1
0
mirror of https://github.com/securego/gosec.git synced 2025-01-24 03:16:54 +02:00

17 Commits

Author SHA1 Message Date
Travis McPeak
942f40acf5 Fix nosec to work as documented
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'.  This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.

Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
be96ef273d Fix alias logic 2016-11-07 20:10:30 -08:00
Grant Murphy
7a275fd0ad MatchCallByPackage updated to avoid GetCallObject
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.

It is possible to ascertain the package that relates to an object 1.7.x
release but this does not work for earlier Go versions.

To work around this limitation we now track imports, and monitor if they
are aliased or initalization only imports.
2016-11-07 09:13:20 -08:00
Grant Murphy
0bce1770b5 Fix typos in godocs 2016-08-28 11:22:08 -07:00
Tim Kelsey
223cded656 Adding some inline documentation for godoc 2016-08-12 14:17:28 +01:00
Tim Kelsey
e3b1d33b95 Configuration
This re-works the way that CLI options are passed through to the
analyzer so that they can act as overrides for config options. If
not given on the CLI, options will come from a config file. If no
file is used then a default value is chosen.

Two lists are also populated with tests to include or exclude.
These lists are not used for now but will eventually replace the
way we select test to run in a future patch to follow.
2016-08-08 16:18:46 +01:00
Tim Kelsey
da55fd1326 Fixing config
It should have been in the context object, not the analyzer
2016-08-05 11:04:06 +01:00
Tim Kelsey
d2d49f1c8c Try to resolve all elements in an expression to a known const
This is used in the subprocess launching test but will be added to
others as applicable.

This also closes #28
2016-08-03 17:21:48 +01:00
Tim Kelsey
d4367de2e2 Adding a config block to the analyzer, parsed from JSON
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
2016-08-01 17:39:47 +01:00
Tim Kelsey
68aac2539a Fixing annotations
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it wont be broken in the
future. Closes #25
2016-07-29 10:34:19 +01:00
Cedric Staub
271cff19f7
Use encoding/json for -fmt json output 2016-07-25 16:40:49 -07:00
Grant Murphy
2f84b67a47 Handle import error rather than panic on failure
This should handle issue #9 more gracefully.
2016-07-25 13:49:36 -07:00
Tim Kelsey
4f3d620d37 Initial public release 2016-07-20 15:56:32 +01:00