Creating a new generic blacklist rule and removing the older
specific ones. This will need configuration integration when
we have some.
The new test is immune to import aliasing but not shadowing
A CLI option can now be given to tell GAS it should parse data
from a JSON file. Fatal errors are given if the file is not
readable or is not valid JSON.
There are some cases where the '.' character would also match any
character and could lead to incorrect results. For example the
regular expression - `^ioutils.WriteFile$' would match
ioutils.WriteFile, but also ioutils_WriteFile.
Additionally made sure that all regexp were declared using raw
strings to avoid any unnecesary string escaping that potentially
make the regexp difficult to read.
The logic around annotations (nosec) was broken, meaning they were
ignored by default and would not skip sub-blocks. This fixes the
problem and also adds a test to make sure it wont be broken in the
future. Closes#25
Check right-hand side expr for literals when looking for hard-coded
credentials. This is to avoid issuing warnings for cases where a
password, token, etc. is read from a file or a terminal.
This prevents the string concat tests flagging a false positive if
joining two literal strings (eg "SELECT * FROM " + " table" ... )
or with a constant (eg const tab = "name"; "SELECT * from " + tab)
The exclude flag was only using filepath.Match which isn't intuitive
compared with some other command line tools. Added a couple of
additional cases to handle relative paths.
Fixes issue #16
Go code running under CGI is vulnerable to httpoxy attack. See
https://httpoxy.org/ this checks for an import of net/http/cgi
that might indicate code may be run under CGI.
closes#1
