|
|
source += `println(q)}`
|
|
|
|
|
|
|
|
pkg := testutils.NewTestPackage()
|
|
|
|
defer pkg.Close()
|
|
|
|
pkg.AddFile("foo.go", source)
|
|
|
|
ctx := pkg.CreateContext("foo.go")
|
|
|
|
v := testutils.NewMockVisitor()
|
2018-07-19 18:42:25 +02:00
|
|
|
v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
|
2017-09-16 02:12:27 +02:00
|
|
|
if node, ok := n.(*ast.BinaryExpr); ok {
|
|
|
|
target = node
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
v.Context = ctx
|
|
|
|
ast.Walk(v, ctx.Root)
|
|
|
|
Expect(target).ShouldNot(BeNil())
|
|
|
|
|
|
|
|
// Use SQL rule to check binary expr
|
2018-07-19 18:42:25 +02:00
|
|
|
cfg := gosec.NewConfig()
|
2017-10-05 23:32:03 +02:00
|
|
|
rule, _ := rules.NewSQLStrConcat("TEST", cfg)
|
2017-09-16 02:12:27 +02:00
|
|
|
issue, err := rule.Match(target, ctx)
|
|
|
|
Expect(err).ShouldNot(HaveOccurred())
|
|
|
|
Expect(issue).ShouldNot(BeNil())
|
|
|
|
Expect(issue.File).Should(MatchRegexp("foo.go"))
|
|
|
|
Expect(issue.Line).Should(MatchRegexp("3-4"))
|
2020-01-03 11:56:21 +02:00
|
|
|
Expect(issue.Col).Should(Equal("21"))
|
2017-09-16 02:12:27 +02:00
|
|
|
})
|
|
|
|
|
2017-07-19 23:17:00 +02:00
|
|
|
It("should maintain the provided severity score", func() {
|
2017-12-13 08:35:28 +02:00
|
|
|
Skip("Not implemented")
|
2017-07-19 23:17:00 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
It("should maintain the provided confidence score", func() {
|
2017-12-13 08:35:28 +02:00
|
|
|
Skip("Not implemented")
|
2017-07-19 23:17:00 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
})
|