Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
devel:languages:go
gosec
gosec-2.21.4.obscpio
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gosec-2.21.4.obscpio of Package gosec
07070100000000000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001500000000gosec-2.21.4/.github07070100000001000081A400000000000000000000000166F552690000004C000000000000000000000000000000000000002100000000gosec-2.21.4/.github/FUNDING.yml# These are supported funding model platforms github: [ccojocar, gcmurphy] 07070100000002000081A400000000000000000000000166F55269000000BE000000000000000000000000000000000000002700000000gosec-2.21.4/.github/issue_template.md### Summary ### Steps to reproduce the behavior ### gosec version ### Go version (output of 'go version') ### Operating system / Environment ### Expected behavior ### Actual behavior 07070100000003000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001F00000000gosec-2.21.4/.github/workflows07070100000004000081A400000000000000000000000166F55269000006CC000000000000000000000000000000000000002600000000gosec-2.21.4/.github/workflows/ci.ymlname: CI on: push: branches: - master pull_request: branches: - master jobs: test: strategy: matrix: version: [{go: '1.22.7', golangci: 'latest'}, {go: '1.23.1', golangci: 'latest'}] runs-on: ubuntu-latest env: GO111MODULE: on steps: - name: Setup go ${{ matrix.version.go }} uses: actions/setup-go@v5 with: go-version: ${{ matrix.version.go }} - name: Checkout Source uses: actions/checkout@v4 - uses: actions/cache@v4 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: lint uses: golangci/golangci-lint-action@v6 with: version: ${{ matrix.version.golangci }} - name: Run Gosec Security Scanner uses: securego/gosec@master with: args: ./... - name: Run Tests run: make test - name: Perf Diff run: make perf-diff coverage: needs: [test] runs-on: ubuntu-latest env: GO111MODULE: on steps: - name: Setup go uses: actions/setup-go@v5 with: go-version: '1.23.1' - name: Checkout Source uses: actions/checkout@v4 - uses: actions/cache@v4 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Create Test Coverage run: make test-coverage - name: Upload Test Coverage uses: codecov/codecov-action@v4 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true 07070100000005000081A400000000000000000000000166F5526900000956000000000000000000000000000000000000002B00000000gosec-2.21.4/.github/workflows/release.ymlname: Release on: push: tags: - 'v*' jobs: build: runs-on: ubuntu-latest env: GO111MODULE: on ACTIONS_ALLOW_UNSECURE_COMMANDS: true steps: - name: Checkout Source uses: actions/checkout@v4 - name: Unshallow run: git fetch --prune --unshallow - name: Set up Go uses: actions/setup-go@v5 with: go-version: '1.23.1' - name: Install Cosign uses: sigstore/cosign-installer@v3 with: cosign-release: 'v2.4.0' - name: Store Cosign private key in a file run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' shell: bash env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 with: username: ${{secrets.DOCKER_USERNAME}} password: ${{secrets.DOCKER_PASSWORD}} - name: Generate SBOM uses: CycloneDX/gh-gomod-generate-sbom@v2 with: version: v1 args: mod -licenses -json -output bom.json - name: Docker meta uses: docker/metadata-action@v5 id: meta with: images: securego/gosec flavor: | latest=true tags: | type=sha,format=long type=semver,pattern={{version}} - name: Release Binaries uses: goreleaser/goreleaser-action@v6 with: version: latest args: release --clean env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Release Docker Image uses: docker/build-push-action@v6 id: relimage with: platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le tags: ${{steps.meta.outputs.tags}} labels: ${{steps.meta.outputs.labels}} push: true build-args: GO_VERSION=1.23 - name: Sign Docker Image run: cosign sign --yes --key /tmp/cosign.key ${DIGEST} env: TAGS: ${{steps.meta.outputs.tags}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PRIVATE_KEY: /tmp/cosign.key DIGEST: ${{steps.relimage.outputs.digest}} 07070100000006000081A400000000000000000000000166F552690000031A000000000000000000000000000000000000002800000000gosec-2.21.4/.github/workflows/scan.ymlname: "Security Scan" # Run workflow each time code is pushed to your repository and on a schedule. # The scheduled workflow runs every at 00:00 on Sunday UTC time. on: push: pull_request: schedule: - cron: '0 0 * * 0' jobs: build: runs-on: ubuntu-latest steps: - name: Check out code into the Go module directory uses: actions/checkout@v4 - name: Security Scan uses: securego/gosec@master with: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-no-fail -fmt sarif -out results.sarif ./...' - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif 07070100000007000081A400000000000000000000000166F552690000017F000000000000000000000000000000000000001800000000gosec-2.21.4/.gitignore# transient files /image # Compiled Object files, Static and Dynamic libs (Shared Objects) *.o *.a *.so *.swp /gosec # Folders _obj _test vendor dist # Architecture specific extensions/prefixes *.[568vq] [568vq].out *.cgo1.go *.cgo2.c _cgo_defun.c _cgo_gotypes.go _cgo_export.* _testmain.go *.exe *.test *.prof .DS_Store .vscode .idea # SBOMs generated during CI /bom.json 107070100000008000081A400000000000000000000000166F55269000002C6000000000000000000000000000000000000001B00000000gosec-2.21.4/.golangci.ymllinters: enable: - asciicheck - bodyclose - copyloopvar - dogsled - durationcheck - errcheck - errorlint - gci - ginkgolinter - gochecknoinits - gofmt - gofumpt - goimports - gosec - gosimple - govet - importas - ineffassign - misspell - nakedret - nolintlint - revive - staticcheck - typecheck - unconvert - unparam - unused - wastedassign linters-settings: gci: sections: - standard - default - prefix(github.com/securego) staticcheck: checks: - all - '-SA1019' revive: rules: - name: dot-imports disabled: true run: timeout: 5m 07070100000009000081A400000000000000000000000166F5526900000268000000000000000000000000000000000000001D00000000gosec-2.21.4/.goreleaser.yml--- version: 2 project_name: gosec release: extra_files: - glob: ./bom.json github: owner: securego name: gosec builds: - main: ./cmd/gosec/ binary: gosec goos: - darwin - linux - windows goarch: - amd64 - arm64 - s390x - ppc64le ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}} env: - CGO_ENABLED=0 signs: - cmd: cosign stdin: '{{ .Env.COSIGN_PASSWORD}}' args: - "sign-blob" - "--key=/tmp/cosign.key" - "--output=${signature}" - "${artifact}" - "--yes" artifacts: all 0707010000000A000081A400000000000000000000000166F55269000001D1000000000000000000000000000000000000001800000000gosec-2.21.4/DockerfileARG GO_VERSION FROM golang:${GO_VERSION}-alpine AS builder RUN apk add --no-cache ca-certificates make git curl gcc libc-dev \ && mkdir -p /build WORKDIR /build COPY . /build/ RUN go mod download \ && make build-linux FROM golang:${GO_VERSION}-alpine RUN apk add --no-cache ca-certificates bash git gcc libc-dev openssh ENV GO111MODULE on COPY --from=builder /build/gosec /bin/gosec COPY entrypoint.sh /bin/entrypoint.sh ENTRYPOINT ["/bin/entrypoint.sh"] 0707010000000B000081A400000000000000000000000166F55269000023B2000000000000000000000000000000000000001900000000gosec-2.21.4/LICENSE.txtApache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: You must give any other recipients of the Work or Derivative Works a copy of this License; and You must cause any modified files to carry prominent notices stating that You changed the files; and You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS 0707010000000C000081A400000000000000000000000166F5526900000A55000000000000000000000000000000000000001600000000gosec-2.21.4/MakefileGIT_TAG?= $(shell git describe --always --tags) BIN = gosec FMT_CMD = $(gofmt -s -l -w $(find . -type f -name '*.go' -not -path './vendor/*') | tee /dev/stderr) IMAGE_REPO = securego DATE_FMT=+%Y-%m-%d ifdef SOURCE_DATE_EPOCH BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") else BUILD_DATE ?= $(shell date "$(DATE_FMT)") endif BUILDFLAGS := "-w -s -X 'main.Version=$(GIT_TAG)' -X 'main.GitTag=$(GIT_TAG)' -X 'main.BuildDate=$(BUILD_DATE)'" CGO_ENABLED = 0 GO := GO111MODULE=on go GOPATH ?= $(shell $(GO) env GOPATH) GOBIN ?= $(GOPATH)/bin GOSEC ?= $(GOBIN)/gosec GINKGO ?= $(GOBIN)/ginkgo GO_MINOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f2) GOVULN_MIN_VERSION = 17 GO_VERSION = 1.23 default: $(MAKE) build install-test-deps: go install github.com/onsi/ginkgo/v2/ginkgo@latest go install golang.org/x/crypto/...@latest go install github.com/lib/pq/...@latest install-govulncheck: @if [ $(GO_MINOR_VERSION) -gt $(GOVULN_MIN_VERSION) ]; then \ go install golang.org/x/vuln/cmd/govulncheck@latest; \ fi test: install-test-deps build-race fmt vet sec govulncheck $(GINKGO) -v --fail-fast fmt: @echo "FORMATTING" @FORMATTED=`$(GO) fmt ./...` @([ ! -z "$(FORMATTED)" ] && printf "Fixed unformatted files:\n$(FORMATTED)") || true vet: @echo "VETTING" $(GO) vet ./... golangci: @echo "LINTING: golangci-lint" golangci-lint run sec: @echo "SECURITY SCANNING" ./$(BIN) ./... govulncheck: install-govulncheck @echo "CHECKING VULNERABILITIES" @if [ $(GO_MINOR_VERSION) -gt $(GOVULN_MIN_VERSION) ]; then \ govulncheck ./...; \ fi test-coverage: install-test-deps go test -race -v -count=1 -coverprofile=coverage.out ./... build: go build -o $(BIN) ./cmd/gosec/ build-race: go build -race -o $(BIN) ./cmd/gosec/ clean: rm -rf build vendor dist coverage.out rm -f release image $(BIN) release: @echo "Releasing the gosec binary..." goreleaser release build-linux: CGO_ENABLED=$(CGO_ENABLED) GOOS=linux go build -ldflags=$(BUILDFLAGS) -o $(BIN) ./cmd/gosec/ image: @echo "Building the Docker image..." docker build -t $(IMAGE_REPO)/$(BIN):$(GIT_TAG) --build-arg GO_VERSION=$(GO_VERSION) . docker tag $(IMAGE_REPO)/$(BIN):$(GIT_TAG) $(IMAGE_REPO)/$(BIN):latest touch image image-push: image @echo "Pushing the Docker image..." docker push $(IMAGE_REPO)/$(BIN):$(GIT_TAG) docker push $(IMAGE_REPO)/$(BIN):latest tlsconfig: go generate ./... perf-diff: ./perf-diff.sh .PHONY: test build clean release image image-push tlsconfig perf-diff 0707010000000D000081A400000000000000000000000166F55269000044F1000000000000000000000000000000000000001700000000gosec-2.21.4/README.md # gosec - Go Security Checker Inspects source code for security problems by scanning the Go AST and SSA code representation. <img src="https://securego.io/img/gosec.png" width="320"> ## License Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0). ## Project status [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3218/badge)](https://bestpractices.coreinfrastructure.org/projects/3218) [![Build Status](https://github.com/securego/gosec/workflows/CI/badge.svg)](https://github.com/securego/gosec/actions?query=workflows%3ACI) [![Coverage Status](https://codecov.io/gh/securego/gosec/branch/master/graph/badge.svg)](https://codecov.io/gh/securego/gosec) [![GoReport](https://goreportcard.com/badge/github.com/securego/gosec)](https://goreportcard.com/report/github.com/securego/gosec) [![GoDoc](https://pkg.go.dev/badge/github.com/securego/gosec/v2)](https://pkg.go.dev/github.com/securego/gosec/v2) [![Docs](https://readthedocs.org/projects/docs/badge/?version=latest)](https://securego.io/) [![Downloads](https://img.shields.io/github/downloads/securego/gosec/total.svg)](https://github.com/securego/gosec/releases) [![Docker Pulls](https://img.shields.io/docker/pulls/securego/gosec.svg)](https://hub.docker.com/r/securego/gosec/tags) [![Slack](https://img.shields.io/badge/Slack-4A154B?style=for-the-badge&logo=slack&logoColor=white)](http://securego.slack.com) ## Install ### CI Installation ```bash # binary will be $(go env GOPATH)/bin/gosec curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin vX.Y.Z # or install it into ./bin/ curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z # In alpine linux (as it does not come with curl by default) wget -O - -q https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s vX.Y.Z # If you want to use the checksums provided on the "Releases" page # then you will have to download a tar.gz file for your operating system instead of a binary file wget https://github.com/securego/gosec/releases/download/vX.Y.Z/gosec_vX.Y.Z_OS.tar.gz # The file will be in the current folder where you run the command # and you can check the checksum like this echo "<check sum from the check sum file> gosec_vX.Y.Z_OS.tar.gz" | sha256sum -c - gosec --help ``` ### GitHub Action You can run `gosec` as a GitHub action as follows: ```yaml name: Run Gosec on: push: branches: - master pull_request: branches: - master jobs: tests: runs-on: ubuntu-latest env: GO111MODULE: on steps: - name: Checkout Source uses: actions/checkout@v3 - name: Run Gosec Security Scanner uses: securego/gosec@master with: args: ./... ``` ### Integrating with code scanning You can [integrate third-party code analysis tools](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/integrating-with-code-scanning) with GitHub code scanning by uploading data as SARIF files. The workflow shows an example of running the `gosec` as a step in a GitHub action workflow which outputs the `results.sarif` file. The workflow then uploads the `results.sarif` file to GitHub using the `upload-sarif` action. ```yaml name: "Security Scan" # Run workflow each time code is pushed to your repository and on a schedule. # The scheduled workflow runs every at 00:00 on Sunday UTC time. on: push: schedule: - cron: '0 0 * * 0' jobs: tests: runs-on: ubuntu-latest env: GO111MODULE: on steps: - name: Checkout Source uses: actions/checkout@v3 - name: Run Gosec Security Scanner uses: securego/gosec@master with: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-no-fail -fmt sarif -out results.sarif ./...' - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif ``` ### Local Installation ```bash go install github.com/securego/gosec/v2/cmd/gosec@latest ``` ## Usage Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current directory you can supply `./...` as the input argument. ### Available rules - G101: Look for hard coded credentials - G102: Bind to all interfaces - G103: Audit the use of unsafe block - G104: Audit errors not checked - G106: Audit the use of ssh.InsecureIgnoreHostKey - G107: Url provided to HTTP request as taint input - G108: Profiling endpoint automatically exposed on /debug/pprof - G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32 - G110: Potential DoS vulnerability via decompression bomb - G111: Potential directory traversal - G112: Potential slowloris attack - G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) - G114: Use of net/http serve function that has no support for setting timeouts - G115: Potential integer overflow when converting between integer types - G201: SQL query construction using format string - G202: SQL query construction using string concatenation - G203: Use of unescaped data in HTML templates - G204: Audit use of command execution - G301: Poor file permissions used when creating a directory - G302: Poor file permissions used with chmod - G303: Creating tempfile using a predictable path - G304: File path provided as taint input - G305: File traversal when extracting zip/tar archive - G306: Poor file permissions used when writing to a new file - G307: Poor file permissions used when creating a file with os.Create - G401: Detect the usage of MD5 or SHA1 - G402: Look for bad TLS connection settings - G403: Ensure minimum RSA key length of 2048 bits - G404: Insecure random number source (rand) - G405: Detect the usage of DES or RC4 - G406: Detect the usage of MD4 or RIPEMD160 - G407: Detect the usage of hardcoded Initialization Vector(IV)/Nonce - G501: Import blocklist: crypto/md5 - G502: Import blocklist: crypto/des - G503: Import blocklist: crypto/rc4 - G504: Import blocklist: net/http/cgi - G505: Import blocklist: crypto/sha1 - G506: Import blocklist: golang.org/x/crypto/md4 - G507: Import blocklist: golang.org/x/crypto/ripemd160 - G601: Implicit memory aliasing of items from a range statement (only for Go 1.21 or lower) - G602: Slice access out of bounds ### Retired rules - G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184) - G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post](https://www.joeshaw.org/dont-defer-close-on-writable-files/) ### Selecting rules By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the `-include=` flag, or to specify a set of rules to explicitly exclude using the `-exclude=` flag. ```bash # Run a specific set of rules $ gosec -include=G101,G203,G401 ./... # Run everything except for rule G303 $ gosec -exclude=G303 ./... ``` ### CWE Mapping Every issue detected by `gosec` is mapped to a [CWE (Common Weakness Enumeration)](http://cwe.mitre.org/data/index.html) which describes in more generic terms the vulnerability. The exact mapping can be found [here](https://github.com/securego/gosec/blob/master/issue/issue.go#L50). ### Configuration A number of global settings can be provided in a configuration file as follows: ```JSON { "global": { "nosec": "enabled", "audit": "enabled" } } ``` - `nosec`: this setting will overwrite all `#nosec` directives defined throughout the code base - `audit`: runs in audit mode which enables addition checks that for normal code analysis might be too nosy ```bash # Run with a global configuration file $ gosec -conf config.json . ``` Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list of functions which will be skipped when auditing the not checked errors: ```JSON { "G104": { "ioutil": ["WriteFile"] } } ``` You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold: ```JSON { "G101": { "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token", "ignore_entropy": false, "entropy_threshold": "80.0", "per_char_threshold": "3.0", "truncate": "32" } } ``` #### Go version Some rules require a specific Go version which is retrieved from the Go module file present in the project. If this version cannot be found, it will fallback to Go runtime version. The Go module version is parsed using the `go list` command which in some cases might lead to performance degradation. In this situation, the go module version can be easily provided by setting the environment variable `GOSECGOVERSION=go1.21.1`. ### Dependencies gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.`GO111MODULE=on`). If this is not the case, the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan. ### Excluding test files and folders gosec will ignore test files across all packages and any dependencies in your vendor directory. The scanning of test files can be enabled with the following flag: ```bash gosec -tests ./... ``` Also additional folders can be excluded as follows: ```bash gosec -exclude-dir=rules -exclude-dir=cmd ./... ``` ### Excluding generated files gosec can ignore generated go files with default generated code comment. ``` // Code generated by some generator DO NOT EDIT. ``` ```bash gosec -exclude-generated ./... ``` ### Auto fixing vulnerabilities gosec can suggest fixes based on AI recommendation. It will call an AI API to receive a suggestion for a security finding. You can enable this feature by providing the following command line arguments: - `ai-api-provider`: the name of the AI API provider, currently only `gemini`is supported. - `ai-api-key` or set the environment variable `GOSEC_AI_API_KEY`: the key to access the AI API, For gemini, you can create an API key following [these instructions](https://ai.google.dev/gemini-api/docs/api-key). - `ai-endpoint`: the endpoint of the AI provider, this is optional argument. ```bash gosec -ai-api-provider="gemini" -ai-api-key="your_key" ./... ``` ### Annotating code As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe, it is possible to annotate the code with a comment that starts with `#nosec`. The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`. The `#nosec` comment needs to be placed on the line where the warning is reported. ```go func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true, // #nosec G402 }, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } ``` When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203` You could put the description or justification text for the annotation. The justification should be after the rule(s) to suppress and start with two or more dashes, e.g: `//#nosec G101 G102 -- This is a false positive` In some cases you may also want to revisit places where `#nosec` annotations have been used. To run the scanner and ignore any `#nosec` annotations you can do the following: ```bash gosec -nosec=true ./... ``` ### Tracking suppressions As described above, we could suppress violations externally (using `-include`/ `-exclude`) or inline (using `#nosec` annotations) in gosec. This suppression inflammation can be used to generate corresponding signals for auditing purposes. We could track suppressions by the `-track-suppressions` flag as follows: ```bash gosec -track-suppressions -exclude=G101 -fmt=sarif -out=results.sarif ./... ``` - For external suppressions, gosec records suppression info where `kind` is `external` and `justification` is a certain sentence "Globally suppressed". - For inline suppressions, gosec records suppression info where `kind` is `inSource` and `justification` is the text after two or more dashes in the comment. **Note:** Only SARIF and JSON formats support tracking suppressions. ### Build tags gosec is able to pass your [Go build tags](https://golang.org/pkg/go/build/) to the analyzer. They can be provided as a comma separated list as follows: ```bash gosec -tags debug,ignore ./... ``` ### Output formats gosec currently supports `text`, `json`, `yaml`, `csv`, `sonarqube`, `JUnit XML`, `html` and `golint` output formats. By default results will be reported to stdout, but can also be written to an output file. The output format is controlled by the `-fmt` flag, and the output file is controlled by the `-out` flag as follows: ```bash # Write output in json format to results.json $ gosec -fmt=json -out=results.json *.go ``` Results will be reported to stdout as well as to the provided output file by `-stdout` flag. The `-verbose` flag overrides the output format when stdout the results while saving them in the output file ```bash # Write output in json format to results.json as well as stdout $ gosec -fmt=json -out=results.json -stdout *.go # Overrides the output format to 'text' when stdout the results, while writing it to results.json $ gosec -fmt=json -out=results.json -stdout -verbose=text *.go ``` **Note:** gosec generates the [generic issue import format](https://docs.sonarqube.org/latest/analysis/generic-issue/) for SonarQube, and a report has to be imported into SonarQube using `sonar.externalIssuesReportPaths=path/to/gosec-report.json`. ## Development ### Build You can build the binary with: ```bash make ``` ### Note on Sarif Types Generation Install the tool with : ```bash go get -u github.com/a-h/generate/cmd/schema-generate ``` Then generate the types with : ```bash schema-generate -i sarif-schema-2.1.0.json -o mypath/types.go ``` Most of the MarshallJSON/UnmarshalJSON are removed except the one for PropertyBag which is handy to inline the additional properties. The rest can be removed. The URI,ID, UUID, GUID were renamed so it fits the Go convention defined [here](https://github.com/golang/lint/blob/master/lint.go#L700) ### Tests You can run all unit tests using: ```bash make test ``` ### Release You can create a release by tagging the version as follows: ``` bash git tag v1.0.0 -m "Release version v1.0.0" git push origin v1.0.0 ``` The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub. The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub) file to verify the signature of docker image and binaries files. The docker image signature can be verified with the following command: ``` cosign verify --key cosign.pub securego/gosec:<TAG> ``` The binary files signature can be verified with the following command: ``` cosign verify-blob --key cosign.pub --signature gosec_<VERSION>_darwin_amd64.tar.gz.sig gosec_<VERSION>_darwin_amd64.tar.gz ``` ### Docker image You can also build locally the docker image by using the command: ```bash make image ``` You can run the `gosec` tool in a container against your local Go project. You only have to mount the project into a volume as follows: ```bash docker run --rm -it -w /<PROJECT>/ -v <YOUR PROJECT PATH>/<PROJECT>:/<PROJECT> securego/gosec /<PROJECT>/... ``` **Note:** the current working directory needs to be set with `-w` option in order to get successfully resolved the dependencies from go module file ### Generate TLS rule The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json). First you need to install the generator tool: ```bash go get github.com/securego/gosec/v2/cmd/tlsconfig/... ``` You can invoke now the `go generate` in the root of the project: ```bash go generate ./... ``` This will generate the `rules/tls_config.go` file which will contain the current ciphers recommendation from Mozilla. ## Who is using gosec? This is a [list](USERS.md) with some of the gosec's users. ## Sponsors Support this project by becoming a sponsor. Your logo will show up here with a link to your website <a href="https://github.com/mercedes-benz" target="_blank"><img src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4"></a> 0707010000000E000081A400000000000000000000000166F5526900000535000000000000000000000000000000000000001600000000gosec-2.21.4/USERS.md# Users This is a list of gosec's users. Please send a pull request with your organisation or project name if you are using gosec. ## Companies 1. [Gitlab](https://docs.gitlab.com/ee/user/application_security/sast/) 2. [CloudBees](https://cloudbees.com) 3. [VMware](https://www.vmware.com) 4. [Codacy](https://support.codacy.com/hc/en-us/articles/213632009-Engines) 5. [Coinbase](https://github.com/coinbase/watchdog/blob/master/Makefile#L12) 6. [RedHat/OpenShift](https://github.com/openshift/openshift-azure) 7. [Guardalis](https://www.guardrails.io/) 8. [1Password](https://github.com/1Password/srp) 9. [PingCAP/tidb](https://github.com/pingcap/tidb) 10. [Checkmarx](https://www.checkmarx.com/) 11. [SeatGeek](https://www.seatgeek.com/) 12. [reMarkable](https://remarkable.com) ## Projects 1. [golangci-lint](https://github.com/golangci/golangci-lint) 2. [Kubernetes](https://github.com/kubernetes/kubernetes) (via golangci) 3. [caddy](https://github.com/caddyserver/caddy) (via golangci) 4. [Jenkins X](https://github.com/jenkins-x/jx/blob/bdc51840a41b75776159c1c7b7faa1cf477be473/hack/linter.sh#L25) 5. [HuskyCI](https://huskyci.opensource.globo.com/) 6. [GolangCI](https://golangci.com/) 7. [semgrep.live](https://semgrep.live/) 8. [gofiber](https://github.com/gofiber/fiber) 9. [KICS](https://github.com/Checkmarx/kics) 0707010000000F000081A400000000000000000000000166F5526900000157000000000000000000000000000000000000001800000000gosec-2.21.4/action.ymlname: 'Gosec Security Checker' description: 'Runs the gosec security checker' author: '@ccojocar' inputs: args: description: 'Arguments for gosec' required: true default: '-h' runs: using: 'docker' image: 'docker://securego/gosec:2.21.4' args: - ${{ inputs.args }} branding: icon: 'shield' color: 'blue' 07070100000010000081A400000000000000000000000166F55269000051A9000000000000000000000000000000000000001900000000gosec-2.21.4/analyzer.