1
0
mirror of https://github.com/securego/gosec.git synced 2024-12-28 21:08:22 +02:00
Commit Graph

108 Commits

Author SHA1 Message Date
Lars Lehtonen
df484bfa9e cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
* cmd/tlsconfig: build tags to deprecate tls.VersionSSL30 from go1.14

* cmd/tlsconfig: build tags to turn off TLSv1.3 in go1.11
2019-11-19 11:41:25 +01:00
Cosmin Cojocar
43e3664713 Build the tls config generator only with Go versions compatible with Go 1.12
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
76ce9f0147 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
e050355b4b Update the TLS config generator to handle TLS version 1.3
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
7851918c4f Add support to exclude arbitrary folders from scanning (#353)
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-09 22:01:36 +10:00
Daniel Carlier
8932f702ce Add flag to handle '#nosec' alternative (#346)
* Add logic to check for a #nosec alternative

* Add NoSecAlternative as a new global variable

* Add nosec-tag flag
2019-09-04 10:20:43 +02:00
Juan Antonio Osorio Robles
39f7e7b9e0 Display filtered number of issues instead of total in stats
This takes into account the filtered number of issues instead of
the total number. This number is more relevant to developers, as
the intention was to not take certain issues into account anyway.
2019-07-04 10:13:09 +10:00
Cosmin Cojocar
020479a832 Support multiple root paths when generating the Sonarqube report
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-24 14:35:11 +02:00
Cosmin Cojocar
46e55b908d Fix the file path in the Sonarqube report
Add some test to validate the Sonarqube formatter.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-24 14:10:51 +02:00
Sandor Szücs
9d9098fa97 print version string (#317)
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
2019-05-17 11:33:02 +02:00
Cosmin Cojocar
ee80733faf
Add a flag to filter issues by confidence (#316)
Refactor also how the issues are filtered by severity.

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-10 10:15:09 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which allows to scan also the tests files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Cosmin Cojocar
f1d49a6945 Remove unused code
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:54:59 +02:00
Cosmin Cojocar
e419eb8f4e Exclude correctly the vendor folder from the scanned packages
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
85eb8a52ab Scan the go packages path recursively starting from a root folder
This is replacing the gotool.ImportPaths which seems to have some troubles with Go modules.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
Cosmin Cojocar
ea16ff1f9e Remove GOPATH check to allow running gosec outside of GOPATH
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-27 14:02:43 -07:00
kencrawford
ddfe54d0a0 Add sonarqube output 2019-03-21 07:30:14 +10:00
JulesDT
c5e6c4aedd fix no-fail flag logic 2019-03-19 08:11:02 +10:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
JulesDT
04ce7baf6c add a no-fail flag 2019-01-28 09:38:18 +01:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
Cosmin Cojocar
de10a7456f Fix the help message 2018-07-30 09:45:29 +02:00
Cosmin Cojocar
4702cc5da7 Add a flag to specify the severity for which the scanning will be failed 2018-07-30 09:43:41 +02:00
Cosmin Cojocar
6919d97188 Add a flag to turn on scanning on vendor folder 2018-07-30 09:11:23 +02:00
Cosmin Cojocar
f5b44b0740
Merge pull request #221 from Quasilyte/quasilyte/dupSubExpr
fix duplicated index issue in Less method
2018-07-30 08:44:30 +02:00
Iskander Sharipov
3c8707c6c4 fix duplicated index issue in Less method
Found using https://go-critic.github.io/overview#dupSubExpr-ref
2018-07-28 23:18:12 +03:00
Iskander Sharipov
2f61fad317 replace len(x)<=0 with len(x)==0
length can't be negative.

