2017-04-28 23:46:26 +02:00
|
|
|
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package rules
|
|
|
|
|
2020-04-01 22:18:39 +02:00
|
|
|
import "github.com/securego/gosec/v2"
|
2017-04-28 23:46:26 +02:00
|
|
|
|
2017-12-13 09:39:00 +02:00
|
|
|
// RuleDefinition contains the description of a rule and a mechanism to
|
|
|
|
// create it.
|
2017-04-28 23:46:26 +02:00
|
|
|
type RuleDefinition struct {
|
2017-10-05 23:32:03 +02:00
|
|
|
ID string
|
2017-04-28 23:46:26 +02:00
|
|
|
Description string
|
2018-07-19 18:42:25 +02:00
|
|
|
Create gosec.RuleBuilder
|
2017-04-28 23:46:26 +02:00
|
|
|
}
|
|
|
|
|
2021-12-09 12:53:36 +02:00
|
|
|
// RuleList contains a mapping of rule ID's to rule definitions and a mapping
|
|
|
|
// of rule ID's to whether rules are suppressed.
|
|
|
|
type RuleList struct {
|
|
|
|
Rules map[string]RuleDefinition
|
|
|
|
RuleSuppressed map[string]bool
|
|
|
|
}
|
2017-04-28 23:46:26 +02:00
|
|
|
|
2021-12-09 12:53:36 +02:00
|
|
|
// RulesInfo returns all the create methods and the rule suppressed map for a
|
|
|
|
// given list
|
|
|
|
func (rl RuleList) RulesInfo() (map[string]gosec.RuleBuilder, map[string]bool) {
|
2018-07-19 18:42:25 +02:00
|
|
|
builders := make(map[string]gosec.RuleBuilder)
|
2021-12-09 12:53:36 +02:00
|
|
|
for _, def := range rl.Rules {
|
2017-10-05 23:32:03 +02:00
|
|
|
builders[def.ID] = def.Create
|
2017-05-10 06:26:12 +02:00
|
|
|
}
|
2021-12-09 12:53:36 +02:00
|
|
|
return builders, rl.RuleSuppressed
|
2017-05-10 06:26:12 +02:00
|
|
|
}
|
|
|
|
|
2017-12-13 09:39:00 +02:00
|
|
|
// RuleFilter can be used to include or exclude a rule depending on the return
|
|
|
|
// value of the function
|
2017-04-28 23:46:26 +02:00
|
|
|
type RuleFilter func(string) bool
|
|
|
|
|
2017-12-13 09:39:00 +02:00
|
|
|
// NewRuleFilter is a closure that will include/exclude the rule ID's based on
|
|
|
|
// the supplied boolean value.
|
2017-04-28 23:46:26 +02:00
|
|
|
func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter {
|
|
|
|
rulelist := make(map[string]bool)
|
|
|
|
for _, rule := range ruleIDs {
|
|
|
|
rulelist[rule] = true
|
|
|
|
}
|
|
|
|
return func(rule string) bool {
|
|
|
|
if _, found := rulelist[rule]; found {
|
|
|
|
return action
|
|
|
|
}
|
|
|
|
return !action
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate the list of rules to use
|
2021-12-09 12:53:36 +02:00
|
|
|
func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList {
|
2017-10-05 23:32:03 +02:00
|
|
|
rules := []RuleDefinition{
|
2017-04-28 23:46:26 +02:00
|
|
|
// misc
|
2018-03-03 02:03:39 +02:00
|
|
|
{"G101", "Look for hardcoded credentials", NewHardcodedCredentials},
|
|
|
|
{"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
|
|
|
|
{"G103", "Audit the use of unsafe block", NewUsingUnsafe},
|
|
|
|
{"G104", "Audit errors not checked", NewNoErrorCheck},
|
|
|
|
{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
|
2018-09-04 08:55:03 +02:00
|
|
|
{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
|
2019-09-20 10:46:06 +02:00
|
|
|
{"G108", "Profiling endpoint is automatically exposed", NewPprofCheck},
|
2020-01-06 10:55:52 +02:00
|
|
|
{"G109", "Converting strconv.Atoi result to int32/int16", NewIntegerOverflowCheck},
|
2020-01-19 21:40:19 +02:00
|
|
|
{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},
|
