cb4f343eaf
Update all dependencies ( #417 )
2019-12-17 09:31:52 +01:00
df484bfa9e
cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 ( #412 )
...
* cmd/tlsconfig: build tags to deprecate tls.VersionSSL30 from go1.14
* cmd/tlsconfig: build tags to turn off TLSv1.3 in go1.11
2019-11-19 11:41:25 +01:00
b4c76d4234
Update all dependencies ( #410 )
2019-11-04 16:45:32 +01:00
99170e0d76
Update the README with some details about the CWE mapping ( #407 )
...
* Fix some typos in the README file
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
* Update the README with some details about the CWE mapping
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-31 11:56:17 +01:00
53be8dd864
Add CWE rule mappings ( #405 )
...
* added mappings
* added cwe to template
* link in function to template
* moved mappings and added test cases
* wording
* cleanup
2019-10-31 09:22:38 +01:00
28c1128b73
Add more tests to improve the coverage of resolve
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
d78f02634a
Format import to make codecov happy
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
50e1fe267d
Improve the SSRF rule to report an issue for package scoped variables
...
Made also the rule to not report an issue when encountering function
scoped variable which terminate in a basic literal such as a string.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
07770ae76d
Add a test for composite literals when trying to resolve an AST tree node
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
f413f1436d
Handle the ValueSpec when trying to resolve an AST tree node
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
c1970ff5c9
Handle the ValueSpec when trying to resolve an AST tree node
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 11:56:58 +02:00
ea9faae22d
Update the Go version to 1.13 in the Dockerfile ( #403 )
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 09:44:34 +02:00
186dec7b26
Convert the global settings to correct type when reading them from file ( #399 )
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-08 09:44:17 +02:00
e680875ea1
Replace the deprecated load mode with more specific flags are recommended in the packages docs ( #400 )
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-10-02 14:05:14 +02:00
ad375d3b8f
Update golang.org/x/tools commit hash to 7c411de ( #389 )
2019-10-01 09:10:45 +02:00
607f2408a5
reconfigure rennoavate bot ( #395 )
...
I *think* this schedule only monthly semver updates but still give us
vulnerability alerts.
See: https://docs.renovatebot.com/presets for more information.
2019-10-01 09:10:23 +02:00
832d7bb398
Update README with CII Best Practicies badge
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-27 08:53:58 +10:00
29341f6e9c
Fix the rule G108/pporf to handle the case when the pporf import has not name
...
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-24 18:16:45 +10:00
b504783a71
Change unit tests to check for one thing ( #381 )
...
The unit tests should check for a single thing at a time.
This was not true for some the tests.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com >
2019-09-24 10:15:56 +02:00
7dbc65b199
Update golang.org/x/tools commit hash to 3ac2a5b ( #387 )
2019-09-24 10:14:45 +02:00
f3bd9fb960
Update golang.org/x/tools commit hash to 0f9bb8f
2019-09-24 11:40:53 +10:00
c6ac709aa8
Update golang.org/x/net commit hash to aa69164
2019-09-24 00:41:44 +00:00
7a6460dde9
Update golang.org/x/crypto commit hash to 9ee001b
2019-09-24 09:35:22 +10:00
d8f249a079
Update README with rule G108
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-24 09:32:09 +10:00
9cee24cccd
Add a rule which detects when pprof endpoint is automatically exposed
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-24 09:32:09 +10:00
73fbc9ba49
Update golang.org/x/net commit hash to 1a5e07d
2019-09-23 09:54:52 +00:00
124da07009
Update golang.org/x/tools commit hash to 5eefd05 ( #378 )
2019-09-23 11:54:36 +02:00
915e9eeba8
Update golang.org/x/sys commit hash to b4ddaad ( #374 )
2019-09-17 12:37:15 +02:00
e7b3ae9c54
Clarify and add new unit tests for rule G107 ( #376 )
...
The existing unit tests for G107 didn't have any comments why
a certain code is problematic.
Other than that we need more unit tests for rule G107 for the
different scenarios.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com >
2019-09-17 12:22:43 +02:00
f90efff866
Update golang.org/x/tools commit hash to 2dc213d ( #375 )
2019-09-17 12:22:00 +02:00
90e975912b
Update golang.org/x/net commit hash to c858923 ( #373 )
2019-09-17 12:20:44 +02:00
709ed1ba65
Change rule G204 to be less restrictive ( #339 )
...
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.
With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables
Closes: https://github.com/securego/gosec/issues/338
Signed-off-by: Martin Vrachev <mvrachev@vmware.com >
2019-09-16 16:15:06 +02:00
98749b7357
Update golang.org/x/net commit hash to 24e19bd ( #372 )
2019-09-16 10:25:16 +02:00
d8f6c4f7f7
Update golang.org/x/sys commit hash to c3b328c ( #371 )
2019-09-16 10:23:55 +02:00
32041942e8
Update golang.org/x/tools commit hash to 92af9d6 ( #370 )
2019-09-16 10:23:43 +02:00
140048b2a2
Update golang.org/x/sys commit hash to 7ad0cfa
2019-09-12 12:07:52 +00:00
a65402bc5a
Update golang.org/x/tools commit hash to 6bfd74c ( #365 )
2019-09-12 14:07:35 +02:00
b9c4c66295
Expose analyzer API ( #366 )
...
Make it possible to use gosec from e.g. golangci-lint
without modification of gosec.
2019-09-12 14:06:59 +02:00
29fddff3b4
turn on automerge for rennovate bot
2019-09-11 21:29:05 +10:00
bee7b5aa0d
Update golang.org/x/crypto commit hash to 227b76d ( #363 )
2019-09-11 09:51:50 +02:00
069c31f980
Update golang.org/x/tools commit hash to 16c5e0f ( #362 )
2019-09-11 09:51:26 +02:00
3e65f8ff9d
Update golang.org/x/sys commit hash to bbd1755 ( #361 )
2019-09-11 09:51:06 +02:00
f5d5e20b3e
Update golang.org/x/tools commit hash to dd2b5c8 ( #360 )
2019-09-10 09:18:49 +02:00
a1c9c76277
Remove the unused code to increase the test coverage
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:59:05 +10:00
338b50debb
Remove rule G105 which detects the use of math/big#Int.Exp
...
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184 ).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:59:05 +10:00
43e3664713
Build the tls config generator only with Go versions compatible with Go 1.12
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:57:18 +10:00
81b6dc8872
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:57:18 +10:00
76ce9f0147
Update to config struct to unmarshal the mozilla server-side TLS conf version 5
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:57:18 +10:00
e050355b4b
Update the TLS config generator to handle TLS version 1.3
...
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch >
2019-09-10 11:57:18 +10:00
c0510fc45b
Update golang.org/x/tools commit hash to 0673112 ( #359 )
2019-09-10 11:55:33 +10:00
