package gosec_test
import (
"errors"
"log"
"os"
"regexp"
"strings"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/rules"
"github.com/securego/gosec/v2/testutils"
"golang.org/x/tools/go/packages"
)
var _ = Describe("Analyzer", func() {
// Spec-wide state. BeforeEach rebuilds analyzer and logger before every
// example; nothing visible in this chunk assigns buildTags or tests, so they
// keep their zero values (nil tags, tests disabled) unless set elsewhere.
var analyzer *gosec.Analyzer
var logger *log.Logger
var buildTags []string
var tests bool
BeforeEach(func() {
	// A fresh logger and analyzer per example so report state never leaks
	// between specs. The logger constructor's error is discarded here as in
	// the original; its failure modes are not visible from this file.
	specLogger, _ := testutils.NewLogger()
	logger = specLogger
	analyzer = gosec.NewAnalyzer(nil, tests, false, false, 1, logger)
})
Context("when processing a package", func() {
It("should not report an error if the package contains no Go files", func() {
	// An empty directory must be accepted quietly: Process returns nil and
	// the report carries no per-file errors.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	emptyDir, mkErr := os.MkdirTemp("", "empty")
	defer os.RemoveAll(emptyDir) // best-effort cleanup; RemoveAll("") is a no-op if MkdirTemp failed
	Expect(mkErr).NotTo(HaveOccurred())
	Expect(analyzer.Process(buildTags, emptyDir)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(0))
})
It("should report an error if the package fails to build", func() {
	// A file without a package clause cannot build. The analyzer must still
	// return nil from Process and surface exactly one error for that file.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	broken := testutils.NewTestPackage()
	defer broken.Close()
	broken.AddFile("wonky.go", `func main(){ println("forgot the package")}`)
	Expect(broken.Build()).To(HaveOccurred())
	Expect(analyzer.Process(buildTags, broken.Path)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(1))
	for _, perFile := range fileErrs {
		Expect(perFile).To(HaveLen(1))
	}
})
It("should be able to analyze multiple Go files", func() {
	// Two files in one package; NumFiles in the report must count both.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	twoFiles := testutils.NewTestPackage()
	defer twoFiles.Close()
	twoFiles.AddFile("foo.go", `
package main
func main(){
bar()
}`)
	twoFiles.AddFile("bar.go", `
package main
func bar(){
println("package has two files!")
}`)
	Expect(twoFiles.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, twoFiles.Path)).To(Succeed())
	_, stats, _ := analyzer.Report()
	Expect(stats.NumFiles).To(Equal(2))
})
It("should be able to analyze multiple Go files concurrently", func() {
	// Same two-file package as the sequential spec, but processed by an
	// analyzer built with 32 workers; the file count must be unaffected.
	parallel := gosec.NewAnalyzer(nil, true, true, false, 32, logger)
	parallel.LoadRules(rules.Generate(false).RulesInfo())
	twoFiles := testutils.NewTestPackage()
	defer twoFiles.Close()
	twoFiles.AddFile("foo.go", `
package main
func main(){
bar()
}`)
	twoFiles.AddFile("bar.go", `
package main
func bar(){
println("package has two files!")
}`)
	Expect(twoFiles.Build()).To(Succeed())
	Expect(parallel.Process(buildTags, twoFiles.Path)).To(Succeed())
	_, stats, _ := parallel.Report()
	Expect(stats.NumFiles).To(Equal(2))
})
It("should be able to analyze multiple Go packages", func() {
	// One file in each of two packages passed to a single Process call;
	// NumFiles must add up across packages.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	first := testutils.NewTestPackage()
	second := testutils.NewTestPackage()
	defer first.Close()
	defer second.Close()
	first.AddFile("foo.go", `
package main
func main(){
}`)
	second.AddFile("bar.go", `
package main
func bar(){
}`)
	Expect(first.Build()).To(Succeed())
	Expect(second.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, first.Path, second.Path)).To(Succeed())
	_, stats, _ := analyzer.Report()
	Expect(stats.NumFiles).To(Equal(2))
})
It("should find errors when nosec is not in use", func() {
	// Control case for the nosec specs: the unmodified G401 sample must
	// yield exactly the number of issues the sample declares.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	control := testutils.NewTestPackage()
	defer control.Close()
	control.AddFile("md5.go", g401.Code[0])
	Expect(control.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, control.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(HaveLen(g401.Errors))
})
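It("should report Go build errors and invalid files", func() {
	// A syntactically invalid file must be reported as a build error with
	// its position rather than swallowed; Process itself still returns nil.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	pkg := testutils.NewTestPackage()
	defer pkg.Close()
	// NOTE(review): the blame rendering this was taken from drops leading
	// whitespace inside the raw string; the Column == 5 assertion below only
	// holds if the closing-brace line carries four bytes of indentation.
	pkg.AddFile("foo.go", `
package main
func main()
}`)
	err := pkg.Build()
	Expect(err).ShouldNot(HaveOccurred())
	err = analyzer.Process(buildTags, pkg.Path)
	Expect(err).ShouldNot(HaveOccurred())
	_, _, buildErrs := analyzer.Report()

	const wantMsg = `expected declaration, found '}'`
	foundErr := false
	for _, ferr := range buildErrs {
		Expect(ferr).To(HaveLen(1))
		// regexp.MatchString takes the pattern first and the subject second.
		// The original passed them the other way round, compiling the error
		// text as a regular expression; matchErr is a fresh name so the outer
		// err is not shadowed.
		match, matchErr := regexp.MatchString(wantMsg, ferr[0].Err)
		Expect(matchErr).ShouldNot(HaveOccurred())
		if !match {
			continue
		}
		foundErr = true
		Expect(ferr[0].Line).To(Equal(4))
		Expect(ferr[0].Column).To(Equal(5))
	}
	Expect(foundErr).To(BeTrue())
})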
It("should not report errors when a nosec line comment is present", func() {
	// A trailing //#nosec on the md5.New() line must suppress the G401 issue.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should not report errors when a nosec block comment is present", func() {
	// Same as the line-comment spec, but the annotation is a /* #nosec */ block comment.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() /* #nosec */", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should not report errors when an exclude comment is present for the correct rule", func() {
	// Rule for MD5 weak crypto usage; //#nosec G401 names exactly the rule
	// that fires, so the issue must be suppressed.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec G401", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should report errors when an exclude comment is present for a different rule", func() {
	// //#nosec G301 names a rule that is not the one firing (G401), so the
	// annotation must not suppress anything.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	mismatched := testutils.NewTestPackage()
	defer mismatched.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec G301", 1)
	mismatched.AddFile("md5.go", annotated)
	Expect(mismatched.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, mismatched.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(HaveLen(g401.Errors))
})
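It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() {
	// The annotation lists G301 and G401; G401 is the rule that fires here,
	// so the issue must be suppressed.
	sample := testutils.SampleCodeG401[0]
	source := sample.Code[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	nosecPackage := testutils.NewTestPackage()
	defer nosecPackage.Close()
	nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec G301 G401", 1)
	nosecPackage.AddFile("md5.go", nosecSource)
	err := nosecPackage.Build()
	Expect(err).ShouldNot(HaveOccurred())
	// Process the package once. The original ran Process twice on the same
	// path, which added no coverage and may double-count anything reported.
	err = analyzer.Process(buildTags, nosecPackage.Path)
	Expect(err).ShouldNot(HaveOccurred())
	nosecIssues, _, _ := analyzer.Report()
	Expect(nosecIssues).Should(BeEmpty())
})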
It("should pass the build tags", func() {
	// The build-tag sample is processed with the "tag" tag set; only the
	// absence of a Process error is asserted, and Build() is deliberately not
	// called here.
	tagged := testutils.SampleCodeBuildTag[0]
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	taggedPkg := testutils.NewTestPackage()
	defer taggedPkg.Close()
	taggedPkg.AddFile("tags.go", tagged.Code[0])
	withTag := []string{"tag"}
	Expect(analyzer.Process(withTag, taggedPkg.Path)).To(Succeed())
})
It("should process an empty package with test file", func() {
	// A package consisting solely of a _test.go file must not make Process fail.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	testOnly := testutils.NewTestPackage()
	defer testOnly.Close()
	testOnly.AddFile("foo_test.go", `
package tests
import "testing"
func TestFoo(t *testing.T){
}`)
	Expect(testOnly.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, testOnly.Path)).To(Succeed())
})
It("should be possible to overwrite nosec comments, and report issues", func() {
	// Rule for MD5 weak crypto usage. With the global Nosec option set to
	// "true", an inline //#nosec must be ignored and the issue still reported.
	g401 := testutils.SampleCodeG401[0]

	// overwrite nosec option
	ignoreNosec := gosec.NewConfig()
	ignoreNosec.SetGlobal(gosec.Nosec, "true")
	strict := gosec.NewAnalyzer(ignoreNosec, tests, false, false, 1, logger)
	strict.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	annotatedPkg := testutils.NewTestPackage()
	defer annotatedPkg.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec", 1)
	annotatedPkg.AddFile("md5.go", annotated)
	Expect(annotatedPkg.Build()).To(Succeed())
	Expect(strict.Process(buildTags, annotatedPkg.Path)).To(Succeed())
	found, _, _ := strict.Report()
	Expect(found).To(HaveLen(g401.Errors))
})
XIt("should be possible to overwrite nosec comments, and report issues but the should not be counted", func() {
	// Pending spec (XIt): with Nosec and ShowIgnored both "true", the
	// suppressed issue is expected to be listed but counted under NumNosec
	// rather than NumFound.
	// Rule for MD5 weak crypto usage
	g401 := testutils.SampleCodeG401[0]

	// overwrite nosec option
	showIgnored := gosec.NewConfig()
	showIgnored.SetGlobal(gosec.Nosec, "true")
	showIgnored.SetGlobal(gosec.ShowIgnored, "true")
	verbose := gosec.NewAnalyzer(showIgnored, tests, false, false, 1, logger)
	verbose.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	annotatedPkg := testutils.NewTestPackage()
	defer annotatedPkg.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec", 1)
	annotatedPkg.AddFile("md5.go", annotated)
	Expect(annotatedPkg.Build()).To(Succeed())
	Expect(verbose.Process(buildTags, annotatedPkg.Path)).To(Succeed())
	found, stats, _ := verbose.Report()
	Expect(found).To(HaveLen(g401.Errors))
	Expect(stats.NumFound).To(Equal(0))
	Expect(stats.NumNosec).To(Equal(1))
})
It("should not report errors when nosec tag is in front of a line", func() {
	// The //#nosec G401 annotation sits on its own comment line directly
	// above the flagged statement and must still suppress the issue.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "//Some description\n//#nosec G401\nh := md5.New()", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should report errors when nosec tag is not in front of a line", func() {
	// "#nosec G401" buried inside a descriptive comment, not at the start of
	// the comment, must not count as an annotation.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	unsuppressed := testutils.NewTestPackage()
	defer unsuppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "//Some description\n//Another description #nosec G401\nh := md5.New()", 1)
	unsuppressed.AddFile("md5.go", annotated)
	Expect(unsuppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, unsuppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(HaveLen(g401.Errors))
})
It("should not report errors when rules are in front of nosec tag even rules are wrong", func() {
	// A bare //#nosec on its own line suppresses the issue even though the
	// preceding comment line names an unrelated rule (G301).
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "//G301\n//#nosec\nh := md5.New()", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() {
	// Comment block is //#nosec, //G301, //#nosec; the spec expects the
	// issue to still be reported in this layout.
	g401 := testutils.SampleCodeG401[0]
	analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	unsuppressed := testutils.NewTestPackage()
	defer unsuppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "//#nosec\n//G301\n//#nosec\nh := md5.New()", 1)
	unsuppressed.AddFile("md5.go", annotated)
	Expect(unsuppressed.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, unsuppressed.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(HaveLen(g401.Errors))
})
It("should be possible to use an alternative nosec tag", func() {
	// Rule for MD5 weak crypto usage. With NoSecAlternative set to
	// "falsePositive", a "// #falsePositive" comment must suppress the issue.
	g401 := testutils.SampleCodeG401[0]

	// overwrite nosec option
	altTag := gosec.NewConfig()
	altTag.SetGlobal(gosec.NoSecAlternative, "falsePositive")
	altAnalyzer := gosec.NewAnalyzer(altTag, tests, false, false, 1, logger)
	altAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() // #falsePositive", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(altAnalyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := altAnalyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should ignore vulnerabilities when the default tag is found", func() {
	// Rule for MD5 weak crypto usage. Configuring an alternative tag must not
	// disable the default //#nosec annotation.
	g401 := testutils.SampleCodeG401[0]

	// overwrite nosec option
	altTag := gosec.NewConfig()
	altTag.SetGlobal(gosec.NoSecAlternative, "falsePositive")
	altAnalyzer := gosec.NewAnalyzer(altTag, tests, false, false, 1, logger)
	altAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())

	suppressed := testutils.NewTestPackage()
	defer suppressed.Close()
	annotated := strings.Replace(g401.Code[0], "h := md5.New()", "h := md5.New() //#nosec", 1)
	suppressed.AddFile("md5.go", annotated)
	Expect(suppressed.Build()).To(Succeed())
	Expect(altAnalyzer.Process(buildTags, suppressed.Path)).To(Succeed())
	found, _, _ := altAnalyzer.Report()
	Expect(found).To(BeEmpty())
})
It("should be able to analyze Go test package", func() {
	// Analyzer built with tests enabled; the _test.go file's unchecked
	// error return is expected to produce exactly one issue.
	withTests := gosec.NewAnalyzer(nil, true, false, false, 1, logger)
	withTests.LoadRules(rules.Generate(false).RulesInfo())
	testedPkg := testutils.NewTestPackage()
	defer testedPkg.Close()
	testedPkg.AddFile("foo.go", `
package foo
func foo(){
}`)
	testedPkg.AddFile("foo_test.go", `
package foo_test
import "testing"
func test() error {
return nil
}
func TestFoo(t *testing.T){
test()
}`)
	Expect(testedPkg.Build()).To(Succeed())
	Expect(withTests.Process(buildTags, testedPkg.Path)).To(Succeed())
	found, _, _ := withTests.Report()
	Expect(found).To(HaveLen(1))
})
It("should be able to scan generated files if NOT excluded", func() {
	// Generated-file exclusion is off (third NewAnalyzer argument false), so
	// the "Code generated" file is scanned and its one issue reported.
	scanGenerated := gosec.NewAnalyzer(nil, true, false, false, 1, logger)
	scanGenerated.LoadRules(rules.Generate(false).RulesInfo())
	generated := testutils.NewTestPackage()
	defer generated.Close()
	generated.AddFile("foo.go", `
package foo
// Code generated some-generator DO NOT EDIT.
func test() error {
return nil
}
func TestFoo(t *testing.T){
test()
}`)
	Expect(generated.Build()).To(Succeed())
	Expect(scanGenerated.Process(buildTags, generated.Path)).To(Succeed())
	found, _, _ := scanGenerated.Report()
	Expect(found).To(HaveLen(1))
})
It("should be able to skip generated files if excluded", func() {
	// Same generated file as the previous spec, but with exclusion enabled
	// (third NewAnalyzer argument true): nothing may be reported.
	skipGenerated := gosec.NewAnalyzer(nil, true, true, false, 1, logger)
	skipGenerated.LoadRules(rules.Generate(false).RulesInfo())
	generated := testutils.NewTestPackage()
	defer generated.Close()
	generated.AddFile("foo.go", `
package foo
// Code generated some-generator DO NOT EDIT.
func test() error {
return nil
}
func TestFoo(t *testing.T){
test()
}`)
	Expect(generated.Build()).To(Succeed())
	Expect(skipGenerated.Process(buildTags, generated.Path)).To(Succeed())
	found, _, _ := skipGenerated.Report()
	Expect(found).To(BeEmpty())
})
})
It("should be able to analyze Cgo files", func() {
	// The Cgo sample must build, process cleanly and produce no issues.
	analyzer.LoadRules(rules.Generate(false).RulesInfo())
	cgo := testutils.SampleCodeCgo[0]

	cgoPkg := testutils.NewTestPackage()
	defer cgoPkg.Close()
	cgoPkg.AddFile("main.go", cgo.Code[0])
	Expect(cgoPkg.Build()).To(Succeed())
	Expect(analyzer.Process(buildTags, cgoPkg.Path)).To(Succeed())
	found, _, _ := analyzer.Report()
	Expect(found).To(BeEmpty())
})
Context("when parsing errors from a package", func() {
It("should return no error when the error list is empty", func() {
	// A package with no Errors entries must parse without error.
	empty := &packages.Package{}
	Expect(analyzer.ParseErrors(empty)).To(Succeed())
})
It("should properly parse the errors", func() {
	// "file:1:2" must be split into line 1 and column 2 for the file "file".
	withPos := &packages.Package{
		Errors: []packages.Error{{Pos: "file:1:2", Msg: "build error"}},
	}
	Expect(analyzer.ParseErrors(withPos)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(1))
	for _, perFile := range fileErrs {
		Expect(perFile).To(HaveLen(1))
		Expect(perFile[0].Line).To(Equal(1))
		Expect(perFile[0].Column).To(Equal(2))
		Expect(perFile[0].Err).To(MatchRegexp(`build error`))
	}
})
It("should properly parse the errors without line and column", func() {
	// A bare "file" position carries no line or column; both must be 0.
	noPos := &packages.Package{
		Errors: []packages.Error{{Pos: "file", Msg: "build error"}},
	}
	Expect(analyzer.ParseErrors(noPos)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(1))
	for _, perFile := range fileErrs {
		Expect(perFile).To(HaveLen(1))
		Expect(perFile[0].Line).To(Equal(0))
		Expect(perFile[0].Column).To(Equal(0))
		Expect(perFile[0].Err).To(MatchRegexp(`build error`))
	}
})
It("should properly parse the errors without column", func() {
	// NOTE(review): despite the title, this spec uses the bare position
	// "file" exactly like the previous one, so a line-only position
	// (e.g. "file:1") is not actually exercised here.
	noPos := &packages.Package{
		Errors: []packages.Error{{Pos: "file", Msg: "build error"}},
	}
	Expect(analyzer.ParseErrors(noPos)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(1))
	for _, perFile := range fileErrs {
		Expect(perFile).To(HaveLen(1))
		Expect(perFile[0].Line).To(Equal(0))
		Expect(perFile[0].Column).To(Equal(0))
		Expect(perFile[0].Err).To(MatchRegexp(`build error`))
	}
})
It("should return error when line cannot be parsed", func() {
	// A non-numeric line component must make ParseErrors fail.
	badLine := &packages.Package{
		Errors: []packages.Error{{Pos: "file:line", Msg: "build error"}},
	}
	Expect(analyzer.ParseErrors(badLine)).To(HaveOccurred())
})
It("should return error when column cannot be parsed", func() {
	// A non-numeric column component must make ParseErrors fail.
	badColumn := &packages.Package{
		Errors: []packages.Error{{Pos: "file:1:column", Msg: "build error"}},
	}
	Expect(analyzer.ParseErrors(badColumn)).To(HaveOccurred())
})
It("should append error to the same file", func() {
	// Two errors for the same file must land in one entry, in input order.
	twoErrs := &packages.Package{
		Errors: []packages.Error{
			{Pos: "file:1:2", Msg: "error1"},
			{Pos: "file:3:4", Msg: "error2"},
		},
	}
	Expect(analyzer.ParseErrors(twoErrs)).To(Succeed())
	_, _, fileErrs := analyzer.Report()
	Expect(fileErrs).To(HaveLen(1))
	for _, perFile := range fileErrs {
		Expect(perFile).To(HaveLen(2))
		Expect(perFile[0].Line).To(Equal(1))
		Expect(perFile[0].Column).To(Equal(2))
		Expect(perFile[0].Err).To(MatchRegexp(`error1`))
		Expect(perFile[1].Line).To(Equal(3))
		Expect(perFile[1].Column).To(Equal(4))
		Expect(perFile[1].Err).To(MatchRegexp(`error2`))
	}
})
It("should set the config", func() {
	// Config round-trips: whatever is handed to SetConfig must be
	// returned unchanged by Config.
	cfg := gosec.NewConfig()
	cfg["test"] = "test"
	analyzer.SetConfig(cfg)
	Expect(cfg).To(Equal(analyzer.Config()))
})
It("should reset the analyzer", func() {
	// After Reset the report must be completely empty: no issues,
	// zero-valued metrics and no per-file errors.
	analyzer.Reset()
	issues, metrics, fileErrors := analyzer.Report()
	Expect(issues).To(BeEmpty())
	Expect(*metrics).To(Equal(gosec.Metrics{}))
	Expect(fileErrors).To(BeEmpty())
})
})
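Context("when appending errors", func() {
	It("should skip error for non-buildable packages", func() {
		// A "no buildable Go source files" error is deliberately
		// dropped by AppendError: nothing reaches the report.
		analyzer.AppendError("test", errors.New(`loading file from package "pkg/test": no buildable Go source files in pkg/test`))
		_, _, fileErrors := analyzer.Report()
		Expect(fileErrors).To(BeEmpty())
	})

	It("should add a new error", func() {
		// An error appended for a file that already carries a parsed
		// build error is added alongside it, not in place of it.
		pkg := &packages.Package{
			Errors: []packages.Error{
				{Pos: "file:1:2", Msg: "build error"},
			},
		}
		Expect(analyzer.ParseErrors(pkg)).ShouldNot(HaveOccurred())

		analyzer.AppendError("file", errors.New("file build error"))

		// fileErrors, not errors: the local used to shadow the errors
		// package that errors.New above comes from.
		_, _, fileErrors := analyzer.Report()
		Expect(fileErrors).To(HaveLen(1))
		for _, ferr := range fileErrors {
			Expect(ferr).To(HaveLen(2))
		}
	})
})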
Context("when tracking suppressions", func() {
	BeforeEach(func() {
		// Same constructor call as the outer BeforeEach except that the
		// fourth argument is true here, so suppressed findings stay in
		// the report with their Suppressions populated instead of being
		// dropped (every test below asserts on that).
		analyzer = gosec.NewAnalyzer(nil, tests, false, true, 1, logger)
	})

	It("should not report an error if the violation is suppressed", func() {
		tc := testutils.SampleCodeG401[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		// Annotate the md5 call with an in-source suppression that names
		// the rule and carries a justification.
		annotated := strings.Replace(tc.Code[0], "h := md5.New()", "h := md5.New() //#nosec G401 -- Justification", 1)
		pkg.AddFile("md5.go", annotated)
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		// The finding is still counted; it is marked as suppressed, with
		// the justification text preserved, rather than removed.
		issues, _, _ := analyzer.Report()
		Expect(issues).To(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(1))
		Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
		Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
	})

	It("should not report an error if the violation is suppressed without certain rules", func() {
		tc := testutils.SampleCodeG401[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		// A bare #nosec: no rule list and no justification.
		annotated := strings.Replace(tc.Code[0], "h := md5.New()", "h := md5.New() //#nosec", 1)
		pkg.AddFile("md5.go", annotated)
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		// Still an in-source suppression, but with an empty justification.
		issues, _, _ := analyzer.Report()
		Expect(issues).To(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(1))
		Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
		Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
	})

	It("should track multiple suppressions if the violation is suppressed by both #nosec and #nosec RuleList", func() {
		tc := testutils.SampleCodeG101[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		// Two layers of in-source suppression: a rule-specific #nosec on
		// the first closing brace, and a bare #nosec inserted on the line
		// before the first occurrence of "func".
		annotated := strings.Replace(tc.Code[0], "}", "} //#nosec G101 -- Justification", 1)
		annotated = strings.Replace(annotated, "func", "//#nosec\nfunc", 1)
		pkg.AddFile("pwd.go", annotated)
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		// Both suppressions are recorded on the same issue.
		issues, _, _ := analyzer.Report()
		Expect(issues).To(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(2))
	})

	It("should not report an error if the rule is not included", func() {
		// NOTE(review): the description is misleading — the issue IS
		// reported; what this checks is that a rule left out of the
		// filter shows up as an "external" suppression.
		tc := testutils.SampleCodeG101[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		// Unmodified sample: no in-source annotation at all.
		pkg.AddFile("pwd.go", tc.Code[0])
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(false, "G401")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		issues, _, _ := analyzer.Report()
		Expect(issues).Should(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(1))
		Expect(issues[0].Suppressions[0].Kind).To(Equal("external"))
		Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed."))
	})

	It("should not report an error if the rule is excluded", func() {
		// NOTE(review): as above, the issue is still reported; a rule
		// excluded by the filter is recorded as an "external" suppression.
		tc := testutils.SampleCodeG101[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		pkg.AddFile("pwd.go", tc.Code[0])
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(true, "G101")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		issues, _, _ := analyzer.Report()
		Expect(issues).Should(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(1))
		Expect(issues[0].Suppressions[0].Kind).To(Equal("external"))
		Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed."))
	})

	It("should track multiple suppressions if the violation is multiply suppressed", func() {
		tc := testutils.SampleCodeG101[0]
		pkg := testutils.NewTestPackage()
		defer pkg.Close()

		// One in-source suppression on top of the rule being excluded
		// by the filter below: two suppressions on the same issue.
		annotated := strings.Replace(tc.Code[0], "}", "} //#nosec G101 -- Justification", 1)
		pkg.AddFile("pwd.go", annotated)
		Expect(pkg.Build()).ShouldNot(HaveOccurred())

		analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(true, "G101")).RulesInfo())
		Expect(analyzer.Process(buildTags, pkg.Path)).ShouldNot(HaveOccurred())

		issues, _, _ := analyzer.Report()
		Expect(issues).Should(HaveLen(tc.Errors))
		Expect(issues[0].Suppressions).To(HaveLen(2))
	})
})
})