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package gosec holds the central scanning logic used by gosec security scanner package gosec import ( "fmt" "go/ast" "go/build" "go/token" "go/types" "log" "os" "path" "path/filepath" "reflect" "regexp" "strconv" "strings" "sync" "golang.org/x/tools/go/analysis" "golang.org/x/tools/go/analysis/passes/buildssa" "golang.org/x/tools/go/packages" "github.com/securego/gosec/v2/analyzers" "github.com/securego/gosec/v2/issue" ) // LoadMode controls the amount of details to return when loading the packages const LoadMode = packages.NeedName | packages.NeedFiles | packages.NeedCompiledGoFiles | packages.NeedImports | packages.NeedTypes | packages.NeedTypesSizes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedModule | packages.NeedEmbedFiles | packages.NeedEmbedPatterns const externalSuppressionJustification = "Globally suppressed." const aliasOfAllRules = "*" type ignore struct { start int end int suppressions map[string][]issue.SuppressionInfo } type ignores map[string][]ignore func newIgnores() ignores { return make(map[string][]ignore) } func (i ignores) parseLine(line string) (int, int) { parts := strings.Split(line, "-") start, err := strconv.Atoi(parts[0]) if err != nil { start = 0 } end := start if len(parts) > 1 { if e, err := strconv.Atoi(parts[1]); err == nil { end = e } } return start, end } func (i ignores) add(file string, line string, suppressions map[string]issue.SuppressionInfo) { is := []ignore{} if _, ok := i[file]; ok { is = i[file] } found := false start, end := i.parseLine(line) for _, ig := range is { if ig.start <= start && ig.end >= end { found = true for r, s := range suppressions { ss, ok := ig.suppressions[r] if !ok { ss = []issue.SuppressionInfo{} } ss = append(ss, s) ig.suppressions[r] = ss } break } } if !found { ig := ignore{ start: start, end: end, suppressions: map[string][]issue.SuppressionInfo{}, } for r, s := range suppressions { ig.suppressions[r] = []issue.SuppressionInfo{s} } is = append(is, ig) } i[file] = is } func (i ignores) get(file string, line string) map[string][]issue.SuppressionInfo { start, end := i.parseLine(line) if is, ok := i[file]; ok { for _, i := range is { if i.start <= start && i.end >= end || start <= i.start && end >= i.end { return i.suppressions } } } return map[string][]issue.SuppressionInfo{} } // The Context is populated with data parsed from the source code as it is scanned. // It is passed through to all rule functions as they are called. Rules may use // this data in conjunction with the encountered AST node. type Context struct { FileSet *token.FileSet Comments ast.CommentMap Info *types.Info Pkg *types.Package PkgFiles []*ast.File Root *ast.File Imports *ImportTracker Config Config Ignores ignores PassedValues map[string]interface{} } // GetFileAtNodePos returns the file at the node position in the file set available in the context. func (ctx *Context) GetFileAtNodePos(node ast.Node) *token.File { return ctx.FileSet.File(node.Pos()) } // NewIssue creates a new issue func (ctx *Context) NewIssue(node ast.Node, ruleID, desc string, severity, confidence issue.Score, ) *issue.Issue { return issue.New(ctx.GetFileAtNodePos(node), node, ruleID, desc, severity, confidence) } // Metrics used when reporting information about a scanning run. type Metrics struct { NumFiles int `json:"files"` NumLines int `json:"lines"` NumNosec int `json:"nosec"` NumFound int `json:"found"` } // Analyzer object is the main object of gosec. It has methods traverse an AST // and invoke the correct checking rules as on each node as required. type Analyzer struct { ignoreNosec bool ruleset RuleSet context *Context config Config logger *log.Logger issues []*issue.Issue stats *Metrics errors map[string][]Error // keys are file paths; values are the golang errors in those files tests bool excludeGenerated bool showIgnored bool trackSuppressions bool concurrency int analyzerSet *analyzers.AnalyzerSet mu sync.Mutex } // NewAnalyzer builds a new analyzer. func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, trackSuppressions bool, concurrency int, logger *log.Logger) *Analyzer { ignoreNoSec := false if enabled, err := conf.IsGlobalEnabled(Nosec); err == nil { ignoreNoSec = enabled } showIgnored := false if enabled, err := conf.IsGlobalEnabled(ShowIgnored); err == nil { showIgnored = enabled } if logger == nil { logger = log.New(os.Stderr, "[gosec]", log.LstdFlags) } return &Analyzer{ ignoreNosec: ignoreNoSec, showIgnored: showIgnored, ruleset: NewRuleSet(), context: &Context{}, config: conf, logger: logger, issues: make([]*issue.Issue, 0, 16), stats: &Metrics{}, errors: make(map[string][]Error), tests: tests, concurrency: concurrency, excludeGenerated: excludeGenerated, trackSuppressions: trackSuppressions, analyzerSet: analyzers.NewAnalyzerSet(), } } // SetConfig updates the analyzer configuration func (gosec *Analyzer) SetConfig(conf Config) { gosec.config = conf } // Config returns the current configuration func (gosec *Analyzer) Config() Config { return gosec.config } // LoadRules instantiates all the rules to be used when analyzing source // packages func (gosec *Analyzer) LoadRules(ruleDefinitions map[string]RuleBuilder, ruleSuppressed map[string]bool) { for id, def := range ruleDefinitions { r, nodes := def(id, gosec.config) gosec.ruleset.Register(r, ruleSuppressed[id], nodes...) } } // LoadAnalyzers instantiates all the analyzers to be used when analyzing source // packages func (gosec *Analyzer) LoadAnalyzers(analyzerDefinitions map[string]analyzers.AnalyzerDefinition, analyzerSuppressed map[string]bool) { for id, def := range analyzerDefinitions { r := def.Create(def.ID, def.Description) gosec.analyzerSet.Register(r, analyzerSuppressed[id]) } } // Process kicks off the analysis process for a given package func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error { config := &packages.Config{ Mode: LoadMode, BuildFlags: buildTags, Tests: gosec.tests, } type result struct { pkgPath string pkgs []*packages.Package err error } results := make(chan result) jobs := make(chan string, len(packagePaths)) quit := make(chan struct{}) var wg sync.WaitGroup worker := func(j chan string, r chan result, quit chan struct{}) { for { select { case s := <-j: pkgs, err := gosec.load(s, config) select { case r <- result{pkgPath: s, pkgs: pkgs, err: err}: case <-quit: // we've been told to stop, probably an error while // processing a previous result. wg.Done() return } default: // j is empty and there are no jobs left wg.Done() return } } } // fill the buffer for _, pkgPath := range packagePaths { jobs <- pkgPath } for i := 0; i < gosec.concurrency; i++ { wg.Add(1) go worker(jobs, results, quit) } go func() { wg.Wait() close(results) }() for r := range results { if r.err != nil { gosec.AppendError(r.pkgPath, r.err) } for _, pkg := range r.pkgs { if pkg.Name != "" { err := gosec.ParseErrors(pkg) if err != nil { close(quit) wg.Wait() // wait for the goroutines to stop return fmt.Errorf("parsing errors in pkg %q: %w", pkg.Name, err) } gosec.CheckRules(pkg) gosec.CheckAnalyzers(pkg) } } } sortErrors(gosec.errors) return nil } func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.Package, error) { abspath, err := GetPkgAbsPath(pkgPath) if err != nil { gosec.logger.Printf("Skipping: %s. Path doesn't exist.", abspath) return []*packages.Package{}, nil } gosec.logger.Println("Import directory:", abspath) // step 1/3 create build context. buildD := build.Default // step 2/3: add build tags to get env dependent files into basePackage. gosec.mu.Lock() buildD.BuildTags = conf.BuildFlags gosec.mu.Unlock() basePackage, err := buildD.ImportDir(pkgPath, build.ImportComment) if err != nil { return []*packages.Package{}, fmt.Errorf("importing dir %q: %w", pkgPath, err) } var packageFiles []string for _, filename := range basePackage.GoFiles { packageFiles = append(packageFiles, path.Join(pkgPath, filename)) } for _, filename := range basePackage.CgoFiles { packageFiles = append(packageFiles, path.Join(pkgPath, filename)) } if gosec.tests { testsFiles := make([]string, 0) testsFiles = append(testsFiles, basePackage.TestGoFiles...) testsFiles = append(testsFiles, basePackage.XTestGoFiles...) for _, filename := range testsFiles { packageFiles = append(packageFiles, path.Join(pkgPath, filename)) } } // step 3/3 remove build tags from conf to proceed build correctly. gosec.mu.Lock() conf.BuildFlags = nil defer gosec.mu.Unlock() pkgs, err := packages.Load(conf, packageFiles...) if err != nil { return []*packages.Package{}, fmt.Errorf("loading files from package %q: %w", pkgPath, err) } return pkgs, nil } // CheckRules runs analysis on the given package. func (gosec *Analyzer) CheckRules(pkg *packages.Package) { gosec.logger.Println("Checking package:", pkg.Name) for _, file := range pkg.Syntax { fp := pkg.Fset.File(file.Pos()) if fp == nil { // skip files which cannot be located continue } checkedFile := fp.Name() // Skip the no-Go file from analysis (e.g. a Cgo files is expanded in 3 different files // stored in the cache which do not need to by analyzed) if filepath.Ext(checkedFile) != ".go" { continue } if gosec.excludeGenerated && ast.IsGenerated(file) { gosec.logger.Println("Ignoring generated file:", checkedFile) continue } gosec.logger.Println("Checking file:", checkedFile) gosec.context.FileSet = pkg.Fset gosec.context.Config = gosec.config gosec.context.Comments = ast.NewCommentMap(gosec.context.FileSet, file, file.Comments) gosec.context.Root = file gosec.context.Info = pkg.TypesInfo gosec.context.Pkg = pkg.Types gosec.context.PkgFiles = pkg.Syntax gosec.context.Imports = NewImportTracker() gosec.context.PassedValues = make(map[string]interface{}) gosec.updateIgnores() ast.Walk(gosec, file) gosec.stats.NumFiles++ gosec.stats.NumLines += pkg.Fset.File(file.Pos()).LineCount() } } // CheckAnalyzers runs analyzers on a given package. func (gosec *Analyzer) CheckAnalyzers(pkg *packages.Package) { ssaResult, err := gosec.buildSSA(pkg) if err != nil || ssaResult == nil { gosec.logger.Printf("Error building the SSA representation of the package %q: %s", pkg.Name, err) return } resultMap := map[*analysis.Analyzer]interface{}{ buildssa.Analyzer: &analyzers.SSAAnalyzerResult{ Config: gosec.Config(), Logger: gosec.logger, SSA: ssaResult.(*buildssa.SSA), }, } generatedFiles := gosec.generatedFiles(pkg) for _, analyzer := range gosec.analyzerSet.Analyzers { pass := &analysis.Pass{ Analyzer: analyzer, Fset: pkg.Fset, Files: pkg.Syntax, OtherFiles: pkg.OtherFiles, IgnoredFiles: pkg.IgnoredFiles, Pkg: pkg.Types, TypesInfo: pkg.TypesInfo, TypesSizes: pkg.TypesSizes, ResultOf: resultMap, Report: func(d analysis.Diagnostic) {}, ImportObjectFact: nil, ExportObjectFact: nil, ImportPackageFact: nil, ExportPackageFact: nil, AllObjectFacts: nil, AllPackageFacts: nil, } result, err := pass.Analyzer.Run(pass) if err != nil { gosec.logger.Printf("Error running analyzer %s: %s\n", analyzer.Name, err) continue } if result != nil { if passIssues, ok := result.([]*issue.Issue); ok { for _, iss := range passIssues { if gosec.excludeGenerated { if _, ok := generatedFiles[iss.File]; ok { continue } } gosec.updateIssues(iss) } } } } } func (gosec *Analyzer) generatedFiles(pkg *packages.Package) map[string]bool { generatedFiles := map[string]bool{} for _, file := range pkg.Syntax { if ast.IsGenerated(file) { fp := pkg.Fset.File(file.Pos()) if fp == nil { // skip files which cannot be located continue } generatedFiles[fp.Name()] = true } } return generatedFiles } // buildSSA runs the SSA pass which builds the SSA representation of the package. It handles gracefully any panic. func (gosec *Analyzer) buildSSA(pkg *packages.Package) (interface{}, error) { defer func() { if r := recover(); r != nil { gosec.logger.Printf("Panic when running SSA analyser on package: %s", pkg.Name) } }() ssaPass := &analysis.Pass{ Analyzer: buildssa.Analyzer, Fset: pkg.Fset, Files: pkg.Syntax, OtherFiles: pkg.OtherFiles, IgnoredFiles: pkg.IgnoredFiles, Pkg: pkg.Types, TypesInfo: pkg.TypesInfo, TypesSizes: pkg.TypesSizes, ResultOf: nil, Report: nil, ImportObjectFact: nil, ExportObjectFact: nil, ImportPackageFact: nil, ExportPackageFact: nil, AllObjectFacts: nil, AllPackageFacts: nil, } return ssaPass.Analyzer.Run(ssaPass) } // ParseErrors parses the errors from given package func (gosec *Analyzer) ParseErrors(pkg *packages.Package) error { if len(pkg.Errors) == 0 { return nil } for _, pkgErr := range pkg.Errors { parts := strings.Split(pkgErr.Pos, ":") file := parts[0] var err error var line int if len(parts) > 1 { if line, err = strconv.Atoi(parts[1]); err != nil { return fmt.Errorf("parsing line: %w", err) } } var column int if len(parts) > 2 { if column, err = strconv.Atoi(parts[2]); err != nil { return fmt.Errorf("parsing column: %w", err) } } msg := strings.TrimSpace(pkgErr.Msg) newErr := NewError(line, column, msg) if errSlice, ok := gosec.errors[file]; ok { gosec.errors[file] = append(errSlice, *newErr) } else { errSlice = []Error{} gosec.errors[file] = append(errSlice, *newErr) } } return nil } // AppendError appends an error to the file errors func (gosec *Analyzer) AppendError(file string, err error) { // Do not report the error for empty packages (e.g. files excluded from build with a tag) r := regexp.MustCompile(`no buildable Go source files in`) if r.MatchString(err.Error()) { return } errors := make([]Error, 0) if ferrs, ok := gosec.errors[file]; ok { errors = ferrs } ferr := NewError(0, 0, err.Error()) errors = append(errors, *ferr) gosec.errors[file] = errors } // ignore a node (and sub-tree) if it is tagged with a nosec tag comment func (gosec *Analyzer) ignore(n ast.Node) map[string]issue.SuppressionInfo { if groups, ok := gosec.context.Comments[n]; ok && !gosec.ignoreNosec { // Checks if an alternative for #nosec is set and, if not, uses the default. noSecDefaultTag, err := gosec.config.GetGlobal(Nosec) if err != nil { noSecDefaultTag = NoSecTag(string(Nosec)) } else { noSecDefaultTag = NoSecTag(noSecDefaultTag) } noSecAlternativeTag, err := gosec.config.GetGlobal(NoSecAlternative) if err != nil { noSecAlternativeTag = noSecDefaultTag } else { noSecAlternativeTag = NoSecTag(noSecAlternativeTag) } for _, group := range groups { comment := strings.TrimSpace(group.Text()) foundDefaultTag := strings.HasPrefix(comment, noSecDefaultTag) || regexp.MustCompile("\n *"+noSecDefaultTag).MatchString(comment) foundAlternativeTag := strings.HasPrefix(comment, noSecAlternativeTag) || regexp.MustCompile("\n *"+noSecAlternativeTag).MatchString(comment) if foundDefaultTag || foundAlternativeTag { gosec.stats.NumNosec++ // Discard what's in front of the nosec tag. if foundDefaultTag { comment = strings.SplitN(comment, noSecDefaultTag, 2)[1] } else { comment = strings.SplitN(comment, noSecAlternativeTag, 2)[1] } // Extract the directive and the justification. justification := "" commentParts := regexp.MustCompile(`-{2,}`).Split(comment, 2) directive := commentParts[0] if len(commentParts) > 1 { justification = strings.TrimSpace(strings.TrimRight(commentParts[1], "\n")) } // Pull out the specific rules that are listed to be ignored. re := regexp.MustCompile(`(G\d{3})`) matches := re.FindAllStringSubmatch(directive, -1) suppression := issue.SuppressionInfo{ Kind: "inSource", Justification: justification, } // Find the rule IDs to ignore. ignores := make(map[string]issue.SuppressionInfo) for _, v := range matches { ignores[v[1]] = suppression } // If no specific rules were given, ignore everything. if len(matches) == 0 { ignores[aliasOfAllRules] = suppression } return ignores } } } return nil } // Visit runs the gosec visitor logic over an AST created by parsing go code. // Rule methods added with AddRule will be invoked as necessary. func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor { // Using ast.File instead of ast.ImportSpec, so that we can track all imports at once. switch i := n.(type) { case *ast.File: gosec.context.Imports.TrackFile(i) } for _, rule := range gosec.ruleset.RegisteredFor(n) { issue, err := rule.Match(n, gosec.context) if err != nil { file, line := GetLocation(n, gosec.context) file = path.Base(file) gosec.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line) } gosec.updateIssues(issue) } return gosec } func (gosec *Analyzer) updateIgnores() { for n := range gosec.context.Comments { gosec.updateIgnoredRulesForNode(n) } } func (gosec *Analyzer) updateIgnoredRulesForNode(n ast.Node) { ignoredRules := gosec.ignore(n) if len(ignoredRules) > 0 { if gosec.context.Ignores == nil { gosec.context.Ignores = newIgnores() } line := issue.GetLine(gosec.context.FileSet.File(n.Pos()), n) gosec.context.Ignores.add( gosec.context.FileSet.File(n.Pos()).Name(), line, ignoredRules, ) } } func (gosec *Analyzer) getSuppressionsAtLineInFile(file string, line string, id string) ([]issue.SuppressionInfo, bool) { ignoredRules := gosec.context.Ignores.get(file, line) // Check if the rule was specifically suppressed at this location. generalSuppressions, generalIgnored := ignoredRules[aliasOfAllRules] ruleSuppressions, ruleIgnored := ignoredRules[id] ignored := generalIgnored || ruleIgnored suppressions := append(generalSuppressions, ruleSuppressions...) // Track external suppressions of this rule. if gosec.ruleset.IsRuleSuppressed(id) || gosec.analyzerSet.IsSuppressed(id) { ignored = true suppressions = append(suppressions, issue.SuppressionInfo{ Kind: "external", Justification: externalSuppressionJustification, }) } return suppressions, ignored } func (gosec *Analyzer) updateIssues(issue *issue.Issue) { if issue != nil { suppressions, ignored := gosec.getSuppressionsAtLineInFile(issue.File, issue.Line, issue.RuleID) if gosec.showIgnored { issue.NoSec = ignored } if !ignored || !gosec.showIgnored { gosec.stats.NumFound++ } if ignored && gosec.trackSuppressions { issue.WithSuppressions(suppressions) gosec.issues = append(gosec.issues, issue) } else if !ignored || gosec.showIgnored || gosec.ignoreNosec { gosec.issues = append(gosec.issues, issue) } } } // Report returns the current issues discovered and the metrics about the scan func (gosec *Analyzer) Report() ([]*issue.Issue, *Metrics, map[string][]Error) { return gosec.issues, gosec.stats, gosec.errors } // Reset clears state such as context, issues and metrics from the configured analyzer func (gosec *Analyzer) Reset() { gosec.context = &Context{} gosec.issues = make([]*issue.Issue, 0, 16) gosec.stats = &Metrics{} gosec.ruleset = NewRuleSet() gosec.analyzerSet = analyzers.NewAnalyzerSet() } 07070100000011000081A400000000000000000000000166F552690001025D000000000000000000000000000000000000001E00000000gosec-2.21.4/analyzer_test.go// (c) Copyright 2024 Mercedes-Benz Tech Innovation GmbH // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec_test import ( "errors" "log" "os" "regexp" "strings" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/analyzers" "github.com/securego/gosec/v2/rules" "github.com/securego/gosec/v2/testutils" "golang.org/x/tools/go/packages" ) var _ = Describe("Analyzer", func() { var ( analyzer *gosec.Analyzer logger *log.Logger buildTags []string tests bool ) BeforeEach(func() { logger, _ = testutils.NewLogger() analyzer = gosec.NewAnalyzer(nil, tests, false, false, 1, logger) }) Context("when processing a package", func() { It("should not report an error if the package contains no Go files", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) dir, err := os.MkdirTemp("", "empty") defer os.RemoveAll(dir) Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, dir) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(BeEmpty()) }) It("should report an error if the package fails to build", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("wonky.go", `func main(){ println("forgot the package")}`) err := pkg.Build() Expect(err).Should(HaveOccurred()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(1)) } }) It("should be able to analyze multiple Go files", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package main func main(){ bar() }`) pkg.AddFile("bar.go", ` package main func bar(){ println("package has two files!") }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) _, metrics, _ := analyzer.Report() Expect(metrics.NumFiles).To(Equal(2)) }) It("should be able to analyze multiple Go files concurrently", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, true, false, 32, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package main func main(){ bar() }`) pkg.AddFile("bar.go", ` package main func bar(){ println("package has two files!") }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) _, metrics, _ := customAnalyzer.Report() Expect(metrics.NumFiles).To(Equal(2)) }) It("should be able to analyze multiple Go packages", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg1 := testutils.NewTestPackage() pkg2 := testutils.NewTestPackage() defer pkg1.Close() defer pkg2.Close() pkg1.AddFile("foo.go", ` package main func main(){ }`) pkg2.AddFile("bar.go", ` package main func bar(){ }`) err := pkg1.Build() Expect(err).ShouldNot(HaveOccurred()) err = pkg2.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, pkg1.Path, pkg2.Path) Expect(err).ShouldNot(HaveOccurred()) _, metrics, _ := analyzer.Report() Expect(metrics.NumFiles).To(Equal(2)) }) It("should find errors when nosec is not in use", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("md5.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) }) It("should find errors when nosec is not in use", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("cipher.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) }) It("should find errors when nosec is not in use", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("md4.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) }) It("should report Go build errors and invalid files", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package main func main() }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() foundErr := false for _, ferr := range errors { Expect(ferr).To(HaveLen(1)) match, err := regexp.MatchString(ferr[0].Err, `expected declaration, found '}'`) if !match || err != nil { continue } foundErr = true Expect(ferr[0].Line).To(Equal(4)) Expect(ferr[0].Column).To(Equal(5)) Expect(ferr[0].Err).Should(MatchRegexp(`expected declaration, found '}'`)) } Expect(foundErr).To(BeTrue()) }) It("should not report errors when a nosec line comment is present", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec line comment is present", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec line comment is present", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec block comment is present", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() /* #nosec */", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec block comment is present", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) /* #nosec */", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec block comment is present", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() /* #nosec */", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when an exclude comment is present for the correct rule", func() { // Rule for MD5 weak crypto usage sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec G401", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when an exclude comment is present for the correct rule", func() { // Rule for DES weak crypto usage sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec G405", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when an exclude comment is present for the correct rule", func() { // Rule for MD4 deprecated weak crypto usage sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec G406", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a nosec block and line comment are present", func() { sample := testutils.SampleCodeG101[23] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecPackage.AddFile("g101.go", source) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when only a nosec block is present", func() { sample := testutils.SampleCodeG101[24] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecPackage.AddFile("g101.go", source) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when a single line nosec is present on a multi-line issue", func() { sample := testutils.SampleCodeG112[3] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G112")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecPackage.AddFile("g112.go", source) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should report errors when an exclude comment is present for a different rule", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec G301", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when an exclude comment is present for a different rule", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec G301", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when an exclude comment is present for a different rule", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec G301", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec G301 G401", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec G301 G405", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when an exclude comment is present for multiple rules, including the correct rule", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec G301 G406", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should pass the build tags", func() { sample := testutils.SampleCodeBuildTag[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("tags.go", source) tags := []string{"tag"} err := analyzer.Process(tags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) }) It("should process an empty package with test file", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo_test.go", ` package tests import "testing" func TestFoo(t *testing.T){ }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) }) It("should be possible to overwrite nosec comments, and report issues", func() { // Rule for MD5 weak crypto usage sample := testutils.SampleCodeG401[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should be possible to overwrite nosec comments, and report issues", func() { // Rule for DES weak crypto usage sample := testutils.SampleCodeG405[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should be possible to overwrite nosec comments, and report issues", func() { // Rule for MD4 weak crypto usage sample := testutils.SampleCodeG406[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should be possible to overwrite nosec comments, and report issues but they should not be counted", func() { // Rule for MD5 weak crypto usage sample := testutils.SampleCodeG401[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "mynosec") nosecIgnoreConfig.SetGlobal(gosec.ShowIgnored, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() // #mynosec", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, metrics, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) Expect(metrics.NumFound).Should(Equal(0)) Expect(metrics.NumNosec).Should(Equal(1)) }) It("should be possible to overwrite nosec comments, and report issues but they should not be counted", func() { // Rule for DES weak crypto usage sample := testutils.SampleCodeG405[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "mynosec") nosecIgnoreConfig.SetGlobal(gosec.ShowIgnored, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) // #mynosec", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, metrics, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) Expect(metrics.NumFound).Should(Equal(0)) Expect(metrics.NumNosec).Should(Equal(1)) }) It("should be possible to overwrite nosec comments, and report issues but they should not be counted", func() { // Rule for MD4 weak crypto usage sample := testutils.SampleCodeG406[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.Nosec, "mynosec") nosecIgnoreConfig.SetGlobal(gosec.ShowIgnored, "true") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() // #mynosec", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, metrics, _ := customAnalyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) Expect(metrics.NumFound).Should(Equal(0)) Expect(metrics.NumNosec).Should(Equal(1)) }) It("should not report errors when nosec tag is in front of a line", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "//Some description\n//#nosec G401\nh := md5.New()", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when nosec tag is in front of a line", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "//Some description\n//#nosec G405\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when nosec tag is in front of a line", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "//Some description\n//#nosec G406\nh := md4.New()", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should report errors when nosec tag is not in front of a line", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "//Some description\n//Another description #nosec G401\nh := md5.New()", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when nosec tag is not in front of a line", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "//Some description\n//Another description #nosec G405\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when nosec tag is not in front of a line", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "//Some description\n//Another description #nosec G406\nh := md4.New()", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should not report errors when rules are in front of nosec tag even rules are wrong", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "//G301\n//#nosec\nh := md5.New()", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when rules are in front of nosec tag even rules are wrong", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "//G301\n//#nosec\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should not report errors when rules are in front of nosec tag even rules are wrong", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "//G301\n//#nosec\nh := md4.New()", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "//#nosec\n//G301\n//#nosec\nh := md5.New()", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "//#nosec\n//G301\n//#nosec\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should report errors when there are nosec tags after a #nosec WrongRuleList annotation", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "//#nosec\n//G301\n//#nosec\nh := md4.New()", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := analyzer.Report() Expect(nosecIssues).Should(HaveLen(sample.Errors)) }) It("should be possible to use an alternative nosec tag", func() { // Rule for MD5 weak crypto usage sample := testutils.SampleCodeG401[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() // #falsePositive", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should be possible to use an alternative nosec tag", func() { // Rule for DES weak crypto usage sample := testutils.SampleCodeG405[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) // #falsePositive", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should be possible to use an alternative nosec tag", func() { // Rule for MD4 deprecated weak crypto usage sample := testutils.SampleCodeG406[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() // #falsePositive", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should ignore vulnerabilities when the default tag is found", func() { // Rule for MD5 weak crypto usage sample := testutils.SampleCodeG401[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should ignore vulnerabilities when the default tag is found", func() { // Rule for DES weak crypto usage sample := testutils.SampleCodeG405[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should ignore vulnerabilities when the default tag is found", func() { // Rule for MD4 deprecated weak crypto usage sample := testutils.SampleCodeG406[0] source := sample.Code[0] // overwrite nosec option nosecIgnoreConfig := gosec.NewConfig() nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "falsePositive") customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) nosecIssues, _, _ := customAnalyzer.Report() Expect(nosecIssues).Should(BeEmpty()) }) It("should be able to analyze Go test package", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package foo func foo(){ }`) pkg.AddFile("foo_test.go", ` package foo_test import "testing" func test() error { return nil } func TestFoo(t *testing.T){ test() }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := customAnalyzer.Report() Expect(issues).Should(HaveLen(1)) }) It("should be able to scan generated files if NOT excluded when using the rules", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package foo // Code generated some-generator DO NOT EDIT. func test() error { return nil } func TestFoo(t *testing.T){ test() }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := customAnalyzer.Report() Expect(issues).Should(HaveLen(1)) }) It("should be able to skip generated files if excluded when using the rules", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, true, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` // Code generated some-generator DO NOT EDIT. package foo func test() error { return nil } func TestFoo(t *testing.T){ test() }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := customAnalyzer.Report() Expect(issues).Should(BeEmpty()) }) It("should be able to scan generated files if NOT excluded when using the analyzes", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, false, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) customAnalyzer.LoadAnalyzers(analyzers.Generate(false).AnalyzersInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package main // Code generated some-generator DO NOT EDIT. import ( "fmt" ) func main() { values := []string{} fmt.Println(values[0]) }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := customAnalyzer.Report() Expect(issues).Should(HaveLen(1)) }) It("should be able to skip generated files if excluded when using the analyzes", func() { customAnalyzer := gosec.NewAnalyzer(nil, true, true, false, 1, logger) customAnalyzer.LoadRules(rules.Generate(false).RulesInfo()) customAnalyzer.LoadAnalyzers(analyzers.Generate(false).AnalyzersInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` // Code generated some-generator DO NOT EDIT. package main import ( "fmt" ) func main() { values := []string{} fmt.Println(values[0]) }`) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) err = customAnalyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := customAnalyzer.Report() Expect(issues).Should(BeEmpty()) }) }) It("should be able to analyze Cgo files", func() { analyzer.LoadRules(rules.Generate(false).RulesInfo()) sample := testutils.SampleCodeCgo[0] source := sample.Code[0] testPackage := testutils.NewTestPackage() defer testPackage.Close() testPackage.AddFile("main.go", source) err := testPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, testPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).Should(BeEmpty()) }) Context("when parsing errors from a package", func() { It("should return no error when the error list is empty", func() { pkg := &packages.Package{} err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) }) It("should properly parse the errors", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file:1:2", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(1)) Expect(ferr[0].Line).To(Equal(1)) Expect(ferr[0].Column).To(Equal(2)) Expect(ferr[0].Err).Should(MatchRegexp(`build error`)) } }) It("should properly parse the errors without line and column", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(1)) Expect(ferr[0].Line).To(Equal(0)) Expect(ferr[0].Column).To(Equal(0)) Expect(ferr[0].Err).Should(MatchRegexp(`build error`)) } }) It("should properly parse the errors without column", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(1)) Expect(ferr[0].Line).To(Equal(0)) Expect(ferr[0].Column).To(Equal(0)) Expect(ferr[0].Err).Should(MatchRegexp(`build error`)) } }) It("should return error when line cannot be parsed", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file:line", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).Should(HaveOccurred()) }) It("should return error when column cannot be parsed", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file:1:column", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).Should(HaveOccurred()) }) It("should append error to the same file", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file:1:2", Msg: "error1", }, { Pos: "file:3:4", Msg: "error2", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(2)) Expect(ferr[0].Line).To(Equal(1)) Expect(ferr[0].Column).To(Equal(2)) Expect(ferr[0].Err).Should(MatchRegexp(`error1`)) Expect(ferr[1].Line).To(Equal(3)) Expect(ferr[1].Column).To(Equal(4)) Expect(ferr[1].Err).Should(MatchRegexp(`error2`)) } }) It("should set the config", func() { config := gosec.NewConfig() config["test"] = "test" analyzer.SetConfig(config) found := analyzer.Config() Expect(config).To(Equal(found)) }) It("should reset the analyzer", func() { analyzer.Reset() issues, metrics, errors := analyzer.Report() Expect(issues).To(BeEmpty()) Expect(*metrics).To(Equal(gosec.Metrics{})) Expect(errors).To(BeEmpty()) }) }) Context("when appending errors", func() { It("should skip error for non-buildable packages", func() { analyzer.AppendError("test", errors.New(`loading file from package "pkg/test": no buildable Go source files in pkg/test`)) _, _, errors := analyzer.Report() Expect(errors).To(BeEmpty()) }) It("should add a new error", func() { pkg := &packages.Package{ Errors: []packages.Error{ { Pos: "file:1:2", Msg: "build error", }, }, } err := analyzer.ParseErrors(pkg) Expect(err).ShouldNot(HaveOccurred()) analyzer.AppendError("file", errors.New("file build error")) _, _, errors := analyzer.Report() Expect(errors).To(HaveLen(1)) for _, ferr := range errors { Expect(ferr).To(HaveLen(2)) } }) }) Context("when tracking suppressions", func() { BeforeEach(func() { analyzer = gosec.NewAnalyzer(nil, tests, false, true, 1, logger) }) It("should not report an error if the violation is suppressed", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec G401 -- Justification", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification")) }) It("should not report an error if the violation is suppressed", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec G405 -- Justification", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification")) }) It("should not report an error if the violation is suppressed", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec G406 -- Justification", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification")) }) It("should not report an error if the violation is suppressed without certain rules", func() { sample := testutils.SampleCodeG401[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G401")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() //#nosec", 1) nosecPackage.AddFile("md5.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("")) }) It("should not report an error if the violation is suppressed without certain rules", func() { sample := testutils.SampleCodeG405[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G405")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "c, e := des.NewCipher([]byte(\"mySecret\"))", "c, e := des.NewCipher([]byte(\"mySecret\")) //#nosec", 1) nosecPackage.AddFile("cipher.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("")) }) It("should not report an error if the violation is suppressed without certain rules", func() { sample := testutils.SampleCodeG406[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G406")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "h := md4.New()", "h := md4.New() //#nosec", 1) nosecPackage.AddFile("md4.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("")) }) It("should not report an error if the rule is not included", func() { sample := testutils.SampleCodeG101[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(false, "G401")).RulesInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("pwd.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) Expect(controlIssues[0].Suppressions).To(HaveLen(1)) Expect(controlIssues[0].Suppressions[0].Kind).To(Equal("external")) Expect(controlIssues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should not report an error if the rule is excluded", func() { sample := testutils.SampleCodeG101[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(true, "G101")).RulesInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("pwd.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).Should(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("external")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should not report an error if the analyzer is not included", func() { sample := testutils.SampleCodeG407[0] source := sample.Code[0] analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(false, "G115")).AnalyzersInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("cipher.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) Expect(controlIssues[0].Suppressions).To(HaveLen(1)) Expect(controlIssues[0].Suppressions[0].Kind).To(Equal("external")) Expect(controlIssues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should not report an error if the analyzer is excluded", func() { sample := testutils.SampleCodeG407[0] source := sample.Code[0] analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(true, "G407")).AnalyzersInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("cipher.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).Should(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("external")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should not report an error if the analyzer is not included", func() { sample := testutils.SampleCodeG602[0] source := sample.Code[0] analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(false, "G115")).AnalyzersInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("cipher.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) controlIssues, _, _ := analyzer.Report() Expect(controlIssues).Should(HaveLen(sample.Errors)) Expect(controlIssues[0].Suppressions).To(HaveLen(1)) Expect(controlIssues[0].Suppressions[0].Kind).To(Equal("external")) Expect(controlIssues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should not report an error if the analyzer is excluded", func() { sample := testutils.SampleCodeG602[0] source := sample.Code[0] analyzer.LoadAnalyzers(analyzers.Generate(true, analyzers.NewAnalyzerFilter(true, "G602")).AnalyzersInfo()) controlPackage := testutils.NewTestPackage() defer controlPackage.Close() controlPackage.AddFile("cipher.go", source) err := controlPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, controlPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).Should(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("external")) Expect(issues[0].Suppressions[0].Justification).To(Equal("Globally suppressed.")) }) It("should track multiple suppressions if the violation is multiply suppressed", func() { sample := testutils.SampleCodeG101[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(true, rules.NewRuleFilter(true, "G101")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "password := \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\"", "password := \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\" //#nosec G101 -- Justification", 1) nosecPackage.AddFile("pwd.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).Should(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(2)) }) It("should not report an error if the violation is suppressed on a struct filed", func() { sample := testutils.SampleCodeG402[0] source := sample.Code[0] analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G402")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecSource := strings.Replace(source, "TLSClientConfig: &tls.Config{InsecureSkipVerify: true}", "TLSClientConfig: &tls.Config{InsecureSkipVerify: true} // #nosec G402", 1) nosecPackage.AddFile("tls.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(sample.Errors)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) }) It("should not report an error if the violation is suppressed on multi-lien issue", func() { source := ` package main import ( "fmt" ) const TokenLabel = ` source += "`" + ` f62e5bcda4fae4f82370da0c6f20697b8f8447ef ` + "`" + "//#nosec G101 -- false positive, this is not a private data" + ` func main() { fmt.Printf("Label: %s ", TokenLabel) } ` analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo()) nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() nosecPackage.AddFile("pwd.go", source) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) err = analyzer.Process(buildTags, nosecPackage.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() Expect(issues).To(HaveLen(1)) Expect(issues[0].Suppressions).To(HaveLen(1)) Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource")) Expect(issues[0].Suppressions[0].Justification).To(Equal("false positive, this is not a private data")) }) }) }) 07070100000012000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001700000000gosec-2.21.4/analyzers07070100000013000081A400000000000000000000000166F5526900000514000000000000000000000000000000000000002800000000gosec-2.21.4/analyzers/analyzers_set.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import "golang.org/x/tools/go/analysis" type AnalyzerSet struct { Analyzers []*analysis.Analyzer AnalyzerSuppressedMap map[string]bool } // NewAnalyzerSet constructs a new AnalyzerSet func NewAnalyzerSet() *AnalyzerSet { return &AnalyzerSet{nil, make(map[string]bool)} } // Register adds a trigger for the supplied analyzer func (a *AnalyzerSet) Register(analyzer *analysis.Analyzer, isSuppressed bool) { a.Analyzers = append(a.Analyzers, analyzer) a.AnalyzerSuppressedMap[analyzer.Name] = isSuppressed } // IsSuppressed will return whether the Analyzer is suppressed. func (a *AnalyzerSet) IsSuppressed(ruleID string) bool { return a.AnalyzerSuppressedMap[ruleID] } 07070100000014000081A400000000000000000000000166F5526900000714000000000000000000000000000000000000002900000000gosec-2.21.4/analyzers/analyzers_test.gopackage analyzers_test import ( "fmt" "log" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/analyzers" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("gosec analyzers", func() { var ( logger *log.Logger config gosec.Config analyzer *gosec.Analyzer runner func(string, []testutils.CodeSample) buildTags []string tests bool ) BeforeEach(func() { logger, _ = testutils.NewLogger() config = gosec.NewConfig() analyzer = gosec.NewAnalyzer(config, tests, false, false, 1, logger) runner = func(analyzerId string, samples []testutils.CodeSample) { for n, sample := range samples { analyzer.Reset() analyzer.SetConfig(sample.Config) analyzer.LoadAnalyzers(analyzers.Generate(false, analyzers.NewAnalyzerFilter(false, analyzerId)).AnalyzersInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() for i, code := range sample.Code { pkg.AddFile(fmt.Sprintf("sample_%d_%d.go", n, i), code) } err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) Expect(pkg.PrintErrors()).Should(BeZero()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() if len(issues) != sample.Errors { fmt.Println(sample.Code) } Expect(issues).Should(HaveLen(sample.Errors)) } } }) Context("report correct errors for all samples", func() { It("should detect integer conversion overflow", func() { runner("G115", testutils.SampleCodeG115) }) It("should detect hardcoded nonce/IV", func() { runner("G407", testutils.SampleCodeG407) }) It("should detect out of bounds slice access", func() { runner("G602", testutils.SampleCodeG602) }) }) }) 07070100000015000081A400000000000000000000000166F5526900000CA3000000000000000000000000000000000000002800000000gosec-2.21.4/analyzers/analyzerslist.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import ( "golang.org/x/tools/go/analysis" ) // AnalyzerDefinition contains the description of an analyzer and a mechanism to // create it. type AnalyzerDefinition struct { ID string Description string Create AnalyzerBuilder } // AnalyzerBuilder is used to register an analyzer definition with the analyzer type AnalyzerBuilder func(id string, description string) *analysis.Analyzer // AnalyzerList contains a mapping of analyzer ID's to analyzer definitions and a mapping // of analyzer ID's to whether analyzers are suppressed. type AnalyzerList struct { Analyzers map[string]AnalyzerDefinition AnalyzerSuppressed map[string]bool } // AnalyzersInfo returns all the create methods and the analyzer suppressed map for a // given list func (al *AnalyzerList) AnalyzersInfo() (map[string]AnalyzerDefinition, map[string]bool) { builders := make(map[string]AnalyzerDefinition) for _, def := range al.Analyzers { builders[def.ID] = def } return builders, al.AnalyzerSuppressed } // AnalyzerFilter can be used to include or exclude an analyzer depending on the return // value of the function type AnalyzerFilter func(string) bool // NewAnalyzerFilter is a closure that will include/exclude the analyzer ID's based on // the supplied boolean value (false means don't remove, true means exclude). func NewAnalyzerFilter(action bool, analyzerIDs ...string) AnalyzerFilter { analyzerlist := make(map[string]bool) for _, analyzer := range analyzerIDs { analyzerlist[analyzer] = true } return func(analyzer string) bool { if _, found := analyzerlist[analyzer]; found { return action } return !action } } var defaultAnalyzers = []AnalyzerDefinition{ {"G115", "Type conversion which leads to integer overflow", newConversionOverflowAnalyzer}, {"G602", "Possible slice bounds out of range", newSliceBoundsAnalyzer}, {"G407", "Use of hardcoded IV/nonce for encryption", newHardCodedNonce}, } // Generate the list of analyzers to use func Generate(trackSuppressions bool, filters ...AnalyzerFilter) *AnalyzerList { analyzerMap := make(map[string]AnalyzerDefinition) analyzerSuppressedMap := make(map[string]bool) for _, analyzer := range defaultAnalyzers { analyzerSuppressedMap[analyzer.ID] = false addToAnalyzerList := true for _, filter := range filters { if filter(analyzer.ID) { analyzerSuppressedMap[analyzer.ID] = true if !trackSuppressions { addToAnalyzerList = false } } } if addToAnalyzerList { analyzerMap[analyzer.ID] = analyzer } } return &AnalyzerList{Analyzers: analyzerMap, AnalyzerSuppressed: analyzerSuppressedMap} } 07070100000016000081A400000000000000000000000166F55269000000CB000000000000000000000000000000000000002F00000000gosec-2.21.4/analyzers/anaylzers_suite_test.gopackage analyzers_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestAnalyzers(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Analyzers Suite") } 07070100000017000081A400000000000000000000000166F5526900003970000000000000000000000000000000000000002E00000000gosec-2.21.4/analyzers/conversion_overflow.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import ( "fmt" "go/token" "math" "regexp" "strconv" "strings" "golang.org/x/exp/constraints" "golang.org/x/tools/go/analysis" "golang.org/x/tools/go/analysis/passes/buildssa" "golang.org/x/tools/go/ssa" "github.com/securego/gosec/v2/issue" ) type integer struct { signed bool size int min int max uint } type rangeResult struct { minValue int maxValue uint explicitPositiveVals []uint explicitNegativeVals []int isRangeCheck bool convertFound bool } type branchResults struct { minValue *int maxValue *uint explixitPositiveVals []uint explicitNegativeVals []int convertFound bool } func newConversionOverflowAnalyzer(id string, description string) *analysis.Analyzer { return &analysis.Analyzer{ Name: id, Doc: description, Run: runConversionOverflow, Requires: []*analysis.Analyzer{buildssa.Analyzer}, } } func runConversionOverflow(pass *analysis.Pass) (interface{}, error) { ssaResult, err := getSSAResult(pass) if err != nil { return nil, fmt.Errorf("building ssa representation: %w", err) } issues := []*issue.Issue{} for _, mcall := range ssaResult.SSA.SrcFuncs { for _, block := range mcall.DomPreorder() { for _, instr := range block.Instrs { switch instr := instr.(type) { case *ssa.Convert: src := instr.X.Type().Underlying().String() dst := instr.Type().Underlying().String() if isIntOverflow(src, dst) { if isSafeConversion(instr) { continue } issue := newIssue(pass.Analyzer.Name, fmt.Sprintf("integer overflow conversion %s -> %s", src, dst), pass.Fset, instr.Pos(), issue.High, issue.Medium, ) issues = append(issues, issue) } } } } } if len(issues) > 0 { return issues, nil } return nil, nil } func isIntOverflow(src string, dst string) bool { srcInt, err := parseIntType(src) if err != nil { return false } dstInt, err := parseIntType(dst) if err != nil { return false } return srcInt.min < dstInt.min || srcInt.max > dstInt.max } func parseIntType(intType string) (integer, error) { re := regexp.MustCompile(`^(?P<type>u?int)(?P<size>\d{1,2})?$`) matches := re.FindStringSubmatch(intType) if matches == nil { return integer{}, fmt.Errorf("no integer type match found for %s", intType) } it := matches[re.SubexpIndex("type")] is := matches[re.SubexpIndex("size")] signed := it == "int" // use default system int type in case size is not present in the type. intSize := strconv.IntSize if is != "" { var err error intSize, err = strconv.Atoi(is) if err != nil { return integer{}, fmt.Errorf("failed to parse the integer type size: %w", err) } } if intSize != 8 && intSize != 16 && intSize != 32 && intSize != 64 && is != "" { return integer{}, fmt.Errorf("invalid bit size: %d", intSize) } var min int var max uint if signed { shiftAmount := intSize - 1 // Perform a bounds check. if shiftAmount < 0 { return integer{}, fmt.Errorf("invalid shift amount: %d", shiftAmount) } max = (1 << uint(shiftAmount)) - 1 min = -1 << (intSize - 1) } else { max = (1 << uint(intSize)) - 1 min = 0 } return integer{ signed: signed, size: intSize, min: min, max: max, }, nil } func isSafeConversion(instr *ssa.Convert) bool { dstType := instr.Type().Underlying().String() // Check for constant conversions. if constVal, ok := instr.X.(*ssa.Const); ok { if isConstantInRange(constVal, dstType) { return true } } // Check for string to integer conversions with specified bit size. if isStringToIntConversion(instr, dstType) { return true } // Check for explicit range checks. if hasExplicitRangeCheck(instr, dstType) { return true } return false } func isConstantInRange(constVal *ssa.Const, dstType string) bool { value, err := strconv.ParseInt(constVal.Value.String(), 10, 64) if err != nil { return false } dstInt, err := parseIntType(dstType) if err != nil { return false } if dstInt.signed { return value >= -(1<<(dstInt.size-1)) && value <= (1<<(dstInt.size-1))-1 } return value >= 0 && value <= (1<<dstInt.size)-1 } func isStringToIntConversion(instr *ssa.Convert, dstType string) bool { // Traverse the SSA instructions to find the original variable. original := instr.X for { switch v := original.(type) { case *ssa.Call: if v.Call.StaticCallee() != nil && (v.Call.StaticCallee().Name() == "ParseInt" || v.Call.StaticCallee().Name() == "ParseUint") { if len(v.Call.Args) == 3 { if bitSize, ok := v.Call.Args[2].(*ssa.Const); ok { signed := v.Call.StaticCallee().Name() == "ParseInt" bitSizeValue, err := strconv.Atoi(bitSize.Value.String()) if err != nil { return false } dstInt, err := parseIntType(dstType) if err != nil { return false } isSafe := bitSizeValue <= dstInt.size && signed == dstInt.signed return isSafe } } } return false case *ssa.Phi: original = v.Edges[0] case *ssa.Extract: original = v.Tuple default: return false } } } func hasExplicitRangeCheck(instr *ssa.Convert, dstType string) bool { dstInt, err := parseIntType(dstType) if err != nil { return false } srcInt, err := parseIntType(instr.X.Type().String()) if err != nil { return false } minValue := srcInt.min maxValue := srcInt.max explicitPositiveVals := []uint{} explicitNegativeVals := []int{} if minValue > dstInt.min && maxValue < dstInt.max { return true } visitedIfs := make(map[*ssa.If]bool) for _, block := range instr.Parent().Blocks { for _, blockInstr := range block.Instrs { switch v := blockInstr.(type) { case *ssa.If: result := getResultRange(v, instr, visitedIfs) if result.isRangeCheck { minValue = max(minValue, &result.minValue) maxValue = min(maxValue, &result.maxValue) explicitPositiveVals = append(explicitPositiveVals, result.explicitPositiveVals...) explicitNegativeVals = append(explicitNegativeVals, result.explicitNegativeVals...) } case *ssa.Call: // These function return an int of a guaranteed size. if v != instr.X { continue } if fn, isBuiltin := v.Call.Value.(*ssa.Builtin); isBuiltin { switch fn.Name() { case "len", "cap": minValue = 0 } } } if explicitValsInRange(explicitPositiveVals, explicitNegativeVals, dstInt) { return true } else if minValue >= dstInt.min && maxValue <= dstInt.max { return true } } } return false } // getResultRange is a recursive function that walks the branches of the if statement to find the range of the variable. func getResultRange(ifInstr *ssa.If, instr *ssa.Convert, visitedIfs map[*ssa.If]bool) rangeResult { if visitedIfs[ifInstr] { return rangeResult{minValue: math.MinInt, maxValue: math.MaxUint} } visitedIfs[ifInstr] = true cond := ifInstr.Cond binOp, ok := cond.