2022-03-06 11:58:47 +02:00
|
|
|
{"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal},
|
2022-04-30 12:38:50 +02:00
|
|
|
{"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris},
|
2022-06-03 00:19:51 +02:00
|
|
|
{"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig},
|
2017-04-28 23:46:26 +02:00
|
|
|
|
|
|
|
// injection
|
2018-03-03 02:03:39 +02:00
|
|
|
{"G201", "SQL query construction using format string", NewSQLStrFormat},
|
|
|
|
{"G202", "SQL query construction using string concatenation", NewSQLStrConcat},
|
|
|
|
{"G203", "Use of unescaped data in HTML templates", NewTemplateCheck},
|
|
|
|
{"G204", "Audit use of command execution", NewSubproc},
|
2017-04-28 23:46:26 +02:00
|
|
|
|
|
|
|
// filesystem
|
2018-03-03 02:03:39 +02:00
|
|
|
{"G301", "Poor file permissions used when creating a directory", NewMkdirPerms},
|
2018-10-11 14:45:31 +02:00
|
|
|
{"G302", "Poor file permissions used when creation file or using chmod", NewFilePerms},
|
2018-03-03 02:03:39 +02:00
|
|
|
{"G303", "Creating tempfile using a predictable path", NewBadTempFile},
|
2018-03-09 04:49:01 +02:00
|
|
|
{"G304", "File path provided as taint input", NewReadFile},
|
2018-07-18 14:31:07 +02:00
|
|
|
{"G305", "File path traversal when extracting zip archive", NewArchive},
|
2020-02-28 13:48:18 +02:00
|
|
|
{"G306", "Poor file permissions used when writing to a file", NewWritePerms},
|
2020-03-01 22:45:37 +02:00
|
|
|
{"G307", "Unsafe defer call of a method returning an error", NewDeferredClosing},
|
2017-04-28 23:46:26 +02:00
|
|
|
|
|
|
|
// crypto
|
2018-08-08 16:41:34 +02:00
|
|
|
{"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography},
|
2018-03-03 02:03:39 +02:00
|
|
|
{"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck},
|
|
|
|
{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
|
|
|
|
{"G404", "Insecure random number source (rand)", NewWeakRandCheck},
|
2017-04-28 23:46:26 +02:00
|
|
|
|
2020-06-29 13:21:15 +02:00
|
|
|
// blocklist
|
|
|
|
{"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5},
|
|
|
|
{"G502", "Import blocklist: crypto/des", NewBlocklistedImportDES},
|
|
|
|
{"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4},
|
|
|
|
{"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI},
|
|
|
|
{"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1},
|
2019-12-19 19:39:33 +02:00
|
|
|
|
|
|
|
// memory safety
|
|
|
|
{"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing},
|
2017-04-28 23:46:26 +02:00
|
|
|
}
|
|
|
|
|
2017-10-05 23:32:03 +02:00
|
|
|
ruleMap := make(map[string]RuleDefinition)
|
2021-12-09 12:53:36 +02:00
|
|
|
ruleSuppressedMap := make(map[string]bool)
|
2017-10-05 23:32:03 +02:00
|
|
|
|
|
|
|
RULES:
|
|
|
|
for _, rule := range rules {
|
2021-12-09 12:53:36 +02:00
|
|
|
ruleSuppressedMap[rule.ID] = false
|
2017-04-28 23:46:26 +02:00
|
|
|
for _, filter := range filters {
|
2017-10-05 23:32:03 +02:00
|
|
|
if filter(rule.ID) {
|
2021-12-09 12:53:36 +02:00
|
|
|
ruleSuppressedMap[rule.ID] = true
|
|
|
|
if !trackSuppressions {
|
|
|
|
continue RULES
|
|
|
|
}
|
2017-04-28 23:46:26 +02:00
|
|
|
}
|
|
|
|
}
|
2017-10-05 23:32:03 +02:00
|
|
|
ruleMap[rule.ID] = rule
|
2017-04-28 23:46:26 +02:00
|
|
|
}
|
2021-12-09 12:53:36 +02:00
|
|
|
return RuleList{ruleMap, ruleSuppressedMap}
|
2017-04-28 23:46:26 +02:00
|
|
|
}
|