1
0
mirror of https://github.com/securego/gosec.git synced 2025-01-10 00:28:05 +02:00
Commit Graph

245 Commits

Author SHA1 Message Date
Grant Murphy
94ac200d79 Tests broken if logger is not initialized 2016-12-02 15:39:01 -08:00
Grant Murphy
1ba8b93565 Reduce logging messages a tad
Only need to log if we're skipping a file or if we're processing it.
Should also use the [gas] prefix to aid filtering.
2016-12-02 15:34:12 -08:00
Grant Murphy
465338b05b Merge pull request #101 from GoASTScanner/bugfix
Recreate fileset each time we process a file
2016-12-02 15:25:32 -08:00
Grant Murphy
191750f44c Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.

Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
b5308ff621 Merge pull request #98 from endophage/recursive
adding support for arbitrary paths with ellipses
2016-12-02 14:21:02 -08:00
Grant Murphy
365e9f6cbc Merge pull request #99 from mcpeak/fix-nosec
Fix nosec to work as documented
2016-12-02 14:06:55 -08:00
David Lawrence
1a481fad70 adding support for arbitrary paths with ... 2016-12-02 13:54:05 -08:00
Travis McPeak
942f40acf5 Fix nosec to work as documented
This commit fixes the nosec feature to check for '#nosec' instead
of 'nosec'.  This should help reduce false positives associated
with comments that have 'nosec' in them somewhere.
2016-12-02 15:45:59 -06:00
Grant Murphy
39113216a8 Merge pull request #97 from GoASTScanner/experimental
Address unhandled error conditions
2016-12-02 10:35:02 -08:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
8f78248b61 Merge pull request #92 from GoASTScanner/experimental
Resolve issues with error rules
2016-12-02 09:01:30 -08:00
Grant Murphy
e1e435cf33 Merge pull request #93 from GoASTScanner/bugfix
Remove ast.Print debug message from tryresolve
2016-12-01 09:27:52 -08:00
Grant Murphy
dcfd97c57d Remove ast.Print debug message from tryresolve 2016-12-01 09:24:58 -08:00
Grant Murphy
129be1561b Update error test case
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
5242a2c1df Extend helpers and call list
- Update call list to work directly with call expression
- Add call list test cases
- Extend helpers to add GetCallInfo to resolve call name and package or
  type if it's a var.
- Add test cases to ensure correct behaviour
2016-11-18 09:57:34 -08:00
Grant Murphy
d29c64800e Add match call by type 2016-11-17 20:18:31 -08:00
Grant Murphy
d30c5cde36 Merge pull request #91 from GoASTScanner/experimental
Update unsafe rule to match package explicitly
2016-11-15 14:00:59 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
b26f5cf3c6 Merge pull request #90 from GoASTScanner/experimental
Remove debug print messages
2016-11-15 12:40:07 -08:00
Grant Murphy
39b18a1539 Remove debug print messages 2016-11-15 12:36:02 -08:00
Grant Murphy
5b3192b656 Merge pull request #88 from GoASTScanner/experimental
Initialize fresh import info for each file
2016-11-15 12:01:53 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.

Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
6ef59ba3ae Merge pull request #86 from GoASTScanner/experimental
Handle inbalanced declaration of constants
2016-11-14 15:20:54 -08:00
Grant Murphy
c7bb2dd3b7 Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48 Handle inbalanced declaration of constants
The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
93016846d2 Merge pull request #83 from GoASTScanner/experimental
Adjust rule interface to allow interest in multiple ast node types
2016-11-13 13:08:58 -08:00
Grant Murphy
a3fcd96f57 Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls so will
work with global vars and constants.

Fixes #74
2016-11-13 12:57:59 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
c6587df4a5 Merge pull request #82 from GoASTScanner/experimental
Ensure os.OpenFile file permissions are checked
2016-11-12 18:03:20 -08:00
Grant Murphy
1d732b8ae3 Ensure os.OpenFile file permissions are checked
In addition configuration file may be used to set the permission level.

Closes #53
2016-11-12 17:57:20 -08:00
Grant Murphy
423a303712 Merge pull request #81 from GoASTScanner/experimental
Incorrect rule mapping in rulelist
2016-11-08 09:22:18 -08:00
Grant Murphy
97dcc72a8b Incorrect rule mapping in rulelist 2016-11-08 08:48:45 -08:00
Grant Murphy
7dd3032823 Merge pull request #76 from GoASTScanner/experimental
Fix alias logic
2016-11-07 20:13:48 -08:00
Grant Murphy
be96ef273d Fix alias logic 2016-11-07 20:10:30 -08:00
Grant Murphy
c833bfae02 Merge branch 'tam7t-rand-pkg-helper' 2016-11-07 20:04:40 -08:00
Grant Murphy
e0db3f404a Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper 2016-11-07 20:03:51 -08:00
Grant Murphy
9f54d257fe Merge pull request #75 from GoASTScanner/experimental
Track package imports and aliases
2016-11-07 19:40:26 -08:00
Grant Murphy
20f2a98ce8 Ensure initialization only imports are ignored
Blacklisted imports should not report failures when a module is imported
for side-effects only using the blank identifier.

Closes #59
2016-11-07 09:28:37 -08:00
Grant Murphy
7a275fd0ad MatchCallByPackage updated to avoid GetCallObject
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.

It is possible to ascertain the package that relates to an object 1.7.x
release but this does not work for earlier Go versions.

To work around this limitation we now track imports, and monitor if they
are aliased or initalization only imports.
2016-11-07 09:13:20 -08:00
Grant Murphy
d16326051f Merge pull request #71 from GoASTScanner/call_list
Add an experimental way to whitelist/blacklist calls
2016-11-06 17:35:50 -08:00
Grant Murphy
238d1e0692 Merge pull request #73 from GoASTScanner/tools
Add some more useful debugging tools
2016-11-06 17:35:08 -08:00
Grant Murphy
b02c0fa2fc Add imports dumper 2016-11-06 12:15:32 -08:00
Grant Murphy
2c9d8fc461 Skip files if they don't exist 2016-11-06 12:04:52 -08:00
Grant Murphy
d20506048f Update to dump specific context information
Added output printers for comments, types, defs, and uses maps.
2016-11-06 11:59:24 -08:00
Grant Murphy
d8bf436007 Merge pull request #72 from GoASTScanner/tools
Add tool to inspect call objects in file
2016-11-06 11:22:27 -08:00
Grant Murphy
14e6635ca6 Add tool to inspect call objects in file 2016-11-06 11:17:10 -08:00
Grant Murphy
0bc4d4808d Add an experimental way to whitelist calls
A call list is a way of grouping a number of packages and function calls
into a blacklist or whitelist. Could be useful to exclude certain
functions from results or looking for a specific set of functions.
2016-11-06 11:07:50 -08:00
Tommy Murphy
afb84ff20c
rand: use a MatchCallByPackage helper 2016-11-06 12:31:12 -05:00
Grant Murphy
8a473c7e4b Merge pull request #69 from GoASTScanner/helpers
Split out MatchCallByObject into two functions
2016-11-04 15:13:06 -07:00
Grant Murphy
0fef3ad40a Split out MatchCallByObject into two functions
Allows direct call to GetCallObject.
2016-11-04 14:39:22 -07:00