(*ssa.BinOp) if !ok || !isRangeCheck(binOp, instr.X) { return rangeResult{minValue: math.MinInt, maxValue: math.MaxUint} } result := rangeResult{ minValue: math.MinInt, maxValue: math.MaxUint, isRangeCheck: true, } thenBounds := walkBranchForConvert(ifInstr.Block().Succs[0], instr, visitedIfs) elseBounds := walkBranchForConvert(ifInstr.Block().Succs[1], instr, visitedIfs) updateResultFromBinOp(&result, binOp, instr, thenBounds.convertFound) if thenBounds.convertFound { result.convertFound = true result.minValue = max(result.minValue, thenBounds.minValue) result.maxValue = min(result.maxValue, thenBounds.maxValue) } else if elseBounds.convertFound { result.convertFound = true result.minValue = max(result.minValue, elseBounds.minValue) result.maxValue = min(result.maxValue, elseBounds.maxValue) } result.explicitPositiveVals = append(result.explicitPositiveVals, thenBounds.explixitPositiveVals...) result.explicitNegativeVals = append(result.explicitNegativeVals, thenBounds.explicitNegativeVals...) result.explicitPositiveVals = append(result.explicitPositiveVals, elseBounds.explixitPositiveVals...) result.explicitNegativeVals = append(result.explicitNegativeVals, elseBounds.explicitNegativeVals...) return result } // updateResultFromBinOp updates the rangeResult based on the BinOp instruction and the location of the Convert instruction. func updateResultFromBinOp(result *rangeResult, binOp *ssa.BinOp, instr *ssa.Convert, successPathConvert bool) { x, y := binOp.X, binOp.Y operandsFlipped := false compareVal, op := getRealValueFromOperation(instr.X) // Handle FieldAddr if fieldAddr, ok := compareVal.(*ssa.FieldAddr); ok { compareVal = fieldAddr } if !isSameOrRelated(x, compareVal) { y = x operandsFlipped = true } constVal, ok := y.(*ssa.Const) if !ok { return } // TODO: constVal.Value nil check avoids #1229 panic but seems to be hiding a bug in the code above or in x/tools/go/ssa. if constVal.Value == nil { // log.Fatalf("[gosec] constVal.Value is nil flipped=%t, constVal=%#v, binOp=%#v", operandsFlipped, constVal, binOp) return } switch binOp.Op { case token.LEQ, token.LSS: updateMinMaxForLessOrEqual(result, constVal, binOp.Op, operandsFlipped, successPathConvert) case token.GEQ, token.GTR: updateMinMaxForGreaterOrEqual(result, constVal, binOp.Op, operandsFlipped, successPathConvert) case token.EQL: if !successPathConvert { break } updateExplicitValues(result, constVal) case token.NEQ: if successPathConvert { break } updateExplicitValues(result, constVal) } if op == "neg" { min := result.minValue max := result.maxValue if min >= 0 { result.maxValue = uint(min) } if max <= math.MaxInt { result.minValue = int(max) } } } func updateExplicitValues(result *rangeResult, constVal *ssa.Const) { if strings.Contains(constVal.String(), "-") { result.explicitNegativeVals = append(result.explicitNegativeVals, int(constVal.Int64())) } else { result.explicitPositiveVals = append(result.explicitPositiveVals, uint(constVal.Uint64())) } } func updateMinMaxForLessOrEqual(result *rangeResult, constVal *ssa.Const, op token.Token, operandsFlipped bool, successPathConvert bool) { // If the success path has a conversion and the operands are not flipped, then the constant value is the maximum value. if successPathConvert && !operandsFlipped { result.maxValue = uint(constVal.Uint64()) if op == token.LEQ { result.maxValue-- } } else { result.minValue = int(constVal.Int64()) if op == token.GTR { result.minValue++ } } } func updateMinMaxForGreaterOrEqual(result *rangeResult, constVal *ssa.Const, op token.Token, operandsFlipped bool, successPathConvert bool) { // If the success path has a conversion and the operands are not flipped, then the constant value is the minimum value. if successPathConvert && !operandsFlipped { result.minValue = int(constVal.Int64()) if op == token.GEQ { result.minValue++ } } else { result.maxValue = uint(constVal.Uint64()) if op == token.LSS { result.maxValue-- } } } // walkBranchForConvert walks the branch of the if statement to find the range of the variable and where the conversion is. func walkBranchForConvert(block *ssa.BasicBlock, instr *ssa.Convert, visitedIfs map[*ssa.If]bool) branchResults { bounds := branchResults{} for _, blockInstr := range block.Instrs { switch v := blockInstr.(type) { case *ssa.If: result := getResultRange(v, instr, visitedIfs) bounds.convertFound = bounds.convertFound || result.convertFound if result.isRangeCheck { bounds.minValue = toPtr(max(result.minValue, bounds.minValue)) bounds.maxValue = toPtr(min(result.maxValue, bounds.maxValue)) bounds.explixitPositiveVals = append(bounds.explixitPositiveVals, result.explicitPositiveVals...) bounds.explicitNegativeVals = append(bounds.explicitNegativeVals, result.explicitNegativeVals...) } case *ssa.Call: if v == instr.X { if fn, isBuiltin := v.Call.Value.(*ssa.Builtin); isBuiltin && (fn.Name() == "len" || fn.Name() == "cap") { bounds.minValue = toPtr(0) } } case *ssa.Convert: if v == instr { bounds.convertFound = true return bounds } } } return bounds } func isRangeCheck(v ssa.Value, x ssa.Value) bool { compareVal, _ := getRealValueFromOperation(x) switch op := v.(type) { case *ssa.BinOp: switch op.Op { case token.LSS, token.LEQ, token.GTR, token.GEQ, token.EQL, token.NEQ: leftMatch := isSameOrRelated(op.X, compareVal) rightMatch := isSameOrRelated(op.Y, compareVal) return leftMatch || rightMatch } } return false } func getRealValueFromOperation(v ssa.Value) (ssa.Value, string) { switch v := v.(type) { case *ssa.UnOp: if v.Op == token.SUB { val, _ := getRealValueFromOperation(v.X) return val, "neg" } return getRealValueFromOperation(v.X) case *ssa.FieldAddr: return v, "field" case *ssa.Alloc: return v, "alloc" } return v, "" } func isSameOrRelated(a, b ssa.Value) bool { aVal, _ := getRealValueFromOperation(a) bVal, _ := getRealValueFromOperation(b) if aVal == bVal { return true } // Check if both are FieldAddr operations referring to the same field of the same struct if aField, aOk := aVal.(*ssa.FieldAddr); aOk { if bField, bOk := bVal.(*ssa.FieldAddr); bOk { return aField.X == bField.X && aField.Field == bField.Field } } return false } func explicitValsInRange(explicitPosVals []uint, explicitNegVals []int, dstInt integer) bool { if len(explicitPosVals) == 0 && len(explicitNegVals) == 0 { return false } for _, val := range explicitPosVals { if val > dstInt.max { return false } } for _, val := range explicitNegVals { if val < dstInt.min { return false } } return true } func min[T constraints.Integer](a T, b *T) T { if b == nil { return a } if a < *b { return a } return *b } func max[T constraints.Integer](a T, b *T) T { if b == nil { return a } if a > *b { return a } return *b } func toPtr[T any](a T) *T { return &a } 07070100000018000081A400000000000000000000000166F5526900001784000000000000000000000000000000000000003300000000gosec-2.21.4/analyzers/conversion_overflow_test.gopackage analyzers import ( "math" "strconv" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) var _ = Describe("ParseIntType", func() { Context("with valid input", func() { DescribeTable("should correctly parse and calculate bounds for", func(intType string, expectedSigned bool, expectedSize int, expectedMin int, expectedMax uint) { result, err := parseIntType(intType) Expect(err).NotTo(HaveOccurred()) Expect(result.signed).To(Equal(expectedSigned)) Expect(result.size).To(Equal(expectedSize)) Expect(result.min).To(Equal(expectedMin)) Expect(result.max).To(Equal(expectedMax)) }, Entry("uint8", "uint8", false, 8, 0, uint(math.MaxUint8)), Entry("int8", "int8", true, 8, math.MinInt8, uint(math.MaxInt8)), Entry("uint16", "uint16", false, 16, 0, uint(math.MaxUint16)), Entry("int16", "int16", true, 16, math.MinInt16, uint(math.MaxInt16)), Entry("uint32", "uint32", false, 32, 0, uint(math.MaxUint32)), Entry("int32", "int32", true, 32, math.MinInt32, uint(math.MaxInt32)), Entry("uint64", "uint64", false, 64, 0, uint(math.MaxUint64)), Entry("int64", "int64", true, 64, math.MinInt64, uint(math.MaxInt64)), ) It("should use system's int size for 'int' and 'uint'", func() { intResult, err := parseIntType("int") Expect(err).NotTo(HaveOccurred()) Expect(intResult.size).To(Equal(strconv.IntSize)) uintResult, err := parseIntType("uint") Expect(err).NotTo(HaveOccurred()) Expect(uintResult.size).To(Equal(strconv.IntSize)) }) }) Context("with invalid input", func() { DescribeTable("should return an error for", func(intType string, expectedErrorString string) { _, err := parseIntType(intType) Expect(err).To(HaveOccurred()) Expect(err.Error()).To(ContainSubstring(expectedErrorString)) }, Entry("empty string", "", "no integer type match found for "), Entry("invalid type", "float64", "no integer type match found for float64"), Entry("invalid size", "int65", "invalid bit size: 65"), Entry("negative size", "int-8", "no integer type match found for int-8"), Entry("non-numeric size", "intABC", "no integer type match found for intABC"), ) }) }) var _ = Describe("IsIntOverflow", func() { DescribeTable("should correctly identify overflow scenarios on a 64-bit system", func(src string, dst string, expectedOverflow bool) { result := isIntOverflow(src, dst) Expect(result).To(Equal(expectedOverflow)) }, // Unsigned to Signed conversions Entry("uint8 to int8", "uint8", "int8", true), Entry("uint8 to int16", "uint8", "int16", false), Entry("uint8 to int32", "uint8", "int32", false), Entry("uint8 to int64", "uint8", "int64", false), Entry("uint16 to int8", "uint16", "int8", true), Entry("uint16 to int16", "uint16", "int16", true), Entry("uint16 to int32", "uint16", "int32", false), Entry("uint16 to int64", "uint16", "int64", false), Entry("uint32 to int8", "uint32", "int8", true), Entry("uint32 to int16", "uint32", "int16", true), Entry("uint32 to int32", "uint32", "int32", true), Entry("uint32 to int64", "uint32", "int64", false), Entry("uint64 to int8", "uint64", "int8", true), Entry("uint64 to int16", "uint64", "int16", true), Entry("uint64 to int32", "uint64", "int32", true), Entry("uint64 to int64", "uint64", "int64", true), // Unsigned to Unsigned conversions Entry("uint8 to uint16", "uint8", "uint16", false), Entry("uint8 to uint32", "uint8", "uint32", false), Entry("uint8 to uint64", "uint8", "uint64", false), Entry("uint16 to uint8", "uint16", "uint8", true), Entry("uint16 to uint32", "uint16", "uint32", false), Entry("uint16 to uint64", "uint16", "uint64", false), Entry("uint32 to uint8", "uint32", "uint8", true), Entry("uint32 to uint16", "uint32", "uint16", true), Entry("uint32 to uint64", "uint32", "uint64", false), Entry("uint64 to uint8", "uint64", "uint8", true), Entry("uint64 to uint16", "uint64", "uint16", true), Entry("uint64 to uint32", "uint64", "uint32", true), // Signed to Unsigned conversions Entry("int8 to uint8", "int8", "uint8", true), Entry("int8 to uint16", "int8", "uint16", true), Entry("int8 to uint32", "int8", "uint32", true), Entry("int8 to uint64", "int8", "uint64", true), Entry("int16 to uint8", "int16", "uint8", true), Entry("int16 to uint16", "int16", "uint16", true), Entry("int16 to uint32", "int16", "uint32", true), Entry("int16 to uint64", "int16", "uint64", true), Entry("int32 to uint8", "int32", "uint8", true), Entry("int32 to uint16", "int32", "uint16", true), Entry("int32 to uint32", "int32", "uint32", true), Entry("int32 to uint64", "int32", "uint64", true), Entry("int64 to uint8", "int64", "uint8", true), Entry("int64 to uint16", "int64", "uint16", true), Entry("int64 to uint32", "int64", "uint32", true), Entry("int64 to uint64", "int64", "uint64", true), // Signed to Signed conversions Entry("int8 to int16", "int8", "int16", false), Entry("int8 to int32", "int8", "int32", false), Entry("int8 to int64", "int8", "int64", false), Entry("int16 to int8", "int16", "int8", true), Entry("int16 to int32", "int16", "int32", false), Entry("int16 to int64", "int16", "int64", false), Entry("int32 to int8", "int32", "int8", true), Entry("int32 to int16", "int32", "int16", true), Entry("int32 to int64", "int32", "int64", false), Entry("int64 to int8", "int64", "int8", true), Entry("int64 to int16", "int64", "int16", true), Entry("int64 to int32", "int64", "int32", true), // Same type conversions (should never overflow) Entry("uint8 to uint8", "uint8", "uint8", false), Entry("uint16 to uint16", "uint16", "uint16", false), Entry("uint32 to uint32", "uint32", "uint32", false), Entry("uint64 to uint64", "uint64", "uint64", false), Entry("int8 to int8", "int8", "int8", false), Entry("int16 to int16", "int16", "int16", false), Entry("int32 to int32", "int32", "int32", false), Entry("int64 to int64", "int64", "int64", false), ) }) 07070100000019000081A400000000000000000000000166F55269000024D7000000000000000000000000000000000000002900000000gosec-2.21.4/analyzers/hardcodedNonce.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import ( "errors" "fmt" "go/token" "strings" "golang.org/x/tools/go/analysis" "golang.org/x/tools/go/analysis/passes/buildssa" "golang.org/x/tools/go/ssa" "github.com/securego/gosec/v2/issue" ) const defaultIssueDescription = "Use of hardcoded IV/nonce for encryption" func newHardCodedNonce(id string, description string) *analysis.Analyzer { return &analysis.Analyzer{ Name: id, Doc: description, Run: runHardCodedNonce, Requires: []*analysis.Analyzer{buildssa.Analyzer}, } } func runHardCodedNonce(pass *analysis.Pass) (interface{}, error) { ssaResult, err := getSSAResult(pass) if err != nil { return nil, fmt.Errorf("building ssa representation: %w", err) } // Holds the function name as key, the number of arguments that the function accepts, and at which index of those accepted arguments is the nonce/IV // Example "Test" 3, 1 -- means the function "Test" which accepts 3 arguments, and has the nonce arg as second argument calls := map[string][]int{ "(crypto/cipher.AEAD).Seal": {4, 1}, "(crypto/cipher.AEAD).Open": {4, 1}, "crypto/cipher.NewCBCDecrypter": {2, 1}, "crypto/cipher.NewCBCEncrypter": {2, 1}, "crypto/cipher.NewCFBDecrypter": {2, 1}, "crypto/cipher.NewCFBEncrypter": {2, 1}, "crypto/cipher.NewCTR": {2, 1}, "crypto/cipher.NewOFB": {2, 1}, } ssaPkgFunctions := ssaResult.SSA.SrcFuncs args := getArgsFromTrackedFunctions(ssaPkgFunctions, calls) if args == nil { return nil, errors.New("no tracked functions found, resulting in no variables to track") } var issues []*issue.Issue for _, arg := range args { if arg == nil { continue } i, err := raiseIssue(*arg, calls, ssaPkgFunctions, pass, "") if err != nil { return issues, fmt.Errorf("raising issue error: %w", err) } issues = append(issues, i...) } return issues, nil } func raiseIssue(val ssa.Value, funcsToTrack map[string][]int, ssaFuncs []*ssa.Function, pass *analysis.Pass, issueDescription string, ) ([]*issue.Issue, error) { if issueDescription == "" { issueDescription = defaultIssueDescription } var err error var allIssues []*issue.Issue var issues []*issue.Issue switch valType := (val).(type) { case *ssa.Slice: issueDescription += " by passing hardcoded slice/array" issues, err = iterateThroughReferrers(val, funcsToTrack, pass.Analyzer.Name, issueDescription, pass.Fset, issue.High) allIssues = append(allIssues, issues...) case *ssa.UnOp: // Check if it's a dereference operation (a.k.a pointer) if valType.Op == token.MUL { issueDescription += " by passing pointer which points to hardcoded variable" issues, err = iterateThroughReferrers(val, funcsToTrack, pass.Analyzer.Name, issueDescription, pass.Fset, issue.Low) allIssues = append(allIssues, issues...) } // When the value assigned to a variable is a function call. // It goes and check if this function contains call to crypto/rand.Read // in it's body(Assuming that calling crypto/rand.Read in a function, // is used for the generation of nonce/iv ) case *ssa.Call: if callValue := valType.Call.Value; callValue != nil { if calledFunction, ok := callValue.(*ssa.Function); ok { if contains, funcErr := isFuncContainsCryptoRand(calledFunction); !contains && funcErr == nil { issueDescription += " by passing a value from function which doesn't use crypto/rand" issues, err = iterateThroughReferrers(val, funcsToTrack, pass.Analyzer.Name, issueDescription, pass.Fset, issue.Medium) allIssues = append(allIssues, issues...) } else if funcErr != nil { err = funcErr } } } // only checks from strings->[]byte // might need to add additional types case *ssa.Convert: if valType.Type().String() == "[]byte" && valType.X.Type().String() == "string" { issueDescription += " by passing converted string" issues, err = iterateThroughReferrers(val, funcsToTrack, pass.Analyzer.Name, issueDescription, pass.Fset, issue.High) allIssues = append(allIssues, issues...) } case *ssa.Parameter: // arg given to tracked function is wrapped in another function, example: // func encrypt(..,nonce,...){ // aesgcm.Seal(nonce) // } // save parameter position, by checking the name of the variable used in // tracked functions and comparing it with the name of the arg if valType.Parent() != nil { trackedFunctions := make(map[string][]int) for index, funcArgs := range valType.Parent().Params { if funcArgs.Name() == valType.Name() && funcArgs.Type() == valType.Type() { trackedFunctions[valType.Parent().String()] = []int{len(valType.Parent().Params), index} } } args := getArgsFromTrackedFunctions(ssaFuncs, trackedFunctions) issueDescription += " by passing a parameter to a function and" // recursively backtrack to where the origin of a variable passed to multiple functions is for _, arg := range args { if arg == nil { continue } issues, err = raiseIssue(*arg, trackedFunctions, ssaFuncs, pass, issueDescription) allIssues = append(allIssues, issues...) } } } return allIssues, err } // iterateThroughReferrers iterates through all places that use the `variable` argument and check if it's used in one of the tracked functions. func iterateThroughReferrers(variable ssa.Value, funcsToTrack map[string][]int, analyzerID string, issueDescription string, fileSet *token.FileSet, issueConfidence issue.Score, ) ([]*issue.Issue, error) { if funcsToTrack == nil || variable == nil || analyzerID == "" || issueDescription == "" || fileSet == nil { return nil, errors.New("received a nil object") } var gosecIssues []*issue.Issue refs := variable.Referrers() if refs == nil { return gosecIssues, nil } // Go trough all functions that use the given arg variable for _, ref := range *refs { // Iterate trough the functions we are interested for trackedFunc := range funcsToTrack { // Split the functions we are interested in, by the '.' because we will use the function name to do the comparison // MIGHT GIVE SOME FALSE POSITIVES THIS WAY trackedFuncParts := strings.Split(trackedFunc, ".") trackedFuncPartsName := trackedFuncParts[len(trackedFuncParts)-1] if strings.Contains(ref.String(), trackedFuncPartsName) { gosecIssues = append(gosecIssues, newIssue(analyzerID, issueDescription, fileSet, ref.Pos(), issue.High, issueConfidence)) } } } return gosecIssues, nil } // isFuncContainsCryptoRand checks whether a function contains a call to crypto/rand.Read in it's function body. func isFuncContainsCryptoRand(funcCall *ssa.Function) (bool, error) { if funcCall == nil { return false, errors.New("passed ssa.Function object is nil") } for _, block := range funcCall.Blocks { for _, instr := range block.Instrs { if call, ok := instr.(*ssa.Call); ok { if calledFunction, ok := call.Call.Value.(*ssa.Function); ok { if calledFunction.Pkg != nil && calledFunction.Pkg.Pkg.Path() == "crypto/rand" && calledFunction.Name() == "Read" { return true, nil } } } } } return false, nil } func addToVarsMap(value ssa.Value, mapToAddTo map[string]*ssa.Value) { key := value.Name() + value.Type().String() + value.String() + value.Parent().String() mapToAddTo[key] = &value } func isContainedInMap(value ssa.Value, mapToCheck map[string]*ssa.Value) bool { key := value.Name() + value.Type().String() + value.String() + value.Parent().String() _, contained := mapToCheck[key] return contained } func getArgsFromTrackedFunctions(ssaFuncs []*ssa.Function, trackedFunc map[string][]int) map[string]*ssa.Value { values := make(map[string]*ssa.Value) for _, pkgFunc := range ssaFuncs { for _, funcBlock := range pkgFunc.Blocks { for _, funcBlocInstr := range funcBlock.Instrs { iterateTrackedFunctionsAndAddArgs(funcBlocInstr, trackedFunc, values) } } } return values } func iterateTrackedFunctionsAndAddArgs(funcBlocInstr ssa.Instruction, trackedFunc map[string][]int, values map[string]*ssa.Value) { if funcCall, ok := (funcBlocInstr).(*ssa.Call); ok { for trackedFuncName, trackedFuncArgsInfo := range trackedFunc { // only process functions that have the same number of arguments as the ones we track if len(funcCall.Call.Args) == trackedFuncArgsInfo[0] { tmpArg := funcCall.Call.Args[trackedFuncArgsInfo[1]] // check if the function is called from an object or directly from the package if funcCall.Call.Method != nil { if methodFullname := funcCall.Call.Method.FullName(); methodFullname == trackedFuncName { if !isContainedInMap(tmpArg, values) { addToVarsMap(tmpArg, values) } } } else if funcCall.Call.Value.String() == trackedFuncName { if !isContainedInMap(tmpArg, values) { addToVarsMap(tmpArg, values) } } } } } } 0707010000001A000081A400000000000000000000000166F55269000026E6000000000000000000000000000000000000002700000000gosec-2.21.4/analyzers/slice_bounds.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import ( "errors" "fmt" "go/token" "regexp" "strconv" "strings" "golang.org/x/tools/go/analysis" "golang.org/x/tools/go/analysis/passes/buildssa" "golang.org/x/tools/go/ssa" "github.com/securego/gosec/v2/issue" ) type bound int const ( lowerUnbounded bound = iota upperUnbounded unbounded upperBounded ) const maxDepth = 20 func newSliceBoundsAnalyzer(id string, description string) *analysis.Analyzer { return &analysis.Analyzer{ Name: id, Doc: description, Run: runSliceBounds, Requires: []*analysis.Analyzer{buildssa.Analyzer}, } } func runSliceBounds(pass *analysis.Pass) (interface{}, error) { ssaResult, err := getSSAResult(pass) if err != nil { return nil, err } issues := map[ssa.Instruction]*issue.Issue{} ifs := map[ssa.If]*ssa.BinOp{} for _, mcall := range ssaResult.SSA.SrcFuncs { for _, block := range mcall.DomPreorder() { for _, instr := range block.Instrs { switch instr := instr.(type) { case *ssa.Alloc: sliceCap, err := extractSliceCapFromAlloc(instr.String()) if err != nil { break } allocRefs := instr.Referrers() if allocRefs == nil { break } for _, instr := range *allocRefs { if slice, ok := instr.(*ssa.Slice); ok { if _, ok := slice.X.(*ssa.Alloc); ok { if slice.Parent() != nil { l, h := extractSliceBounds(slice) newCap := computeSliceNewCap(l, h, sliceCap) violations := []ssa.Instruction{} trackSliceBounds(0, newCap, slice, &violations, ifs) for _, s := range violations { switch s := s.(type) { case *ssa.Slice: issue := newIssue( pass.Analyzer.Name, "slice bounds out of range", pass.Fset, s.Pos(), issue.Low, issue.High) issues[s] = issue case *ssa.IndexAddr: issue := newIssue( pass.Analyzer.Name, "slice index out of range", pass.Fset, s.Pos(), issue.Low, issue.High) issues[s] = issue } } } } } } } } } } for ifref, binop := range ifs { bound, value, err := extractBinOpBound(binop) if err != nil { continue } for i, block := range ifref.Block().Succs { if i == 1 { bound = invBound(bound) } var processBlock func(block *ssa.BasicBlock, depth int) processBlock = func(block *ssa.BasicBlock, depth int) { if depth == maxDepth { return } depth++ for _, instr := range block.Instrs { if _, ok := issues[instr]; ok { switch bound { case lowerUnbounded: break case upperUnbounded, unbounded: delete(issues, instr) case upperBounded: switch tinstr := instr.(type) { case *ssa.Slice: lower, upper := extractSliceBounds(tinstr) if isSliceInsideBounds(0, value, lower, upper) { delete(issues, instr) } case *ssa.IndexAddr: indexValue, err := extractIntValue(tinstr.Index.String()) if err != nil { break } if isSliceIndexInsideBounds(0, value, indexValue) { delete(issues, instr) } } } } else if nestedIfInstr, ok := instr.(*ssa.If); ok { for _, nestedBlock := range nestedIfInstr.Block().Succs { processBlock(nestedBlock, depth) } } } } processBlock(block, 0) } } foundIssues := []*issue.Issue{} for _, issue := range issues { foundIssues = append(foundIssues, issue) } if len(foundIssues) > 0 { return foundIssues, nil } return nil, nil } func trackSliceBounds(depth int, sliceCap int, slice ssa.Node, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) { if depth == maxDepth { return } depth++ if violations == nil { violations = &[]ssa.Instruction{} } referrers := slice.Referrers() if referrers != nil { for _, refinstr := range *referrers { switch refinstr := refinstr.(type) { case *ssa.Slice: checkAllSlicesBounds(depth, sliceCap, refinstr, violations, ifs) switch refinstr.X.(type) { case *ssa.Alloc, *ssa.Parameter: l, h := extractSliceBounds(refinstr) newCap := computeSliceNewCap(l, h, sliceCap) trackSliceBounds(depth, newCap, refinstr, violations, ifs) } case *ssa.IndexAddr: indexValue, err := extractIntValue(refinstr.Index.String()) if err == nil && !isSliceIndexInsideBounds(0, sliceCap, indexValue) { *violations = append(*violations, refinstr) } case *ssa.Call: if ifref, cond := extractSliceIfLenCondition(refinstr); ifref != nil && cond != nil { ifs[*ifref] = cond } else { parPos := -1 for pos, arg := range refinstr.Call.Args { if a, ok := arg.(*ssa.Slice); ok && a == slice { parPos = pos } } if fn, ok := refinstr.Call.Value.(*ssa.Function); ok { if len(fn.Params) > parPos && parPos > -1 { param := fn.Params[parPos] trackSliceBounds(depth, sliceCap, param, violations, ifs) } } } } } } } func checkAllSlicesBounds(depth int, sliceCap int, slice *ssa.Slice, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) { if depth == maxDepth { return } depth++ if violations == nil { violations = &[]ssa.Instruction{} } sliceLow, sliceHigh := extractSliceBounds(slice) if !isSliceInsideBounds(0, sliceCap, sliceLow, sliceHigh) { *violations = append(*violations, slice) } switch slice.X.(type) { case *ssa.Alloc, *ssa.Parameter, *ssa.Slice: l, h := extractSliceBounds(slice) newCap := computeSliceNewCap(l, h, sliceCap) trackSliceBounds(depth, newCap, slice, violations, ifs) } references := slice.Referrers() if references == nil { return } for _, ref := range *references { switch s := ref.(type) { case *ssa.Slice: checkAllSlicesBounds(depth, sliceCap, s, violations, ifs) switch s.X.(type) { case *ssa.Alloc, *ssa.Parameter: l, h := extractSliceBounds(s) newCap := computeSliceNewCap(l, h, sliceCap) trackSliceBounds(depth, newCap, s, violations, ifs) } } } } func extractSliceIfLenCondition(call *ssa.Call) (*ssa.If, *ssa.BinOp) { if builtInLen, ok := call.Call.Value.(*ssa.Builtin); ok { if builtInLen.Name() == "len" { refs := call.Referrers() if refs != nil { for _, ref := range *refs { if binop, ok := ref.(*ssa.BinOp); ok { binoprefs := binop.Referrers() for _, ref := range *binoprefs { if ifref, ok := ref.(*ssa.If); ok { return ifref, binop } } } } } } } return nil, nil } func computeSliceNewCap(l, h, oldCap int) int { if l == 0 && h == 0 { return oldCap } if l > 0 && h == 0 { return oldCap - l } if l == 0 && h > 0 { return h } return h - l } func invBound(bound bound) bound { switch bound { case lowerUnbounded: return upperUnbounded case upperUnbounded: return lowerUnbounded case upperBounded: return unbounded case unbounded: return upperBounded default: return unbounded } } func extractBinOpBound(binop *ssa.BinOp) (bound, int, error) { if binop.X != nil { if x, ok := binop.X.(*ssa.Const); ok { value, err := strconv.Atoi(x.Value.String()) if err != nil { return lowerUnbounded, value, err } switch binop.Op { case token.LSS, token.LEQ: return upperUnbounded, value, nil case token.GTR, token.GEQ: return lowerUnbounded, value, nil case token.EQL: return upperBounded, value, nil case token.NEQ: return unbounded, value, nil } } } if binop.Y != nil { if y, ok := binop.Y.