cosmincojocar
1c58cbd378
Make the folder permissions more permissive to avoid false positives (#175)
2018-02-15 19:53:01 +10:00
Cosmin Cojocar
230d286f4e
Fix gofmt formatting
2018-02-10 20:04:58 +01:00
Grant Murphy
6b28d5c0e6
Merge pull request #166 from cosmincojocar/fprint_whitelist
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
2018-02-08 11:54:44 +10:00
Cosmin Cojocar
6cd7a6d7fe
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
2018-02-07 14:13:17 +01:00
Cosmin Cojocar
179c178924
Add some review fixes
2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419
Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
2018-02-06 16:56:26 +01:00
Grant Murphy
a97a196160
Unused import
2018-01-30 09:35:35 +10:00
Grant Murphy
7c7fe752b6
Fix go vet errors in tests
2018-01-30 09:32:04 +10:00
Jon McClintock
1ca335016a
Rebase to master
2018-01-22 18:45:07 +00:00
Jon McClintock
8eb9cc02a4
Adjust SQL format-string rules to ignore inherently safe formats
2018-01-22 18:34:57 +00:00
Grant Murphy
085e0f65af
Merge pull request #150 from GoASTScanner/experimental
Use explicit packages in call lists
2018-01-05 23:14:24 +10:00
Grant Murphy
aecbc873ef
Use explicit packages in call lists
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145, this removes it to expect explicit packages
for each rule.
Closes #145
2018-01-05 23:05:53 +10:00
Grant Murphy
9a2bec1cd0
Merge pull request #149 from GoASTScanner/experimental
Fix nil pointer dereference in complit types
2018-01-05 22:20:21 +10:00
Grant Murphy
b6f85d50da
Fix nil pointer dereference in complit types
2018-01-05 22:19:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental
Merge experimental / refactor
2018-01-05 22:08:59 +10:00
Grant Murphy
e925d3c347
Migrated old test cases.
2017-12-28 16:54:10 +10:00
Grant Murphy
af25ac1f6e
fix golint errors picked up by hound-ci
2017-12-13 22:35:47 +10:00
Grant Murphy
cfa432729c
fix hound-ci errors
2017-12-13 17:39:00 +10:00
Grant Murphy
3caf7c3154
Add test cases
2017-09-16 10:12:27 +10:00
Cosmin Cojocar
c36954f04a
Add the CHACHA20 to good ciphers in modern tls check
2017-08-30 16:00:56 +02:00
Grant Murphy
6943f9e5e4
Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
65b18da711
Hack to address circular dependency in rulelist
2017-05-09 21:26:12 -07:00
Grant Murphy
bf78d027a9
Restructure and introduce a standalone config
2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0
Restructure to focus on lib rather than cli
2017-04-26 08:08:46 -07:00
Cosmin Cojocar
5b71c2b05f
Add a test for math/big.Int.Exp rule
2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd
Add a rule for big.Exp function call
2017-04-10 14:25:48 +02:00
mockturtl
b74c83e7e7
BindsToAllNetworkInterfaces should check TLS also
2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0
Merge pull request #122 from GoASTScanner/testfixes
Correct bad test cases and intermittent failure
2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167
Correct bad test cases and intermittent failure
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.
Additionally, there were a number of test cases in which the sample code
was incorrect or would not compile. These have also been corrected.
2017-03-15 08:47:40 -07:00
Cosmin Cojocar
2262f5d474
Add a check for PreferServerCipherSuites flag of tls.Config
2017-03-15 15:05:44 +01:00
Grant Murphy
4099783722
Go 1.5 does not support width precision specifier
2017-01-14 14:39:22 -08:00
Grant Murphy
9bc02396e8
Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
a7ec9ccc63
Backport test case for 1.5
Go 1.5 does not have a rand.Read function, so the test definitions need
to be adjusted accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8
Fix additional test case
2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76
Fix test cases with invalid sample code
2017-01-13 12:40:49 -08:00
Grant Murphy
d1303fee0b
Improve specificity of error message for GenDecl
2017-01-11 10:12:11 -08:00
Grant Murphy
1e736c8838
Fix test case (invalid sample code)
2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995
Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.
Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
191750f44c
Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.
Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
6ace60b950
Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
129be1561b
Update error test case
There were several issues with the error test case that have been
addressed in this commit.
- It is possible to specify a whitelist of calls that error handling
should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
implicitly ignored.
There were several other additions to the helpers and call list in order
to support this type of functionality.
Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
63e8b1af23
Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(); the regexp was not explicit
enough, and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
39b18a1539
Remove debug print messages
2016-11-15 12:36:02 -08:00
Grant Murphy
ca42de24ba
Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.
Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
c7bb2dd3b7
Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48
Handle imbalanced declaration of constants
The following code would create a panic condition:
const foo, bar = "some thing"
Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
a3fcd96f57
Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls, so it will
work with global vars and constants.
Fixes #74
2016-11-13 12:57:59 -08:00
Grant Murphy
bf103da519
Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
1d732b8ae3
Ensure os.OpenFile file permissions are checked
In addition, the configuration file may be used to set the permission level.
Closes #53
2016-11-12 17:57:20 -08:00
Grant Murphy
be96ef273d
Fix alias logic
2016-11-07 20:10:30 -08:00