Found using https://go-critic.github.io/overview#sloppyLen-ref
2018-07-28 23:16:16 +03:00
Cosmin Cojocar
4c6396b7d4 Derive the package from given files
Move some utility functions into the helper
2018-07-23 15:16:47 +02:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
cosmincojocar
7790709b81 Discard the logs messages if the quite flag is set (#200) 2018-04-16 19:41:40 +10:00
Grant Murphy
830cb81b29
Support package resolution and filepaths (#187)
* Support package resolution and filepaths

This change introduces the logic to resolve packages using gotool
and build packages from filepaths. It assumes that the packages
being scanned are located within the GOPATH.

If the GOPATH environment variable is not set the GOPATH is derived
as $HOME/go.

Relates to #184

* Fix build error

* Address unhandled error

* Fix formatting error

* Handle multiple paths on GOPATH
2018-04-16 15:46:39 +10:00
cosmincojocar
e809226800 Build improvments (#179)
* Add a semantic version to the usage text

* Add a comment to the version function

* Inject the version, git tag and build date as build variables

* Update README

* Fix lint warnings

* Update README

* Manage dependencies with dep tool instead of godep

* Add a Makefile for common build tasks

* Update the build file to use the make tool

* Update Dockerfile

* Add docker entry point in to make the passing of arguments easy

* Update README

* Add missing tools to the build

* Drop 1.7 support and add 1.10

* Fix Go 1.10 according with the travis guidelines

https://docs.travis-ci.com/user/languages/go/

* Update the tls-observatory package

* Fix lint warnings

* Change the output of the tests to be more verbose

* Check if the are build errors before executing the rule test
2018-03-13 08:57:10 +10:00
cosmincojocar
a0367559a7 Fix TLS config template (#191)
* Fix TLS config template

* Update the log message for unavailable ciphers
2018-03-12 18:17:32 +10:00
Grant Murphy
58a48c471c Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule 2018-03-09 10:54:34 +10:00
coredefend
e76b258456 New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)

* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions

* Add nil pointer check to rule. (#181)

TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174

* Add support for YAML output format (#177)

* Add YAML output format

* Update README

* added rule to check for tainted file path

* added #nosec to main/issue.go

* updated test case import
2018-03-09 09:23:27 +10:00
Jon McClintock
7bb6f004ae Merge branch 'master' of https://github.com/GoASTScanner/gas into nosec-specify-rule 2018-03-08 18:52:11 +00:00
cosmincojocar
1d9f816ca5 Add support for YAML output format (#177)
* Add YAML output format

* Update README
2018-03-05 22:20:24 +10:00
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
cosmincojocar
edb362fc9d Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions
2018-02-21 15:59:18 +10:00
Cosmin Cojocar
84bfbbfd8c Switch to sort Interface to be backward compatible with older go versions 2018-02-10 19:45:04 +01:00
Cosmin Cojocar
d4ebb032a9 Sort the issues by severity in descending order before creating the report 2018-02-08 12:12:22 +01:00
Cosmin Cojocar
c2c21553a3 Fix some gas warnings 2018-02-07 14:07:24 +01:00
Wong Her Laang
1346bd37ca Edited README and help text. 2018-01-27 12:19:38 +08:00
Grant Murphy
5361949a13 Sending log messages to multiple streams
Use the configured logger for all log messages.
2018-01-23 10:02:20 +10:00
Andrew S. Brown
22dc89384d Do a single build for all packages.
This is much faster because the loader can reuse packages.
2018-01-07 15:02:33 -08:00
Grant Murphy
4c49716f0e move utils to separate executable 2017-12-28 16:55:12 +10:00
Grant Murphy
25d74c6b20 address review comments 2017-12-14 10:04:22 +10:00
Grant Murphy
cfa432729c fix hound-ci errors 2017-12-13 17:39:00 +10:00
Grant Murphy
e3b6fd94c2 update readme to provide info regarding package level scans 2017-12-13 16:35:54 +10:00
Adrian Lanzafame
5a1133682a remove commited binary 2017-10-01 10:31:51 +10:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
026fe4c534 Simplify analyzer and command line interface
The analyzer now only handles packages rather than one off files. This
simplifies the CLI functionality significantly.
2017-05-09 21:26:53 -07:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00