Golang security checker

Overview

gosec - Golang Security Checker

Inspects source code for security problems by scanning the Go AST.

License

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License here.

Install

CI Installation

# binary will be $(go env GOPATH)/bin/gosec
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z

# or install it into ./bin/
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

# In alpine linux (as it does not come with curl by default)
wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z

# If you want to verify the checksums provided on the "Releases" page,
# download the tar.gz archive for your operating system instead of the bare binary
wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz

# The archive lands in the current directory; verify it against the
# SHA-256 value published in the checksums file like this
# (sha256sum -c needs the two spaces between the hash and the file name)
echo "<checksum from the checksums file>  gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c -

gosec --help

GitHub Action

You can run gosec as a GitHub action as follows:

name: Run Gosec
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/[email protected]
      - name: Run Gosec Security Scanner
        uses: securego/[email protected]
        with:
          args: ./...

Integrating with code scanning

You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files.

The workflow shows an example of running the gosec as a step in a GitHub action workflow which outputs the results.sarif file. The workflow then uploads the results.sarif file to GitHub using the upload-sarif action.

name: "Security Scan"

# Run the workflow each time code is pushed to your repository and on a schedule.
# The scheduled run happens every Sunday at 00:00 UTC.
on:
  push:
  schedule:
  - cron: '0 0 * * 0'

jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/[email protected]
      - name: Run Gosec Security Scanner
        uses: securego/[email protected]
        with:
          # we let the report content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: Upload SARIF file
        uses: github/codeql-action/[email protected]
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

Local Installation

go get github.com/securego/gosec/v2/cmd/gosec

Usage

Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply ./... as the input argument.

Available rules

  • G101: Look for hard coded credentials
  • G102: Bind to all interfaces
  • G103: Audit the use of unsafe block
  • G104: Audit errors not checked
  • G106: Audit the use of ssh.InsecureIgnoreHostKey
  • G107: Url provided to HTTP request as taint input
  • G108: Profiling endpoint automatically exposed on /debug/pprof
  • G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
  • G110: Potential DoS vulnerability via decompression bomb
  • G201: SQL query construction using format string
  • G202: SQL query construction using string concatenation
  • G203: Use of unescaped data in HTML templates
  • G204: Audit use of command execution
  • G301: Poor file permissions used when creating a directory
  • G302: Poor file permissions used with chmod
  • G303: Creating tempfile using a predictable path
  • G304: File path provided as taint input
  • G305: File traversal when extracting zip/tar archive
  • G306: Poor file permissions used when writing to a new file
  • G307: Deferring a method which returns an error
  • G401: Detect the usage of DES, RC4, MD5 or SHA1
  • G402: Look for bad TLS connection settings
  • G403: Ensure minimum RSA key length of 2048 bits
  • G404: Insecure random number source (rand)
  • G501: Import blocklist: crypto/md5
  • G502: Import blocklist: crypto/des
  • G503: Import blocklist: crypto/rc4
  • G504: Import blocklist: net/http/cgi
  • G505: Import blocklist: crypto/sha1
  • G601: Implicit memory aliasing of items from a range statement
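
As an added example (not code from the gosec project or its README), the program below puts the weak pattern next to its hardened counterpart for a handful of the rules above: G401/G501 (MD5), G404 (math/rand), G304 (file path taint) and G402 (TLS settings). Running gosec on a package containing it should report G401, G501, G404 and G402 on the weak halves, and typically also G304 on readUnderBase, because that rule only sees a non-constant argument and cannot tell validated input from raw input. The base directory /srv/data, the helper names and the input bytes are constructed for the demo.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"

	insecurerand "math/rand"
)

// weakHash is the kind of call G401 reports (and the crypto/md5 import is
// what G501 reports): MD5 is broken for anything collision-sensitive.
func weakHash(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// strongHash is the drop-in replacement gosec does not complain about.
func strongHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// insecureToken is what G404 reports: math/rand output is predictable, so it
// must never be used for session IDs, nonces or keys.
func insecureToken(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(insecurerand.Intn(256))
	}
	return hex.EncodeToString(b)
}

// secureToken reads from the operating system CSPRNG via crypto/rand.
func secureToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// safeJoin confines a caller-supplied path to base: the joined path must not
// resolve outside base. This is the validation a reviewer should expect to
// see before any "#nosec G304" is accepted on the read below.
func safeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, userPath)
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return full, nil
}

// readUnderBase is where G304 would be reported in a real scan.
func readUnderBase(base, userPath string) ([]byte, error) {
	full, err := safeJoin(base, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(full)
}

// insecureTLSConfig is what G402 reports: certificate verification is off and
// no MinVersion is set, so a downgrade to an old protocol version is accepted.
func insecureTLSConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedTLSConfig pins an explicit floor; gosec accepts TLS 1.2 or higher.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	msg := []byte("abc") // constructed input
	fmt.Println("md5   :", weakHash(msg))
	fmt.Println("sha256:", strongHash(msg))
	fmt.Println("math/rand token  :", insecureToken(8))
	if tok, err := secureToken(8); err == nil {
		fmt.Println("crypto/rand token:", tok)
	}
	for _, p := range []string{"reports/q1.txt", "../../etc/passwd"} {
		full, err := safeJoin("/srv/data", p)
		fmt.Printf("%-18s -> %q err=%v\n", p, full, err)
	}
	fmt.Println("insecure MinVersion:", insecureTLSConfig().MinVersion,
		"hardened MinVersion:", hardenedTLSConfig().MinVersion)
}
```

To see only the rules this file exercises, run it through gosec -include=G304,G401,G402,G404,G501 . from the package directory; the findings point at the weak functions, and the hardened ones are the shape to copy.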

Retired rules

Selecting rules

By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the -include= flag, or to specify a set of rules to explicitly exclude using the -exclude= flag.

# Run a specific set of rules
$ gosec -include=G101,G203,G401 ./...

# Run everything except for rule G303
$ gosec -exclude=G303 ./...

CWE Mapping

Every issue detected by gosec is mapped to a CWE (Common Weakness Enumeration) which describes in more generic terms the vulnerability. The exact mapping can be found here.

Configuration

A number of global settings can be provided in a configuration file as follows:

{
    "global": {
        "nosec": "enabled",
        "audit": "enabled"
    }
}
  • nosec: this setting overrides all #nosec directives defined throughout the code base, i.e. the annotated findings are reported anyway (same effect as the -nosec flag)
  • audit: runs in audit mode, which enables additional checks that might be too noisy for normal code analysis

# Run with a global configuration file
$ gosec -conf config.json .

Some rules also accept configuration. For instance, rule G104 lets you list packages along with the functions whose unchecked errors should be skipped when auditing:

{
    "G104": {
        "io/ioutil": ["WriteFile"]
    }
}

You can also configure the hard-coded credentials rule G101 with an additional pattern, or adjust the entropy thresholds:

{
    "G101": {
        "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
         "ignore_entropy": false,
         "entropy_threshold": "80.0",
         "per_char_threshold": "3.0",
         "truncate": "32"
    }
}

Dependencies

gosec automatically fetches the dependencies of the code being analyzed when Go modules are turned on (e.g. GO111MODULE=on). If this is not the case, the dependencies need to be downloaded explicitly by running go get -d before the scan.

Excluding test files and folders

gosec will ignore test files across all packages and any dependencies in your vendor directory.

The scanning of test files can be enabled with the following flag:

gosec -tests ./...

Also additional folders can be excluded as follows:

gosec -exclude-dir=rules -exclude-dir=cmd ./...

Annotating code

As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe, it is possible to annotate the code with a #nosec comment.

The annotation causes gosec to stop processing any further nodes within the AST, so it can apply to a whole block or, more granularly, to a single expression.

package main

import (
    "crypto/md5" // #nosec
    "fmt"
)

func main() {
    x, y := 2, 1

    /* #nosec */
    if x > y {
        h := md5.New() // this will also be ignored
        fmt.Printf("%x\n", h.Sum(nil))
    }
}

When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, list the rule(s) to be suppressed within the #nosec annotation, e.g. /* #nosec G401 */ or // #nosec G201 G202 G203.

In some cases you may also want to revisit places where #nosec annotations have been used. To run the scanner and ignore any #nosec annotations you can do the following:

gosec -nosec=true ./...

Build tags

gosec is able to pass your Go build tags to the analyzer. They can be provided as a comma separated list as follows:

gosec -tag debug,ignore ./...

Output formats

gosec currently supports text, json, yaml, csv, sonarqube, JUnit XML, html and golint output formats. By default results will be reported to stdout, but can also be written to an output file. The output format is controlled by the -fmt flag, and the output file is controlled by the -out flag as follows:

# Write output in json format to results.json
$ gosec -fmt=json -out=results.json *.go

Note: gosec generates the generic issue import format for SonarQube, and a report has to be imported into SonarQube using sonar.externalIssuesReportPaths=path/to/gosec-report.json.
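
gosec's exit status fails the job whenever it reports issues (the SARIF workflow above passes -no-fail for exactly that reason), so teams often want a narrower CI gate: fail only at or above a chosen severity, and skip rules that have already been reviewed. The program below is an added example, not part of gosec; it reads a -fmt=json report and applies such a gate. The key names it decodes ("Issues", "severity", "rule_id", "file", "line") are an assumption about the JSON layout of the installed gosec version, so check one real report before relying on them, and the embedded report is constructed, not real scanner output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// gosecReport mirrors the part of gosec's -fmt=json output this gate needs.
// The key names are an assumption about the installed gosec version.
type gosecReport struct {
	Issues []gosecIssue `json:"Issues"`
}

type gosecIssue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
}

// severityRank orders LOW/MEDIUM/HIGH so a threshold can be applied;
// anything else ranks below LOW and never trips the gate on its own.
func severityRank(s string) int {
	switch strings.ToUpper(s) {
	case "HIGH":
		return 3
	case "MEDIUM":
		return 2
	case "LOW":
		return 1
	}
	return 0
}

// gate returns the issues that should fail the build: those at or above
// minSeverity whose rule ID is not in the reviewed allowlist.
func gate(report []byte, minSeverity string, allow map[string]bool) ([]gosecIssue, error) {
	var r gosecReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse gosec report: %w", err)
	}
	var failing []gosecIssue
	for _, is := range r.Issues {
		if allow[is.RuleID] {
			continue
		}
		if severityRank(is.Severity) >= severityRank(minSeverity) {
			failing = append(failing, is)
		}
	}
	return failing, nil
}

// sampleReport is a constructed report in the shape described above.
const sampleReport = `{
  "Issues": [
    {"severity": "HIGH", "confidence": "LOW", "rule_id": "G101", "details": "Potential hardcoded credentials", "file": "cmd/app/main.go", "line": "12"},
    {"severity": "MEDIUM", "confidence": "HIGH", "rule_id": "G304", "details": "Potential file inclusion via variable", "file": "internal/store/file.go", "line": "40"},
    {"severity": "LOW", "confidence": "HIGH", "rule_id": "G104", "details": "Errors unhandled.", "file": "internal/store/file.go", "line": "55"}
  ]
}`

func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 { // pass the path of a real results.json to gate that instead
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	// Fail on MEDIUM and above, except G304 which has been reviewed.
	failing, err := gate(data, "MEDIUM", map[string]bool{"G304": true})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, is := range failing {
		fmt.Printf("%s:%s %s (%s) %s\n", is.File, is.Line, is.RuleID, is.Severity, is.Details)
	}
	if len(failing) > 0 {
		os.Exit(1)
	}
}
```

Wire it in after a scan such as gosec -no-fail -fmt=json -out=results.json ./... and run it with results.json as the argument; exit code 1 means the gate tripped, 2 means the report could not be read. Keep the allowlist short and reviewed: a rule that lands there silently stops being scanned for.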

Development

Build

You can build the binary with:

make

Tests

You can run all unit tests using:

make test

Release

You can create a release by tagging the version as follows:

git tag v1.0.0 -m "Release version v1.0.0"
git push origin v1.0.0

The GitHub release workflow triggers immediately after the tag is pushed upstream. It releases the binaries using the goreleaser action and then builds and publishes the Docker image to Docker Hub.

Docker image

You can also build locally the docker image by using the command:

make image

You can run the gosec tool in a container against your local Go project. You only have to mount the project into a volume as follows:

docker run --rm -it -w /<PROJECT>/ -v <YOUR PROJECT PATH>/<PROJECT>:/<PROJECT> securego/gosec /<PROJECT>/...

Note: the current working directory must be set with the -w option so that the dependencies are resolved from the go module file.

Generate TLS rule

The configuration of the TLS rule can be generated from Mozilla's TLS cipher recommendations.

First you need to install the generator tool:

go get github.com/securego/gosec/v2/cmd/tlsconfig/...

You can now run go generate in the root of the project:

go generate ./...

This generates the rules/tls_config.go file, which contains the current cipher recommendations from Mozilla.

Who is using gosec?

This is a list of some of gosec's users.

Issues
  • Want to have a base directory concept where I can choose my root directory

    Summary

    Want to have a base directory concept where I can choose my root directory

    Steps to reproduce the behavior

    gosec version

    go 1.13 and above

    Go version (output of 'go version')

    Operating system / Environment

    Expected behavior

    Actual behavior

    opened by soham308 21
  • gosec sonarqube format reports a wrong path for .go files when located in inner folders

    Summary

    gosec sonarqube format reports a wrong path for .go files when located in inner folders

    Steps to reproduce the behavior

    Running gosec -fmt=sonarqube -out gosec-report.json ./... within a cloned repo containing a helloWorld.go file in a GoProjects folder

    helloworld.go file content is:

    package main
    import "fmt"
    func main() {
            var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
            _ = password // keep the variable referenced so the file compiles; gosec still flags the literal
            fmt.Printf("hello, world\n")
    }
    

    Here is the std output:

    [gosec] 2019/05/07 09:53:46 Including rules: default
    [gosec] 2019/05/07 09:53:46 Excluding rules: default
    [gosec] 2019/05/07 09:53:46 Import directory: /home/travis/gopath/src/github.ibm.com/andrea-tortosa/CICDBeta/GoProjects
    [gosec] 2019/05/07 09:53:47 Checking package: main
    [gosec] 2019/05/07 09:53:47 Checking file: /home/travis/gopath/src/github.ibm.com/andrea-tortosa/CICDBeta/GoProjects/helloWorld.go
    

    and the output file:

    {
    	"issues": [
    		{
    			"engineId": "gosec",
    			"ruleId": "G101",
    			"primaryLocation": {
    				"message": "Potential hardcoded credentials",
    				"filePath": "/home/travis/gopath/src/github.ibm.com/andrea-tortosa/CICDBeta/helloWorld.go",
    				"textRange": {
    					"startLine": 6,
    					"endLine": 6
    				}
    			},
    			"type": "VULNERABILITY",
    			"severity": "BLOCKER",
    			"effortMinutes": 5
    		}
    	]
    }
    

    As you can see the output file does not include the GoProjects folder and as a consequence of this sonarqube does not upload this result on the server. Everything works fine if the same file is located directly in the root repo.

    gosec version

    Installed a few minutes ago through go get github.com/securego/gosec/cmd/gosec/... and latest release in github.com is 2.0.0

    Go version (output of 'go version')

    1.12.3

    Operating system / Environment

    Operating System Details Distributor ID: Ubuntu Description: Ubuntu 16.04.6 LTS Release: 16.04 Codename: xenial

    Expected behavior

    FilePath in output file includes the GoProjects folder

    Actual behavior

    FilePath in output file DOES NOT include the GoProjects folder

    bug help wanted 
    opened by andrea-tortosa 17
  • SIGSEGV: segmentation violation

    When using gas to scan golang.org/x/crypto/acme/autocert/autocert.go, I get the following segmentation violation:

    [gas] 2018/02/13 16:08:38 Checking package: autocert
    [gas] 2018/02/13 16:08:38 Checking file: /Users/browne/workspace/go/src/golang.org/x/crypto/acme/autocert/autocert.go
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x126a7ec]
    goroutine 1 [running]:
    github.com/GoASTScanner/gas/rules.(*insecureConfigTLS).Match(0xc42007d920, 0x1474fc0, 0xc420239ec0, 0xc420054400, 0x1, 0xdc0000c420c2cb48, 0xc42017a928)
    	/Users/browne/go/src/github.com/GoASTScanner/gas/rules/tls.go:109 +0x7c
    github.com/GoASTScanner/gas.(*Analyzer).Visit(0xc4200841e0, 0x1474fc0, 0xc420239ec0, 0x2, 0x14e2fe0)
    	/Users/browne/go/src/github.com/GoASTScanner/gas/analyzer.go:171 +0x1c5
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1474fc0, 0xc420239ec0)
    	/usr/local/go/src/go/ast/walk.go:52 +0x66
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1475940, 0xc420240e80)
    	/usr/local/go/src/go/ast/walk.go:143 +0x15df
    go/ast.walkExprList(0x1473980, 0xc4200841e0, 0xc4205a7e70, 0x1, 0x1)
    	/usr/local/go/src/go/ast/walk.go:26 +0x81
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1474c40, 0xc420239f00)
    	/usr/local/go/src/go/ast/walk.go:207 +0x211f
    go/ast.walkStmtList(0x1473980, 0xc4200841e0, 0xc420244000, 0x3, 0x4)
    	/usr/local/go/src/go/ast/walk.go:32 +0x81
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1474e80, 0xc420244040)
    	/usr/local/go/src/go/ast/walk.go:238 +0x1e95
    go/ast.walkStmtList(0x1473980, 0xc4200841e0, 0xc420244100, 0x3, 0x4)
    	/usr/local/go/src/go/ast/walk.go:32 +0x81
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1474dc0, 0xc42023b350)
    	/usr/local/go/src/go/ast/walk.go:224 +0x1b71
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1475900, 0xc42023b380)
    	/usr/local/go/src/go/ast/walk.go:254 +0x1212
    go/ast.walkStmtList(0x1473980, 0xc4200841e0, 0xc4205bc780, 0x5, 0x8)
    	/usr/local/go/src/go/ast/walk.go:32 +0x81
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1474dc0, 0xc42023b560)
    	/usr/local/go/src/go/ast/walk.go:224 +0x1b71
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x1475240, 0xc42023b590)
    	/usr/local/go/src/go/ast/walk.go:344 +0xd83
    go/ast.walkDeclList(0x1473980, 0xc4200841e0, 0xc42046d400, 0x2b, 0x40)
    	/usr/local/go/src/go/ast/walk.go:38 +0x81
    go/ast.Walk(0x1473980, 0xc4200841e0, 0x14751c0, 0xc4205bcf80)
    	/usr/local/go/src/go/ast/walk.go:353 +0x266f
    github.com/GoASTScanner/gas.(*Analyzer).Process(0xc4200841e0, 0xc42004a8d0, 0x1, 0x1, 0x1, 0xc42004a8d0)
    	/Users/browne/go/src/github.com/GoASTScanner/gas/analyzer.go:141 +0x57d
    main.main()
    	/Users/browne/go/src/github.com/GoASTScanner/gas/cmd/gas/main.go:224 +0x459
    

    To reproduce:

    go get golang.org/x/crypto/ssh
    cd /Users/browne/workspace/go/src/golang.org
    gas x/crypto/acme/autocert/
    
    opened by ericwb 15
  • Add G307 sample code.

    fixes https://github.com/securego/gosec/issues/657

    The sample should reflect a deferred close that leads to data loss. Due to IDE auto-complete people tend to at least log errors, but not really care about handling.

    To my point of view this could be fixed by seeing a deferred f.Close(), without a corresponding f.Sync(), generally as a bad pattern.

    opened by elgohr 13
  • Path-based package wildcards don't work

    With the recent refactor, path-based package wildcards don't work. Using a wildcard in the current directory works:

    (env) [email protected]:~/go/src/github.com/GoASTScanner/gas$ gas ./... 2>&1 | head
    [gas] 2018/03/07 19:47:46 including rules: default
    [gas] 2018/03/07 19:47:46 excluding rules: default
    [gas] 2018/03/07 19:47:46 Searching directory: /home/jonm/go/src/github.com/GoASTScanner/gas
    [gas] 2018/03/07 19:47:46 Searching directory: /home/jonm/go/src/github.com/GoASTScanner/gas/cmd/gas
    [gas] 2018/03/07 19:47:46 Searching directory: /home/jonm/go/src/github.com/GoASTScanner/gas/cmd/gasutil
    [gas] 2018/03/07 19:47:46 Searching directory: /home/jonm/go/src/github.com/GoASTScanner/gas/cmd/tlsconfig
    [gas] 2018/03/07 19:47:46 Searching directory: /home/jonm/go/src/github.com/GoASTScanner/gas/output
    

    But using a real path doesn't:

    [gas] 2018/03/07 19:48:29 including rules: default
    [gas] 2018/03/07 19:48:29 excluding rules: default
    warning: "/home/jonm/go/src/github.com/GoASTScanner/gas/..." matched no packages
    [gas] 2018/03/07 19:48:29 no initial packages were loaded
    
    opened by jonmcclintock 12
  • could not import io/fs (invalid package name: "")

    Summary

    Steps to reproduce the behavior

    import "io/fs"
    

    and use filepath.WalkDir

    gosec version

    I assume 2.6.1 as I use snap. Unclear, as there is no version subcommand included in the tool.

    Go version (output of 'go version')

    go version go1.16 linux/amd64
    

    Operating system / Environment

    ubuntu 18.04

    Expected behavior

    no errors

    Actual behavior

      > [line 5 : column 2] - could not import io/fs (invalid package name: "")
    
      > [line 42 : column 22] - WalkDir not declared by package filepath
    
    go1.16 
    opened by 030 11
  • Add support for #excluding specific rules

    Create the ability to exclude specific rules, rather than all of them (with "#nosec"). Works like:

                cmd := exec.Command("sh", "-c", os.Getenv("FOO")) // #exclude !G001
    

    You can specify an arbitrary number of exclusions, and they have the same scoping semantics as "#nosec". You can also add comments to explain your exclusions:

                cmd := exec.Command("sh", "-c", os.Getenv("FOO")) // #exclude !G001: Doesn't apply here
    
    opened by jonmcclintock 11
  • gosec does not check `tls.Config.MinVersion` field during structure definition when the given value is a variable containing validated value

    Summary

    When I'm coding a small library package for HTTP server using TLS, gosec from golangci-lint keeps reporting:

    internal/netserver/Server.go:47:10: G402: TLS MinVersion too low. (gosec)
    

    while I have a strict checking before use where I only allow TLS 1.2 and TLS 1.3 to pass-through and anything else is set to TLS1.3.

    switch s.TLSMinVersion {
    case tls.VersionTLS12:
    case tls.VersionTLS13:
    default:
            s.TLSMinVersion = tls.VersionTLS13
    }
    

    Here is the screenshot of the start server function (with report): screenshot-2020-09-24-19-09-56

    My biggest concern is, am I doing things right? This is my first time bumping into what looks like a severe security problem.

    Steps to reproduce the behavior

    Try create a function referencing:

    1. https://gist.github.com/denji/12b3a568f092ab951456
    2. https://blog.cloudflare.com/exposing-go-on-the-internet/

    Then, use the golangci-lint to scan it.

    gosec version

    golangci-lint has version 1.31.0 built from 3d6d0e7 on 2020-09-07T15:14:41Z

    Go version (output of 'go version')

    go version go1.15.2 linux/amd64

    Operating system / Environment

    Debian Buster (10) Stable

    Expected behavior

    Expect to be safe and sound with gosec inspection.

    Actual behavior

    Keeps hitting G402 even the default value is changed to tls.VersionTLS12.

    bug 
    opened by hollowaykeanho 11
  • Map gosec rules to CWEs

    Summary

    This is more of a feature request than an actual issue.

    At the moment, gosec scans and reports security issues based on the rules listed here.

    However, in order to use a more standard way of reporting vulnerabilities, it would be great to link these rules to CWEs. I would be happy to work on a patch. I am just wondering whether you think that adding this information would be useful.

    I was thinking about adding the CWE mapping information right into the RuleList in this function

    Kindly let me know your opinion.

    enhancement help wanted 
    opened by julianthome 10
  • Parsing error in windows

    Summary

    gosec does not work in windows.

    Steps to reproduce the behavior

    gosec F:/data/...

    • in linux, it works.
    • but in windows, it fails:

    Including rules: default
    [gosec] 2019/06/13 11:34:09 Excluding rules: default
    [gosec] 2019/06/13 11:34:09 Import directory: F:\data\src\back_media
    [gosec] 2019/06/13 11:35:17 Checking package: main
    [gosec] 2019/06/13 11:35:17 Checking file: F:\data\src\back_media\back_media.go
    [gosec] 2019/06/13 11:35:17 Checking file: F:\data\src\back_media\main.go
    [gosec] 2019/06/13 11:35:17 Import directory: F:\data\src\cdnutil
    [gosec] 2019/06/13 11:35:23 parsing errors in pkg "cdnutil": parsing line: strconv.Atoi: parsing "\\data\\src\\cdnutil\\ref_api.go": invalid syntax
    

    gosec version

    2.0.0

    Go version (output of 'go version')

    1.12.6

    Operating system / Environment

    windows 7
    set GOARCH=amd64
    set GOBIN=
    set GOCACHE=C:\Users\xxx\AppData\Local\go-build
    set GOEXE=.exe
    set GOFLAGS=
    set GOHOSTARCH=amd64
    set GOHOSTOS=windows
    set GOOS=windows
    set GOPATH=F:\tools\go-1.12.6\go
    set GOPROXY=
    set GORACE=
    set GOROOT=F:\tools\go-1.12.6
    set GOTMPDIR=
    set GOTOOLDIR=F:\tools\go-1.12.6\pkg\tool\windows_amd64
    set GCCGO=gccgo
    set CC=gcc
    set CXX=g++
    set CGO_ENABLED=1
    set GOMOD=
    set CGO_CFLAGS=-g -O2
    set CGO_CPPFLAGS=
    set CGO_CXXFLAGS=-g -O2
    set CGO_FFLAGS=-g -O2
    set CGO_LDFLAGS=-g -O2
    set PKG_CONFIG=pkg-config
    set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessag
    e-length=0 -fdebug-prefix-map=C:\Users\codedog\AppData\Local\Temp\go-build106690
    454=/tmp/go-build -gno-record-gcc-switches
    

    Expected behavior

    output result.

    Actual behavior

    parsing errors in pkg "cdnutil"

    opened by cyw3 10
  • Use a better naming for the variable

    This PR uses value to replace severity in convertToScore since both severity and confidence will use this function.

    opened by rleungx 0
  • G307: gosec starts detecting G307 (CWE-703) even with proposed way to safely handle errors

    Summary

    gosec v2.9.1 starts detecting G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM) which could have been avoided by following https://github.com/securego/gosec/issues/512 with previous version of gosec.

    Steps to reproduce the behavior

    package main
    
    import (
            "log"
            "os"
    )
    
    func main() {
            f, err := os.Open("./testfile.txt")
            if err != nil {
                    log.Fatal(err)
                    return
            }
            defer func() {
                    if err := f.Close(); err != nil {
                            log.Fatal("failed to close file")
                    }
            }()
            log.Println("success")
            return
    }
    
    (~/work/achiku/gosec-issue)
    ❯❯❯ ll
    total 8
    -rw-r--r--  1 chiku  staff  268 10 18 11:32 main.go
    -rw-r--r--  1 chiku  staff    0 10 18 11:31 testfile.txt
    (~/work/achiku/gosec-issue)
    ❯❯❯ go run main.go
    2021/10/18 11:32:22 success
    (~/work/achiku/gosec-issue)
    ❯❯❯ gosec .
    [gosec] 2021/10/18 11:32:27 Including rules: default
    [gosec] 2021/10/18 11:32:27 Excluding rules: default
    [gosec] 2021/10/18 11:32:27 Import directory: /Users/chiku/work/achiku/gosec-issue
    [gosec] 2021/10/18 11:32:28 Checking package: main
    [gosec] 2021/10/18 11:32:28 Checking file: /Users/chiku/work/achiku/gosec-issue/main.go
    Results:
    
    
    [/Users/chiku/work/achiku/gosec-issue/main.go:14-18] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
        13:         }
      > 14:         defer func() {
      > 15:                 if err := f.Close(); err != nil {
      > 16:                         log.Fatal("failed to close file")
      > 17:                 }
      > 18:         }()
        19:         log.Println("success")
    
    
    
    Summary:
      Gosec  : 2.9.1
      Files  : 1
      Lines  : 21
      Nosec  : 0
      Issues : 1
    
    

    with v2.8.1

    (~/work/achiku/gosec-issue)
    ❯❯❯ curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin v2.8.1
    securego/gosec info checking GitHub for tag 'v2.8.1'
    securego/gosec info found version: 2.8.1 for v2.8.1/darwin/amd64
    securego/gosec info installed /Users/chiku/sdk/go1.16.7/bin/gosec
    (~/work/achiku/gosec-issue)
    ❯❯❯ gosec .
    [gosec] 2021/10/18 11:32:43 Including rules: default
    [gosec] 2021/10/18 11:32:43 Excluding rules: default
    [gosec] 2021/10/18 11:32:43 Import directory: /Users/chiku/work/achiku/gosec-issue
    [gosec] 2021/10/18 11:32:44 Checking package: main
    [gosec] 2021/10/18 11:32:44 Checking file: /Users/chiku/work/achiku/gosec-issue/main.go
    Results:
    
    
    Summary:
      Gosec  : 2.8.1
      Files  : 1
      Lines  : 21
      Nosec  : 0
      Issues : 0
    

    gosec version

    • v2.9.1
    • https://github.com/securego/gosec/releases/tag/v2.9.1

    Go version (output of 'go version')

    ❯❯❯ go version
    go version go1.16.7 darwin/amd64
    

    Operating system / Environment

    ❯❯❯ uname -a
    Darwin FVFZR19DLYWP 20.5.0 Darwin Kernel Version 20.5.0: Sat May  8 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64 x86_64
    

    Expected behavior

    No errors, or solve this error.

    Actual behavior

    gosec detects G307 (CWE-703).

    opened by achiku 0
  • False negative for SQL injection when using DB.QueryRow.Scan()

    Summary

    If the call to Row.Scan() is in the same expression as DB.QueryRow() SQL injection vulnerability is not detected.

    Steps to reproduce the behavior

    Works (G201 reported):

    var name string
    query := fmt.Sprintf(`
    	SELECT
    		name
    	FROM
    		users
    	WHERE user_id = '%s' LIMIT 1`, "abcd")
    row := db.QueryRow(query)
    err := row.Scan(&name)
    

    Does not work (nothing reported):

    var name string
    query := fmt.Sprintf(`
    	SELECT
    		name
    	FROM
    		users
    	WHERE user_id = '%s' LIMIT 1`, "abcd")
    err := db.QueryRow(query).Scan(&name)
    

    gosec version

    v2.9.0

    Go version (output of 'go version')

    go version go1.17.1 linux/amd64

    Operating system / Environment

    Ubuntu 20.04 64-bit / golang:1.17 Docker image

    Expected behavior

    G201 is detected

    Actual behavior

    G201 is not detected

    bug 
    opened by ilaripih 0
  • False negatives for SQL injection in multi-line queries

    Summary

    SQL injection vulnerabilities in multi-line queries are not detected if the WHERE clause and the vulnerable condition are on different lines. If they're on the same line, the vulnerability is spotted correctly.

    Steps to reproduce the behavior

    Here G201 is not detected:

    query := fmt.Sprintf(`
    	SELECT
    		name
    	FROM
    		users
    	WHERE
    		user_id = '%s' LIMIT 1`, "abcd")
    

    But when I put the condition on the same line as the WHERE clause, G201 is correctly detected:

    query := fmt.Sprintf(`
    	SELECT
    		name
    	FROM
    		users
    	WHERE user_id = '%s' LIMIT 1`, "abcd")
    

    gosec version

    v2.9.0

    Go version (output of 'go version')

    go version go1.17.1 linux/amd64

    Operating system / Environment

    Ubuntu 20.04 64-bit / golang:1.17 Docker image

    Expected behavior

    G201 is detected

    Actual behavior

    G201 is not detected

    bug 
    opened by ilaripih 0
  • Exclude rules in config file

    Summary

    How can I set the exclude/include in the config.json?

    Steps to reproduce the behavior

    I created a file gosec.config.json with:

    {
        "exclude": "G104"
    }
    

    I'm running gosec -conf gosec.config.json ./..., but the error G104 still exists.

    gosec version

    Version: dev
    Git tag: 
    Build date:
    

    Go version (output of 'go version')

    go version go1.17.1 linux/amd64

    Operating system / Environment

    Inside a VSCode dev-container:

    No LSB modules are available.
    Distributor ID: Debian
    Description:    Debian GNU/Linux 11 (bullseye)
    Release:        11
    Codename:       bullseye
    

    Expected behavior

    All the available configs should be able to configure from CLI and from the config file.

    Actual behavior

    gosec does not accept the exclude config from the config file.

    Related: #505

    enhancement help wanted 
    opened by baruchiro 0
  • Renovate(bot) : dependency dashboard

    This issue provides visibility into Renovate updates and their statuses. Learn more

    Awaiting Schedule

    These updates are awaiting their schedule. Click on a checkbox to get an update now.

    • [ ] chore(deps): update module github.com/onsi/ginkgo to v1.16.5

    • [ ] Check this box to trigger a request for Renovate to run again on this repository
    opened by renovate[bot] 0
  • Proposal: New branch to enable FIPS 140-2 spec in weak crypto

    Would adding the list of disallowed ciphers as a new branch be helpful? It seems many enterprise users will be able to run static scans to start off their efforts in FIPS compliance goals.

    enhancement 
    opened by push7joshi 2
  • Dependency Dashboard

    Dependency Dashboard

    This issue provides visibility into Renovate updates and their statuses. Learn more

    Awaiting Schedule

    These updates are awaiting their schedule. Click on a checkbox to get an update now.

    • [ ] chore(deps): update all dependencies (golang.org/x/crypto, golang.org/x/tools)

    • [ ] Check this box to trigger a request for Renovate to run again on this repository
    opened by renovate[bot] 8
  • invalid package name

    invalid package name "" when importing tview

    Summary

    When running gosec against a package on alpine/edge (but not on Fedora 34) I get the error:

      > [line 26 : column 2] - could not import github.com/rivo/tview (invalid package name: "")
    

    Steps to reproduce the behavior

    go get -u github.com/securego/gosec/cmd/gosec
    cd project-that-imports-tview/
    gosec ./...
    

    gosec version

    Always pulled in CI using go get as above. Last run I see was:

    go: downloading github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989
    

    Go version (output of 'go version')

    + go version
    go version go1.16.4 linux/amd64
    

    Operating system / Environment

    alpine/edge

    + go env
    GO111MODULE="on"
    GOARCH="amd64"
    GOBIN=""
    GOCACHE="/home/build/.cache/go-build"
    GOENV="/home/build/.config/go/env"
    GOEXE=""
    GOFLAGS=""
    GOHOSTARCH="amd64"
    GOHOSTOS="linux"
    GOINSECURE=""
    GOMODCACHE="/home/build/go/pkg/mod"
    GONOPROXY=""
    GONOSUMDB=""
    GOOS="linux"
    GOPATH="/home/build/go"
    GOPRIVATE=""
    GOPROXY="https://proxy.golang.org,direct"
    GOROOT="/usr/lib/go"
    GOSUMDB="sum.golang.org"
    GOTMPDIR=""
    GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
    GOVCS=""
    GOVERSION="go1.16.4"
    GCCGO="gccgo"
    AR="ar"
    CC="gcc"
    CXX="g++"
    CGO_ENABLED="1"
    GOMOD="/dev/null"
    CGO_CFLAGS="-g -O2"
    CGO_CPPFLAGS=""
    CGO_CXXFLAGS="-g -O2"
    CGO_FFLAGS="-g -O2"
    CGO_LDFLAGS="-g -O2"
    PKG_CONFIG="pkg-config"
    GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build254833280=/tmp/go-build -gno-record-gcc-switches"
    

    Expected behavior

    It should run like it used to before this project imported tview.

    Actual behavior

      > [line 26 : column 2] - could not import github.com/rivo/tview (invalid package name: "")
    

    This is similar to #580 except not in the standard library so I'm opening this separately.

    opened by SamWhited 15
  • SARIF : format's specification conformity

    SARIF : format's specification conformity

    Github is using fingerprints in SARIF format. It helps avoid duplicates.

    Cf. https://docs.github.com/en/code-security/secure-coding/sarif-support-for-code-scanning#preventing-duplicate-alerts-using-fingerprints

    The fingerprint shall be translated from TypeScript to Golang to be used to fulfill the partialFingerprints field in the SARIF format.

    With the use of https://sarifweb.azurewebsites.net/Validation we can see the following remarks:

    • [ ] SARIF2003: Provide 'versionControlProvenance' to record which version of the code was analyzed, and to enable paths to be expressed relative to the root of the repository.

    • [ ] SARIF2011: Provide context regions to enable users to see a portion of the code that surrounds each result, even if they are not enlisted in the code.

    • [X] GH1001: Each result location must provide the property 'physicalLocation.artifactLocation.uri'. GitHub Advanced Security code scanning will not display a result whose location does not provide the URI of the artifact that contains the result.

    • [X] SARIF2010: Provide code snippets to enable users to see the code that triggered each result, even if they are not enlisted in the code.

    • [ ] SARIF2002: In result messages, use the 'message.id' and 'message.arguments' properties rather than 'message.text'. This has several advantages. If 'text' is lengthy, using 'id' and 'arguments' makes the SARIF file smaller. If the rule metadata is stored externally to the SARIF log file, the message text can be improved (for example, by adding more text, clarifying the phrasing, or fixing typos), and the result messages will pick up the improvements the next time it is displayed. Finally, SARIF supports localizing messages into different languages, which is possible if the SARIF file contains 'message.id' and 'message.arguments', but not if it contains 'message.text' directly.

    • [ ] SARIF2012: Rule metadata should provide information that makes it easy to understand and fix the problem. Provide the 'name' property, which contains a "friendly name" that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, 'ProvideRuleFriendlyName'. Provide the 'helpUri' property, which contains a URI where users can find detailed information about the rule. This information should include a detailed description of the invalid pattern, an explanation of why the pattern is poor practice (particularly in contexts such as security or accessibility where driving considerations might not be readily apparent), guidance for resolving the problem (including describing circumstances in which ignoring the problem altogether might be appropriate), examples of invalid and valid patterns, and special considerations (such as noting when a violation should never be ignored or suppressed, noting when a violation could cause downstream tool noise, and noting when a rule can be configured in some way to refine or alter the analysis).

    enhancement 
    opened by mmorel-35 2
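    The issue above asks for partialFingerprints and a mandatory artifact URI on every result. The following Go program is an added illustration, not gosec's own report code and not GitHub's line-hash algorithm the issue refers to: it builds a minimal SARIF result, fills partialFingerprints with an illustrative SHA-256 of (rule, file, whitespace-normalized line) under the primaryLocationLineHash key GitHub documents, and checks the GH1001 requirement that physicalLocation.artifactLocation.uri is present. The struct subset, the hashing scheme and the sample finding values are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal subset of a SARIF 2.1.0 result (constructed for this example; the
// real gosec report package has its own generated types).
type ArtifactLocation struct {
	URI string `json:"uri"`
}
type Region struct {
	StartLine int `json:"startLine"`
}
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           Region           `json:"region"`
}
type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
}
type Message struct {
	Text string `json:"text"`
}
type Result struct {
	RuleID              string            `json:"ruleId"`
	Message             Message           `json:"message"`
	Locations           []Location        `json:"locations"`
	PartialFingerprints map[string]string `json:"partialFingerprints,omitempty"`
}

// normalizeLine collapses runs of whitespace so that re-indenting or
// reformatting a file does not change the fingerprint of a finding.
func normalizeLine(s string) string {
	return strings.Join(strings.Fields(s), " ")
}

// Fingerprint derives a stable identity for a finding from the rule ID, the
// file and the normalized flagged line. Illustrative scheme (assumption), not
// the GitHub TypeScript line-hash algorithm mentioned in the issue.
func Fingerprint(ruleID, uri, lineText string) string {
	h := sha256.Sum256([]byte(ruleID + "\x00" + uri + "\x00" + normalizeLine(lineText)))
	return hex.EncodeToString(h[:16]) // 32 hex characters
}

// NewResult builds a result carrying the artifact URI that GitHub requires
// and a partialFingerprints entry so repeated uploads de-duplicate alerts.
func NewResult(ruleID, uri string, line int, lineText, msg string) Result {
	return Result{
		RuleID:  ruleID,
		Message: Message{Text: msg},
		Locations: []Location{{PhysicalLocation: PhysicalLocation{
			ArtifactLocation: ArtifactLocation{URI: uri},
			Region:           Region{StartLine: line},
		}}},
		PartialFingerprints: map[string]string{
			"primaryLocationLineHash": Fingerprint(ruleID, uri, lineText),
		},
	}
}

// Validate mirrors the GH1001 check quoted in the issue: every location must
// provide a non-empty physicalLocation.artifactLocation.uri.
func Validate(r Result) error {
	if len(r.Locations) == 0 {
		return errors.New("result has no locations")
	}
	for i, loc := range r.Locations {
		if loc.PhysicalLocation.ArtifactLocation.URI == "" {
			return fmt.Errorf("location %d: missing physicalLocation.artifactLocation.uri", i)
		}
	}
	return nil
}

func main() {
	// Constructed sample finding (hypothetical file and line).
	r := NewResult("G104", "pkg/handler.go", 42, "\tdefer f.Close()", "Errors unhandled.")
	if err := Validate(r); err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(b))
}
```

    Running it prints one SARIF result object; the same finding reported from a re-indented copy of the file yields the same primaryLocationLineHash, while the same line in a different file does not.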
Releases(v2.9.1)
  • v2.8.1(Jun 17, 2021)

    Changelog

    3f800cc Fix the unit tests (#652)
    df10b65 Fix gosimple lint warning (#651)
    731d0d5 Results must always be present in the SARIF report (#650)
    3c230ac errors.go: add Hash.Write() to the white list. (#648)
    e72b1e5 Use of vars instead of func
    c81cff0 Update all dependencies (#646)
    3ff0a2c Fixes #644 (#645)
    e3dffd6 Update renovate configuration
    aa35eb5 Delete renovate.json (#642)
    3b1b77e add onboarding (#640)
    03360ba Update renovate configuration
    8a8dbec Tidy up the dependencies (#637)
    3a4d09b Update all dependencies (#635)
    6cde6b3 Disable cache in golangci job (#636)
    1256f16 Fix lint and fail on error in the ci build
    dbb9811 Add crypto and lint to the tools modules
    244adc6 Update the github ci action to use cache and matrix strategy
    df1249d Update install.sh with more installation options
    af27673 Update README.md

    Source code(tar.gz)
    Source code(zip)
    gosec_2.8.1_checksums.txt(489 bytes)
    gosec_2.8.1_darwin_amd64.tar.gz(4.56 MB)
    gosec_2.8.1_darwin_arm64.tar.gz(4.47 MB)
    gosec_2.8.1_linux_amd64.tar.gz(4.61 MB)
    gosec_2.8.1_linux_arm64.tar.gz(4.33 MB)
    gosec_2.8.1_windows_amd64.tar.gz(4.88 MB)
  • v2.8.0(May 26, 2021)

    Changelog

    9fc8e20 Add favicon for HTML template (#628)
    91dae7f Update the design of HTML report
    e72f54e Fix HTML template and display the gosec version
    c3f25b8 fix html report tag styling (#623)
    433a674 show nosec in html report summary (#621)
    d040f07 Handle gosec version in SARIF report
    51f7411 Add arm64 support (#618)
    e7ac882 Update go version to 1.16 (#616)
    3a9a6ad Sarif provide Snippet with Issue.Code
    1325319 Create dependabot.yml (#614)
    d8cfcd6 Allow the user to enable/disable colorisation of the text report in the stdout
    a8b633f Adding stdout and verbose flags and refactor how the report is saved
    103c429 Enable golangcli and improve testing for formatters
    4df7f1c Fix typos, Go Report link and Gofmt
    f4ea33d Update how the test coverage is generated
    c4f5932 Refactor : Replace Cwe with cwe.Weakness
    ddfa253 Define a report package with core and per format sub-packages
    cc83d4c Generate the SARIF types, handle taxonomies and separate responsibilities
    0fa5d0b Fix the go modules after updating to get the tests passing (#605)
    3763953 Migrate sonar types in a dedicated package (#604)
    b519743 chore(deps): update all dependencies (#599)
    569328e Fix typos (#594)
    0695fa0 Add -u to local install instructions (#595)
    7f2308b Tidy up the moduels after updating (#593)
    f21b0b8 chore(deps): update all dependencies (#592)
    148e608 Adding KICS to USERS.md (#590)

    Source code(tar.gz)
    Source code(zip)
    gosec_2.8.0_checksums.txt(489 bytes)
    gosec_2.8.0_darwin_amd64.tar.gz(4.56 MB)
    gosec_2.8.0_darwin_arm64.tar.gz(4.47 MB)
    gosec_2.8.0_linux_amd64.tar.gz(4.61 MB)
    gosec_2.8.0_linux_arm64.tar.gz(4.33 MB)
    gosec_2.8.0_windows_amd64.tar.gz(4.88 MB)
  • v2.7.0(Mar 4, 2021)

    Changelog

    27a5ffb Quiet warnings about integer truncation (#586)
    bf2cd23 Update all dependencies (#585)
    01ee764 Fix typo in USERS.md (#583)
    9c047e3 Add support for Go 1.16 in the CI and release workflows (#581)
    1fce461 fix: WriteParams rule to work also with golang 1.16 (#577)
    dcbcc4d Use a more generic path for sonarqube import path (#573)
    2777e50 Update README with a note which describes how to import a SonarQube report (#572)
    897c203 Reset the state of TLS rule after each version check (#570)
    6c57ae1 Fix sarif formatting issues (#565)
    b6524ce Update all dependencies

    Source code(tar.gz)
    Source code(zip)
    gosec_2.7.0_checksums.txt(294 bytes)
    gosec_2.7.0_darwin_amd64.tar.gz(4.48 MB)
    gosec_2.7.0_linux_amd64.tar.gz(4.53 MB)
    gosec_2.7.0_windows_amd64.tar.gz(4.59 MB)
  • v2.5.0(Oct 26, 2020)

    Changelog

    a4746e1 Update all dependencies (#533)
    6bd6e4b Use $(go env GOPATH) that works even when GOPATH is not set
    aef335a Fix typo in README.md
    0ce48a5 Reproducible junit report (#529)
    868556b Update README with the correct path to tlsconfig command
    13519fd Update the tls configuration generate to handle also the NSS alternative names
    e351067 Update all dependencies
    166e4f5 Update README file with some more details required to run successfully a scan with the docker image
    f5cc32a Update the Go version to 1.15 in the Makefile
    ea0fa28 Update the Github go action version to 1.6.0
    feea8bb Fix the action tag
    6688a97 Fix the github action for Go 1.15
    7234349 Add Go 1.15 to the supported version and phase out the Go 1.12
    a3895d5 Fix typo in README file
    17c9555 Incorrect local installation instructions for v2
    f13b8bc Add also filepath.Rel as a sanitization method for input argument in the G304 rule
    047729a Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
    b60ddc2 feat: adds support for path.Join and for tar archives in G305
    673a139 Update all dependencies
    110b62b Add io.CopyBuffer function to rule G110
    6bcd89a Mark all lines of a multi-line finding
    4d4e594 Add some comments
    d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
    37d1af0 Expand the arguments to a list of strings when they are provided as a single string
    59cbe00 Update all dependencies
    ade81d3 Rename file for consistency
    03f12f3 Change naming rule from blacklist to blocklist
    3784ffe Fix panic when reading the version from debug info in Go 1.13
    55d368f Improve the TLS version checking
    ad1cb7e Make sure some version information is set when no version was injected into the binary
    1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
    0c1a71b Add more tests samples to increase coverage
    fe07fcf Fix unit test when checking a mix of good and bad random functions
    6bbf8f9 Extend the insecure random rule with more insecure random functions
    af699f6 Exclude .git directory from scan (#485)
    6202b38 Update all dependencies (#484)
    6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
    826db1c Fix the build tags propagation
    7da9248 Change the issue test to verify that a multi-line finding contains a line range
    7aedcc5 Remove print line from tests
    30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
    68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
    32be4a5 Make sure all rules are mapped to CWE numbers
    8630c43 Add null pointer check in G601
    1418b85 ondisk -> onDisk
    b2cfc5d USERS.md type in the title fixed.
    425b8f9 Display a sponsor button in the repository
    0714a1e Update the users file with some more projects and companies
    1b915dd Set up a gosec's users list
    668512f Update bad_defer.go
    ee3146e Rule which detects aliasing of values in RangeStmt
    8662624 Update the build badge to ge the status from GitHub workflow
    a5db4e1 Run mod tidy to clean up the dependencies
    fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
    a2a40de Update the README with an example to configure the hard-coded credentials rule
    802292c Fix the configuration parsing for hardcoded credentials
    c58f356 Set the default color on only for text format
    1a113d6 Turn the color always on when the text format is set
    c4417de Use the latest color package to get the color working with tmux
    656691b feature(formatter/text): Add color option on text format (#460)
    51e4317 Automate the release process using a GitHub workflow
    341059e Update the GitHub action name to be more desriptive
    3b6c3f1 Update README with some instruction how to run gosec as a GitHub action
    08202fe Add a GitHub action to run gosec
    c6e10af Handle properly the gosec module version v2
    e946c8c Update all dependencies
    e030aa4 Remove the go 1.14 version from github action
    ee176ff Fix the job names in the Github workflow
    cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
    a111777 Change the GitHub workflow to use only the latest Go version
    722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
    5284f34 Change the GitHub workflow to use an action which install Go using a Go version from the matrix
    8de5fb6 Migrate the build to GitHub Actions
    7da9f46 Fix the call list info to handle selector expressions
    cf25904 Fix the subproc rule to handle correctly the CommandContext check
    f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
    c998389 re-generate install.sh with latest godownloader (#446)
    7525fe4 Rule for defering methods which return errors (#441)
    a2ac0bf Update all dependencies (#445)
    a305f10 Fileperms (#442)
    00363ed remove support for go 1.11 (#444)
    d13bb6d Update all dependencies
    17df5b3 Fix typos
    3e069e7 Fix the errors rule whitelist to work on types methods
    459e2d3 Modify rule for integer overflow to have more acurate results (#434)
    a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
    3d5c97b Add a test sample for Cgo files
    81e8278 Add the Cgo files to the analysed files and ingonre all non-Go files
    a1969e2 Handle all errors in the formatter tests (#431)
    9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
    f43a957 Check for both default and alternative nosec tags (#426)
    79fbf3a Add golint format to output format (#428)
    57c3788 Update all dependencies (#427)
    5d61373 fix(docker) gcc and libc-dev required bindings
    cb4f343 Update all dependencies (#417)
    df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
    b4c76d4 Update all dependencies (#410)
    99170e0 Update the README with some details about the CWE mapping (#407)
    53be8dd Add CWE rule mappings (#405)
    28c1128 Add more tests to improve the coverage of resolve
    d78f026 Format import to make codecov happy
    50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
    07770ae Add a test for composite literals when trying to resolve an AST tree node
    f413f14 Handle the ValueSpec when trying to resolve an AST tree node
    c1970ff Handle the ValueSpec when trying to resolve an AST tree node
    ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
    186dec7 Convert the global settings to correct type when reading them from file (#399)
    e680875 Replace the deprecated load mode with more specific flags are recommended in the packages docs (#400)
    ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
    607f240 reconfigure rennoavate bot (#395)
    832d7bb Update README with CII Best Practicies badge
    29341f6 Fix the rule G108/pporf to handle the case when the pporf import has not name
    b504783 Change unit tests to check for one thing (#381)
    7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
    f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
    c6ac709 Update golang.org/x/net commit hash to aa69164
    7a6460d Update golang.org/x/crypto commit hash to 9ee001b
    d8f249a Update README with rule G108
    9cee24c Add a rule which detects when pprof endpoint is automatically exposed
    73fbc9b Update golang.org/x/net commit hash to 1a5e07d
    124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
    915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
    e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
    f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
    90e9759 Update golang.org/x/net commit hash to c858923 (#373)
    709ed1b Change rule G204 to be less restrictive (#339)
    98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
    d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
    3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
    140048b Update golang.org/x/sys commit hash to 7ad0cfa
    a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
    b9c4c66 Expose analyzer API (#366)
    29fddff turn on automerge for rennovate bot
    bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
    069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
    3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
    f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
    a1c9c76 Remove the unused code to increase the test coverage
    338b50d Remove rule G105 which detects the use of math/big#Int.Exp
    43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
    81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
    76ce9f0 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
    e050355 Update the TLS config generator to handle TLS version 1.3
    c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
    a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
    8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
    7851918 Add support to exclude arbitrary folders from scanning (#353)
    1c35be8 Add renovate.json (#354)
    fde1f82 Update the tag format in the release steps (#348)
    992f173 Update README file with a note on dependencies (#351)
    e442cf3 Add Go 1.13 to the tested version in the travis build file (#350)
    4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
    8932f70 Add flag to handle '#nosec' alternative (#346)
    4b59c94 Prevent null pointer exception in Sonarqube (#334)
    39f7e7b Display filtered number of issues instead of total in stats
    e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
    63b44b6 Add some more tests to make codecov happy
    1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar [email protected]
    f344524 Fix the whitelist on G104 rule and add a test
    78a4949 Load rules on each code sample in order to reconfigure them
    ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
    36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
    020479a Support multiple root paths when generating the Sonarqube report
    46e55b9 Fix the file path in the Sonarqube report
    04dc713 One approach for fixing the false positive identified in #325.
    196edd3 Add checksum clarification in README
    0ebfa2f Rework analyzer unit test to pass the go tip version (#318)
    9d9098f print version string (#317)
    ee80733 Add a flag to filter issues by confidence (#316)
    29cec13 Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
    b68ac76 Fix formatting
    3e69a8c Append the package load errors to analyser's errors
    aac9b00 Refactor properly the package error parsing and cover all test cases
    625718d Refactor the test for Go build errors
    3af4ae9 Fix some lint warnings
    bac6f0f Add tests for an empty package without any test file
    76b2c12 Add a test to cover the processing of empty packages
    b04c1ce Fix error parsing from package
    92b3644 Fix error parsing when the loaded package is empty
    48e3932 Remove tests case from import tracker
    25b5a1a Add tests to cover the import tracker from file
    5ef2bee Track only the import from the file which is checked
    f1ea7f6 Add tests for analyser test pacakge check
    6e5135f Update README with some instructions to enable the tests and vendor folder scanning
    b49c953 Add a flag which allows to scan also the tests files
    f1d49a6 Remove unused code
    ed2e0aa Update local install command in README file
    4dfaf0a Refactor the analyzer to process one package at the time
    adcfe94 Fix test for helpers
    5ae5266 Add some tests that covers the helper function which list the package paths
    e419eb8 Exclude correctly the vendor folder from the scanned packages
    85eb8a5 Scan the go packages path recursively starting from a root folder
    8522199 Improve logging in the analyser
    ea16ff1 Remove GOPATH check to allow running gosec outside of GOPATH
    6c174a6 Update README file
    7935fd8 Rework the Dockerfile for Go modules
    806908a Remove the dep tool installation from travis CI
    950e84c Handle errors to fix lint warnings
    ee73b9e Remove dep and Use only Go modules to manage dependencies
    85d1808 Go modules support for 1.12 (#297)
    eaba99d fix comment.
    4cd14f9 remove panic
    66e7c8d Extract to a constant
    1b28d32 fix sonarIssues struct
    8eab50e update README.md to add support of sonarqube.
    989eb3f Update Hound errors
    ddfe54d Add sonarqube output
    c5e6c4a fix no-fail flag logic
    2bd007e Update README
    8b27d1c Update go version to 1.11.5 in the docker file
    9cd538f Fix README typo
    62b5195 Report for Golang errors (#284)
    9cdfec4 Change test
    8048b15 Add more badges in the README file
    e2752bc revert to default GOPATH if necessary (#279)
    04ce7ba add a no-fail flag
    a966ff7 Fix -conf example in README.md
    b662615 Fix typo
    5d33e6e Update the README with some details about the configuration file
    f87af5f Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
    14ed63d Do not flag the unhandled errors which are explicitly ignored
    12400f9 Update README with the code coverage batch
    72e95e8 Geneate and upload the test coverage report to codecove.io
    24e3094 Extend the bind rule to handle the case when the net.Listen address in provided from a const
    9b32fca Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
    f14f17f Add a helper function which extracts the string parameters values of a call expression
    2695567 Build the code sample for string builder only fron Go 1.10 onwards
    ae82798 Fix the WriteSring test by handling the error
    adb4222 whitelist strings.Builder method in rule G104
    9b966a4 add test case for strings.Builder G104 whitelist inclusion
    4180994 Make G201 ignore CallExpr with no args (#262)
    443f84f Fix golint link (#263)
    3116b07 Fix typos in comments and rulelist (#256)
    e0a150b Merge pull request #254 from kishaningithub/253
    97bc137 Add CI Installation steps and correct markdown lint errors
    8c09a83 Add install.sh script
    d032909 Merge pull request #251 from NeverOddOrEven/fix-html-template
    027dc2b This fixes the html template when using '-fmt=html' - resolves HTML escaping issues within the template - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
    f9b4187 Merge pull request #249 from andrewhsu/go
    1ecd47e bump Dockerfile golang from 1.10 to 1.11
    2cc6838 Merge pull request #248 from ccojocar/code-samples-multiple-files
    64d58c2 Refactor the test code sample to support multiple files per sample
    d3f1980 Fix false positives for SQL string concatenation with constants from another file (#247)
    5f98926 Refactor Dockerfile (#245)
    7f6509a Update README.md (#246)
    762ff3a Allow quoted strings to be used to format SQL queries (#240)
    ec32ce6 Support Go 1.11 (#239)
    145f1a0 Removed wrapping feature (#238)
    419c929 G107 - SSRF (#236)
    63b25c1 Fix typo in README (#235)
    7fd9446 update to G304 which adds binary expressions and file joining (#233)
    e4ba96a Update README
    ec0f8ec Set the GOROOT and GOPATH env variables in Dockerfile
    247828c Update docker base image to 1.10.3-alpine3.8
    b689199 Add Fprintf to Rule G201
    a7cff91 Small update to G201 and added ConcatString Function (#228)
    1c438e3 Tweak makefile to match up with docker repo (#231)
    9577fd0 Update README
    e543f46 Use the Linux build for Docker image
    dbd0f8f Use the make build goal when creeating the docker image
    f06a84e Merge pull request #227 from ccojocar/sha1
    8dfa8dc Update README
    fb0dc73 Add sha1 to weak crypto primitives
    90a1c1d Merge pull request #225 from jvmatl/jvmatl-patch-1
    0d2e16d Document #nosec use with a list of rules
    639987a Merge pull request #223 from ccojocar/fail_by_severity
    de10a74 Fix the help message
    4702cc5 Add a flag to specify the severity for which the scanning will be failed
    c0db486 Merge pull request #222 from ccojocar/vendor_folder_flag
    6919d97 Add a flag to turn on scanning on vendor folder
    f5b44b0 Merge pull request #221 from Quasilyte/quasilyte/dupSubExpr
    7d767b4 Merge pull request #220 from Quasilyte/quasilyte/sloppyLen
    3c8707c fix duplicated index issue in Less method
    2f61fad replace len(x)<=0 with len(x)==0
    5fb530c Merge pull request #219 from ccojocar/goreleaser
    a8edd07 Update locked dependencies
    2a6e887 Use the goreleaser tool to perform releases
    5ba6475 Merge pull request #211 from WillAbides/commandcontext
    1f9d09d remove extra bracket from test source
    6a156e2 Merge branch 'master' into commandcontext
    2785f7a Merge pull request #217 from ccojocar/derive_pkg_from_files
    4c6396b Derive the package from given files
    3f2b814 Update README.md
    138e6de Add slack community link (#215)
    f254cec Merge pull request #216 from ccojocar/rename_gas_with_gosec
    e6641c6 Replace gas with gosec in the README file
    893b87b Replace gas with gosec everywhere in the project
    da26f64 Rename github org (#214)
    1923b6d Rule which detects a potential path traversal when extracting zip archives (#208)
    d7ec2fc add CommandContext as subprocess launcher
    4ae8c95 Add an option for Go build tags (#201)
    7790709 Discard the logs messages if the quite flag is set (#200)
    830cb81 Support package resolution and filepaths (#187)
    b643ac2 Add rule ID to text output (#198)
    c25269e Regenerate the TLS config (#199)
    542d0c0 Fix up some mistakes in the README instructions (#195)
    e809226 Build improvments (#179)
    2115402 Add the rule ID to issues (#188)
    a036755 Fix TLS config template (#191)
    7116c4d fix fmt errors
    ff2b30f Cleanup test output
    66aea5c fix gofmt errors
    15095a8 Merge branch 'jonmcclintock-nosec-specify-rule'
    90fe5cb Port readfile rule to include ID and metadata
    58a48c4 Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule
    f3c8d59 Switch to valuespec instead of gendecl for hardcoded credential rule (#186)
    e76b258 New Rule Tainted file (#183)
    429ac07 Change the exclude syntax to be a part of #nosec
    7bb6f00 Merge branch 'master' of https://github.com/GoASTScanner/gas into nosec-specify-rule
    57dd25a Add an issue template to the project (#185)
    1d9f816 Add support for YAML output format (#177)
    18700c2 Style tweak
    6b484e7 Run gofmt
    105edba Leftover from merge.
    48d59d2 Merge branch 'nosec-specify-rule' of github.com:jonmcclintock/gas into nosec-specify-rule
    1429033 Add support for #excluding specific rules
    3713168 Merge remote-tracking branch 'upstream/master'
    c6183b4 Add nil pointer check to rule. (#181)
    edb362f Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
    1c58cbd Make the folder permissions more permissive to avoid false positives (#175)
    d48668e Merge pull request #170 from cosmincojocar/build_more_checks
    777b706 Merge pull request #167 from cosmincojocar/sort_by_severity
    7355f0a Fix some gas warnings
    230d286 Fix gofmt formatting
    e385ab8 Update the build file with more checks
    e15c057 Update the build file to validate gas from go version 1.7 onward
    84bfbbf Switch to sort Interface to be backward compatible with older go versions
    d4ebb03 Sort the issues by severity in descending order before creating the report
    6b28d5c Merge pull request #166 from cosmincojocar/fprint_whitelist
    ac4622d Merge pull request #165 from cosmincojocar/fix_gas_warnings
    a72a21b Merge pull request #164 from cosmincojocar/ssh_rule
    6cd7a6d Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
    c2c2155 Fix some gas warnings
    a7cdd9c Add ssh package to the build
    179c178 Add some review fixes
    f1b903f Update README
    d3c3cd6 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
    8b87505 Merge pull request #163 from wongherlung/fix-junit-failure-text
    33fff95 Excape html string for junit output.
    e92170b Merge pull request #160 from wongherlung/junit-xml-output
    862295c Return err instead of panic.
    187a711 Unused import
    485bc31 Fix go vet errors in tests
    f7c31f2 Using godep not glide for dependency management
    846c9ff [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
    a293098 Merge pull request #161 from jonmcclintock/allow-loader-errors
    8125622 Merge pull request #162 from gcmurphy/bugfix
    a97a196 Unused import
    7c7fe75 Fix go vet errors in tests
    b49fef7 Using godep not glide for dependency management
    f111d5d [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
    143df04 Fixed typo.
    5b91afe Unexport junit xml structs and some further refactoring.
    fdc78c0 Changed failure text from json to plaintext.
    4059fac Pretty print xml result for better viewing.
    1346bd3 Edited README and help text.
    2c1a0b8 Refactored code.
    7539b37 Added xml header format.
    b8cdc32 Working version of xml result format.
    07a2eec Merge pull request #156 from gcmurphy/bugfix
    5361949 Sending log messages to multiple streams
    51b4a4d Merge pull request #138 from jonmcclintock/sqli-format-whitelist
    bc2a61b Merge branch 'sqli-format-whitelist' of github.com:jonmcclintock/gas into sqli-format-whitelist
    1ca3350 Rebase to master
    8eb9cc0 Adjust SQL format-string rules to ignore inherently safe formats
    a0fc089 Merge pull request #154 from GoASTScanner/issue/153
    806c1d0 Add install instructions
    b068284 Merge pull request #152 from ashanbrown/one-build
    22dc893 Do a single build for all packages.
    085e0f6 Merge pull request #150 from GoASTScanner/experimental
    aecbc87 Use explicit packages in call lists
    9a2bec1 Merge pull request #149 from GoASTScanner/experimental
    b6f85d5 Fix nil pointer dereference in complit types
    3520a5a Merge pull request #146 from GoASTScanner/experimental
    867d300 Fix lint issues
    d452dcb Fix ginko invocation
    4c49716 move utils to separate executable
    e925d3c Migrated old test cases.
    25d74c6 address review comments
    af25ac1 fix golint errors picked up by hound-ci
    cfa4327 fix hound-ci errors
    97cde35 update travis-ci to use ginkgo tests
    e3b6fd9 update readme to provide info regarding package level scans
    02901b9 actually skip tests until implementation exists
    d4311c9 make it clear that these tests have not been implemented yet
    67dc432 use godep instead of glide
    2b2999b Add tests for excludes with comments
    37cada1 Add support for #excluding specific rules
    7dfebaf Adjust SQL format-string rules to ignore inherently safe formats
    27b2fd9 Merge pull request #136 from lanzafame/experimental
    6de76c9 Merge pull request #135 from cosmincojocar/update_mondern_tls_chipers
    5a11336 remove commited binary
    9c959ca Issue.Line is already a string
    3caf7c3 Add test cases
    c36954f Add the CHACHA20 to good ciphers in modern tls check
    f22c701 Merge pull request #133 from awiens/master
    b120a3e Updating Dockerfile with requested changes
    5f0f8f8 Adding Docker container and changing README
    6943f9e Major rework of codebase
    f4b705a Use glide to manage vendored dependencies
    026fe4c Simplify analyzer and command line interface
    65b18da Hack to address circular dependency in rulelist
    5160048 Move rule definitions into own file
    50bbc53 Isolate import tracking functionality
    bf78d02 Restructure and introduce a standalone config
    cacf21f Restructure to focus on lib rather than cli
    8df48f9 Fix to reporting to use output formats
    9b08174 Process via packages instead of files
    1beec25 Merge pull request #128 from cosmincojocar/improve_skip
    e94e232 Merge pull request #129 from cosmincojocar/big_exp
    7dc4638 Update the README
    5b71c2b Add a test for math/big.Int.Exp rule
    65b8e74 Add a rule for big.Exp function call
    3ae2762 Add support for partial path match in the skip option
    0573847 Merge pull request #125 from mockturtl/patch-1
    b74c83e BindsToAllNetworkInterfaces should check TLS also
    177fa7d Merge pull request #122 from GoASTScanner/testfixes
    622440f Correct bad test cases and intermitent failure
    5c302fb Merge pull request #121 from cosmincojocar/tls
    2262f5d Add a check for PreferServerCipherSuites flag of tls.Config
    1c8e7ff Merge pull request #118 from GoASTScanner/issue/117
    1c99e45 Fix recursive case on Windows platforms
    72caf3d Merge pull request #115 from GoASTScanner/bugfix
    3e9b66a Temporarily disable typechecker fatal error
    f6aeaa8 Merge pull request #114 from GoASTScanner/feature
    4099783 Go 1.5 does not support width precision specifier
    4b70300 Exclude vendor directory from go vet
    aaddac5 Add the zxcvbn library to vendor list
    9bc0239 Introduce entropy checking of string
    cc52ef5 Merge pull request #112 from GoASTScanner/bugfix
    a7ec9cc Backport test case for 1.5
    f9868aa Fix additional test case
    ab4867b Fix test cases with invalid sample code
    d3f0a08 Report a failure and exit if type checking fails
    bc21a39 Merge pull request #110 from GoASTScanner/bugfix
    d1303fe Improve specitivity of error message for GenDecl
    0545d13 Merge pull request #109 from GoASTScanner/bugfix
    1e736c8 Fix test case (invalid sample code)
    d1e67fc Ensure hardcoded credentials only examines strings
    d4f9b88 Merge pull request #104 from endophage/help_fix
    5f1c2df updating skip cli help and readme description
    c68ed64 Merge pull request #102 from GoASTScanner/bugfix
    94ac200 Tests broken if logger is not initialized
    1ba8b93 Reduce logging messages a tad
    465338b Merge pull request #101 from GoASTScanner/bugfix
    191750f Recreate fileset each time we process a file
    b5308ff Merge pull request #98 from endophage/recursive
    365e9f6 Merge pull request #99 from mcpeak/fix-nosec
    1a481fa adding support for arbitrary paths with ...
    942f40a Fix nosec to work as documented
    3911321 Merge pull request #97 from GoASTScanner/experimental
    6ace60b Address unhandled error conditions
    8f78248 Merge pull request #92 from GoASTScanner/experimental
    e1e435c Merge pull request #93 from GoASTScanner/bugfix
    dcfd97c Remove ast.Print debug message from tryresolve
    129be15 Update error test case
    5242a2c Extend helpers and call list
    d29c648 Add match call by type
    d30c5cd Merge pull request #91 from GoASTScanner/experimental
    63e8b1a Update unsafe rule to match package explicitly
    b26f5cf Merge pull request #90 from GoASTScanner/experimental
    39b18a1 Remove debug print messages
    5b3192b Merge pull request #88 from GoASTScanner/experimental
    ca42de2 Initialize fresh import info for each file
    6ef59ba Merge pull request #86 from GoASTScanner/experimental
    c7bb2dd Fix additional crash condition
    5012c34 Handle inbalanced declaration of constants
    9301684 Merge pull request #83 from GoASTScanner/experimental
    a3fcd96 Update hardcoded credentials rule for GenDecls
    bf103da Allow rules to register against multiple ast nodes
    c6587df Merge pull request #82 from GoASTScanner/experimental
    1d732b8 Ensure os.OpenFile file permissions are checked
    423a303 Merge pull request #81 from GoASTScanner/experimental
    97dcc72 Incorrect rule mapping in rulelist
    7dd3032 Merge pull request #76 from GoASTScanner/experimental
    be96ef2 Fix alias logic
    c833bfa Merge branch 'tam7t-rand-pkg-helper'
    e0db3f4 Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper
    9f54d25 Merge pull request #75 from GoASTScanner/experimental
    20f2a98 Ensure initialization only imports are ignored
    7a275fd MatchCallByPackage updated to avoid GetCallObject
    d163260 Merge pull request #71 from GoASTScanner/call_list
    238d1e0 Merge pull request #73 from GoASTScanner/tools
    b02c0fa Add imports dumper
    2c9d8fc Skip files if they don't exist
    d205060 Update to dump specific context information
    d8bf436 Merge pull request #72 from GoASTScanner/tools
    14e6635 Add 
tool to inspect call objects in file 0bc4d48 Add an experimental way to whitelist calls afb84ff rand: use a MatchCallByPackage helper 8a473c7 Merge pull request #69 from GoASTScanner/helpers 0fef3ad Split out MatchCallByObject into two functions ce2c328 Merge pull request #68 from GoASTScanner/command_line_fixes f71ade6 Update usage to indicate html is supported d72cee8 Add quiet mode 9fa0b72 Merge pull request #67 from GoASTScanner/use_types c405754 Add MatchCall helper that utilizes type checker 9e2abd5 Merge pull request #66 from csstaub/cs/html-output aadcf8d Merge pull request #60 from tam7t/fix-rand 4ff5915 rand: refactor to use types package 75e0e1a rand: resolve math/rand package 068e8a8 Merge pull request #65 from GoASTScanner/sql_fix d60a2b4 Confirmed correct behavior for SQL tests 853b097 Merge pull request #63 from GoASTScanner/travis_ci 686927c Address go vet failure in SQL rule 344ebd1 Add go vet to travis-ci 65d572f Merge pull request #62 from GoASTScanner/correct_imports 74b6633 Updated imports to new repository location. 
b8ce40e Remove debugging println 4cd269f Merge pull request #58 from levigross/master 9c3c102 Fixed comment b92fa02 Make sure to exit 1 if we find an issue fadc6d4 Merge pull request #52 from gcmurphy/use_glob b8e78c6 Merge pull request #56 from s7v7nislands/fix_unsafe eedb0c2 fix fmt 92dda9c fix unsafe check 911c696 Add support for HTML output 59fbf74 Refactor path matching logic a4fd848 Merge pull request #49 from gcmurphy/master 7f4bdd5 Merge pull request #48 from gcmurphy/godoc d05a241 MatcMatchCompLit should be MatchCompList b5a98c1 Add godocs.org bagdge 9ca975d Add gas to .gitignore 0ee8e1b Merge pull request #47 from gcmurphy/readme 0bce177 Fix typos in godocs bb42840 Merge pull request #42 from HewlettPackard/code_docs e4b1e28 Merge pull request #46 from drewwells/feature/exclusions a2b7f3e Add LICENSE information to README.md 929edb4 Update README.md to use rule ID's 365ae31 prefix patterns with **/ to match subdirectories 223cded Adding some inline documentation for godoc 37205e9 Merge pull request #41 from HewlettPackard/usage df373b8 Fix usage information 82947bb Merge pull request #39 from HewlettPackard/rule_selection 713949f Rule selection rules 51ffe1b Merge pull request #40 from dragonndev/master b29e45f Merge pull request #38 from HewlettPackard/cli_docs 5b867f2 Clarified output format options. 
6d831c0 Updating docs for new CLI "skip" option 235308f Merge pull request #35 from HewlettPackard/config_cli e3b1d33 Configuration 4e30ca3 Merge pull request #37 from HewlettPackard/travis_ci 9521472 Add build status to README.md 58e6823 Merge pull request #36 from HewlettPackard/travis_ci f36388a Merge pull request #34 from HewlettPackard/blacklist 9bd62d1 Add travis ci profile 45f3b5f Creating blacklist import rules 7e1d7ee Merge pull request #33 from HewlettPackard/config_fix da55fd1 Fixing config 84f0162 Merge pull request #32 from HewlettPackard/resolve_1 d2d49f1 Try to resolve all elements in an expression to a known const 12d370b Merge pull request #31 from HewlettPackard/config d4367de Adding a config block to the analyzer, parsed from JSON 8261ee5 Merge pull request #29 from HewlettPackard/fix_regexp cee5fad Fix incorrect regexp matches 0bf1ece Merge pull request #27 from cwkuo/fix-windows-file-contains 0737ea6 Fix os.IsExist() condition in filelist.Contains() b659538 Merge pull request #26 from HewlettPackard/fix_annotations 68aac25 Fixing annotations 28f0f1a Merge pull request #23 from csstaub/cs/detect-math-rand c53af75 Detect use of rand.Read from math/rand c5d2715 Merge pull request #24 from csstaub/cs/smarter-creds-check e86addb Merge pull request #22 from csstaub/cs/csv 3cd0ebe Smarter hard-coded credentials check 2ec102c Use encoding/csv for CSV output 81b5e98 Merge pull request #21 from HewlettPackard/better_sql 3e4d96e Better SQLi testing 2d0a26d Merge pull request #18 from HewlettPackard/issue16 48910f5 Merge pull request #20 from hyakuhei/Fix_Readme 9651a40 Fixed-up some language in README.md 0dd7ec9 Merge pull request #19 from HewlettPackard/issue17 1cff726 Fix exclude documentation a7ebf35 Expand cases accepted by -exclude debb1f5 Merge pull request #14 from csstaub/cs/fix-json 271cff1 Use encoding/json for -fmt json output 50fb7f4 Merge pull request #10 from HewlettPackard/issue9 37cc56d Merge pull request #11 from csstaub/cs/fix-json 
c6e25a9 Make sure -fmt json produces valid output 2f84b67 Handle import error rather than panic on failure 9ce14dc Disclaimer about project status f9bf428 Merge pull request #6 from HewlettPackard/tools 0bd254c Check input files and handle panic condition e2caa92 Merge pull request #5 from HewlettPackard/docs 2cac390 Update the README to include newer rules 59deedb Merge pull request #4 from HewlettPackard/httpoxy 3615933 Adding check for httpoxy 4f3d620 Initial public release

    Source code (tar.gz)
    Source code (zip)
    gosec_2.5.0_checksums.txt (294 bytes)
    gosec_2.5.0_darwin_amd64.tar.gz (4.54 MB)
    gosec_2.5.0_linux_amd64.tar.gz (4.59 MB)
    gosec_2.5.0_windows_amd64.tar.gz (4.65 MB)
  • v2.4.0 (Jul 24, 2020)

    Changelog

    6bcd89a Mark all lines of a multi-line finding
    4d4e594 Add some comments
    d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
    37d1af0 Expand the arguments to a list of strings when they are provided as a single string
    59cbe00 Update all dependencies
    ade81d3 Rename file for consistency
    03f12f3 Change naming rule from blacklist to blocklist
    3784ffe Fix panic when reading the version from debug info in Go 1.13
    55d368f Improve the TLS version checking
    ad1cb7e Make sure some version information is set when no version was injected into the binary
    1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
    0c1a71b Add more tests samples to increase coverage
    fe07fcf Fix unit test when checking a mix of good and bad random functions
    6bbf8f9 Extend the insecure random rule with more insecure random functions
    af699f6 Exclude .git directory from scan (#485)
    6202b38 Update all dependencies (#484)
    6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
    826db1c Fix the build tags propagation
    7da9248 Change the issue test to verify that a multi-line finding contains a line range
    7aedcc5 Remove print line from tests
    30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
    68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
    32be4a5 Make sure all rules are mapped to CWE numbers
    8630c43 Add null pointer check in G601
    1418b85 ondisk -> onDisk
    b2cfc5d USERS.md typo in the title fixed.
    425b8f9 Display a sponsor button in the repository
    0714a1e Update the users file with some more projects and companies
    1b915dd Set up a gosec's users list
    668512f Update bad_defer.go

    Source code (tar.gz)
    Source code (zip)
    gosec_2.4.0_checksums.txt (294 bytes)
    gosec_2.4.0_darwin_amd64.tar.gz (4.76 MB)
    gosec_2.4.0_linux_amd64.tar.gz (4.81 MB)
    gosec_2.4.0_windows_amd64.tar.gz (4.85 MB)
  • v2.3.0 (May 4, 2020)

    Changelog

    ee3146e Rule which detects aliasing of values in RangeStmt
    8662624 Update the build badge to get the status from GitHub workflow
    a5db4e1 Run mod tidy to clean up the dependencies
    fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
    a2a40de Update the README with an example to configure the hard-coded credentials rule
    802292c Fix the configuration parsing for hardcoded credentials
    c58f356 Set the default color on only for text format
    1a113d6 Turn the color always on when the text format is set
    c4417de Use the latest color package to get the color working with tmux
    656691b feature(formatter/text): Add color option on text format (#460)
    51e4317 Automate the release process using a GitHub workflow
    341059e Update the GitHub action name to be more descriptive
    3b6c3f1 Update README with some instruction how to run gosec as a GitHub action
    08202fe Add a GitHub action to run gosec
    c6e10af Handle properly the gosec module version v2
    e946c8c Update all dependencies
    e030aa4 Remove the go 1.14 version from github action
    ee176ff Fix the job names in the Github workflow
    cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
    a111777 Change the GitHub workflow to use only the latest Go version
    722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
    5284f34 Change the GitHub workflow to use an action which install Go using a Go version from the matrix
    8de5fb6 Migrate the build to GitHub Actions
    7da9f46 Fix the call list info to handle selector expressions
    cf25904 Fix the subproc rule to handle correctly the CommandContext check
    f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProces calls
    c998389 re-generate install.sh with latest godownloader (#446)
    7525fe4 Rule for deferring methods which return errors (#441)
    a2ac0bf Update all dependencies (#445)
    a305f10 Fileperms (#442)
    00363ed remove support for go 1.11 (#444)
    d13bb6d Update all dependencies

    Source code (tar.gz)
    Source code (zip)
    gosec_2.3.0_checksums.txt (294 bytes)
    gosec_2.3.0_darwin_amd64.tar.gz (4.53 MB)
    gosec_2.3.0_linux_amd64.tar.gz (4.61 MB)
    gosec_2.3.0_windows_amd64.tar.gz (4.67 MB)
  • v2.2.0 (Jan 30, 2020)

    Changelog

    17df5b3 Fix typos
    3e069e7 Fix the errors rule whitelist to work on types methods
    459e2d3 Modify rule for integer overflow to have more accurate results (#434)
    a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
    3d5c97b Add a test sample for Cgo files
    81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
    a1969e2 Handle all errors in the formatter tests (#431)
    9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
    f43a957 Check for both default and alternative nosec tags (#426)
    79fbf3a Add golint format to output format (#428)
    57c3788 Update all dependencies (#427)
    5d61373 fix(docker) gcc and libc-dev required bindings
    cb4f343 Update all dependencies (#417)
    df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
    b4c76d4 Update all dependencies (#410)
    99170e0 Update the README with some details about the CWE mapping (#407)
    53be8dd Add CWE rule mappings (#405)

    Source code (tar.gz)
    Source code (zip)
    gosec_2.2.0_checksums.txt (294 bytes)
    gosec_2.2.0_darwin_amd64.tar.gz (4.49 MB)
    gosec_2.2.0_linux_amd64.tar.gz (4.57 MB)
    gosec_2.2.0_windows_amd64.tar.gz (4.64 MB)
  • v2.1.0 (Oct 9, 2019)

    Changelog

    28c1128 Add more tests to improve the coverage of resolve
    d78f026 Format import to make codecov happy
    50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
    07770ae Add a test for composite literals when trying to resolve an AST tree node
    f413f14 Handle the ValueSpec when trying to resolve an AST tree node
    c1970ff Handle the ValueSpec when trying to resolve an AST tree node
    ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
    186dec7 Convert the global settings to correct type when reading them from file (#399)
    e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
    ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
    607f240 reconfigure renovate bot (#395)
    832d7bb Update README with CII Best Practices badge
    29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
    b504783 Change unit tests to check for one thing (#381)
    7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
    f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
    c6ac709 Update golang.org/x/net commit hash to aa69164
    7a6460d Update golang.org/x/crypto commit hash to 9ee001b
    d8f249a Update README with rule G108
    9cee24c Add a rule which detects when pprof endpoint is automatically exposed
    73fbc9b Update golang.org/x/net commit hash to 1a5e07d
    124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
    915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
    e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
    f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
    90e9759 Update golang.org/x/net commit hash to c858923 (#373)
    709ed1b Change rule G204 to be less restrictive (#339)
    98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
    d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
    3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
    140048b Update golang.org/x/sys commit hash to 7ad0cfa
    a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
    b9c4c66 Expose analyzer API (#366)
    29fddff turn on automerge for renovate bot
    bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
    069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
    3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
    f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
    a1c9c76 Remove the unused code to increase the test coverage
    338b50d Remove rule G105 which detects the use of math/big#Int.Exp
    43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
    81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
    76ce9f0 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
    e050355 Update the TLS config generator to handle TLS version 1.3
    c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
    a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
    8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
    7851918 Add support to exclude arbitrary folders from scanning (#353)
    1c35be8 Add renovate.json (#354)
    fde1f82 Update the tag format in the release steps (#348)
    992f173 Update README file with a note on dependencies (#351)
    e442cf3 Add Go 1.13 to the tested version in the travis build file (#350)
    4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
    8932f70 Add flag to handle '#nosec' alternative (#346)
    4b59c94 Prevent null pointer exception in Sonarqube (#334)
    39f7e7b Display filtered number of issues instead of total in stats
    e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
    63b44b6 Add some more tests to make codecov happy
    1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar [email protected]
    f344524 Fix the whitelist on G104 rule and add a test
    78a4949 Load rules on each code sample in order to reconfigure them
    ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
    36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
    020479a Support multiple root paths when generating the Sonarqube report
    46e55b9 Fix the file path in the Sonarqube report
    04dc713 One approach for fixing the false positive identified in #325.
    196edd3 Add checksum clarification in README
    0ebfa2f Rework analyzer unit test to pass the go tip version (#318)
    9d9098f print version string (#317)
    ee80733 Add a flag to filter issues by confidence (#316)

    Source code (tar.gz)
    Source code (zip)
    gosec_2.1.0_checksums.txt (294 bytes)
    gosec_2.1.0_darwin_amd64.tar.gz (4.50 MB)
    gosec_2.1.0_linux_amd64.tar.gz (4.54 MB)
    gosec_2.1.0_windows_amd64.tar.gz (4.59 MB)
  • 2.0.0 (May 2, 2019)

    Changelog

    29cec13 Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
    b68ac76 Fix formatting
    3e69a8c Append the package load errors to analyser's errors
    aac9b00 Refactor properly the package error parsing and cover all test cases
    625718d Refactor the test for Go build errors
    3af4ae9 Fix some lint warnings
    bac6f0f Add tests for an empty package without any test file
    76b2c12 Add a test to cover the processing of empty packages
    b04c1ce Fix error parsing from package
    92b3644 Fix error parsing when the loaded package is empty
    48e3932 Remove tests case from import tracker
    25b5a1a Add tests to cover the import tracker from file
    5ef2bee Track only the import from the file which is checked
    f1ea7f6 Add tests for analyser test package check
    6e5135f Update README with some instructions to enable the tests and vendor folder scanning
    b49c953 Add a flag which allows to scan also the tests files
    f1d49a6 Remove unused code
    ed2e0aa Update local install command in README file
    4dfaf0a Refactor the analyzer to process one package at the time
    adcfe94 Fix test for helpers
    5ae5266 Add some tests that covers the helper function which list the package paths
    e419eb8 Exclude correctly the vendor folder from the scanned packages
    85eb8a5 Scan the go packages path recursively starting from a root folder
    8522199 Improve logging in the analyser
    ea16ff1 Remove GOPATH check to allow running gosec outside of GOPATH
    6c174a6 Update README file
    7935fd8 Rework the Dockerfile for Go modules
    806908a Remove the dep tool installation from travis CI
    950e84c Handle errors to fix lint warnings
    ee73b9e Remove dep and Use only Go modules to manage dependencies
    85d1808 Go modules support for 1.12 (#297)
    eaba99d fix comment.
    4cd14f9 remove panic
    66e7c8d Extract to a constant
    1b28d32 fix sonarIssues struct
    8eab50e update README.md to add support of sonarqube.
    989eb3f Update Hound errors
    ddfe54d Add sonarqube output
    c5e6c4a fix no-fail flag logic
    2bd007e Update README
    8b27d1c Update go version to 1.11.5 in the docker file
    9cd538f Fix README typo

    Source code (tar.gz)
    Source code (zip)
    gosec_2.0.0_checksums.txt (294 bytes)
    gosec_2.0.0_darwin_amd64.tar.gz (4.45 MB)
    gosec_2.0.0_linux_amd64.tar.gz (4.49 MB)
    gosec_2.0.0_windows_amd64.tar.gz (4.55 MB)
  • 1.3.0 (Feb 28, 2019)

    Changelog

    62b5195 Report for Golang errors (#284)
    9cdfec4 Change test
    8048b15 Add more badges in the README file
    e2752bc revert to default GOPATH if necessary (#279)
    04ce7ba add a no-fail flag
    a966ff7 Fix -conf example in README.md
    b662615 Fix typo
    5d33e6e Update the README with some details about the configuration file
    f87af5f Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
    14ed63d Do not flag the unhandled errors which are explicitly ignored
    12400f9 Update README with the code coverage badge
    72e95e8 Generate and upload the test coverage report to codecove.io
    24e3094 Extend the bind rule to handle the case when the net.Listen address is provided from a const
    9b32fca Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
    f14f17f Add a helper function which extracts the string parameters values of a call expression

    Source code (tar.gz)
    Source code (zip)
    gosec_1.3.0_checksums.txt (294 bytes)
    gosec_1.3.0_darwin_amd64.tar.gz (3.93 MB)
    gosec_1.3.0_linux_amd64.tar.gz (3.98 MB)
    gosec_1.3.0_windows_amd64.tar.gz (4.05 MB)
  • 1.2.0 (Nov 11, 2018)

    Changelog

    2695567 Build the code sample for string builder only from Go 1.10 onwards
    ae82798 Fix the WriteSring test by handling the error
    adb4222 whitelist strings.Builder method in rule G104
    9b966a4 add test case for strings.Builder G104 whitelist inclusion
    4180994 Make G201 ignore CallExpr with no args (#262)
    443f84f Fix golint link (#263)
    3116b07 Fix typos in comments and rulelist (#256)
    e0a150b Merge pull request #254 from kishaningithub/253
    97bc137 Add CI Installation steps and correct markdown lint errors
    8c09a83 Add install.sh script
    d032909 Merge pull request #251 from NeverOddOrEven/fix-html-template
    027dc2b This fixes the html template when using '-fmt=html' - resolves HTML escaping issues within the template - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
    f9b4187 Merge pull request #249 from andrewhsu/go
    1ecd47e bump Dockerfile golang from 1.10 to 1.11
    2cc6838 Merge pull request #248 from ccojocar/code-samples-multiple-files
    64d58c2 Refactor the test code sample to support multiple files per sample
    d3f1980 Fix false positives for SQL string concatenation with constants from another file (#247)
    5f98926 Refactor Dockerfile (#245)
    7f6509a Update README.md (#246)
    762ff3a Allow quoted strings to be used to format SQL queries (#240)
    ec32ce6 Support Go 1.11 (#239)
    145f1a0 Removed wrapping feature (#238)
    419c929 G107 - SSRF (#236)
    63b25c1 Fix typo in README (#235)
    7fd9446 update to G304 which adds binary expressions and file joining (#233)

    Source code (tar.gz)
    Source code (zip)
    gosec_1.2.0_checksums.txt (294 bytes)
    gosec_1.2.0_darwin_amd64.tar.gz (3.92 MB)
    gosec_1.2.0_linux_amd64.tar.gz (3.96 MB)
    gosec_1.2.0_windows_amd64.tar.gz (4.03 MB)
  • 1.1.0 (Aug 21, 2018)

    Changelog

    e4ba96a Update README
    ec0f8ec Set the GOROOT and GOPATH env variables in Dockerfile
    247828c Update docker base image to 1.10.3-alpine3.8
    b689199 Add Fprintf to Rule G201
    a7cff91 Small update to G201 and added ConcatString Function (#228)
    1c438e3 Tweak makefile to match up with docker repo (#231)
    9577fd0 Update README
    e543f46 Use the Linux build for Docker image
    dbd0f8f Use the make build goal when creating the docker image
    f06a84e Merge pull request #227 from ccojocar/sha1
    8dfa8dc Update README
    fb0dc73 Add sha1 to weak crypto primitives
    90a1c1d Merge pull request #225 from jvmatl/jvmatl-patch-1
    0d2e16d Document #nosec use with a list of rules
    639987a Merge pull request #223 from ccojocar/fail_by_severity
    de10a74 Fix the help message
    4702cc5 Add a flag to specify the severity for which the scanning will be failed
    c0db486 Merge pull request #222 from ccojocar/vendor_folder_flag
    6919d97 Add a flag to turn on scanning on vendor folder
    f5b44b0 Merge pull request #221 from Quasilyte/quasilyte/dupSubExpr
    7d767b4 Merge pull request #220 from Quasilyte/quasilyte/sloppyLen
    3c8707c fix duplicated index issue in Less method
    2f61fad replace len(x)<=0 with len(x)==0

    Source code (tar.gz)
    Source code (zip)
    gosec_1.1.0_checksums.txt (294 bytes)
    gosec_1.1.0_darwin_amd64.tar.gz (2.84 MB)
    gosec_1.1.0_linux_amd64.tar.gz (2.87 MB)
    gosec_1.1.0_windows_amd64.tar.gz (2.92 MB)
  • 1.0.0 (Jul 27, 2018)

    Changelog

    5fb530c Merge pull request #219 from ccojocar/goreleaser
    a8edd07 Update locked dependencies
    2a6e887 Use the goreleaser tool to perform releases
    5ba6475 Merge pull request #211 from WillAbides/commandcontext
    1f9d09d remove extra bracket from test source
    6a156e2 Merge branch 'master' into commandcontext
    2785f7a Merge pull request #217 from ccojocar/derive_pkg_from_files
    4c6396b Derive the package from given files
    3f2b814 Update README.md
    138e6de Add slack community link (#215)
    f254cec Merge pull request #216 from ccojocar/rename_gas_with_gosec
    e6641c6 Replace gas with gosec in the README file
    893b87b Replace gas with gosec everywhere in the project
    da26f64 Rename github org (#214)
    1923b6d Rule which detects a potential path traversal when extracting zip archives (#208)
    d7ec2fc add CommandContext as subprocess launcher
    4ae8c95 Add an option for Go build tags (#201)
    7790709 Discard the logs messages if the quiet flag is set (#200)
    830cb81 Support package resolution and filepaths (#187)
    b643ac2 Add rule ID to text output (#198)
    c25269e Regenerate the TLS config (#199)
    542d0c0 Fix up some mistakes in the README instructions (#195)
    e809226 Build improvements (#179)
    2115402 Add the rule ID to issues (#188)
    a036755 Fix TLS config template (#191)
    7116c4d fix fmt errors
    ff2b30f Cleanup test output
    66aea5c fix gofmt errors
    15095a8 Merge branch 'jonmcclintock-nosec-specify-rule'
    90fe5cb Port readfile rule to include ID and metadata
    58a48c4 Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule
    f3c8d59 Switch to valuespec instead of gendecl for hardcoded credential rule (#186)
    e76b258 New Rule Tainted file (#183)
    429ac07 Change the exclude syntax to be a part of #nosec
    7bb6f00 Merge branch 'master' of https://github.com/GoASTScanner/gas into nosec-specify-rule
    57dd25a Add an issue template to the project (#185)
    1d9f816 Add support for YAML output format (#177)
    18700c2 Style tweak
    6b484e7 Run gofmt
    105edba Leftover from merge.
    48d59d2 Merge branch 'nosec-specify-rule' of github.com:jonmcclintock/gas into nosec-specify-rule
    1429033 Add support for #excluding specific rules
    3713168 Merge remote-tracking branch 'upstream/master'
    c6183b4 Add nil pointer check to rule. (#181)
    edb362f Add a tool to generate the TLS configuration from Mozilla's ciphers recommendation (#178)
    1c58cbd Make the folder permissions more permissive to avoid false positives (#175)
    d48668e Merge pull request #170 from cosmincojocar/build_more_checks
    777b706 Merge pull request #167 from cosmincojocar/sort_by_severity
    7355f0a Fix some gas warnings
    230d286 Fix gofmt formatting
    e385ab8 Update the build file with more checks
    e15c057 Update the build file to validate gas from go version 1.7 onward
    84bfbbf Switch to sort Interface to be backward compatible with older go versions
    d4ebb03 Sort the issues by severity in descending order before creating the report
    6b28d5c Merge pull request #166 from cosmincojocar/fprint_whitelist
    ac4622d Merge pull request #165 from cosmincojocar/fix_gas_warnings
    a72a21b Merge pull request #164 from cosmincojocar/ssh_rule
    6cd7a6d Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
    c2c2155 Fix some gas warnings
    a7cdd9c Add ssh package to the build
    179c178 Add some review fixes
    f1b903f Update README
    d3c3cd6 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
    8b87505 Merge pull request #163 from wongherlung/fix-junit-failure-text
    33fff95 Escape html string for junit output.
    e92170b Merge pull request #160 from wongherlung/junit-xml-output
    862295c Return err instead of panic.
    187a711 Unused import
    485bc31 Fix go vet errors in tests
    f7c31f2 Using godep not glide for dependency management
    846c9ff [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
    a293098 Merge pull request #161 from jonmcclintock/allow-loader-errors
    8125622 Merge pull request #162 from gcmurphy/bugfix
    a97a196 Unused import
    7c7fe75 Fix go vet errors in tests
    b49fef7 Using godep not glide for dependency management
    f111d5d [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
    143df04 Fixed typo.
    5b91afe Unexport junit xml structs and some further refactoring.
    fdc78c0 Changed failure text from json to plaintext.
    4059fac Pretty print xml result for better viewing.
    1346bd3 Edited README and help text.
    2c1a0b8 Refactored code.
    7539b37 Added xml header format.
    b8cdc32 Working version of xml result format.
    07a2eec Merge pull request #156 from gcmurphy/bugfix
    5361949 Sending log messages to multiple streams
    51b4a4d Merge pull request #138 from jonmcclintock/sqli-format-whitelist
    bc2a61b Merge branch 'sqli-format-whitelist' of github.com:jonmcclintock/gas into sqli-format-whitelist
    1ca3350 Rebase to master
    8eb9cc0 Adjust SQL format-string rules to ignore inherently safe formats
    a0fc089 Merge pull request #154 from GoASTScanner/issue/153
    806c1d0 Add install instructions
    b068284 Merge pull request #152 from ashanbrown/one-build
    22dc893 Do a single build for all packages.
    085e0f6 Merge pull request #150 from GoASTScanner/experimental
    aecbc87 Use explicit packages in call lists
    9a2bec1 Merge pull request #149 from GoASTScanner/experimental
    b6f85d5 Fix nil pointer dereference in complit types
    3520a5a Merge pull request #146 from GoASTScanner/experimental
    867d300 Fix lint issues
    d452dcb Fix ginkgo invocation
    4c49716 move utils to separate executable
    e925d3c Migrated old test cases.
    25d74c6 address review comments
    af25ac1 fix golint errors picked up by hound-ci
    cfa4327 fix hound-ci errors
    97cde35 update travis-ci to use ginkgo tests
    e3b6fd9 update readme to provide info regarding package level scans
    02901b9 actually skip tests until implementation exists
    d4311c9 make it clear that these tests have not been implemented yet
    67dc432 use godep instead of glide
    2b2999b Add tests for excludes with comments
    37cada1 Add support for #excluding specific rules
    7dfebaf Adjust SQL format-string rules to ignore inherently safe formats
    27b2fd9 Merge pull request #136 from lanzafame/experimental
    6de76c9 Merge pull request #135 from cosmincojocar/update_mondern_tls_chipers
    5a11336 remove committed binary
    9c959ca Issue.Line is already a string
    3caf7c3 Add test cases
    c36954f Add the CHACHA20 to good ciphers in modern tls check
    f22c701 Merge pull request #133 from awiens/master
    b120a3e Updating Dockerfile with requested changes
    5f0f8f8 Adding Docker container and changing README
    6943f9e Major rework of codebase
    f4b705a Use glide to manage vendored dependencies
    026fe4c Simplify analyzer and command line interface
    65b18da Hack to address circular dependency in rulelist
    5160048 Move rule definitions into own file
    50bbc53 Isolate import tracking functionality
    bf78d02 Restructure and introduce a standalone config
    cacf21f Restructure to focus on lib rather than cli
    8df48f9 Fix to reporting to use output formats
    9b08174 Process via packages instead of files
    1beec25 Merge pull request #128 from cosmincojocar/improve_skip
    e94e232 Merge pull request #129 from cosmincojocar/big_exp
    7dc4638 Update the README
    5b71c2b Add a test for math/big.Int.Exp rule
    65b8e74 Add a rule for big.Exp function call
    3ae2762 Add support for partial path match in the skip option
    0573847 Merge pull request #125 from mockturtl/patch-1
    b74c83e BindsToAllNetworkInterfaces should check TLS also
    177fa7d Merge pull request #122 from GoASTScanner/testfixes
    622440f Correct bad test cases and intermittent failure
    5c302fb Merge pull request #121 from cosmincojocar/tls
    2262f5d Add a check for PreferServerCipherSuites flag of tls.Config
    1c8e7ff Merge pull request #118 from GoASTScanner/issue/117
    1c99e45 Fix recursive case on Windows platforms
    72caf3d Merge pull request #115 from GoASTScanner/bugfix
    3e9b66a Temporarily disable typechecker fatal error
    f6aeaa8 Merge pull request #114 from GoASTScanner/feature
    4099783 Go 1.5 does not support width precision specifier
    4b70300 Exclude vendor directory from go vet
    aaddac5 Add the zxcvbn library to vendor list
    9bc0239 Introduce entropy checking of string
    cc52ef5 Merge pull request #112 from GoASTScanner/bugfix
    a7ec9cc Backport test case for 1.5
    f9868aa Fix additional test case
    ab4867b Fix test cases with invalid sample code
    d3f0a08 Report a failure and exit if type checking fails
    bc21a39 Merge pull request #110 from GoASTScanner/bugfix
    d1303fe Improve specificity of error message for GenDecl
    0545d13 Merge pull request #109 from GoASTScanner/bugfix
    1e736c8 Fix test case (invalid sample code)
    d1e67fc Ensure hardcoded credentials only examines strings
    d4f9b88 Merge pull request #104 from endophage/help_fix
    5f1c2df updating skip cli help and readme description
    c68ed64 Merge pull request #102 from GoASTScanner/bugfix
    94ac200 Tests broken if logger is not initialized
    1ba8b93 Reduce logging messages a tad
    465338b Merge pull request #101 from GoASTScanner/bugfix
    191750f Recreate fileset each time we process a file
    b5308ff Merge pull request #98 from endophage/recursive
    365e9f6 Merge pull request #99 from mcpeak/fix-nosec
    1a481fa adding support for arbitrary paths with ...
    942f40a Fix nosec to work as documented
    3911321 Merge pull request #97 from GoASTScanner/experimental
    6ace60b Address unhandled error conditions
    8f78248 Merge pull request #92 from GoASTScanner/experimental
    e1e435c Merge pull request #93 from GoASTScanner/bugfix
    dcfd97c Remove ast.Print debug message from tryresolve
    129be15 Update error test case
    5242a2c Extend helpers and call list
    d29c648 Add match call by type
    d30c5cd Merge pull request #91 from GoASTScanner/experimental
    63e8b1a Update unsafe rule to match package explicitly
    b26f5cf Merge pull request #90 from GoASTScanner/experimental
    39b18a1 Remove debug print messages
    5b3192b Merge pull request #88 from GoASTScanner/experimental
    ca42de2 Initialize fresh import info for each file
    6ef59ba Merge pull request #86 from GoASTScanner/experimental
    c7bb2dd Fix additional crash condition
    5012c34 Handle imbalanced declaration of constants
    9301684 Merge pull request #83 from GoASTScanner/experimental
    a3fcd96 Update hardcoded credentials rule for GenDecls
    bf103da Allow rules to register against multiple ast nodes
    c6587df Merge pull request #82 from GoASTScanner/experimental
    1d732b8 Ensure os.OpenFile file permissions are checked
    423a303 Merge pull request #81 from GoASTScanner/experimental
    97dcc72 Incorrect rule mapping in rulelist
    7dd3032 Merge pull request #76 from GoASTScanner/experimental
    be96ef2 Fix alias logic
    c833bfa Merge branch 'tam7t-rand-pkg-helper'
    e0db3f4 Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper
    9f54d25 Merge pull request #75 from GoASTScanner/experimental
    20f2a98 Ensure initialization only imports are ignored
    7a275fd MatchCallByPackage updated to avoid GetCallObject
    d163260 Merge pull request #71 from GoASTScanner/call_list
    238d1e0 Merge pull request #73 from GoASTScanner/tools
    b02c0fa Add imports dumper
    2c9d8fc Skip files if they don't exist
    d205060 Update to dump specific context information
    d8bf436 Merge pull request #72 from GoASTScanner/tools
    14e6635 Add tool to inspect call objects in file
tool to inspect call objects in file 0bc4d48 Add an experimental way to whitelist calls afb84ff rand: use a MatchCallByPackage helper 8a473c7 Merge pull request #69 from GoASTScanner/helpers 0fef3ad Split out MatchCallByObject into two functions ce2c328 Merge pull request #68 from GoASTScanner/command_line_fixes f71ade6 Update usage to indicate html is supported d72cee8 Add quiet mode 9fa0b72 Merge pull request #67 from GoASTScanner/use_types c405754 Add MatchCall helper that utilizes type checker 9e2abd5 Merge pull request #66 from csstaub/cs/html-output aadcf8d Merge pull request #60 from tam7t/fix-rand 4ff5915 rand: refactor to use types package 75e0e1a rand: resolve math/rand package 068e8a8 Merge pull request #65 from GoASTScanner/sql_fix d60a2b4 Confirmed correct behavior for SQL tests 853b097 Merge pull request #63 from GoASTScanner/travis_ci 686927c Address go vet failure in SQL rule 344ebd1 Add go vet to travis-ci 65d572f Merge pull request #62 from GoASTScanner/correct_imports 74b6633 Updated imports to new repository location. 
b8ce40e Remove debugging println 4cd269f Merge pull request #58 from levigross/master 9c3c102 Fixed comment b92fa02 Make sure to exit 1 if we find an issue fadc6d4 Merge pull request #52 from gcmurphy/use_glob b8e78c6 Merge pull request #56 from s7v7nislands/fix_unsafe eedb0c2 fix fmt 92dda9c fix unsafe check 911c696 Add support for HTML output 59fbf74 Refactor path matching logic a4fd848 Merge pull request #49 from gcmurphy/master 7f4bdd5 Merge pull request #48 from gcmurphy/godoc d05a241 MatcMatchCompLit should be MatchCompList b5a98c1 Add godocs.org bagdge 9ca975d Add gas to .gitignore 0ee8e1b Merge pull request #47 from gcmurphy/readme 0bce177 Fix typos in godocs bb42840 Merge pull request #42 from HewlettPackard/code_docs e4b1e28 Merge pull request #46 from drewwells/feature/exclusions a2b7f3e Add LICENSE information to README.md 929edb4 Update README.md to use rule ID's 365ae31 prefix patterns with **/ to match subdirectories 223cded Adding some inline documentation for godoc 37205e9 Merge pull request #41 from HewlettPackard/usage df373b8 Fix usage information 82947bb Merge pull request #39 from HewlettPackard/rule_selection 713949f Rule selection rules 51ffe1b Merge pull request #40 from dragonndev/master b29e45f Merge pull request #38 from HewlettPackard/cli_docs 5b867f2 Clarified output format options. 
6d831c0 Updating docs for new CLI "skip" option 235308f Merge pull request #35 from HewlettPackard/config_cli e3b1d33 Configuration 4e30ca3 Merge pull request #37 from HewlettPackard/travis_ci 9521472 Add build status to README.md 58e6823 Merge pull request #36 from HewlettPackard/travis_ci f36388a Merge pull request #34 from HewlettPackard/blacklist 9bd62d1 Add travis ci profile 45f3b5f Creating blacklist import rules 7e1d7ee Merge pull request #33 from HewlettPackard/config_fix da55fd1 Fixing config 84f0162 Merge pull request #32 from HewlettPackard/resolve_1 d2d49f1 Try to resolve all elements in an expression to a known const 12d370b Merge pull request #31 from HewlettPackard/config d4367de Adding a config block to the analyzer, parsed from JSON 8261ee5 Merge pull request #29 from HewlettPackard/fix_regexp cee5fad Fix incorrect regexp matches 0bf1ece Merge pull request #27 from cwkuo/fix-windows-file-contains 0737ea6 Fix os.IsExist() condition in filelist.Contains() b659538 Merge pull request #26 from HewlettPackard/fix_annotations 68aac25 Fixing annotations 28f0f1a Merge pull request #23 from csstaub/cs/detect-math-rand c53af75 Detect use of rand.Read from math/rand c5d2715 Merge pull request #24 from csstaub/cs/smarter-creds-check e86addb Merge pull request #22 from csstaub/cs/csv 3cd0ebe Smarter hard-coded credentials check 2ec102c Use encoding/csv for CSV output 81b5e98 Merge pull request #21 from HewlettPackard/better_sql 3e4d96e Better SQLi testing 2d0a26d Merge pull request #18 from HewlettPackard/issue16 48910f5 Merge pull request #20 from hyakuhei/Fix_Readme 9651a40 Fixed-up some language in README.md 0dd7ec9 Merge pull request #19 from HewlettPackard/issue17 1cff726 Fix exclude documentation a7ebf35 Expand cases accepted by -exclude debb1f5 Merge pull request #14 from csstaub/cs/fix-json 271cff1 Use encoding/json for -fmt json output 50fb7f4 Merge pull request #10 from HewlettPackard/issue9 37cc56d Merge pull request #11 from csstaub/cs/fix-json 
c6e25a9 Make sure -fmt json produces valid output 2f84b67 Handle import error rather than panic on failure 9ce14dc Disclaimer about project status f9bf428 Merge pull request #6 from HewlettPackard/tools 0bd254c Check input files and handle panic condition e2caa92 Merge pull request #5 from HewlettPackard/docs 2cac390 Update the README to include newer rules 59deedb Merge pull request #4 from HewlettPackard/httpoxy 3615933 Adding check for httpoxy 4f3d620 Initial public release

    Source code (tar.gz)
    Source code (zip)
    gosec_1.0.0_checksums.txt (294 bytes)
    gosec_1.0.0_darwin_amd64.tar.gz (2.84 MB)
    gosec_1.0.0_linux_amd64.tar.gz (2.87 MB)
    gosec_1.0.0_windows_amd64.tar.gz (2.91 MB)
Owner: Secure Go, a project devoted to secure programming in the Go language