(*ssa.Const); ok { value, err := strconv.Atoi(y.Value.String()) if err != nil { return lowerUnbounded, value, err } switch binop.Op { case token.LSS, token.LEQ: return lowerUnbounded, value, nil case token.GTR, token.GEQ: return upperUnbounded, value, nil case token.EQL: return upperBounded, value, nil case token.NEQ: return unbounded, value, nil } } } return lowerUnbounded, 0, fmt.Errorf("unable to extract constant from binop") } func isSliceIndexInsideBounds(l, h int, index int) bool { return (l <= index && index < h) } func isSliceInsideBounds(l, h int, cl, ch int) bool { return (l <= cl && h >= ch) && (l <= ch && h >= cl) } func extractSliceBounds(slice *ssa.Slice) (int, int) { var low int if slice.Low != nil { l, err := extractIntValue(slice.Low.String()) if err == nil { low = l } } var high int if slice.High != nil { h, err := extractIntValue(slice.High.String()) if err == nil { high = h } } return low, high } func extractIntValue(value string) (int, error) { parts := strings.Split(value, ":") if len(parts) != 2 { return 0, fmt.Errorf("invalid value: %s", value) } if parts[1] != "int" { return 0, fmt.Errorf("invalid value: %s", value) } return strconv.Atoi(parts[0]) } func extractSliceCapFromAlloc(instr string) (int, error) { re := regexp.MustCompile(`new \[(\d+)\]*`) var sliceCap int matches := re.FindAllStringSubmatch(instr, -1) if matches == nil { return sliceCap, errors.New("no slice cap found") } if len(matches) > 0 { m := matches[0] if len(m) > 1 { return strconv.Atoi(m[1]) } } return 0, errors.New("no slice cap found") } 0707010000001B000081A400000000000000000000000166F5526900000B38000000000000000000000000000000000000001F00000000gosec-2.21.4/analyzers/util.go// (c) Copyright gosec's authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package analyzers import ( "fmt" "go/token" "log" "os" "strconv" "golang.org/x/tools/go/analysis" "golang.org/x/tools/go/analysis/passes/buildssa" "github.com/securego/gosec/v2/issue" ) // SSAAnalyzerResult contains various information returned by the // SSA analysis along with some configuration type SSAAnalyzerResult struct { Config map[string]interface{} Logger *log.Logger SSA *buildssa.SSA } // BuildDefaultAnalyzers returns the default list of analyzers func BuildDefaultAnalyzers() []*analysis.Analyzer { return []*analysis.Analyzer{ newConversionOverflowAnalyzer("G115", "Type conversion which leads to integer overflow"), newSliceBoundsAnalyzer("G602", "Possible slice bounds out of range"), newHardCodedNonce("G407", "Use of hardcoded IV/nonce for encryption"), } } // getSSAResult retrieves the SSA result from analysis pass func getSSAResult(pass *analysis.Pass) (*SSAAnalyzerResult, error) { result, ok := pass.ResultOf[buildssa.Analyzer] if !ok { return nil, fmt.Errorf("no SSA result found in the analysis pass") } ssaResult, ok := result.(*SSAAnalyzerResult) if !ok { return nil, fmt.Errorf("the analysis pass result is not of type SSA") } return ssaResult, nil } // newIssue creates a new gosec issue func newIssue(analyzerID string, desc string, fileSet *token.FileSet, pos token.Pos, severity, confidence issue.Score, ) *issue.Issue { file := fileSet.File(pos) line := file.Line(pos) col := file.Position(pos).Column return &issue.Issue{ RuleID: analyzerID, File: file.Name(), Line: strconv.Itoa(line), Col: strconv.Itoa(col), Severity: severity, Confidence: confidence, What: desc, Cwe: issue.GetCweByRule(analyzerID), Code: issueCodeSnippet(fileSet, pos), } } func issueCodeSnippet(fileSet *token.FileSet, pos token.Pos) string { file := fileSet.File(pos) start := (int64)(file.Line(pos)) if start-issue.SnippetOffset > 0 { start = start - issue.SnippetOffset } end := (int64)(file.Line(pos)) end = end + issue.SnippetOffset var code string if file, err := os.Open(file.Name()); err == nil { defer file.Close() // #nosec code, err = issue.CodeSnippet(file, start, end) if err != nil { return err.Error() } } return code } 0707010000001C000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001500000000gosec-2.21.4/autofix0707010000001D000081A400000000000000000000000166F5526900001013000000000000000000000000000000000000001B00000000gosec-2.21.4/autofix/ai.gopackage autofix import ( "context" "errors" "fmt" "time" "github.com/google/generative-ai-go/genai" "google.golang.org/api/option" "github.com/securego/gosec/v2/issue" ) const ( GeminiModel = "gemini-1.5-flash" AIPrompt = `Provide a brief explanation and a solution to fix this security issue in Go programming language: %q. Answer in markdown format and keep the response limited to 200 words.` GeminiProvider = "gemini" timeout = 30 * time.Second ) // GenAIClient defines the interface for the GenAI client. type GenAIClient interface { // Close clean up and close the client. Close() error // GenerativeModel build the generative mode. GenerativeModel(name string) GenAIGenerativeModel } // GenAIGenerativeModel defines the interface for the Generative Model. type GenAIGenerativeModel interface { // GenerateContent generates an response for given prompt. GenerateContent(ctx context.Context, prompt string) (string, error) } // genAIClientWrapper wraps the genai.Client to implement GenAIClient. type genAIClientWrapper struct { client *genai.Client } // Close closes the gen AI client. func (w *genAIClientWrapper) Close() error { return w.client.Close() } // GenerativeModel builds the generative Model. func (w *genAIClientWrapper) GenerativeModel(name string) GenAIGenerativeModel { return &genAIGenerativeModelWrapper{model: w.client.GenerativeModel(name)} } // genAIGenerativeModelWrapper wraps the genai.GenerativeModel to implement GenAIGenerativeModel type genAIGenerativeModelWrapper struct { // model is the underlying generative model model *genai.GenerativeModel } // GenerateContent generates a response for the given prompt using gemini API. func (w *genAIGenerativeModelWrapper) GenerateContent(ctx context.Context, prompt string) (string, error) { resp, err := w.model.GenerateContent(ctx, genai.Text(prompt)) if err != nil { return "", fmt.Errorf("generating autofix: %w", err) } if len(resp.Candidates) == 0 { return "", errors.New("no autofix returned by gemini") } if len(resp.Candidates[0].Content.Parts) == 0 { return "", errors.New("nothing found in the first autofix returned by gemini") } // Return the first candidate return fmt.Sprintf("%+v", resp.Candidates[0].Content.Parts[0]), nil } // NewGenAIClient creates a new gemini API client. func NewGenAIClient(ctx context.Context, aiApiKey, endpoint string) (GenAIClient, error) { clientOptions := []option.ClientOption{option.WithAPIKey(aiApiKey)} if endpoint != "" { clientOptions = append(clientOptions, option.WithEndpoint(endpoint)) } client, err := genai.NewClient(ctx, clientOptions...) if err != nil { return nil, fmt.Errorf("calling gemini API: %w", err) } return &genAIClientWrapper{client: client}, nil } func generateSolutionByGemini(client GenAIClient, issues []*issue.Issue) error { ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() model := client.GenerativeModel(GeminiModel) cachedAutofix := make(map[string]string) for _, issue := range issues { if val, ok := cachedAutofix[issue.What]; ok { issue.Autofix = val continue } prompt := fmt.Sprintf(AIPrompt, issue.What) resp, err := model.GenerateContent(ctx, prompt) if err != nil { return fmt.Errorf("generating autofix with gemini: %w", err) } if resp == "" { return errors.New("no autofix returned by gemini") } issue.Autofix = resp cachedAutofix[issue.What] = issue.Autofix } return nil } // GenerateSolution generates a solution for the given issues using the specified AI provider func GenerateSolution(aiApiProvider, aiApiKey, endpoint string, issues []*issue.Issue) error { ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() var client GenAIClient switch aiApiProvider { case GeminiProvider: var err error client, err = NewGenAIClient(ctx, aiApiKey, endpoint) if err != nil { return fmt.Errorf("generating autofix: %w", err) } default: return errors.New("ai provider not supported") } defer client.Close() return generateSolutionByGemini(client, issues) } 0707010000001E000081A400000000000000000000000166F5526900000B78000000000000000000000000000000000000002000000000gosec-2.21.4/autofix/ai_test.gopackage autofix import ( "context" "errors" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/securego/gosec/v2/issue" ) // MockGenAIClient is a mock of the GenAIClient interface type MockGenAIClient struct { mock.Mock } func (m *MockGenAIClient) Close() error { args := m.Called() return args.Error(0) } func (m *MockGenAIClient) GenerativeModel(name string) GenAIGenerativeModel { args := m.Called(name) return args.Get(0).(GenAIGenerativeModel) } // MockGenAIGenerativeModel is a mock of the GenAIGenerativeModel interface type MockGenAIGenerativeModel struct { mock.Mock } func (m *MockGenAIGenerativeModel) GenerateContent(ctx context.Context, prompt string) (string, error) { args := m.Called(ctx, prompt) return args.String(0), args.Error(1) } func TestGenerateSolutionByGemini_Success(t *testing.T) { // Arrange issues := []*issue.Issue{ {What: "Example issue 1"}, } mockClient := new(MockGenAIClient) mockModel := new(MockGenAIGenerativeModel) mockClient.On("GenerativeModel", GeminiModel).Return(mockModel) mockModel.On("GenerateContent", mock.Anything, mock.Anything).Return("Autofix for issue 1", nil) // Act err := generateSolutionByGemini(mockClient, issues) // Assert assert.NoError(t, err) assert.Equal(t, "Autofix for issue 1", issues[0].Autofix) mockClient.AssertExpectations(t) mockModel.AssertExpectations(t) } func TestGenerateSolutionByGemini_NoCandidates(t *testing.T) { // Arrange issues := []*issue.Issue{ {What: "Example issue 2"}, } mockClient := new(MockGenAIClient) mockModel := new(MockGenAIGenerativeModel) mockClient.On("GenerativeModel", GeminiModel).Return(mockModel) mockModel.On("GenerateContent", mock.Anything, mock.Anything).Return("", nil) // Act err := generateSolutionByGemini(mockClient, issues) // Assert assert.Error(t, err) assert.Equal(t, "no autofix returned by gemini", err.Error()) mockClient.AssertExpectations(t) mockModel.AssertExpectations(t) } func TestGenerateSolutionByGemini_APIError(t *testing.T) { // Arrange issues := []*issue.Issue{ {What: "Example issue 3"}, } mockClient := new(MockGenAIClient) mockModel := new(MockGenAIGenerativeModel) mockClient.On("GenerativeModel", GeminiModel).Return(mockModel) mockModel.On("GenerateContent", mock.Anything, mock.Anything).Return("", errors.New("API error")) // Act err := generateSolutionByGemini(mockClient, issues) // Assert assert.Error(t, err) assert.Equal(t, "generating autofix with gemini: API error", err.Error()) mockClient.AssertExpectations(t) mockModel.AssertExpectations(t) } func TestGenerateSolution_UnsupportedProvider(t *testing.T) { // Arrange issues := []*issue.Issue{ {What: "Example issue 4"}, } // Act err := GenerateSolution("unsupported-provider", "test-api-key", "", issues) // Assert assert.Error(t, err) assert.Equal(t, "ai provider not supported", err.Error()) } 0707010000001F000081A400000000000000000000000166F5526900000D24000000000000000000000000000000000000001A00000000gosec-2.21.4/call_list.go// // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec import ( "go/ast" "strings" ) const vendorPath = "vendor/" type set map[string]bool // CallList is used to check for usage of specific packages // and functions. type CallList map[string]set // NewCallList creates a new empty CallList func NewCallList() CallList { return make(CallList) } // AddAll will add several calls to the call list at once func (c CallList) AddAll(selector string, idents ...string) { for _, ident := range idents { c.Add(selector, ident) } } // Add a selector and call to the call list func (c CallList) Add(selector, ident string) { if _, ok := c[selector]; !ok { c[selector] = make(set) } c[selector][ident] = true } // Contains returns true if the package and function are // members of this call list. func (c CallList) Contains(selector, ident string) bool { if idents, ok := c[selector]; ok { _, found := idents[ident] return found } return false } // ContainsPointer returns true if a pointer to the selector type or the type // itself is a members of this call list. func (c CallList) ContainsPointer(selector, indent string) bool { if strings.HasPrefix(selector, "*") { if c.Contains(selector, indent) { return true } s := strings.TrimPrefix(selector, "*") return c.Contains(s, indent) } return false } // ContainsPkgCallExpr resolves the call expression name and type, and then further looks // up the package path for that type. Finally, it determines if the call exists within the call list func (c CallList) ContainsPkgCallExpr(n ast.Node, ctx *Context, stripVendor bool) *ast.CallExpr { selector, ident, err := GetCallInfo(n, ctx) if err != nil { return nil } // Selector can have two forms: // 1. A short name if a module function is called (expr.Name). // E.g., "big" if called function from math/big. // 2. A full name if a structure function is called (TypeOf(expr)). // E.g., "math/big.Rat" if called function of Rat structure from math/big. if !strings.ContainsRune(selector, '.') { // Use only explicit path (optionally strip vendor path prefix) to reduce conflicts path, ok := GetImportPath(selector, ctx) if !ok { return nil } selector = path } if stripVendor { if vendorIdx := strings.Index(selector, vendorPath); vendorIdx >= 0 { selector = selector[vendorIdx+len(vendorPath):] } } if !c.Contains(selector, ident) { return nil } return n.(*ast.CallExpr) } // ContainsCallExpr resolves the call expression name and type, and then determines // if the call exists with the call list func (c CallList) ContainsCallExpr(n ast.Node, ctx *Context) *ast.CallExpr { selector, ident, err := GetCallInfo(n, ctx) if err != nil { return nil } if !c.Contains(selector, ident) && !c.ContainsPointer(selector, ident) { return nil } return n.(*ast.CallExpr) } 07070100000020000081A400000000000000000000000166F552690000126E000000000000000000000000000000000000001F00000000gosec-2.21.4/call_list_test.gopackage gosec_test import ( "go/ast" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("Call List", func() { var calls gosec.CallList BeforeEach(func() { calls = gosec.NewCallList() }) It("should not return any matches when empty", func() { Expect(calls.Contains("foo", "bar")).Should(BeFalse()) }) It("should be possible to add a single call", func() { Expect(calls).Should(BeEmpty()) calls.Add("foo", "bar") Expect(calls).Should(HaveLen(1)) expected := make(map[string]bool) expected["bar"] = true actual := map[string]bool(calls["foo"]) Expect(actual).Should(Equal(expected)) }) It("should be possible to add multiple calls at once", func() { Expect(calls).Should(BeEmpty()) calls.AddAll("fmt", "Sprint", "Sprintf", "Printf", "Println") expected := map[string]bool{ "Sprint": true, "Sprintf": true, "Printf": true, "Println": true, } actual := map[string]bool(calls["fmt"]) Expect(actual).Should(Equal(expected)) }) It("should be possible to add pointer call", func() { Expect(calls).Should(BeEmpty()) calls.Add("*bytes.Buffer", "WriteString") actual := calls.ContainsPointer("*bytes.Buffer", "WriteString") Expect(actual).Should(BeTrue()) }) It("should be possible to check pointer call", func() { Expect(calls).Should(BeEmpty()) calls.Add("bytes.Buffer", "WriteString") actual := calls.ContainsPointer("*bytes.Buffer", "WriteString") Expect(actual).Should(BeTrue()) }) It("should not return a match if none are present", func() { calls.Add("ioutil", "Copy") Expect(calls.Contains("fmt", "Println")).Should(BeFalse()) }) It("should match a call based on selector and ident", func() { calls.Add("ioutil", "Copy") Expect(calls.Contains("ioutil", "Copy")).Should(BeTrue()) }) It("should match a package call expression", func() { // Create file to be scanned pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("md5.go", testutils.SampleCodeG401[0].Code[0]) ctx := pkg.CreateContext("md5.go") // Search for md5.New() calls.Add("crypto/md5", "New") // Stub out visitor and count number of matched call expr matched := 0 v := testutils.NewMockVisitor() v.Context = ctx v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil { matched++ } return true } ast.Walk(v, ctx.Root) Expect(matched).Should(Equal(1)) }) It("should match a package call expression", func() { // Create file to be scanned pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("cipher.go", testutils.SampleCodeG405[0].Code[0]) ctx := pkg.CreateContext("cipher.go") // Search for des.NewCipher() calls.Add("crypto/des", "NewCipher") // Stub out visitor and count number of matched call expr matched := 0 v := testutils.NewMockVisitor() v.Context = ctx v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil { matched++ } return true } ast.Walk(v, ctx.Root) Expect(matched).Should(Equal(1)) }) It("should match a package call expression", func() { // Create file to be scanned pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("md4.go", testutils.SampleCodeG406[0].Code[0]) ctx := pkg.CreateContext("md4.go") // Search for md4.New() calls.Add("golang.org/x/crypto/md4", "New") // Stub out visitor and count number of matched call expr matched := 0 v := testutils.NewMockVisitor() v.Context = ctx v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if _, ok := n.(*ast.CallExpr); ok && calls.ContainsPkgCallExpr(n, ctx, false) != nil { matched++ } return true } ast.Walk(v, ctx.Root) Expect(matched).Should(Equal(1)) }) It("should match a call expression", func() { // Create file to be scanned pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", testutils.SampleCodeG104[6].Code[0]) ctx := pkg.CreateContext("main.go") calls.Add("bytes.Buffer", "WriteString") calls.Add("strings.Builder", "WriteString") calls.Add("io.Pipe", "CloseWithError") calls.Add("fmt", "Fprintln") // Stub out visitor and count number of matched call expr matched := 0 v := testutils.NewMockVisitor() v.Context = ctx v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if _, ok := n.(*ast.CallExpr); ok && calls.ContainsCallExpr(n, ctx) != nil { matched++ } return true } ast.Walk(v, ctx.Root) Expect(matched).Should(Equal(5)) }) }) 07070100000021000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001100000000gosec-2.21.4/cmd07070100000022000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001700000000gosec-2.21.4/cmd/gosec07070100000023000081A400000000000000000000000166F5526900003E1A000000000000000000000000000000000000001F00000000gosec-2.21.4/cmd/gosec/main.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package main import ( "flag" "fmt" "io" "log" "os" "runtime" "sort" "strings" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/analyzers" "github.com/securego/gosec/v2/autofix" "github.com/securego/gosec/v2/cmd/vflag" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/report" "github.com/securego/gosec/v2/rules" ) const ( usageText = ` gosec - Golang security checker gosec analyzes Go source code to look for common programming mistakes that can lead to security problems. VERSION: %s GIT TAG: %s BUILD DATE: %s USAGE: # Check a single package $ gosec $GOPATH/src/github.com/example/project # Check all packages under the current directory and save results in # json format. $ gosec -fmt=json -out=results.json ./... # Run a specific set of rules (by default all rules will be run): $ gosec -include=G101,G203,G401 ./... # Run all rules except the provided $ gosec -exclude=G101 $GOPATH/src/github.com/example/project/... ` // Environment variable for AI API key. aiApiKeyEnv = "GOSEC_AI_API_KEY" // #nosec G101 ) type arrayFlags []string func (a *arrayFlags) String() string { return strings.Join(*a, " ") } func (a *arrayFlags) Set(value string) error { *a = append(*a, value) return nil } var ( // #nosec flag flagIgnoreNoSec = flag.Bool("nosec", false, "Ignores #nosec comments when set") // show ignored flagShowIgnored = flag.Bool("show-ignored", false, "If enabled, ignored issues are printed") // format output flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or text") // #nosec alternative tag flagAlternativeNoSec = flag.String("nosec-tag", "", "Set an alternative string for #nosec. Some examples: #dontanalyze, #falsepositive") // flagEnableAudit enables audit mode flagEnableAudit = flag.Bool("enable-audit", false, "Enable audit mode") // output file flagOutput = flag.String("out", "", "Set output file for results") // config file flagConfig = flag.String("conf", "", "Path to optional config file") // quiet flagQuiet = flag.Bool("quiet", false, "Only show output when errors are found") // rules to explicitly include flagRulesInclude = flag.String("include", "", "Comma separated list of rules IDs to include. (see rule list)") // rules to explicitly exclude flagRulesExclude = vflag.ValidatedFlag{} // rules to explicitly exclude flagExcludeGenerated = flag.Bool("exclude-generated", false, "Exclude generated files") // log to file or stderr flagLogfile = flag.String("log", "", "Log messages to file rather than stderr") // sort the issues by severity flagSortIssues = flag.Bool("sort", true, "Sort issues by severity") // go build tags flagBuildTags = flag.String("tags", "", "Comma separated list of build tags") // fail by severity flagSeverity = flag.String("severity", "low", "Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high") // fail by confidence flagConfidence = flag.String("confidence", "low", "Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high") // concurrency value flagConcurrency = flag.Int("concurrency", runtime.NumCPU(), "Concurrency value") // do not fail flagNoFail = flag.Bool("no-fail", false, "Do not fail the scanning, even if issues were found") // scan tests files flagScanTests = flag.Bool("tests", false, "Scan tests files") // print version and quit with exit code 0 flagVersion = flag.Bool("version", false, "Print version and quit with exit code 0") // stdout the results as well as write it in the output file flagStdOut = flag.Bool("stdout", false, "Stdout the results as well as write it in the output file") // print the text report with color, this is enabled by default flagColor = flag.Bool("color", true, "Prints the text format report with colorization when it goes in the stdout") // append ./... to the target dir. flagRecursive = flag.Bool("r", false, "Appends \"./...\" to the target dir.") // overrides the output format when stdout the results while saving them in the output file flagVerbose = flag.String("verbose", "", "Overrides the output format when stdout the results while saving them in the output file.\nValid options are: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or text") // output suppression information for auditing purposes flagTrackSuppressions = flag.Bool("track-suppressions", false, "Output suppression information, including its kind and justification") // flagTerse shows only the summary of scan discarding all the logs flagTerse = flag.Bool("terse", false, "Shows only the results and summary") // AI platform provider to generate solutions to issues flagAiApiProvider = flag.String("ai-api-provider", "", "AI API provider to generate auto fixes to issues.\nValid options are: gemini") // key to implementing AI provider services flagAiApiKey = flag.String("ai-api-key", "", "key to access the AI API") // endpoint to the AI provider flagAiEndpoint = flag.String("ai-endpoint", "", "endpoint AI API.\nThis is optional, the default API endpoint will be used when not provided.") // exclude the folders from scan flagDirsExclude arrayFlags logger *log.Logger ) // #nosec func usage() { usageText := fmt.Sprintf(usageText, Version, GitTag, BuildDate) fmt.Fprintln(os.Stderr, usageText) fmt.Fprint(os.Stderr, "OPTIONS:\n\n") flag.PrintDefaults() fmt.Fprint(os.Stderr, "\n\nRULES:\n\n") // sorted rule list for ease of reading rl := rules.Generate(*flagTrackSuppressions) al := analyzers.Generate(*flagTrackSuppressions) keys := make([]string, 0, len(rl.Rules)+len(al.Analyzers)) for key := range rl.Rules { keys = append(keys, key) } for key := range al.Analyzers { keys = append(keys, key) } sort.Strings(keys) for _, k := range keys { var description string if rule, ok := rl.Rules[k]; ok { description = rule.Description } else if analyzer, ok := al.Analyzers[k]; ok { description = analyzer.Description } fmt.Fprintf(os.Stderr, "\t%s: %s\n", k, description) } fmt.Fprint(os.Stderr, "\n") } func loadConfig(configFile string) (gosec.Config, error) { config := gosec.NewConfig() if configFile != "" { // #nosec file, err := os.Open(configFile) if err != nil { return nil, err } defer file.Close() // #nosec G307 if _, err := config.ReadFrom(file); err != nil { return nil, err } } if *flagIgnoreNoSec { config.SetGlobal(gosec.Nosec, "true") } if *flagShowIgnored { config.SetGlobal(gosec.ShowIgnored, "true") } if *flagAlternativeNoSec != "" { config.SetGlobal(gosec.NoSecAlternative, *flagAlternativeNoSec) } if *flagEnableAudit { config.SetGlobal(gosec.Audit, "true") } // set global option IncludeRules, when flag set or global option IncludeRules is nil if v, _ := config.GetGlobal(gosec.IncludeRules); *flagRulesInclude != "" || v == "" { config.SetGlobal(gosec.IncludeRules, *flagRulesInclude) } // set global option ExcludeRules, when flag set or global option ExcludeRules is nil if v, _ := config.GetGlobal(gosec.ExcludeRules); flagRulesExclude.String() != "" || v == "" { config.SetGlobal(gosec.ExcludeRules, flagRulesExclude.String()) } return config, nil } func loadRules(include, exclude string) rules.RuleList { var filters []rules.RuleFilter if include != "" { logger.Printf("Including rules: %s", include) including := strings.Split(include, ",") filters = append(filters, rules.NewRuleFilter(false, including...)) } else { logger.Println("Including rules: default") } if exclude != "" { logger.Printf("Excluding rules: %s", exclude) excluding := strings.Split(exclude, ",") filters = append(filters, rules.NewRuleFilter(true, excluding...)) } else { logger.Println("Excluding rules: default") } return rules.Generate(*flagTrackSuppressions, filters...) } func loadAnalyzers(include, exclude string) *analyzers.AnalyzerList { var filters []analyzers.AnalyzerFilter if include != "" { logger.Printf("Including analyzers: %s", include) including := strings.Split(include, ",") filters = append(filters, analyzers.NewAnalyzerFilter(false, including...)) } else { logger.Println("Including analyzers: default") } if exclude != "" { logger.Printf("Excluding analyzers: %s", exclude) excluding := strings.Split(exclude, ",") filters = append(filters, analyzers.NewAnalyzerFilter(true, excluding...)) } else { logger.Println("Excluding analyzers: default") } return analyzers.Generate(*flagTrackSuppressions, filters...) } func getRootPaths(paths []string) []string { rootPaths := make([]string, 0) for _, path := range paths { rootPath, err := gosec.RootPath(path) if err != nil { logger.Fatal(fmt.Errorf("failed to get the root path of the projects: %w", err)) } rootPaths = append(rootPaths, rootPath) } return rootPaths } // If verbose is defined it overwrites the defined format // Otherwise the actual format is used func getPrintedFormat(format string, verbose string) string { if verbose != "" { return verbose } return format } func printReport(format string, color bool, rootPaths []string, reportInfo *gosec.ReportInfo) error { err := report.CreateReport(os.Stdout, format, color, rootPaths, reportInfo) if err != nil { return err } return nil } func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error { outfile, err := os.Create(filename) // #nosec G304 if err != nil { return err } defer outfile.Close() // #nosec G307 err = report.CreateReport(outfile, format, false, rootPaths, reportInfo) if err != nil { return err } return nil } func convertToScore(value string) (issue.Score, error) { value = strings.ToLower(value) switch value { case "low": return issue.Low, nil case "medium": return issue.Medium, nil case "high": return issue.High, nil default: return issue.Low, fmt.Errorf("provided value '%s' not valid. Valid options: low, medium, high", value) } } func filterIssues(issues []*issue.Issue, severity issue.Score, confidence issue.Score) ([]*issue.Issue, int) { result := make([]*issue.Issue, 0) trueIssues := 0 for _, issue := range issues { if issue.Severity >= severity && issue.Confidence >= confidence { result = append(result, issue) if (!issue.NoSec || !