// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"flag"
"fmt"
"log"
"os"
"path/filepath"
"strings"
gas "github.com/HewlettPackard/gas/core"
"github.com/HewlettPackard/gas/output"
)
// #nosec flag
var flagNoSec = flag.Bool("nosec", false, "Ignores #nosec comments when set")
// format output
var flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, csv of text")
// output file
var flagOutput = flag.String("out", "", "Set output file for results")
var usageText = `
GAS - Go AST Scanner
Gas analyzes Go source code to look for common programming mistakes that
can lead to security problems.
USAGE:
# Check a single Go file
$ gas example.go
# Check all files under the current directory and save results in
# json format.
$ gas -fmt=json -out=results.json ./...
# Run a specific set of rules (by default all rules will be run):
$ gas -rule=sql -rule=sql ./...
`
func usage() {
fmt.Fprintln(os.Stderr, usageText)
fmt.Fprint(os.Stderr, "OPTIONS:\n\n")
flag.PrintDefaults()
}
func main() {
// Setup usage description
flag.Usage = usage
// Exclude files
var excluded filelist = []string{"*_test.go"}
flag.Var(&excluded, "exclude", "File pattern to exclude from scan")
// Rule configuration
rules := newRulelist()
flag.Var(&rules, "rule", "GAS rules enabled when performing a scan")
// Custom commands / utilities to run instead of default analyzer
tools := newUtils()
flag.Var(tools, "tool", "GAS utilities to assist with rule development")
// Parse command line arguments
flag.Parse()
// Setup logging
logger := log.New(os.Stderr, "[gas]", log.LstdFlags)
// Ensure at least one file was specified
if flag.NArg() == 0 {
fmt.Fprintf(os.Stderr, "\nerror: FILE [FILE...] or './...' expected\n")
flag.Usage()
os.Exit(1)
}
// Run utils instead of analysis
if len(tools.call) > 0 {
tools.run(flag.Args()...)
os.Exit(0)
}
// Setup analyzer
analyzer := gas.NewAnalyzer(*flagNoSec, logger)
if !rules.overwritten {
rules.useDefaults()
}
rules.apply(&analyzer)
// Traverse directory structure if './...'
if flag.NArg() == 1 && flag.Arg(0) == "./..." {
cwd, err := os.Getwd()
if err != nil {
logger.Fatalf("Unable to traverse path %s, reason - %s", flag.Arg(0), err)
}
filepath.Walk(cwd, func(path string, info os.FileInfo, err error) error {
if excluded.Contains(path) && info.IsDir() {
logger.Printf("Skipping %s\n", path)
return filepath.SkipDir
}
if !info.IsDir() && !excluded.Contains(path) &&
strings.HasSuffix(path, ".go") {
err = analyzer.Process(path)
if err != nil {
logger.Fatal(err)
}
}
return nil
})
} else {
// Process each file individually
for _, filename := range flag.Args() {
if finfo, err := os.Stat(filename); err == nil {
if !finfo.IsDir() && !excluded.Contains(filename) &&
strings.HasSuffix(filename, ".go") {
if err = analyzer.Process(filename); err != nil {
logger.Fatal(err)
}
}
} else {
logger.Fatal(err)
}
}
}
// Create output report
if *flagOutput != "" {
outfile, err := os.Create(*flagOutput)
if err != nil {
logger.Fatalf("Couldn't open: %s for writing. Reason - %s", *flagOutput, err)
}
defer outfile.Close()
output.CreateReport(outfile, *flagFormat, &analyzer)
} else {
output.CreateReport(os.Stdout, *flagFormat, &analyzer)
}
}