diff --git a/README.md b/README.md
index 25e28e8..4d16c58 100644
--- a/README.md
+++ b/README.md
@@ -60,10 +60,6 @@ paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply './...' as the input argument.
-### Selecting rules
-
-By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
-or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 ### Available rules
@@ -71,7 +67,6 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 - G102: Bind to all interfaces
 - G103: Audit the use of unsafe block
 - G104: Audit errors not checked
-- G105: Audit the use of math/big.Int.Exp
 - G106: Audit the use of ssh.InsecureIgnoreHostKey
 - G107: Url provided to HTTP request as taint input
 - G201: SQL query construction using format string
@@ -93,6 +88,15 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
 - G504: Import blacklist: net/http/cgi
 - G505: Import blacklist: crypto/sha1
+### Retired rules
+
+- G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+
+### Selecting rules
+
+By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag,
+or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
+
 ```bash
 # Run a specific set of rules
 $ gosec -include=G101,G203,G401 ./...
diff --git a/rules/big.go b/rules/big.go
deleted file mode 100644
index 8c45a53..0000000
--- a/rules/big.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package rules
-
-import (
- "go/ast"
-
- "github.com/securego/gosec"
-)
-
-type usingBigExp struct {
- gosec.MetaData
- pkg string
- calls []string
-}
-
-func (r *usingBigExp) ID() string {
- return r.MetaData.ID
-}
-
-func (r *usingBigExp) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err error) {
- if _, matched := gosec.MatchCallByType(n, c, r.pkg, r.calls...); matched {
- return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
- }
- return nil, nil
-}
-
-// NewUsingBigExp detects issues with modulus == 0 for Bignum
-func NewUsingBigExp(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
- return &usingBigExp{
- pkg: "*math/big.Int",
- calls: []string{"Exp"},
- MetaData: gosec.MetaData{
- ID: id,
- What: "Use of math/big.Int.Exp function should be audited for modulus == 0",
- Severity: gosec.Low,
- Confidence: gosec.High,
- },
- }, []ast.Node{(*ast.CallExpr)(nil)}
-}
diff --git a/rules/rulelist.go b/rules/rulelist.go
index 08d655b..b8a28a8 100644
--- a/rules/rulelist.go
+++ b/rules/rulelist.go
@@ -63,7 +63,6 @@ func Generate(filters ...RuleFilter) RuleList {
 {"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
 {"G103", "Audit the use of unsafe block", NewUsingUnsafe},
 {"G104", "Audit errors not checked", NewNoErrorCheck},
- {"G105", "Audit the use of big.Exp function", NewUsingBigExp},
 {"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
 {"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
diff --git a/rules/rules_test.go b/rules/rules_test.go
index 29ed663..98e122c 100644
--- a/rules/rules_test.go
+++ b/rules/rules_test.go
@@ -71,10 +71,6 @@ var _ = Describe("gosec rules", func() {
 runner("G104", testutils.SampleCodeG104Audit)
 })
- It("should detect of big.Exp function", func() {
- runner("G105", testutils.SampleCodeG105)
- })
-
 It("should detect of ssh.InsecureIgnoreHostKey function", func() {
 runner("G106", testutils.SampleCodeG106)
 })
diff --git a/testutils/source.go b/testutils/source.go
index e4c9117..750ab8e 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -304,22 +304,6 @@ func main() {
 package main
 func dummy(){}
 `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}}
- // SampleCodeG105 - bignum overflow
- SampleCodeG105 = []CodeSample{{[]string{`
-package main
-import (
- "math/big"
-)
-func main() {
- z := new(big.Int)
- x := new(big.Int)
- x = x.SetUint64(2)
- y := new(big.Int)
- y = y.SetUint64(4)
- m := new(big.Int)
- m = m.SetUint64(0)
- z = z.Exp(x, y, m)
-}`}, 1, gosec.NewConfig()}}
 // SampleCodeG106 - ssh InsecureIgnoreHostKey
 SampleCodeG106 = []CodeSample{{[]string{`