*flagShowIgnored) && len(issue.Suppressions) == 0 { trueIssues++ } } } return result, trueIssues } func exit(issues []*issue.Issue, errors map[string][]gosec.Error, noFail bool) { nsi := 0 for _, issue := range issues { if len(issue.Suppressions) == 0 { nsi++ } } if (nsi > 0 || len(errors) > 0) && !noFail { os.Exit(1) } os.Exit(0) } func main() { // Makes sure some version information is set prepareVersionInfo() // Setup usage description flag.Usage = usage // Setup the excluded folders from scan flag.Var(&flagDirsExclude, "exclude-dir", "Exclude folder from scan (can be specified multiple times)") err := flag.Set("exclude-dir", "vendor") if err != nil { fmt.Fprintf(os.Stderr, "\nError: failed to exclude the %q directory from scan", "vendor") } err = flag.Set("exclude-dir", "\\.git/") if err != nil { fmt.Fprintf(os.Stderr, "\nError: failed to exclude the %q directory from scan", "\\.git/") } // set for exclude flag.Var(&flagRulesExclude, "exclude", "Comma separated list of rules IDs to exclude. (see rule list)") // Parse command line arguments flag.Parse() if *flagVersion { fmt.Printf("Version: %s\nGit tag: %s\nBuild date: %s\n", Version, GitTag, BuildDate) os.Exit(0) } // Ensure at least one file was specified or that the recursive -r flag was set. if flag.NArg() == 0 && !*flagRecursive { fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' or -r expected\n") // #nosec flag.Usage() os.Exit(1) } // Setup logging logWriter := os.Stderr if *flagLogfile != "" { var e error logWriter, e = os.Create(*flagLogfile) if e != nil { flag.Usage() log.Fatal(e) } } if *flagQuiet || *flagTerse { logger = log.New(io.Discard, "", 0) } else { logger = log.New(logWriter, "[gosec] ", log.LstdFlags) } failSeverity, err := convertToScore(*flagSeverity) if err != nil { logger.Fatalf("Invalid severity value: %v", err) } failConfidence, err := convertToScore(*flagConfidence) if err != nil { logger.Fatalf("Invalid confidence value: %v", err) } // Load the analyzer configuration config, err := loadConfig(*flagConfig) if err != nil { logger.Fatal(err) } // Load enabled rule definitions excludeRules, err := config.GetGlobal(gosec.ExcludeRules) if err != nil { logger.Fatal(err) } includeRules, err := config.GetGlobal(gosec.IncludeRules) if err != nil { logger.Fatal(err) } ruleList := loadRules(includeRules, excludeRules) analyzerList := loadAnalyzers(includeRules, excludeRules) if len(ruleList.Rules) == 0 && len(analyzerList.Analyzers) == 0 { logger.Fatal("No rules/analyzers are configured") } // Create the analyzer analyzer := gosec.NewAnalyzer(config, *flagScanTests, *flagExcludeGenerated, *flagTrackSuppressions, *flagConcurrency, logger) analyzer.LoadRules(ruleList.RulesInfo()) analyzer.LoadAnalyzers(analyzerList.AnalyzersInfo()) excludedDirs := gosec.ExcludedDirsRegExp(flagDirsExclude) var packages []string paths := flag.Args() if len(paths) == 0 { paths = append(paths, "./...") } for _, path := range paths { pcks, err := gosec.PackagePaths(path, excludedDirs) if err != nil { logger.Fatal(err) } packages = append(packages, pcks...) } if len(packages) == 0 { logger.Fatal("No packages found") } var buildTags []string if *flagBuildTags != "" { buildTags = strings.Split(*flagBuildTags, ",") } if err := analyzer.Process(buildTags, packages...); err != nil { logger.Fatal(err) } // Collect the results issues, metrics, errors := analyzer.Report() // Sort the issue by severity if *flagSortIssues { sortIssues(issues) } // Filter the issues by severity and confidence var trueIssues int issues, trueIssues = filterIssues(issues, failSeverity, failConfidence) if metrics.NumFound != trueIssues { metrics.NumFound = trueIssues } // Exit quietly if nothing was found if len(issues) == 0 && *flagQuiet { os.Exit(0) } // Create output report rootPaths := getRootPaths(flag.Args()) reportInfo := gosec.NewReportInfo(issues, metrics, errors).WithVersion(Version) // Call AI request to solve the issues aiApiKey := os.Getenv(aiApiKeyEnv) if aiApiKeyEnv == "" { aiApiKey = *flagAiApiKey } if *flagAiApiProvider != "" && aiApiKey != "" { err := autofix.GenerateSolution(*flagAiApiProvider, aiApiKey, *flagAiEndpoint, issues) if err != nil { logger.Print(err) } } if *flagOutput == "" || *flagStdOut { fileFormat := getPrintedFormat(*flagFormat, *flagVerbose) if err := printReport(fileFormat, *flagColor, rootPaths, reportInfo); err != nil { logger.Fatal(err) } } if *flagOutput != "" { if err := saveReport(*flagOutput, *flagFormat, rootPaths, reportInfo); err != nil { logger.Fatal(err) } } // Finalize logging logWriter.Close() // #nosec exit(issues, errors, *flagNoFail) } 07070100000024000081A400000000000000000000000166F552690000035B000000000000000000000000000000000000002600000000gosec-2.21.4/cmd/gosec/sort_issues.gopackage main import ( "sort" "strconv" "strings" "github.com/securego/gosec/v2/issue" ) // handle ranges func extractLineNumber(s string) int { lineNumber, _ := strconv.Atoi(strings.Split(s, "-")[0]) return lineNumber } type sortBySeverity []*issue.Issue func (s sortBySeverity) Len() int { return len(s) } func (s sortBySeverity) Less(i, j int) bool { if s[i].Severity == s[j].Severity { if s[i].What == s[j].What { if s[i].File == s[j].File { return extractLineNumber(s[i].Line) > extractLineNumber(s[j].Line) } return s[i].File > s[j].File } return s[i].What > s[j].What } return s[i].Severity > s[j].Severity } func (s sortBySeverity) Swap(i, j int) { s[i], s[j] = s[j], s[i] } // sortIssues sorts the issues by severity in descending order func sortIssues(issues []*issue.Issue) { sort.Sort(sortBySeverity(issues)) } 07070100000025000081A400000000000000000000000166F5526900000661000000000000000000000000000000000000002B00000000gosec-2.21.4/cmd/gosec/sort_issues_test.gopackage main import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2/issue" ) var defaultIssue = issue.Issue{ File: "/home/src/project/test.go", Line: "1", Col: "1", RuleID: "ruleID", What: "test", Confidence: issue.High, Severity: issue.High, Code: "1: testcode", Cwe: issue.GetCweByRule("G101"), } func createIssue() issue.Issue { return defaultIssue } func TestRules(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Sort issues Suite") } func firstIsGreater(less, greater *issue.Issue) { slice := []*issue.Issue{less, greater} sortIssues(slice) ExpectWithOffset(0, slice[0]).To(Equal(greater)) } var _ = Describe("Sorting by Severity", func() { It("sorts by severity", func() { less := createIssue() less.Severity = issue.Low greater := createIssue() less.Severity = issue.High firstIsGreater(&less, &greater) }) Context("Severity is same", func() { It("sorts by What", func() { less := createIssue() less.What = "test1" greater := createIssue() greater.What = "test2" firstIsGreater(&less, &greater) }) }) Context("Severity and What is same", func() { It("sorts by File", func() { less := createIssue() less.File = "test1" greater := createIssue() greater.File = "test2" firstIsGreater(&less, &greater) }) }) Context("Severity, What and File is same", func() { It("sorts by line number", func() { less := createIssue() less.Line = "1" greater := createIssue() greater.Line = "2" firstIsGreater(&less, &greater) }) }) }) 07070100000026000081A400000000000000000000000166F55269000002C4000000000000000000000000000000000000002200000000gosec-2.21.4/cmd/gosec/version.gopackage main // Version is the build version var Version string // GitTag is the git tag of the build var GitTag string // BuildDate is the date when the build was created var BuildDate string // prepareVersionInfo sets some runtime version when the version value // was not injected by the build into the binary (e.g. go get). // This returns currently "(devel)" but not an effective version until // https://github.com/golang/go/issues/29814 gets resolved. func prepareVersionInfo() { if Version == "" { // bi, _ := debug.ReadBuildInfo() // Version = bi.Main.Version // TODO use the debug information when it will provide more details // It seems to panic with Go 1.13. Version = "dev" } } 07070100000027000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001B00000000gosec-2.21.4/cmd/gosecutil07070100000028000081A400000000000000000000000166F552690000199C000000000000000000000000000000000000002400000000gosec-2.21.4/cmd/gosecutil/tools.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package main import ( "flag" "fmt" "go/ast" "go/importer" "go/parser" "go/token" "go/types" "os" "strings" ) type ( command func(args ...string) utilities struct { commands map[string]command call []string } ) // Custom commands / utilities to run instead of default analyzer func newUtils() *utilities { utils := make(map[string]command) utils["ast"] = dumpAst utils["callobj"] = dumpCallObj utils["uses"] = dumpUses utils["types"] = dumpTypes utils["defs"] = dumpDefs utils["comments"] = dumpComments utils["imports"] = dumpImports return &utilities{utils, make([]string, 0)} } func (u *utilities) String() string { i := 0 keys := make([]string, len(u.commands)) for k := range u.commands { keys[i] = k i++ } return strings.Join(keys, ", ") } func (u *utilities) Set(opt string) error { if _, ok := u.commands[opt]; !ok { return fmt.Errorf("valid tools are: %s", u.String()) } u.call = append(u.call, opt) return nil } func (u *utilities) run(args ...string) { for _, util := range u.call { if cmd, ok := u.commands[util]; ok { cmd(args...) } } } func shouldSkip(path string) bool { st, e := os.Stat(path) if e != nil { //#nosec fmt.Fprintf(os.Stderr, "Skipping: %s - %s\n", path, e) return true } if st.IsDir() { //#nosec fmt.Fprintf(os.Stderr, "Skipping: %s - directory\n", path) return true } return false } func dumpAst(files ...string) { for _, arg := range files { // Ensure file exists and not a directory if shouldSkip(arg) { continue } // Create the AST by parsing src. fset := token.NewFileSet() // positions are relative to fset f, err := parser.ParseFile(fset, arg, nil, 0) if err != nil { //#nosec fmt.Fprintf(os.Stderr, "Unable to parse file %s\n", err) continue } //#nosec -- Print the AST. ast.Print(fset, f) } } type context struct { fileset *token.FileSet comments ast.CommentMap info *types.Info pkg *types.Package config *types.Config root *ast.File } func createContext(filename string) *context { fileset := token.NewFileSet() root, e := parser.ParseFile(fileset, filename, nil, parser.ParseComments) if e != nil { //#nosec fmt.Fprintf(os.Stderr, "Unable to parse file: %s. Reason: %s\n", filename, e) return nil } comments := ast.NewCommentMap(fileset, root, root.Comments) info := &types.Info{ Types: make(map[ast.Expr]types.TypeAndValue), Defs: make(map[*ast.Ident]types.Object), Uses: make(map[*ast.Ident]types.Object), Selections: make(map[*ast.SelectorExpr]*types.Selection), Scopes: make(map[ast.Node]*types.Scope), Implicits: make(map[ast.Node]types.Object), } config := types.Config{Importer: importer.Default()} pkg, e := config.Check("main.go", fileset, []*ast.File{root}, info) if e != nil { //#nosec fmt.Fprintf(os.Stderr, "Type check failed for file: %s. Reason: %s\n", filename, e) return nil } return &context{fileset, comments, info, pkg, &config, root} } func printObject(obj types.Object) { fmt.Println("OBJECT") if obj == nil { fmt.Println("object is nil") return } fmt.Printf(" Package = %v\n", obj.Pkg()) if obj.Pkg() != nil { fmt.Println(" Path = ", obj.Pkg().Path()) fmt.Println(" Name = ", obj.Pkg().Name()) fmt.Println(" String = ", obj.Pkg().String()) } fmt.Printf(" Name = %v\n", obj.Name()) fmt.Printf(" Type = %v\n", obj.Type()) fmt.Printf(" Id = %v\n", obj.Id()) } func checkContext(ctx *context, file string) bool { //#nosec if ctx == nil { fmt.Fprintln(os.Stderr, "Failed to create context for file: ", file) return false } return true } func dumpCallObj(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } ast.Inspect(context.root, func(n ast.Node) bool { var obj types.Object switch node := n.(type) { case *ast.Ident: obj = context.info.ObjectOf(node) // context.info.Uses[node] case *ast.SelectorExpr: obj = context.info.ObjectOf(node.Sel) // context.info.Uses[node.Sel] default: obj = nil } if obj != nil { printObject(obj) } return true }) } } func dumpUses(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } for ident, obj := range context.info.Uses { fmt.Printf("IDENT: %v, OBJECT: %v\n", ident, obj) } } } func dumpTypes(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } for expr, tv := range context.info.Types { fmt.Printf("EXPR: %v, TYPE: %v\n", expr, tv) } } } func dumpDefs(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } for ident, obj := range context.info.Defs { fmt.Printf("IDENT: %v, OBJ: %v\n", ident, obj) } } } func dumpComments(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } for _, group := range context.comments.Comments() { fmt.Println(group.Text()) } } } func dumpImports(files ...string) { for _, file := range files { if shouldSkip(file) { continue } context := createContext(file) if !checkContext(context, file) { return } for _, pkg := range context.pkg.Imports() { fmt.Println(pkg.Path(), pkg.Name()) for _, name := range pkg.Scope().Names() { fmt.Println(" => ", name) } } } } func main() { tools := newUtils() flag.Var(tools, "tool", "Utils to assist with rule development") flag.Parse() if len(tools.call) > 0 { tools.run(flag.Args()...) os.Exit(0) } } 07070100000029000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001B00000000gosec-2.21.4/cmd/tlsconfig0707010000002A000081A400000000000000000000000166F55269000000DF000000000000000000000000000000000000002E00000000gosec-2.21.4/cmd/tlsconfig/header_template.gopackage main import "text/template" var generatedHeaderTmpl = template.Must(template.New("generated").Parse(` package {{.}} import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) `)) 0707010000002B000081A400000000000000000000000166F552690000028C000000000000000000000000000000000000002C00000000gosec-2.21.4/cmd/tlsconfig/rule_template.gopackage main import "text/template" var generatedRuleTmpl = template.Must(template.New("generated").Parse(` // New{{.Name}}TLSCheck creates a check for {{.Name}} TLS ciphers // DO NOT EDIT - generated by tlsconfig tool func New{{.Name}}TLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return &insecureConfigTLS{ MetaData: issue.MetaData{ID: id}, requiredType: "crypto/tls.Config", MinVersion: {{ .MinVersion }}, MaxVersion: {{ .MaxVersion }}, goodCiphers: []string{ {{range $cipherName := .Ciphers }} "{{$cipherName}}", {{end}} }, }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } `)) 0707010000002C000081A400000000000000000000000166F5526900000206000000000000000000000000000000000000002A00000000gosec-2.21.4/cmd/tlsconfig/tls_version.gopackage main import ( "crypto/tls" "sort" ) func mapTLSVersions(tlsVersions []string) []int { var versions []int for _, tlsVersion := range tlsVersions { switch tlsVersion { case "TLSv1.3": versions = append(versions, tls.VersionTLS13) case "TLSv1.2": versions = append(versions, tls.VersionTLS12) case "TLSv1.1": versions = append(versions, tls.VersionTLS11) case "TLSv1": versions = append(versions, tls.VersionTLS10) default: continue } } sort.Ints(versions) return versions } 0707010000002D000081A400000000000000000000000166F552690000165C000000000000000000000000000000000000002800000000gosec-2.21.4/cmd/tlsconfig/tlsconfig.gopackage main import ( "bytes" "encoding/json" "errors" "flag" "fmt" "go/format" "log" "net/http" "os" "path/filepath" "github.com/mozilla/tls-observatory/constants" "golang.org/x/text/cases" "golang.org/x/text/language" ) var ( pkg = flag.String("pkg", "rules", "package name to be added to the output file") outputFile = flag.String("outputFile", "tls_config.go", "name of the output file") ) // TLSConfURL url where Mozilla publishes the TLS ciphers recommendations const TLSConfURL = "https://statics.tls.security.mozilla.org/server-side-tls-conf.json" // ServerSideTLSJson contains all the available configurations and the version of the current document. type ServerSideTLSJson struct { Configurations map[string]Configuration `json:"configurations"` Version float64 `json:"version"` } // Configuration represents configurations levels declared by the Mozilla server-side-tls // see https://wiki.mozilla.org/Security/Server_Side_TLS type Configuration struct { OpenSSLCiphersuites []string `json:"openssl_ciphersuites"` OpenSSLCiphers []string `json:"openssl_ciphers"` TLSVersions []string `json:"tls_versions"` TLSCurves []string `json:"tls_curves"` CertificateTypes []string `json:"certificate_types"` CertificateCurves []string `json:"certificate_curves"` CertificateSignatures []string `json:"certificate_signatures"` RsaKeySize float64 `json:"rsa_key_size"` DHParamSize float64 `json:"dh_param_size"` ECDHParamSize float64 `json:"ecdh_param_size"` HstsMinAge float64 `json:"hsts_min_age"` OldestClients []string `json:"oldest_clients"` OCSPStaple bool `json:"ocsp_staple"` ServerPreferredOrder bool `json:"server_preferred_order"` MaxCertLifespan float64 `json:"maximum_certificate_lifespan"` } type goCipherConfiguration struct { Name string Ciphers []string MinVersion string MaxVersion string } type goTLSConfiguration struct { cipherConfigs []goCipherConfiguration } // getTLSConfFromURL retrieves the json containing the TLS configurations from the specified URL. func getTLSConfFromURL(url string) (*ServerSideTLSJson, error) { r, err := http.Get(url) //#nosec G107 if err != nil { return nil, err } defer r.Body.Close() //#nosec G307 var sstls ServerSideTLSJson err = json.NewDecoder(r.Body).Decode(&sstls) if err != nil { return nil, err } return &sstls, nil } func getGoCipherConfig(name string, sstls ServerSideTLSJson) (goCipherConfiguration, error) { caser := cases.Title(language.English) cipherConf := goCipherConfiguration{Name: caser.String(name)} conf, ok := sstls.Configurations[name] if !ok { return cipherConf, fmt.Errorf("TLS configuration '%s' not found", name) } // These ciphers are already defined in IANA format cipherConf.Ciphers = append(cipherConf.Ciphers, conf.OpenSSLCiphersuites...) for _, cipherName := range conf.OpenSSLCiphers { cipherSuite, ok := constants.CipherSuites[cipherName] if !ok { log.Printf("'%s' cipher is not available in crypto/tls package\n", cipherName) } if len(cipherSuite.IANAName) > 0 { cipherConf.Ciphers = append(cipherConf.Ciphers, cipherSuite.IANAName) if len(cipherSuite.NSSName) > 0 && cipherSuite.NSSName != cipherSuite.IANAName { cipherConf.Ciphers = append(cipherConf.Ciphers, cipherSuite.NSSName) } } } versions := mapTLSVersions(conf.TLSVersions) if len(versions) > 0 { cipherConf.MinVersion = fmt.Sprintf("0x%04x", versions[0]) cipherConf.MaxVersion = fmt.Sprintf("0x%04x", versions[len(versions)-1]) } else { return cipherConf, fmt.Errorf("No TLS versions found for configuration '%s'", name) } return cipherConf, nil } func getGoTLSConf() (goTLSConfiguration, error) { sstls, err := getTLSConfFromURL(TLSConfURL) if err != nil || sstls == nil { msg := fmt.Sprintf("Could not load the Server Side TLS configuration from Mozilla's website. Check the URL: %s. Error: %v\n", TLSConfURL, err) panic(msg) } tlsConfig := goTLSConfiguration{} modern, err := getGoCipherConfig("modern", *sstls) if err != nil { return tlsConfig, err } tlsConfig.cipherConfigs = append(tlsConfig.cipherConfigs, modern) intermediate, err := getGoCipherConfig("intermediate", *sstls) if err != nil { return tlsConfig, err } tlsConfig.cipherConfigs = append(tlsConfig.cipherConfigs, intermediate) old, err := getGoCipherConfig("old", *sstls) if err != nil { return tlsConfig, err } tlsConfig.cipherConfigs = append(tlsConfig.cipherConfigs, old) return tlsConfig, nil } func getCurrentDir() (string, error) { dir := "." if args := flag.Args(); len(args) == 1 { dir = args[0] } else if len(args) > 1 { return "", errors.New("only one directory at a time") } dir, err := filepath.Abs(dir) if err != nil { return "", err } return dir, nil } func main() { dir, err := getCurrentDir() if err != nil { log.Fatalln(err) } tlsConfig, err := getGoTLSConf() if err != nil { log.Fatalln(err) } var buf bytes.Buffer err = generatedHeaderTmpl.Execute(&buf, *pkg) if err != nil { log.Fatalf("Failed to generate the header: %v", err) } for _, cipherConfig := range tlsConfig.cipherConfigs { err := generatedRuleTmpl.Execute(&buf, cipherConfig) if err != nil { log.Fatalf("Failed to generated the cipher config: %v", err) } } src, err := format.Source(buf.Bytes()) if err != nil { log.Printf("warnings: Failed to format the code: %v", err) src = buf.Bytes() } outputPath := filepath.Join(dir, *outputFile) if err := os.WriteFile(outputPath, src, 0o644); err != nil /*#nosec G306*/ { log.Fatalf("Writing output: %s", err) } } 0707010000002E000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001700000000gosec-2.21.4/cmd/vflag0707010000002F000081A400000000000000000000000166F55269000001A5000000000000000000000000000000000000001F00000000gosec-2.21.4/cmd/vflag/flag.gopackage vflag import ( "errors" "strings" ) // ValidatedFlag cli string type type ValidatedFlag struct { Value string } func (f *ValidatedFlag) String() string { return f.Value } // Set will be called for flag that is of validateFlag type func (f *ValidatedFlag) Set(value string) error { if strings.Contains(value, "-") { return errors.New("flag value cannot start with -") } f.Value = value return nil } 07070100000030000081A400000000000000000000000166F5526900000FAD000000000000000000000000000000000000001700000000gosec-2.21.4/config.gopackage gosec import ( "bytes" "encoding/json" "fmt" "io" ) const ( // Globals are applicable to all rules and used for general // configuration settings for gosec. Globals = "global" ) // GlobalOption defines the name of the global options type GlobalOption string const ( // Nosec global option for #nosec directive Nosec GlobalOption = "nosec" // ShowIgnored defines whether nosec issues are counted as finding or not ShowIgnored GlobalOption = "show-ignored" // Audit global option which indicates that gosec runs in audit mode Audit GlobalOption = "audit" // NoSecAlternative global option alternative for #nosec directive NoSecAlternative GlobalOption = "#nosec" // ExcludeRules global option for some rules should not be load ExcludeRules GlobalOption = "exclude" // IncludeRules global option for should be load IncludeRules GlobalOption = "include" // SSA global option to enable go analysis framework with SSA support SSA GlobalOption = "ssa" ) // NoSecTag returns the tag used to disable gosec for a line of code. func NoSecTag(tag string) string { return fmt.Sprintf("%s%s", "#", tag) } // Config is used to provide configuration and customization to each of the rules. type Config map[string]interface{} // NewConfig initializes a new configuration instance. The configuration data then // needs to be loaded via c.ReadFrom(strings.NewReader("config data")) // or from a *os.File. func NewConfig() Config { cfg := make(Config) cfg[Globals] = make(map[GlobalOption]string) return cfg } func (c Config) keyToGlobalOptions(key string) GlobalOption { return GlobalOption(key) } func (c Config) convertGlobals() { if globals, ok := c[Globals]; ok { if settings, ok := globals.(map[string]interface{}); ok { validGlobals := map[GlobalOption]string{} for k, v := range settings { validGlobals[c.keyToGlobalOptions(k)] = fmt.Sprintf("%v", v) } c[Globals] = validGlobals } } } // ReadFrom implements the io.ReaderFrom interface. This // should be used with io.Reader to load configuration from // file or from string etc. func (c Config) ReadFrom(r io.Reader) (int64, error) { data, err := io.ReadAll(r) if err != nil { return int64(len(data)), err } if err = json.Unmarshal(data, &c); err != nil { return int64(len(data)), err } c.convertGlobals() return int64(len(data)), nil } // WriteTo implements the io.WriteTo interface. This should // be used to save or print out the configuration information. func (c Config) WriteTo(w io.Writer) (int64, error) { data, err := json.Marshal(c) if err != nil { return int64(len(data)), err } return io.Copy(w, bytes.NewReader(data)) } // Get returns the configuration section for the supplied key func (c Config) Get(section string) (interface{}, error) { settings, found := c[section] if !found { return nil, fmt.Errorf("Section %s not in configuration", section) } return settings, nil } // Set section in the configuration to specified value func (c Config) Set(section string, value interface{}) { c[section] = value } // GetGlobal returns value associated with global configuration option func (c Config) GetGlobal(option GlobalOption) (string, error) { if globals, ok := c[Globals]; ok { if settings, ok := globals.(map[GlobalOption]string); ok { if value, ok := settings[option]; ok { return value, nil } return "", fmt.Errorf("global setting for %s not found", option) } } return "", fmt.Errorf("no global config options found") } // SetGlobal associates a value with a global configuration option func (c Config) SetGlobal(option GlobalOption, value string) { if globals, ok := c[Globals]; ok { if settings, ok := globals.(map[GlobalOption]string); ok { settings[option] = value } } } // IsGlobalEnabled checks if a global option is enabled func (c Config) IsGlobalEnabled(option GlobalOption) (bool, error) { value, err := c.GetGlobal(option) if err != nil { return false, err } return (value == "true" || value == "enabled"), nil } 07070100000031000081A400000000000000000000000166F552690000103C000000000000000000000000000000000000001C00000000gosec-2.21.4/config_test.gopackage gosec_test import ( "bytes" "strings" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" ) var _ = Describe("Configuration", func() { var configuration gosec.Config BeforeEach(func() { configuration = gosec.NewConfig() }) Context("when loading from disk", func() { It("should be possible to load configuration from a file", func() { json := `{"G101": {}}` buffer := bytes.NewBufferString(json) nread, err := configuration.ReadFrom(buffer) Expect(nread).Should(Equal(int64(len(json)))) Expect(err).ShouldNot(HaveOccurred()) }) It("should return an error if configuration file is invalid", func() { var err error invalidBuffer := bytes.NewBuffer([]byte{0xc0, 0xff, 0xee}) _, err = configuration.ReadFrom(invalidBuffer) Expect(err).Should(HaveOccurred()) emptyBuffer := bytes.NewBuffer([]byte{}) _, err = configuration.ReadFrom(emptyBuffer) Expect(err).Should(HaveOccurred()) }) }) Context("when saving to disk", func() { It("should be possible to save an empty configuration to file", func() { expected := `{"global":{}}` buffer := bytes.NewBuffer([]byte{}) nbytes, err := configuration.WriteTo(buffer) Expect(int(nbytes)).Should(Equal(len(expected))) Expect(err).ShouldNot(HaveOccurred()) Expect(buffer.String()).Should(Equal(expected)) }) It("should be possible to save configuration to file", func() { configuration.Set("G101", map[string]string{ "mode": "strict", }) buffer := bytes.NewBuffer([]byte{}) nbytes, err := configuration.WriteTo(buffer) Expect(int(nbytes)).ShouldNot(BeZero()) Expect(err).ShouldNot(HaveOccurred()) Expect(buffer.String()).Should(Equal(`{"G101":{"mode":"strict"},"global":{}}`)) }) }) Context("when configuring rules", func() { It("should be possible to get configuration for a rule", func() { settings := map[string]string{ "ciphers": "AES256-GCM", } configuration.Set("G101", settings) retrieved, err := configuration.Get("G101") Expect(err).ShouldNot(HaveOccurred()) Expect(retrieved).Should(HaveKeyWithValue("ciphers", "AES256-GCM")) Expect(retrieved).ShouldNot(HaveKey("foobar")) }) }) Context("when using global configuration options", func() { It("should have a default global section", func() { settings, err := configuration.Get("global") Expect(err).ShouldNot(HaveOccurred()) expectedType := make(map[gosec.GlobalOption]string) Expect(settings).Should(BeAssignableToTypeOf(expectedType)) }) It("should save global settings to correct section", func() { configuration.SetGlobal(gosec.Nosec, "enabled") settings, err := configuration.Get("global") Expect(err).ShouldNot(HaveOccurred()) if globals, ok := settings.