go/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2025-11-29 22:37:59 +02:00
Code Issues Releases Activity

Extract the issue in its own package

Browse Source
This commit is contained in:
Cosmin Cojocar
2023-02-15 20:44:13 +01:00
committed by Cosmin Cojocar
parent 31e63276f1
commit de2c6a36fa
48 changed files with 439 additions and 378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
rules/hardcoded_credentials.go
View File

@@ -22,10 +22,11 @@ import (
zxcvbn "github.com/nbutton23/zxcvbn-go"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/issue"
)
type credentials struct {
gosec.MetaData
issue.MetaData
pattern *regexp.Regexp
entropyThreshold float64
perCharThreshold float64
@@ -53,7 +54,7 @@ func (r *credentials) isHighEntropyString(str string) bool {
entropyPerChar >= r.perCharThreshold))
}
func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error) {
func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) {
switch node := n.(type) {
case *ast.AssignStmt:
return r.matchAssign(node, ctx)
@@ -65,14 +66,14 @@ func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error
return nil, nil
}
func (r *credentials) matchAssign(assign *ast.AssignStmt, ctx *gosec.Context) (*gosec.Issue, error) {
func (r *credentials) matchAssign(assign *ast.AssignStmt, ctx *gosec.Context) (*issue.Issue, error) {
for _, i := range assign.Lhs {
if ident, ok := i.(*ast.Ident); ok {
if r.pattern.MatchString(ident.Name) {
for _, e := range assign.Rhs {
if val, err := gosec.GetString(e); err == nil {
if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
return gosec.NewIssue(ctx, assign, r.ID(), r.What, r.Severity, r.Confidence), nil
return ctx.NewIssue(assign, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
}
@@ -82,7 +83,7 @@ func (r *credentials) matchAssign(assign *ast.AssignStmt, ctx *gosec.Context) (*
return nil, nil
}
func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Context) (*gosec.Issue, error) {
func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Context) (*issue.Issue, error) {
for index, ident := range valueSpec.Names {
if r.pattern.MatchString(ident.Name) && valueSpec.Values != nil {
// const foo, bar = "same value"
@@ -91,7 +92,7 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
}
if val, err := gosec.GetString(valueSpec.Values[index]); err == nil {
if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
return gosec.NewIssue(ctx, valueSpec, r.ID(), r.What, r.Severity, r.Confidence), nil
return ctx.NewIssue(valueSpec, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
}
@@ -99,7 +100,7 @@ func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Contex
return nil, nil
}
func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) {
func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*issue.Issue, error) {
if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ {
ident, ok := binaryExpr.X.(*ast.Ident)
if !ok {
@@ -113,7 +114,7 @@ func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.
}
if val, err := gosec.GetString(valueNode); err == nil {
if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
return ctx.NewIssue(binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
}
@@ -170,11 +171,11 @@ func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.No
perCharThreshold: perCharThreshold,
ignoreEntropy: ignoreEntropy,
truncate: truncateString,
MetaData: gosec.MetaData{
MetaData: issue.MetaData{
ID: id,
What: "Potential hardcoded credentials",
Confidence: gosec.Low,
Severity: gosec.High,
Confidence: issue.Low,
Severity: issue.High,
},
}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)}
}