03f12f3f5d
Change naming rule from blacklist to blocklist
2020-06-29 13:45:44 +02:00
55d368f2e5
Improve the TLS version checking
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-25 09:21:14 +02:00
1d2c951f2c
Extend the rule G304 with os.OpenFile and add a test to cover it
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-17 13:14:08 +02:00
0c1a71b8a1
Add more tests samples to increase coverage
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
fe07fcf276
Fix unit test when checking a mix of good and bad random functions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-06-15 15:12:02 +02:00
30e93bf865
Improve the SQL strings concat rules to handle multiple string concatenation
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
68bce94323
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
In addition, this makes the pattern matching used by the rules case insensitive.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-05-27 10:16:56 +02:00
8630c43b66
Add null pointer check in G601
fixes: #475
2020-05-21 05:51:45 +02:00
ee3146e637
Rule which detects aliasing of values in RangeStmt
2020-04-24 07:46:25 -07:00
fb44007c6e
Enhance the hardcoded credentials rule to check the equality and non-equality of strings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-20 03:08:39 -07:00
c6e10af40f
Handle properly the gosec module version v2
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-04-06 09:06:23 -07:00
7da9f46445
Fix the call list info to handle selector expressions
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-16 09:44:57 +01:00
cf2590442c
Fix the subproc rule to handle correctly the CommandContext check
In this case, we need to skip the first argument because it is the context.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
f97f86103c
Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
Also add the corresponding tests for this.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-03-13 13:25:35 +01:00
7525fe4bb7
Rule for deferring methods which return errors (#441)
2020-03-01 21:45:37 +01:00
a305f10eb9
Fileperms (#442)
2020-02-28 12:48:18 +01:00
3e069e7756
Fix the errors rule whitelist to work on types methods
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-29 09:41:46 +01:00
459e2d3e91
Modify rule for integer overflow to have more accurate results (#434)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-21 10:13:11 +01:00
a4d7b3628b
Add G110 (Potential DoS vulnerability via decompression bomb)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-20 10:37:56 +01:00
3d5c97b418
Add a test sample for Cgo files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2020-01-16 09:06:23 +01:00
9cb83e10af
Add a rule which detects when there is potential integer overflow (#422)
* Add G109 (Potential Integer Overflow Detection)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Add CWE to G109 (Potential Integer Overflow)
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
* Modify G109 to use gosec.Context
Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>
2020-01-06 09:55:52 +01:00
50e1fe267d
Improve the SSRF rule to report an issue for package scoped variables
Also made the rule not report an issue when encountering a function-scoped
variable which terminates in a basic literal such as a string.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-10-08 11:56:58 +02:00
29341f6e9c
Fix the rule G108/pprof to handle the case when the pprof import has no name
This is causing a crash.
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 18:16:45 +10:00
b504783a71
Change unit tests to check for one thing (#381)
The unit tests should check for a single thing at a time.
This was not true for some of the tests.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-24 10:15:56 +02:00
9cee24cccd
Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
e7b3ae9c54
Clarify and add new unit tests for rule G107 (#376)
The existing unit tests for G107 didn't have any comments on why
certain code is problematic.
Other than that, we need more unit tests for rule G107 for the
different scenarios.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-17 12:22:43 +02:00
709ed1ba65
Change rule G204 to be less restrictive (#339)
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.
With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process, when the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environment variables
Closes: https://github.com/securego/gosec/issues/338
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
338b50debb
Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
81b6dc8872
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
f3445245a2
Fix the whitelist on G104 rule and add a test
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:15:11 +02:00
ed9934fa48
Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
04dc713f22
One approach for fixing the false positive identified in #325.
2019-06-13 08:22:48 +10:00
3e69a8c8a2
Append the package load errors to analyser's errors
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
9cdfec40ca
Change test
I thought that an example where the user inputs a URL is more realistic.
Because if your operating system is already hacked then you are already screwed.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-13 11:47:59 +01:00
f87af5fa72
Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define the global options in the configuration more explicitly
* Detect in audit mode the unhandled errors even though they are explicitly ignored
2019-01-14 21:37:40 +10:00
14ed63d558
Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
24e3094d2a
Extend the bind rule to handle the case when the net.Listen address is provided from a const
2018-12-04 09:22:06 +01:00
9b32fcac16
Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
2018-12-04 09:22:06 +01:00
2695567487
Build the code sample for string builder only from Go 1.10 onwards
2018-11-11 09:57:28 +01:00
ae82798b9c
Fix the WriteString test by handling the error
2018-11-11 09:57:28 +01:00
9b966a447e
add test case for strings.Builder G104 whitelist inclusion
2018-11-11 09:57:28 +01:00
41809946d4
Make G201 ignore CallExpr with no args (#262)
2018-11-05 09:28:47 +01:00
64d58c2e51
Refactor the test code sample to support multiple files per sample
2018-09-28 11:42:25 +03:00
d3f1980e7a
Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals
If node.Y resolves to a literal, it will not be considered as an issue.
* Fix typo in comment.
* Go through all files in package to resolve that identifier
* Refactor code and added comments.
* Changed checking to not var or func.
* Allow for supporting code for test cases.
* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
762ff3a709
Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls
* Factor out matching of formatter string
* Quoted strings are safe to use with SQL str formatted strings
* Add test for allowing quoted strings with string formatters
* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
145f1a0bf4
Removed wrapping feature (#238)
2018-09-04 18:08:37 +02:00
419c9292c8
G107 - SSRF (#236)
* Initial SSRF Rule
* Added Selector evaluation
* Added source code tests
* Fixed spacing issues
* Fixed Spacingv2
* Removed resty test
2018-09-04 08:55:03 +02:00
7fd94463ed
update to G304 which adds binary expressions and file joining (#233)
* Added features to G304
* Linted
* Added path selectors
* Used better solution
* removed debugging lines
* fixed comments
* Added test code
* fixed a spacing change
2018-08-28 14:34:07 +10:00
fb0dc73a96
Add sha1 to weak crypto primitives
2018-08-08 16:38:57 +02:00
1f9d09d456
remove extra bracket from test source
2018-07-26 09:27:39 -05:00