(map[gosec.GlobalOption]string); ok { Expect(globals["nosec"]).Should(MatchRegexp("enabled")) } else { Fail("globals are not defined as map") } setValue, err := configuration.GetGlobal(gosec.Nosec) Expect(err).ShouldNot(HaveOccurred()) Expect(setValue).Should(MatchRegexp("enabled")) }) It("should find global settings which are enabled", func() { configuration.SetGlobal(gosec.Nosec, "enabled") enabled, err := configuration.IsGlobalEnabled(gosec.Nosec) Expect(err).ShouldNot(HaveOccurred()) Expect(enabled).Should(BeTrue()) }) It("should parse the global settings of type string from file", func() { config := ` { "global": { "nosec": "enabled" } }` cfg := gosec.NewConfig() _, err := cfg.ReadFrom(strings.NewReader(config)) Expect(err).ShouldNot(HaveOccurred()) value, err := cfg.GetGlobal(gosec.Nosec) Expect(err).ShouldNot(HaveOccurred()) Expect(value).Should(Equal("enabled")) }) It("should parse the global settings of other types from file", func() { config := ` { "global": { "nosec": true } }` cfg := gosec.NewConfig() _, err := cfg.ReadFrom(strings.NewReader(config)) Expect(err).ShouldNot(HaveOccurred()) value, err := cfg.GetGlobal(gosec.Nosec) Expect(err).ShouldNot(HaveOccurred()) Expect(value).Should(Equal("true")) }) }) }) 07070100000032000081A400000000000000000000000166F55269000000B2000000000000000000000000000000000000001800000000gosec-2.21.4/cosign.pub-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg== -----END PUBLIC KEY----- 07070100000033000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001100000000gosec-2.21.4/cwe07070100000034000081A400000000000000000000000166F55269000000B9000000000000000000000000000000000000002300000000gosec-2.21.4/cwe/cwe_suite_test.gopackage cwe_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestCwe(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Cwe Suite") } 07070100000035000081A400000000000000000000000166F552690000205A000000000000000000000000000000000000001900000000gosec-2.21.4/cwe/data.gopackage cwe const ( // Acronym is the acronym of CWE Acronym = "CWE" // Version the CWE version Version = "4.4" // ReleaseDateUtc the release Date of CWE Version ReleaseDateUtc = "2021-03-15" // Organization MITRE Organization = "MITRE" // Description the description of CWE Description = "The MITRE Common Weakness Enumeration" // InformationURI link to the published CWE PDF InformationURI = "https://cwe.mitre.org/data/published/cwe_v" + Version + ".pdf/" // DownloadURI link to the zipped XML of the CWE list DownloadURI = "https://cwe.mitre.org/data/xml/cwec_v" + Version + ".xml.zip" ) var idWeaknesses = map[string]*Weakness{ "22": { ID: "22", Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, "78": { ID: "78", Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.", Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, "79": { ID: "79", Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, "88": { ID: "88", Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.", Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", }, "89": { ID: "89", Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.", Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, "118": { ID: "118", Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.", Name: "Incorrect Access of Indexable Resource ('Range Error')", }, "190": { ID: "190", Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", Name: "Integer Overflow or Wraparound", }, "200": { ID: "200", Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", Name: "Exposure of Sensitive Information to an Unauthorized Actor", }, "242": { ID: "242", Description: "The program calls a function that can never be guaranteed to work safely.", Name: "Use of Inherently Dangerous Function", }, "276": { ID: "276", Description: "During installation, installed file permissions are set to allow anyone to modify those files.", Name: "Incorrect Default Permissions", }, "295": { ID: "295", Description: "The software does not validate, or incorrectly validates, a certificate.", Name: "Improper Certificate Validation", }, "310": { ID: "310", Description: "Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.", Name: "Cryptographic Issues", }, "322": { ID: "322", Description: "The software performs a key exchange with an actor without verifying the identity of that actor.", Name: "Key Exchange without Entity Authentication", }, "326": { ID: "326", Description: "The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.", Name: "Inadequate Encryption Strength", }, "327": { ID: "327", Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.", Name: "Use of a Broken or Risky Cryptographic Algorithm", }, "328": { ID: "328", Description: "The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). ", Name: "Use of Weak Hash", }, "338": { ID: "338", Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.", Name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", }, "377": { ID: "377", Description: "Creating and using insecure temporary files can leave application and system data vulnerable to attack.", Name: "Insecure Temporary File", }, "400": { ID: "400", Description: "The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.", Name: "Uncontrolled Resource Consumption", }, "409": { ID: "409", Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.", Name: "Improper Handling of Highly Compressed Data (Data Amplification)", }, "676": { ID: "676", Description: "The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.", Name: "Use of Potentially Dangerous Function", }, "703": { ID: "703", Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.", Name: "Improper Check or Handling of Exceptional Conditions", }, "798": { ID: "798", Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.", Name: "Use of Hard-coded Credentials", }, "1204": { ID: "1204", Description: "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.", Name: "Generation of Weak Initialization Vector (IV)", }, } // Get Retrieves a CWE weakness by it's id func Get(id string) *Weakness { weakness, ok := idWeaknesses[id] if ok && weakness != nil { return weakness } return nil } 07070100000036000081A400000000000000000000000166F55269000001F7000000000000000000000000000000000000001E00000000gosec-2.21.4/cwe/data_test.gopackage cwe_test import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2/cwe" ) var _ = Describe("CWE data", func() { BeforeEach(func() { }) Context("when consulting cwe data", func() { It("it should retrieves the weakness", func() { weakness := cwe.Get("798") Expect(weakness).ShouldNot(BeNil()) Expect(weakness.ID).ShouldNot(BeNil()) Expect(weakness.Name).ShouldNot(BeNil()) Expect(weakness.Description).ShouldNot(BeNil()) }) }) }) 07070100000037000081A400000000000000000000000166F55269000002F1000000000000000000000000000000000000001A00000000gosec-2.21.4/cwe/types.gopackage cwe import ( "encoding/json" "fmt" ) // Weakness defines a CWE weakness based on http://cwe.mitre.org/data/xsd/cwe_schema_v6.4.xsd type Weakness struct { ID string Name string Description string } // SprintURL format the CWE URL func (w *Weakness) SprintURL() string { return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", w.ID) } // SprintID format the CWE ID func (w *Weakness) SprintID() string { id := "0000" if w != nil { id = w.ID } return fmt.Sprintf("%s-%s", Acronym, id) } // MarshalJSON print only id and URL func (w *Weakness) MarshalJSON() ([]byte, error) { return json.Marshal(&struct { ID string `json:"id"` URL string `json:"url"` }{ ID: w.ID, URL: w.SprintURL(), }) } 07070100000038000081A400000000000000000000000166F552690000031A000000000000000000000000000000000000001F00000000gosec-2.21.4/cwe/types_test.gopackage cwe_test import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2/cwe" ) var _ = Describe("CWE Types", func() { BeforeEach(func() { }) Context("when consulting cwe types", func() { It("it should retrieves the information and download URIs", func() { Expect(cwe.InformationURI).To(Equal("https://cwe.mitre.org/data/published/cwe_v4.4.pdf/")) Expect(cwe.DownloadURI).To(Equal("https://cwe.mitre.org/data/xml/cwec_v4.4.xml.zip")) }) It("it should retrieves the weakness ID and URL", func() { weakness := &cwe.Weakness{ID: "798"} Expect(weakness).ShouldNot(BeNil()) Expect(weakness.SprintID()).To(Equal("CWE-798")) Expect(weakness.SprintURL()).To(Equal("https://cwe.mitre.org/data/definitions/798.html")) }) }) }) 07070100000039000081ED00000000000000000000000166F552690000018B000000000000000000000000000000000000001B00000000gosec-2.21.4/entrypoint.sh#!/usr/bin/env bash # Expand the arguments into an array of strings. This is required because the GitHub action # provides all arguments concatenated as a single string. ARGS=("$@") if [[ ! -z "${GITHUB_AUTHENTICATION_TOKEN}" ]]; then git config --global --add url."https://x-access-token:${GITHUB_AUTHENTICATION_TOKEN}@github.com/".insteadOf "https://github.com/" fi /bin/gosec ${ARGS[*]} 0707010000003A000081A400000000000000000000000166F55269000002B4000000000000000000000000000000000000001700000000gosec-2.21.4/errors.gopackage gosec import ( "sort" ) // Error is used when there are golang errors while parsing the AST type Error struct { Line int `json:"line"` Column int `json:"column"` Err string `json:"error"` } // NewError creates Error object func NewError(line, column int, err string) *Error { return &Error{ Line: line, Column: column, Err: err, } } // sortErrors sorts the golang errors by line func sortErrors(allErrors map[string][]Error) { for _, errors := range allErrors { sort.Slice(errors, func(i, j int) bool { if errors[i].Line == errors[j].Line { return errors[i].Column <= errors[j].Column } return errors[i].Line < errors[j].Line }) } } 0707010000003B000081A400000000000000000000000166F55269000005A1000000000000000000000000000000000000001A00000000gosec-2.21.4/flag_test.gopackage gosec_test import ( "flag" "os" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2/cmd/vflag" ) var _ = Describe("Cli", func() { Context("vflag test", func() { It("value must be empty as parameter value contains invalid character", func() { os.Args = []string{"gosec", "-flag1=-incorrect"} f := vflag.ValidatedFlag{} flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ContinueOnError) flag.Var(&f, "falg1", "") flag.CommandLine.Init("flag1", flag.ContinueOnError) flag.Parse() Expect(flag.Parsed()).Should(BeTrue()) Expect(f.Value).Should(Equal(``)) }) It("value must be empty as parameter value contains invalid character without equal sign", func() { os.Args = []string{"gosec", "-test2= -incorrect"} f := vflag.ValidatedFlag{} flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ContinueOnError) flag.Var(&f, "test2", "") flag.CommandLine.Init("test2", flag.ContinueOnError) flag.Parse() Expect(flag.Parsed()).Should(BeTrue()) Expect(f.Value).Should(Equal(``)) }) It("value must not be empty as parameter value contains valid character", func() { os.Args = []string{"gosec", "-test3=correct"} f := vflag.ValidatedFlag{} flag.Var(&f, "test3", "") flag.CommandLine.Init("test3", flag.ContinueOnError) flag.Parse() Expect(flag.Parsed()).Should(BeTrue()) Expect(f.Value).Should(Equal(`correct`)) }) }) }) 0707010000003C000081A400000000000000000000000166F5526900000A29000000000000000000000000000000000000001400000000gosec-2.21.4/go.modmodule github.com/securego/gosec/v2 require ( github.com/ccojocar/zxcvbn-go v1.0.2 github.com/google/generative-ai-go v0.18.0 github.com/google/uuid v1.6.0 github.com/gookit/color v1.5.4 github.com/lib/pq v1.10.9 github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5 github.com/onsi/ginkgo/v2 v2.20.2 github.com/onsi/gomega v1.34.2 github.com/stretchr/testify v1.9.0 golang.org/x/crypto v0.27.0 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 golang.org/x/text v0.18.0 golang.org/x/tools v0.25.0 google.golang.org/api v0.198.0 gopkg.in/yaml.v3 v3.0.1 ) require ( cloud.google.com/go v0.115.1 // indirect cloud.google.com/go/ai v0.8.0 // indirect cloud.google.com/go/auth v0.9.4 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect cloud.google.com/go/compute/metadata v0.5.1 // indirect cloud.google.com/go/longrunning v0.5.7 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect github.com/google/s2a-go v0.1.8 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect github.com/googleapis/gax-go/v2 v2.13.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/stretchr/objx v0.5.2 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect go.opentelemetry.io/otel v1.29.0 // indirect go.opentelemetry.io/otel/metric v1.29.0 // indirect go.opentelemetry.io/otel/trace v1.29.0 // indirect golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.29.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.8.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/grpc v1.66.2 // indirect google.golang.org/protobuf v1.34.2 // indirect ) go 1.22.0 0707010000003D000081A400000000000000000000000166F5526900011E1C000000000000000000000000000000000000001400000000gosec-2.21.4/go.sumbitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.60.0/go.mod h1:yw2G51M9IfRboUH61Us8GqCeF1PzPblB823Mn2q2eAU= cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ= cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc= cloud.google.com/go/ai v0.8.0 h1:rXUEz8Wp2OlrM8r1bfmpF2+VKqc1VJpafE3HgzRnD/w= cloud.google.com/go/ai v0.8.0/go.mod h1:t3Dfk4cM61sytiggo2UyGsDVW3RF1qGZaUKDrZFyqkE= cloud.google.com/go/auth v0.9.4 h1:DxF7imbEbiFu9+zdKC6cKBko1e8XeJnipNqIbWZ+kDI= cloud.google.com/go/auth v0.9.4/go.mod h1:SHia8n6//Ya940F1rLimhJCjjx7KE17t0ctFEci3HkA= cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY= cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute/metadata v0.5.1 h1:NM6oZeZNlYjiwYje+sYFjEpP0Q0zCan1bmQW/KmIrGs= cloud.google.com/go/compute/metadata v0.5.1/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU= cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w= cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg= github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/generative-ai-go v0.18.0 h1:6ybg9vOCLcI/UpBBYXOTVgvKmcUKFRNj+2Cj3GnebSo= github.com/google/generative-ai-go v0.18.0/go.mod h1:JYolL13VG7j79kM5BtHz4qwONHkeJQzOCkKXnpqtS/E= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s= github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A= github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/juju/ratelimit v1.0.1/go.mod h1:qapgC/Gy+xNh9UxzV13HGGl/6UXNN+ct+vwSgWNm/qk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.35/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/mozilla/scribe v0.0.0-20180711195314-fb71baf557c1/go.mod h1:FIczTrinKo8VaLxe6PWTPEXRXDIHz2QAwiaBaP5/4a8= github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5 h1:0KqC6/sLy7fDpBdybhVkkv4Yz+PmB7c9Dz9z3dLW804= github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5/go.mod h1:FUqVoUPHSEdDR0MnFM3Dh8AU0pZHLXUD127SAJGER/s= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo= github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc= github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA= github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 h1:QldyIu/L63oPpyvQmHgvgickp1Yw510KJOqX7H24mg8= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200426102838-f3a5411a4c3b/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.198.0 h1:OOH5fZatk57iN0A7tjJQzt6aPfYQ1JiWkt1yGseazks= google.golang.org/api v0.198.0/go.mod h1:/Lblzl3/Xqqk9hw/yS97TImKTUwnf1bv89v7+OagJzc= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f h1:b1Ln/PG8orm0SsBbHZWke8dDp2lrCD4jSmfglFpTZbk= google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:AHT0dDg3SoMOgZGnZk29b5xTbPHMoEC8qthmBLJCpys= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= 0707010000003E000081A400000000000000000000000166F55269000000BF000000000000000000000000000000000000002100000000gosec-2.21.4/gosec_suite_test.gopackage gosec_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestGosec(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "gosec Suite") } 0707010000003F000081A400000000000000000000000166F5526900003E9C000000000000000000000000000000000000001800000000gosec-2.21.4/helpers.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec import ( "bytes" "encoding/json" "errors" "fmt" "go/ast" "go/token" "go/types" "os" "os/exec" "os/user" "path/filepath" "regexp" "runtime" "strconv" "strings" ) // envGoModVersion overrides the Go version detection. const envGoModVersion = "GOSECGOVERSION" // MatchCallByPackage ensures that the specified package is imported, // adjusts the name for any aliases and ignores cases that are // initialization only imports. // // Usage: // // node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read") func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool) { importedNames, found := GetImportedNames(pkg, c) if !found { return nil, false } if callExpr, ok := n.(*ast.CallExpr); ok { packageName, callName, err := GetCallInfo(callExpr, c) if err != nil { return nil, false } for _, in := range importedNames { if packageName != in { continue } for _, name := range names { if callName == name { return callExpr, true } } } } return nil, false } // MatchCompLit will match an ast.CompositeLit based on the supplied type func MatchCompLit(n ast.Node, ctx *Context, required string) *ast.CompositeLit { if complit, ok := n.(*ast.CompositeLit); ok { typeOf := ctx.Info.TypeOf(complit) if typeOf.String() == required { return complit } } return nil } // GetInt will read and return an integer value from an ast.BasicLit func GetInt(n ast.Node) (int64, error) { if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.INT { return strconv.ParseInt(node.Value, 0, 64) } return 0, fmt.Errorf("Unexpected AST node type: %T", n) } // GetFloat will read and return a float value from an ast.BasicLit func GetFloat(n ast.Node) (float64, error) { if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.FLOAT { return strconv.ParseFloat(node.Value, 64) } return 0.0, fmt.Errorf("Unexpected AST node type: %T", n) } // GetChar will read and return a char value from an ast.BasicLit func GetChar(n ast.Node) (byte, error) { if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.CHAR { return node.Value[0], nil } return 0, fmt.Errorf("Unexpected AST node type: %T", n) } // GetStringRecursive will recursively walk down a tree of *ast.BinaryExpr. It will then concat the results, and return. // Unlike the other getters, it does _not_ raise an error for unknown ast.Node types. At the base, the recursion will hit a non-BinaryExpr type, // either BasicLit or other, so it's not an error case. It will only error if `strconv.Unquote` errors. This matters, because there's // currently functionality that relies on error values being returned by GetString if and when it hits a non-basiclit string node type, // hence for cases where recursion is needed, we use this separate function, so that we can still be backwards compatible. // // This was added to handle a SQL injection concatenation case where the injected value is infixed between two strings, not at the start or end. See example below // // Do note that this will omit non-string values. So for example, if you were to use this node: // ```go // q := "SELECT * FROM foo WHERE name = '" + os.Args[0] + "' AND 1=1" // will result in "SELECT * FROM foo WHERE ” AND 1=1" func GetStringRecursive(n ast.Node) (string, error) { if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.STRING { return strconv.Unquote(node.Value) } if expr, ok := n.(*ast.BinaryExpr); ok { x, err := GetStringRecursive(expr.X) if err != nil { return "", err } y, err := GetStringRecursive(expr.Y) if err != nil { return "", err } return x + y, nil } return "", nil } // GetString will read and return a string value from an ast.BasicLit func GetString(n ast.Node) (string, error) { if node, ok := n.(*ast.BasicLit); ok && node.Kind == token.STRING { return strconv.Unquote(node.Value) } return "", fmt.Errorf("Unexpected AST node type: %T", n) } // GetCallObject returns the object and call expression and associated // object for a given AST node. nil, nil will be returned if the // object cannot be resolved. func GetCallObject(n ast.Node, ctx *Context) (*ast.CallExpr, types.Object) { switch node := n.(type) { case *ast.CallExpr: switch fn := node.Fun.(type) { case *ast.Ident: return node, ctx.Info.Uses[fn] case *ast.SelectorExpr: return node, ctx.Info.Uses[fn.Sel] } } return nil, nil } // GetCallInfo returns the package or type and name associated with a // call expression. func GetCallInfo(n ast.Node, ctx *Context) (string, string, error) { switch node := n.(type) { case *ast.CallExpr: switch fn := node.Fun.(type) { case *ast.SelectorExpr: switch expr := fn.X.(type) { case *ast.Ident: if expr.Obj != nil && expr.Obj.Kind == ast.Var { t := ctx.Info.TypeOf(expr) if t != nil { return t.String(), fn.Sel.Name, nil } return "undefined", fn.Sel.Name, fmt.Errorf("missing type info") } return expr.Name, fn.Sel.Name, nil case *ast.SelectorExpr: if expr.Sel != nil { t := ctx.Info.TypeOf(expr.Sel) if t != nil { return t.String(), fn.Sel.Name, nil } return "undefined", fn.Sel.Name, fmt.Errorf("missing type info") } case *ast.CallExpr: switch call := expr.Fun.(type) { case *ast.Ident: if call.Name == "new" && len(expr.Args) > 0 { t := ctx.Info.TypeOf(expr.Args[0]) if t != nil { return t.String(), fn.Sel.Name, nil } return "undefined", fn.Sel.Name, fmt.Errorf("missing type info") } if call.Obj != nil { switch decl := call.Obj.Decl.(type) { case *ast.FuncDecl: ret := decl.Type.Results if ret != nil && len(ret.List) > 0 { ret1 := ret.List[0] if ret1 != nil { t := ctx.Info.TypeOf(ret1.Type) if t != nil { return t.String(), fn.Sel.Name, nil } return "undefined", fn.Sel.Name, fmt.Errorf("missing type info") } } } } } } case *ast.Ident: return ctx.Pkg.Name(), fn.Name, nil } } return "", "", fmt.Errorf("unable to determine call info") } // GetCallStringArgsValues returns the values of strings arguments if they can be resolved func GetCallStringArgsValues(n ast.Node, _ *Context) []string { values := []string{} switch node := n.(type) { case *ast.CallExpr: for _, arg := range node.Args { switch param := arg.(type) { case *ast.BasicLit: value, err := GetString(param) if err == nil { values = append(values, value) } case *ast.Ident: values = append(values, GetIdentStringValues(param)...) } } } return values } func getIdentStringValues(ident *ast.Ident, stringFinder func(ast.Node) (string, error)) []string { values := []string{} obj := ident.Obj if obj != nil { switch decl := obj.Decl.(type) { case *ast.ValueSpec: for _, v := range decl.Values { value, err := stringFinder(v) if err == nil { values = append(values, value) } } case *ast.AssignStmt: for _, v := range decl.Rhs { value, err := stringFinder(v) if err == nil { values = append(values, value) } } } } return values } // GetIdentStringValuesRecursive returns the string of values of an Ident if they can be resolved // The difference between this and GetIdentStringValues is that it will attempt to resolve the strings recursively, // if it is passed a *ast.BinaryExpr. See GetStringRecursive for details func GetIdentStringValuesRecursive(ident *ast.Ident) []string { return getIdentStringValues(ident, GetStringRecursive) } // GetIdentStringValues return the string values of an Ident if they can be resolved func GetIdentStringValues(ident *ast.Ident) []string { return getIdentStringValues(ident, GetString) } // GetBinaryExprOperands returns all operands of a binary expression by traversing // the expression tree func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node { var traverse func(be *ast.BinaryExpr) result := []ast.Node{} traverse = func(be *ast.BinaryExpr) { if lhs, ok := be.X.(*ast.BinaryExpr); ok { traverse(lhs) } else { result = append(result, be.X) } if rhs, ok := be.Y.(*ast.BinaryExpr); ok { traverse(rhs) } else { result = append(result, be.Y) } } traverse(be) return result } // GetImportedNames returns the name(s)/alias(es) used for the package within // the code. It ignores initialization-only imports. func GetImportedNames(path string, ctx *Context) (names []string, found bool) { importNames, imported := ctx.Imports.Imported[path] return importNames, imported } // GetImportPath resolves the full import path of an identifier based on // the imports in the current context(including aliases). func GetImportPath(name string, ctx *Context) (string, bool) { for path := range ctx.Imports.Imported { if imported, ok := GetImportedNames(path, ctx); ok { for _, n := range imported { if n == name { return path, true } } } } return "", false } // GetLocation returns the filename and line number of an ast.Node func GetLocation(n ast.Node, ctx *Context) (string, int) { fobj := ctx.FileSet.File(n.Pos()) return fobj.Name(), fobj.Line(n.Pos()) } // Gopath returns all GOPATHs func Gopath() []string { defaultGoPath := runtime.GOROOT() if u, err := user.Current(); err == nil { defaultGoPath = filepath.Join(u.HomeDir, "go") } path := Getenv("GOPATH", defaultGoPath) paths := strings.Split(path, string(os.PathListSeparator)) for idx, path := range paths { if abs, err := filepath.Abs(path); err == nil { paths[idx] = abs } } return paths } // Getenv returns the values of the environment variable, otherwise // returns the default if variable is not set func Getenv(key, userDefault string) string { if val := os.Getenv(key); val != "" { return val } return userDefault } // GetPkgRelativePath returns the Go relative path derived // form the given path func GetPkgRelativePath(path string) (string, error) { abspath, err := filepath.Abs(path) if err != nil { abspath = path } if strings.HasSuffix(abspath, ".go") { abspath = filepath.Dir(abspath) } for _, base := range Gopath() { projectRoot := filepath.FromSlash(fmt.Sprintf("%s/src/", base)) if strings.HasPrefix(abspath, projectRoot) { return strings.TrimPrefix(abspath, projectRoot), nil } } return "", errors.New("no project relative path found") } // GetPkgAbsPath returns the Go package absolute path derived from // the given path func GetPkgAbsPath(pkgPath string) (string, error) { absPath, err := filepath.Abs(pkgPath) if err != nil { return "", err } if _, err := os.Stat(absPath); os.IsNotExist(err) { return "", errors.New("no project absolute path found") } return absPath, nil } // ConcatString recursively concatenates strings from a binary expression func ConcatString(n *ast.BinaryExpr) (string, bool) { var s string // sub expressions are found in X object, Y object is always last BasicLit if rightOperand, ok := n.Y.(*ast.BasicLit); ok { if str, err := GetString(rightOperand); err == nil { s = str + s } } else { return "", false } if leftOperand, ok := n.X.(*ast.BinaryExpr); ok { if recursion, ok := ConcatString(leftOperand); ok { s = recursion + s } } else if leftOperand, ok := n.X.(*ast.BasicLit); ok { if str, err := GetString(leftOperand); err == nil { s = str + s } } else { return "", false } return s, true } // FindVarIdentities returns array of all variable identities in a given binary expression func FindVarIdentities(n *ast.BinaryExpr, c *Context) ([]*ast.Ident, bool) { identities := []*ast.Ident{} // sub expressions are found in X object, Y object is always the last term if rightOperand, ok := n.Y.(*ast.Ident); ok { obj := c.Info.ObjectOf(rightOperand) if _, ok := obj.(*types.Var); ok && !TryResolve(rightOperand, c) { identities = append(identities, rightOperand) } } if leftOperand, ok := n.X.(*ast.BinaryExpr); ok { if leftIdentities, ok := FindVarIdentities(leftOperand, c); ok { identities = append(identities, leftIdentities...) } } else { if leftOperand, ok := n.X.(*ast.Ident); ok { obj := c.Info.ObjectOf(leftOperand) if _, ok := obj.(*types.Var); ok && !TryResolve(leftOperand, c) { identities = append(identities, leftOperand) } } } if len(identities) > 0 { return identities, true } // if nil or error, return false return nil, false } // PackagePaths returns a slice with all packages path at given root directory func PackagePaths(root string, excludes []*regexp.Regexp) ([]string, error) { if strings.HasSuffix(root, "...") { root = root[0 : len(root)-3] } else { return []string{root}, nil } paths := map[string]bool{} err := filepath.Walk(root, func(path string, f os.FileInfo, err error) error { if filepath.Ext(path) == ".go" { path = filepath.Dir(path) if isExcluded(filepath.ToSlash(path), excludes) { return nil } paths[path] = true } return nil }) if err != nil { return []string{}, err } result := []string{} for path := range paths { result = append(result, path) } return result, nil } // isExcluded checks if a string matches any of the exclusion regexps func isExcluded(str string, excludes []*regexp.Regexp) bool { if excludes == nil { return false } for _, exclude := range excludes { if exclude != nil && exclude.MatchString(str) { return true } } return false } // ExcludedDirsRegExp builds the regexps for a list of excluded dirs provided as strings func ExcludedDirsRegExp(excludedDirs []string) []*regexp.Regexp { var exps []*regexp.Regexp for _, excludedDir := range excludedDirs { str := fmt.Sprintf(`([\\/])?%s([\\/])?