1
0
mirror of https://github.com/securego/gosec.git synced 2024-12-24 20:14:32 +02:00
Commit Graph

81 Commits

Author SHA1 Message Date
Oleksandr Redko
36c81ed69b
Refactor AppendError to check for build.NoGoError (#1273) 2024-12-19 11:55:12 +01:00
Oleksandr Redko
4fda076e5d
Refactor AppendError to use strings.Contains (#1270) 2024-12-16 15:18:11 +01:00
Oleksandr Redko
b01f49e366
Simplify Analyzer.ignore by reducing nesting (#1269) 2024-12-16 15:17:42 +01:00
Rahul Gadi
81cda2f91f
Allow excluding analyzers globally (#1180)
* This change does not exclude analyzers for inline comment
* Changed the expected issues count for G103, G109 samples for test. Previously G115 has been included in the issue count
* Show analyzers IDs(G115, G602) in gosec usage help
* See #1175
2024-08-20 10:43:40 +02:00
Alex Gartner
007626773c Fix multifile ignores 2024-07-15 09:00:36 +02:00
Cosmin Cojocar
ac75d44f56 Fix nosec when applied to a block
Handle properly nosec directive when applied to a block or as a single
line on a multi-line issue.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>
2024-05-28 12:54:05 +02:00
Cosmin Cojocar
48aa72e1ef Format the imports using the gci tool
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2024-03-08 12:15:42 +01:00
nobishino
b6df69cd07 Fixup: delete unused variable 2024-03-08 12:15:42 +01:00
nobishino
3a0ea5176b Refactor: use standard function to check if a file is generated
As of Go1.21, we can use https://pkg.go.dev/go/ast#IsGenerated to check if a file is generated.
Probably we want to use this instead of own implementation.
2024-03-08 12:15:42 +01:00
Cosmin Cojocar
eb256a7d70
Ignore the issues from generated files when using the analysis framework (#1079)
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-11-30 17:42:44 +01:00
Cosmin Cojocar
3188e3fb8e Ensure ignores are handled properly for multi-line issues
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-11-10 10:48:04 +01:00
Eng Zer Jun
fa1b74d4fc Avoid allocations with (*regexp.Regexp).MatchString
We should use `(*regexp.Regexp).MatchString` instead of
`(*regexp.Regexp).Match([]byte(...))` when matching string to avoid
unnecessary `[]byte` conversions and reduce allocations.

Example benchmark:

var defaultTagRegex = regexp.MustCompile("\n *#nosec")

func BenchmarkMatch(b *testing.B) {
	for i := 0; i < b.N; i++ {
		if match := defaultTagRegex.Match([]byte("\n #nosec")); !match {
			b.Fail()
		}
	}
}

func BenchmarkMatchString(b *testing.B) {
	for i := 0; i < b.N; i++ {
		if match := defaultTagRegex.MatchString("\n #nosec"); !match {
			b.Fail()
		}
	}
}

goos: linux
goarch: amd64
pkg: github.com/securego/gosec/v2
cpu: AMD Ryzen 7 PRO 4750U with Radeon Graphics
BenchmarkMatch-16          	 5367033	       210.6 ns/op	       8 B/op	       1 allocs/op
BenchmarkMatchString-16    	 9321561	       126.3 ns/op	       0 B/op	       0 allocs/op
PASS
ok  	github.com/securego/gosec/v2	3.606s

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-10-25 09:56:02 +02:00
Cosmin Cojocar
a2397580b6 Fix data race in the analyzer
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 15:13:27 +02:00
Cosmin Cojocar
c06903addd Fix test that checks the overriden nosec directive
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 14:33:51 +02:00
Cosmin Cojocar
d8a6d358dc Ensure the ignores are parsed before analysing the package
In addition this handles the ignores for multi-line issues

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-18 12:02:48 +02:00
Cosmin Cojocar
0ec6cd95d7 Refactor how ignored issues are tracked
Track ignored issues using file location instead of a AST node. There are issues linked to a different AST node than the original node used to start the scan.

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-13 14:11:08 +02:00
Cosmin Cojocar
f338a98bf3 Restrict the maximum depth when tracking the slice bounds
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-13 10:03:27 +02:00
Cosmin Cojocar
7e2d8d35f4 Handle empty ssa results
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-13 10:03:27 +02:00
Cosmin Cojocar
074353a2ab Handle gracefully any panic that occurs when building the SSA representation of a package
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-10-12 10:37:29 +02:00
Cosmin Cojocar
e02e2f6d5b Redesign and reimplement the slice out of bounds check using SSA code representation
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-09-20 10:19:51 +02:00
Oleksandr Redko
1f689968ec Fix typos in comments, vars and tests 2023-05-30 08:26:41 +02:00
Cosmin Cojocar
9120883a15
Fix no-sec alternative tag (#962)
The no-sec alternative tag prepends now automatically the # symbol

Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
2023-05-25 11:54:26 +02:00
Cosmin Cojocar
f850069114 Use the gosec issue in the go analysers 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
b1fd94881e Fix file formatting 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
1915717875 Fix method name in the comment 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
de2c6a36fa Extract the issue in its own package 2023-02-16 09:45:28 +01:00
Cosmin Cojocar
31e63276f1 Add support for Go analysis framework and SSA code representation 2023-02-16 09:45:28 +01:00
Sebastiaan van Stijn
0ae0174c25
Refactor to support duplicate imports with different aliases (#865)
The existing code assumed imports to be either imported, or imported with an
alias. Badly formatted files may have duplicate imports for a package, using
different aliases.

