mirror of https://github.com/securego/gosec.git synced 2025-01-24 03:16:54 +02:00

27 Commits

Author SHA1 Message Date
Travis McPeak
942f40acf5 Fix nosec to work as documented
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'.  This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
8f78248b61 Merge pull request #92 from GoASTScanner/experimental
Resolve issues with error rules
2016-12-02 09:01:30 -08:00
Grant Murphy
dcfd97c57d Remove ast.Print debug message from tryresolve 2016-12-01 09:24:58 -08:00
Grant Murphy
129be1561b Update error test case
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
5242a2c1df Extend helpers and call list
- Update call list to work directly with call expression
- Add call list test cases
- Extend helpers to add GetCallInfo to resolve call name and package or
  type if it's a var.
- Add test cases to ensure correct behaviour
2016-11-18 09:57:34 -08:00
Grant Murphy
d29c64800e Add match call by type 2016-11-17 20:18:31 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.

Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
be96ef273d Fix alias logic 2016-11-07 20:10:30 -08:00
Grant Murphy
7a275fd0ad MatchCallByPackage updated to avoid GetCallObject
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.

It is possible to ascertain the package that relates to an object in the 1.7.x
release but this does not work for earlier Go versions.

To work around this limitation we now track imports, and monitor if they
are aliased or initialization only imports.
2016-11-07 09:13:20 -08:00
Grant Murphy
d16326051f Merge pull request #71 from GoASTScanner/call_list
Add an experimental way to whitelist/blacklist calls
2016-11-06 17:35:50 -08:00
Grant Murphy
0bc4d4808d Add an experimental way to whitelist calls
A call list is a way of grouping a number of packages and function calls
into a blacklist or whitelist. Could be useful to exclude certain
functions from results or looking for a specific set of functions.
2016-11-06 11:07:50 -08:00
Grant Murphy
0fef3ad40a Split out MatchCallByObject into two functions
Allows direct call to GetCallObject.
2016-11-04 14:39:22 -07:00
Grant Murphy
c4057545ae Add MatchCall helper that utilizes type checker
This introduces a helper function that will significantly reduce the
number of false positives that occur due to the use of regexp based
call matching.

It resolves the object related to a CallExpr and checks that against the
supplied package and identifier name. If both of these match the
returned value is the CallExpr and Object.
2016-11-04 11:20:28 -07:00
Grant Murphy
d05a2416a2 MatcMatchCompLit should be MatchCompList 2016-08-28 11:44:14 -07:00
Grant Murphy
0bce1770b5 Fix typos in godocs 2016-08-28 11:22:08 -07:00
Tim Kelsey
223cded656 Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00
Tim Kelsey
e3b1d33b95 Configuration
This re-works the way that CLI options are passed through to the
analyzer so that they can act as overrides for config options. If
not given on the CLI, options will come from a config file. If no
file is used then a default value is chosen.

Two lists are also populated with tests to include or exclude.
These lists are not used for now but will eventually replace the
way we select tests to run in a future patch to follow.
2016-08-08 16:18:46 +01:00
Tim Kelsey
da55fd1326 Fixing config
It should have been in the context object, not the analyzer
2016-08-05 11:04:06 +01:00
Tim Kelsey
d2d49f1c8c Try to resolve all elements in an expression to a known const
This is used in the subprocess launching test but will be added to
others as applicable.

This also closes #28
2016-08-03 17:21:48 +01:00
Tim Kelsey
d4367de2e2 Adding a config block to the analyzer, parsed from JSON
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Tim Kelsey
68aac2539a Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it won't be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Cedric Staub
271cff19f7 Use encoding/json for -fmt json output 2016-07-25 16:40:49 -07:00
Grant Murphy
2f84b67a47 Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00