This patch refactors the code, and;

Introduces a new `GetImportedNames` function, which returns all name(s) and
aliase(s) for a package, which effectively combines `GetAliasedName` and
`GetImportedName`, but adding support for duplicate imports.

The old `GetAliasedName` and `GetImportedName` functions have been rewritten to
use the new function and marked deprecated, but could be removed if there are no
external consumers.

With this patch, the linter is able to detect issues in files such as;

    package main

    import (
        crand "crypto/rand"
        "math/big"
        "math/rand"
        rand2 "math/rand"
        rand3 "math/rand"
    )

    func main() {
        _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good

        _ = rand.Intn(2) // bad
        _ = rand2.Intn(2)  // bad
        _ = rand3.Intn(2)  // bad
    }

Before this patch, only a single issue would be detected:

    gosec --quiet .

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

With this patch, all issues are identified:

    gosec --quiet .

    [main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        15: 	_ = rand2.Intn(2)  // bad
      > 16: 	_ = rand3.Intn(2)  // bad
        17: }

    [main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        14: 	_ = rand.Intn(2) // bad
      > 15: 	_ = rand2.Intn(2)  // bad
        16: 	_ = rand3.Intn(2)  // bad

    [main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
        13:
      > 14: 	_ = rand.Intn(2) // bad
        15: 	_ = rand2.Intn(2)  // bad

While working on this change, I noticed that ImportTracker.TrackFile() was not able
to find import aliases;  Analyser.Check() called both ImportTracker.TrackFile() and
ast.Walk(), which (with the updated ImportTracker) resulted in importes to be in-
correctly included multiple times (once with the correct alias, once with the default).

I updated ImportTracker.TrackFile() to fix this, but with the updated ImportTracker,
Analyser.Check() no longer has to call ImportTracker.TrackFile() separately, as ast.Walk()
already handles the file, and will find all imports.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 10:59:18 +02:00
kruskal
7d539ed494
feat: add concurrency option to parallelize package loading (#778)
* feat: add concurrency option to parallelize package loading

* refactor: move wg.add inside the for loop

* fix: gracefully stop the workers on error

* test: add test for concurrent scan
2022-02-16 18:23:37 +01:00
Yiwei Ding
72f1145f8a
Fix #743 (#748)
* Check if nosec tag is in front of a line

* Use \n instead of a whitespace in a test case
2022-01-03 16:48:42 +01:00
Cosmin Cojocar
63a8e789a1
Handle nil when looking up a file by position into a package (#747) 2021-12-22 17:50:46 +01:00
Yiwei Ding
2d1c1a6df7
Track both #nosec and #nosec rulelist for one violation (#741) 2021-12-20 23:33:01 +01:00
Yiwei Ding
35af340d07
Fix #736 (#738) 2021-12-13 17:45:47 +01:00
Yiwei Ding
b45f95f6ad
Add support for suppressing the findings 2021-12-09 11:53:36 +01:00
Ville Skyttä
f1f0056a90
Spelling fixes (#717) 2021-11-09 21:02:24 +01:00
Matthieu MOREL
bfb0f422fe
chore(lint): enable errorlint and gci (#698) 2021-09-13 09:40:10 +02:00
Marc Brugger
ba23b5e49a
Add possibility to list waived (nosec) marked issues but not count them as such 2021-08-18 13:00:38 +02:00
Marc Brugger
62db81342e
Allow excluding generated files 2021-08-04 17:33:20 +02:00
Matthieu MOREL
1256f16f33
Fix lint and fail on error in the ci build 2021-05-31 10:44:12 +02:00
Lukas Aron
826db1cfec
Fix the build tags propagation
The build tags are now propagated into the build context when analysing a package.
2020-05-27 12:42:19 +02:00
Cosmin Cojocar
81e8278164 Add the Cgo files to the analysed files and ingonre all non-Go files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
Hiroki Suezawa
9cb83e10af Add a rule which detects when there is potential integer overflow (#422)
* Add G109(Potential Integer OverFlow Detection)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* add CWE to G109(Potential Integer Overflow)

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>

* Modify G109 to use gosec.Context

Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
Rafael dos Santos
f43a957359 Check for both default and alternative nosec tags (#426)
* Check both nosec tags

* Adjust test to find vulnerabilities

* Add a few alias in Makefile to get GOPATH
2020-01-06 09:47:28 +01:00
Cosmin Cojocar
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs (#400)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-02 14:05:14 +02:00
Isaev Denis
b9c4c66295 Expose analyzer API (#366)
Make it possible to use gosec from e.g. golangci-lint
without modification of gosec.
2019-09-12 14:06:59 +02:00
Daniel Carlier
8932f702ce Add flag to handle '#nosec' alternative (#346)
* Add logic to check for a #nosec alternative

* Add NoSecAlternative as a new global variable

* Add nosec-tag flag
2019-09-04 10:20:43 +02:00
Cosmin Cojocar
63b44b6681 Add some more tests to make codecov happy
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:56:26 +02:00
Cosmin Cojocar
78a49491a8 Load rules on each code sample in order to reconfigure them
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48 Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Cosmin Cojocar
b68ac76dbc Fix formatting
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00