`, strings.ReplaceAll(filepath.ToSlash(excludedDir), "/", `\/`)) r := regexp.MustCompile(str) exps = append(exps, r) } return exps } // RootPath returns the absolute root path of a scan func RootPath(root string) (string, error) { root = strings.TrimSuffix(root, "...") return filepath.Abs(root) } // GoVersion returns parsed version of Go mod version and fallback to runtime version if not found. func GoVersion() (int, int, int) { if env, ok := os.LookupEnv(envGoModVersion); ok { return parseGoVersion(strings.TrimPrefix(env, "go")) } goVersion, err := goModVersion() if err != nil { return parseGoVersion(strings.TrimPrefix(runtime.Version(), "go")) } return parseGoVersion(goVersion) } type goListOutput struct { GoVersion string `json:"GoVersion"` } func goModVersion() (string, error) { cmd := exec.Command("go", "list", "-m", "-json") raw, err := cmd.CombinedOutput() if err != nil { return "", fmt.Errorf("command go list: %w: %s", err, string(raw)) } var v goListOutput err = json.NewDecoder(bytes.NewBuffer(raw)).Decode(&v) if err != nil { return "", fmt.Errorf("unmarshaling error: %w: %s", err, string(raw)) } return v.GoVersion, nil } // parseGoVersion parses Go version. // example: // - 1.19rc2 // - 1.19beta2 // - 1.19.4 // - 1.19 func parseGoVersion(version string) (int, int, int) { exp := regexp.MustCompile(`(\d+).(\d+)(?:.(\d+))?.*`) parts := exp.FindStringSubmatch(version) if len(parts) <= 1 { return 0, 0, 0 } major, _ := strconv.Atoi(parts[1]) minor, _ := strconv.Atoi(parts[2]) build, _ := strconv.Atoi(parts[3]) return major, minor, build } 07070100000040000081A400000000000000000000000166F55269000024DE000000000000000000000000000000000000001D00000000gosec-2.21.4/helpers_test.gopackage gosec_test import ( "go/ast" "os" "path/filepath" "regexp" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("Helpers", func() { Context("when listing package paths", func() { var dir string JustBeforeEach(func() { var err error dir, err = os.MkdirTemp("", "gosec") Expect(err).ShouldNot(HaveOccurred()) _, err = os.MkdirTemp(dir, "test*.go") Expect(err).ShouldNot(HaveOccurred()) }) AfterEach(func() { err := os.RemoveAll(dir) Expect(err).ShouldNot(HaveOccurred()) }) It("should return the root directory as package path", func() { paths, err := gosec.PackagePaths(dir, nil) Expect(err).ShouldNot(HaveOccurred()) Expect(paths).Should(Equal([]string{dir})) }) It("should return the package path", func() { paths, err := gosec.PackagePaths(dir+"/...", nil) Expect(err).ShouldNot(HaveOccurred()) Expect(paths).Should(Equal([]string{dir})) }) It("should exclude folder", func() { nested := dir + "/vendor" err := os.Mkdir(nested, 0o755) Expect(err).ShouldNot(HaveOccurred()) _, err = os.Create(nested + "/test.go") Expect(err).ShouldNot(HaveOccurred()) exclude, err := regexp.Compile(`([\\/])?vendor([\\/])?`) Expect(err).ShouldNot(HaveOccurred()) paths, err := gosec.PackagePaths(dir+"/...", []*regexp.Regexp{exclude}) Expect(err).ShouldNot(HaveOccurred()) Expect(paths).Should(Equal([]string{dir})) }) It("should exclude folder with subpath", func() { nested := dir + "/pkg/generated" err := os.MkdirAll(nested, 0o755) Expect(err).ShouldNot(HaveOccurred()) _, err = os.Create(nested + "/test.go") Expect(err).ShouldNot(HaveOccurred()) exclude, err := regexp.Compile(`([\\/])?/pkg\/generated([\\/])?`) Expect(err).ShouldNot(HaveOccurred()) paths, err := gosec.PackagePaths(dir+"/...", []*regexp.Regexp{exclude}) Expect(err).ShouldNot(HaveOccurred()) Expect(paths).Should(Equal([]string{dir})) }) It("should be empty when folder does not exist", func() { nested := dir + "/test" paths, err := gosec.PackagePaths(nested+"/...", nil) Expect(err).ShouldNot(HaveOccurred()) Expect(paths).Should(BeEmpty()) }) }) Context("when getting the root path", func() { It("should return the absolute path from relative path", func() { base := "test" cwd, err := os.Getwd() Expect(err).ShouldNot(HaveOccurred()) root, err := gosec.RootPath(base) Expect(err).ShouldNot(HaveOccurred()) Expect(root).Should(Equal(filepath.Join(cwd, base))) }) It("should return the absolute path from ellipsis path", func() { base := "test" cwd, err := os.Getwd() Expect(err).ShouldNot(HaveOccurred()) root, err := gosec.RootPath(filepath.Join(base, "...")) Expect(err).ShouldNot(HaveOccurred()) Expect(root).Should(Equal(filepath.Join(cwd, base))) }) }) Context("when excluding the dirs", func() { It("should create a proper regexp", func() { r := gosec.ExcludedDirsRegExp([]string{"test"}) Expect(r).Should(HaveLen(1)) match := r[0].MatchString("/home/go/src/project/test/pkg") Expect(match).Should(BeTrue()) match = r[0].MatchString("/home/go/src/project/vendor/pkg") Expect(match).Should(BeFalse()) }) It("should create a proper regexp for dir with subdir", func() { r := gosec.ExcludedDirsRegExp([]string{`test/generated`}) Expect(r).Should(HaveLen(1)) match := r[0].MatchString("/home/go/src/project/test/generated") Expect(match).Should(BeTrue()) match = r[0].MatchString("/home/go/src/project/test/pkg") Expect(match).Should(BeFalse()) match = r[0].MatchString("/home/go/src/project/vendor/pkg") Expect(match).Should(BeFalse()) }) It("should create no regexp when dir list is empty", func() { r := gosec.ExcludedDirsRegExp(nil) Expect(r).Should(BeEmpty()) r = gosec.ExcludedDirsRegExp([]string{}) Expect(r).Should(BeEmpty()) }) }) Context("when getting call info", func() { It("should return the type and call name for selector expression", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "bytes" ) func main() { b := new(bytes.Buffer) _, err := b.WriteString("test") if err != nil { panic(err) } } `) ctx := pkg.CreateContext("main.go") result := map[string]string{} visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { typeName, call, err := gosec.GetCallInfo(n, ctx) if err == nil { result[typeName] = call } return true } ast.Walk(visitor, ctx.Root) Expect(result).Should(HaveKeyWithValue("*bytes.Buffer", "WriteString")) }) It("should return the type and call name for new selector expression", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "bytes" ) func main() { _, err := new(bytes.Buffer).WriteString("test") if err != nil { panic(err) } } `) ctx := pkg.CreateContext("main.go") result := map[string]string{} visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { typeName, call, err := gosec.GetCallInfo(n, ctx) if err == nil { result[typeName] = call } return true } ast.Walk(visitor, ctx.Root) Expect(result).Should(HaveKeyWithValue("bytes.Buffer", "WriteString")) }) It("should return the type and call name for function selector expression", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "bytes" ) func createBuffer() *bytes.Buffer { return new(bytes.Buffer) } func main() { _, err := createBuffer().WriteString("test") if err != nil { panic(err) } } `) ctx := pkg.CreateContext("main.go") result := map[string]string{} visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { typeName, call, err := gosec.GetCallInfo(n, ctx) if err == nil { result[typeName] = call } return true } ast.Walk(visitor, ctx.Root) Expect(result).Should(HaveKeyWithValue("*bytes.Buffer", "WriteString")) }) It("should return the type and call name for package function", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "fmt" ) func main() { fmt.Println("test") } `) ctx := pkg.CreateContext("main.go") result := map[string]string{} visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { typeName, call, err := gosec.GetCallInfo(n, ctx) if err == nil { result[typeName] = call } return true } ast.Walk(visitor, ctx.Root) Expect(result).Should(HaveKeyWithValue("fmt", "Println")) }) It("should return the type and call name when built-in new function is overridden", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main type S struct{ F int } func (f S) Fun() {} func new() S { return S{} } func main() { new().Fun() } `) ctx := pkg.CreateContext("main.go") result := map[string]string{} visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { typeName, call, err := gosec.GetCallInfo(n, ctx) if err == nil { result[typeName] = call } return true } ast.Walk(visitor, ctx.Root) Expect(result).Should(HaveKeyWithValue("main", "new")) }) }) Context("when getting binary expression operands", func() { It("should return all operands of a binary expression", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "fmt" ) func main() { be := "test1" + "test2" fmt.Println(be) } `) ctx := pkg.CreateContext("main.go") var be *ast.BinaryExpr visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { if expr, ok := n.(*ast.BinaryExpr); ok { be = expr } return true } ast.Walk(visitor, ctx.Root) operands := gosec.GetBinaryExprOperands(be) Expect(operands).Should(HaveLen(2)) }) It("should return all operands of complex binary expression", func() { pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("main.go", ` package main import( "fmt" ) func main() { be := "test1" + "test2" + "test3" + "test4" fmt.Println(be) } `) ctx := pkg.CreateContext("main.go") var be *ast.BinaryExpr visitor := testutils.NewMockVisitor() visitor.Context = ctx visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { if expr, ok := n.(*ast.BinaryExpr); ok { if be == nil { be = expr } } return true } ast.Walk(visitor, ctx.Root) operands := gosec.GetBinaryExprOperands(be) Expect(operands).Should(HaveLen(4)) }) }) }) 07070100000041000081A400000000000000000000000166F5526900000974000000000000000000000000000000000000001F00000000gosec-2.21.4/import_tracker.go// Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec import ( "go/ast" "go/types" "regexp" "strings" ) var versioningPackagePattern = regexp.MustCompile(`v[0-9]+$`) // ImportTracker is used to normalize the packages that have been imported // by a source file. It is able to differentiate between plain imports, aliased // imports and init only imports. type ImportTracker struct { // Imported is a map of Imported with their associated names/aliases. Imported map[string][]string } // NewImportTracker creates an empty Import tracker instance func NewImportTracker() *ImportTracker { return &ImportTracker{ Imported: make(map[string][]string), } } // TrackFile track all the imports used by the supplied file func (t *ImportTracker) TrackFile(file *ast.File) { for _, imp := range file.Imports { t.TrackImport(imp) } } // TrackPackages tracks all the imports used by the supplied packages func (t *ImportTracker) TrackPackages(pkgs ...*types.Package) { for _, pkg := range pkgs { t.Imported[pkg.Path()] = []string{pkg.Name()} } } // TrackImport tracks imports. func (t *ImportTracker) TrackImport(imported *ast.ImportSpec) { importPath := strings.Trim(imported.Path.Value, `"`) if imported.Name != nil { if imported.Name.Name != "_" { // Aliased import t.Imported[importPath] = append(t.Imported[importPath], imported.Name.String()) } } else { t.Imported[importPath] = append(t.Imported[importPath], importName(importPath)) } } func importName(importPath string) string { parts := strings.Split(importPath, "/") name := importPath if len(parts) > 0 { name = parts[len(parts)-1] } // If the last segment of the path is version information, consider the second to last segment as the package name. // (e.g., `math/rand/v2` would be `rand`) if len(parts) > 1 && versioningPackagePattern.MatchString(name) { name = parts[len(parts)-2] } return name } 07070100000042000081A400000000000000000000000166F5526900000562000000000000000000000000000000000000002400000000gosec-2.21.4/import_tracker_test.gopackage gosec_test import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("Import Tracker", func() { Context("when tracking a file", func() { It("should parse the imports from file", func() { tracker := gosec.NewImportTracker() pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package foo import "fmt" func foo() { fmt.Println() } `) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) pkgs := pkg.Pkgs() Expect(pkgs).Should(HaveLen(1)) files := pkgs[0].Syntax Expect(files).Should(HaveLen(1)) tracker.TrackFile(files[0]) Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fmt"}})) }) It("should parse the named imports from file", func() { tracker := gosec.NewImportTracker() pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", ` package foo import fm "fmt" func foo() { fm.Println() } `) err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) pkgs := pkg.Pkgs() Expect(pkgs).Should(HaveLen(1)) files := pkgs[0].Syntax Expect(files).Should(HaveLen(1)) tracker.TrackFile(files[0]) Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fm"}})) }) }) }) 07070100000043000081A400000000000000000000000166F5526900002484000000000000000000000000000000000000001800000000gosec-2.21.4/install.sh#!/bin/sh set -e # Code generated by godownloader. DO NOT EDIT. # usage() { this=$1 cat <<EOF $this: download go binaries for securego/gosec Usage: $this [-b] bindir [-d] [tag] -b sets bindir or installation directory, Defaults to ./bin -d turns on debug logging [tag] is a tag from https://github.com/securego/gosec/releases If tag is missing, then the latest will be used. Generated by godownloader https://github.com/goreleaser/godownloader EOF exit 2 } parse_args() { #BINDIR is ./bin unless set be ENV # over-ridden by flag below BINDIR=${BINDIR:-./bin} while getopts "b:dh?x" arg; do case "$arg" in b) BINDIR="$OPTARG" ;; d) log_set_priority 10 ;; h | \?) usage "$0" ;; x) set -x ;; esac done shift $((OPTIND - 1)) TAG=$1 } # this function wraps all the destructive operations # if a curl|bash cuts off the end of the script due to # network, either nothing will happen or will syntax error # out preventing half-done work execute() { tmpdir=$(mktemp -d) log_debug "downloading files into ${tmpdir}" http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}" http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}" hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}" srcdir="${tmpdir}" (cd "${tmpdir}" && untar "${TARBALL}") test ! -d "${BINDIR}" && install -d "${BINDIR}" for binexe in $BINARIES; do if [ "$OS" = "windows" ]; then binexe="${binexe}.exe" fi install "${srcdir}/${binexe}" "${BINDIR}/" log_info "installed ${BINDIR}/${binexe}" done rm -rf "${tmpdir}" } get_binaries() { case "$PLATFORM" in darwin/amd64) BINARIES="gosec" ;; darwin/arm64) BINARIES="gosec" ;; linux/amd64) BINARIES="gosec" ;; linux/arm64) BINARIES="gosec" ;; windows/amd64) BINARIES="gosec" ;; windows/arm64) BINARIES="gosec" ;; *) log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new" exit 1 ;; esac } tag_to_version() { if [ -z "${TAG}" ]; then log_info "checking GitHub for latest tag" else log_info "checking GitHub for tag '${TAG}'" fi REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true if test -z "$REALTAG"; then log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details" exit 1 fi # if version starts with 'v', remove it TAG="$REALTAG" VERSION=${TAG#v} } adjust_format() { # change format (tar.gz or zip) based on OS true } adjust_os() { # adjust archive name based on OS true } adjust_arch() { # adjust archive name based on ARCH true } cat /dev/null <<EOF ------------------------------------------------------------------------ https://github.com/client9/shlib - portable posix shell functions Public domain - http://unlicense.org https://github.com/client9/shlib/blob/master/LICENSE.md but credit (and pull requests) appreciated. ------------------------------------------------------------------------ EOF is_command() { command -v "$1" >/dev/null } echoerr() { echo "$@" 1>&2 } log_prefix() { echo "$0" } _logp=6 log_set_priority() { _logp="$1" } log_priority() { if test -z "$1"; then echo "$_logp" return fi [ "$1" -le "$_logp" ] } log_tag() { case $1 in 0) echo "emerg" ;; 1) echo "alert" ;; 2) echo "crit" ;; 3) echo "err" ;; 4) echo "warning" ;; 5) echo "notice" ;; 6) echo "info" ;; 7) echo "debug" ;; *) echo "$1" ;; esac } log_debug() { log_priority 7 || return 0 echoerr "$(log_prefix)" "$(log_tag 7)" "$@" } log_info() { log_priority 6 || return 0 echoerr "$(log_prefix)" "$(log_tag 6)" "$@" } log_err() { log_priority 3 || return 0 echoerr "$(log_prefix)" "$(log_tag 3)" "$@" } log_crit() { log_priority 2 || return 0 echoerr "$(log_prefix)" "$(log_tag 2)" "$@" } uname_os() { os=$(uname -s | tr '[:upper:]' '[:lower:]') case "$os" in cygwin_nt*) os="windows" ;; mingw*) os="windows" ;; msys_nt*) os="windows" ;; esac echo "$os" } uname_arch() { arch=$(uname -m) case $arch in x86_64) arch="amd64" ;; x86) arch="386" ;; i686) arch="386" ;; i386) arch="386" ;; aarch64) arch="arm64" ;; armv5*) arch="armv5" ;; armv6*) arch="armv6" ;; armv7*) arch="armv7" ;; esac echo ${arch} } uname_os_check() { os=$(uname_os) case "$os" in darwin) return 0 ;; dragonfly) return 0 ;; freebsd) return 0 ;; linux) return 0 ;; android) return 0 ;; nacl) return 0 ;; netbsd) return 0 ;; openbsd) return 0 ;; plan9) return 0 ;; solaris) return 0 ;; windows) return 0 ;; esac log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib" return 1 } uname_arch_check() { arch=$(uname_arch) case "$arch" in 386) return 0 ;; amd64) return 0 ;; arm64) return 0 ;; armv5) return 0 ;; armv6) return 0 ;; armv7) return 0 ;; ppc64) return 0 ;; ppc64le) return 0 ;; mips) return 0 ;; mipsle) return 0 ;; mips64) return 0 ;; mips64le) return 0 ;; s390x) return 0 ;; amd64p32) return 0 ;; esac log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib" return 1 } untar() { tarball=$1 case "${tarball}" in *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;; *.tar) tar --no-same-owner -xf "${tarball}" ;; *.zip) unzip "${tarball}" ;; *) log_err "untar unknown archive format for ${tarball}" return 1 ;; esac } http_download_curl() { local_file=$1 source_url=$2 header=$3 if [ -z "$header" ]; then code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url") else code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url") fi if [ "$code" != "200" ]; then log_debug "http_download_curl received HTTP status $code" return 1 fi return 0 } http_download_wget() { local_file=$1 source_url=$2 header=$3 if [ -z "$header" ]; then wget -q -O "$local_file" "$source_url" else wget -q --header "$header" -O "$local_file" "$source_url" fi } http_download() { log_debug "http_download $2" if is_command curl; then http_download_curl "$@" return elif is_command wget; then http_download_wget "$@" return fi log_crit "http_download unable to find wget or curl" return 1 } http_copy() { tmp=$(mktemp) http_download "${tmp}" "$1" "$2" || return 1 body=$(cat "$tmp") rm -f "${tmp}" echo "$body" } github_release() { owner_repo=$1 version=$2 giturl="https://api.github.com/repos/${owner_repo}/releases/tags/${version}" if [ -z "${version}" ]; then giturl="https://api.github.com/repos/${owner_repo}/releases/latest" fi json=$(http_copy "$giturl" "Accept:application/json") test -z "$json" && return 1 version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name": *"//' | sed 's/".*//') test -z "$version" && return 1 echo "$version" } hash_sha256() { TARGET=${1:-/dev/stdin} if is_command gsha256sum; then hash=$(gsha256sum "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command sha256sum; then hash=$(sha256sum "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command shasum; then hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1 echo "$hash" | cut -d ' ' -f 1 elif is_command openssl; then hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1 echo "$hash" | cut -d ' ' -f a else log_crit "hash_sha256 unable to find command to compute sha-256 hash" return 1 fi } hash_sha256_verify() { TARGET=$1 checksums=$2 if [ -z "$checksums" ]; then log_err "hash_sha256_verify checksum file not specified in arg2" return 1 fi BASENAME=${TARGET##*/} want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) if [ -z "$want" ]; then log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" return 1 fi got=$(hash_sha256 "$TARGET") if [ "$want" != "$got" ]; then log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" return 1 fi } cat /dev/null <<EOF ------------------------------------------------------------------------ End of functions from https://github.com/client9/shlib ------------------------------------------------------------------------ EOF PROJECT_NAME="gosec" OWNER=securego REPO="gosec" BINARY=gosec FORMAT=tar.gz OS=$(uname_os) ARCH=$(uname_arch) PREFIX="$OWNER/$REPO" # use in logging routines log_prefix() { echo "$PREFIX" } PLATFORM="${OS}/${ARCH}" GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download uname_os_check "$OS" uname_arch_check "$ARCH" parse_args "$@" get_binaries tag_to_version adjust_format adjust_os adjust_arch log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}" NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH} TARBALL=${NAME}.${FORMAT} TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL} CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM} execute 07070100000044000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001300000000gosec-2.21.4/issue07070100000045000081A400000000000000000000000166F5526900001828000000000000000000000000000000000000001C00000000gosec-2.21.4/issue/issue.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package issue import ( "bufio" "bytes" "encoding/json" "fmt" "go/ast" "go/token" "os" "strconv" "github.com/securego/gosec/v2/cwe" ) // Score type used by severity and confidence values type Score int const ( // Low severity or confidence Low Score = iota // Medium severity or confidence Medium // High severity or confidence High ) // SnippetOffset defines the number of lines captured before // the beginning and after the end of a code snippet const SnippetOffset = 1 // GetCweByRule retrieves a cwe weakness for a given RuleID func GetCweByRule(id string) *cwe.Weakness { cweID, ok := ruleToCWE[id] if ok && cweID != "" { return cwe.Get(cweID) } return nil } // ruleToCWE maps gosec rules to CWEs var ruleToCWE = map[string]string{ "G101": "798", "G102": "200", "G103": "242", "G104": "703", "G106": "322", "G107": "88", "G108": "200", "G109": "190", "G110": "409", "G111": "22", "G112": "400", "G113": "190", "G114": "676", "G115": "190", "G201": "89", "G202": "89", "G203": "79", "G204": "78", "G301": "276", "G302": "276", "G303": "377", "G304": "22", "G305": "22", "G306": "276", "G401": "328", "G402": "295", "G403": "310", "G404": "338", "G405": "327", "G406": "328", "G407": "1204", "G501": "327", "G502": "327", "G503": "327", "G504": "327", "G505": "327", "G506": "327", "G507": "327", "G601": "118", "G602": "118", } // Issue is returned by a gosec rule if it discovers an issue with the scanned code. type Issue struct { Severity Score `json:"severity"` // issue severity (how problematic it is) Confidence Score `json:"confidence"` // issue confidence (how sure we are we found it) Cwe *cwe.Weakness `json:"cwe"` // Cwe associated with RuleID RuleID string `json:"rule_id"` // Human readable explanation What string `json:"details"` // Human readable explanation File string `json:"file"` // File name we found it in Code string `json:"code"` // Impacted code line Line string `json:"line"` // Line number in file Col string `json:"column"` // Column number in line NoSec bool `json:"nosec"` // true if the issue is nosec Suppressions []SuppressionInfo `json:"suppressions"` // Suppression info of the issue Autofix string `json:"autofix,omitempty"` // Proposed auto fix the issue } // SuppressionInfo object is to record the kind and the justification that used // to suppress violations. type SuppressionInfo struct { Kind string `json:"kind"` Justification string `json:"justification"` } // FileLocation point out the file path and line number in file func (i *Issue) FileLocation() string { return fmt.Sprintf("%s:%s", i.File, i.Line) } // MetaData is embedded in all gosec rules. The Severity, Confidence and What message // will be passed through to reported issues. type MetaData struct { ID string Severity Score Confidence Score What string } // MarshalJSON is used convert a Score object into a JSON representation func (c Score) MarshalJSON() ([]byte, error) { return json.Marshal(c.String()) } // String converts a Score into a string func (c Score) String() string { switch c { case High: return "HIGH" case Medium: return "MEDIUM" case Low: return "LOW" } return "UNDEFINED" } // CodeSnippet extracts a code snippet based on the ast reference func CodeSnippet(file *os.File, start int64, end int64) (string, error) { var pos int64 var buf bytes.Buffer scanner := bufio.NewScanner(file) scanner.Split(bufio.ScanLines) for scanner.Scan() { pos++ if pos > end { break } else if pos >= start && pos <= end { code := fmt.Sprintf("%d: %s\n", pos, scanner.Text()) buf.WriteString(code) } } return buf.String(), nil } func codeSnippetStartLine(node ast.Node, fobj *token.File) int64 { s := (int64)(fobj.Line(node.Pos())) if s-SnippetOffset > 0 { return s - SnippetOffset } return s } func codeSnippetEndLine(node ast.Node, fobj *token.File) int64 { e := (int64)(fobj.Line(node.End())) return e + SnippetOffset } // New creates a new Issue func New(fobj *token.File, node ast.Node, ruleID, desc string, severity, confidence Score) *Issue { name := fobj.Name() line := GetLine(fobj, node) col := strconv.Itoa(fobj.Position(node.Pos()).Column) var code string if node == nil { code = "invalid AST node provided" } if file, err := os.Open(fobj.Name()); err == nil && node != nil { defer file.Close() // #nosec s := codeSnippetStartLine(node, fobj) e := codeSnippetEndLine(node, fobj) code, err = CodeSnippet(file, s, e) if err != nil { code = err.Error() } } return &Issue{ File: name, Line: line, Col: col, RuleID: ruleID, What: desc, Confidence: confidence, Severity: severity, Code: code, Cwe: GetCweByRule(ruleID), } } // WithSuppressions set the suppressions of the issue func (i *Issue) WithSuppressions(suppressions []SuppressionInfo) *Issue { i.Suppressions = suppressions return i } // GetLine returns the line number of a given ast.Node func GetLine(fobj *token.File, node ast.Node) string { start, end := fobj.Line(node.Pos()), fobj.Line(node.End()) line := strconv.Itoa(start) if start != end { line = fmt.Sprintf("%d-%d", start, end) } return line } 07070100000046000081A400000000000000000000000166F5526900000ED9000000000000000000000000000000000000002100000000gosec-2.21.4/issue/issue_test.gopackage issue_test import ( "go/ast" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/rules" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("Issue", func() { Context("when creating a new issue", func() { It("should create a code snippet from the specified ast.Node", func() { var target *ast.BasicLit source := `package main const foo = "bar" func main(){ println(foo) } ` pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", source) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.BasicLit); ok { target = node return false } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(target).ShouldNot(BeNil()) fobj := ctx.GetFileAtNodePos(target) issue := issue.New(fobj, target, "TEST", "", issue.High, issue.High) Expect(issue).ShouldNot(BeNil()) Expect(issue.Code).Should(MatchRegexp(`"bar"`)) Expect(issue.Line).Should(Equal("2")) Expect(issue.Col).Should(Equal("16")) Expect(issue.Cwe).Should(BeNil()) }) It("should return an error if specific context is not able to be obtained", func() { Skip("Not implemented") }) It("should construct file path based on line and file information", func() { var target *ast.AssignStmt source := `package main import "fmt" func main() { username := "admin" password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) }` pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", source) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.AssignStmt); ok { if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "password" { target = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(target).ShouldNot(BeNil()) // Use hardcoded rule to check assignment cfg := gosec.NewConfig() rule, _ := rules.NewHardcodedCredentials("TEST", cfg) foundIssue, err := rule.Match(target, ctx) Expect(err).ShouldNot(HaveOccurred()) Expect(foundIssue).ShouldNot(BeNil()) Expect(foundIssue.FileLocation()).Should(MatchRegexp("foo.go:5")) }) It("should provide accurate line and file information", func() { Skip("Not implemented") }) It("should provide accurate line and file information for multi-line statements", func() { var target *ast.CallExpr source := ` package main import ( "net" ) func main() { _, _ := net.Listen("tcp", "0.0.0.0:2000") } ` pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", source) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.CallExpr); ok { target = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(target).ShouldNot(BeNil()) cfg := gosec.NewConfig() rule, _ := rules.NewBindsToAllNetworkInterfaces("TEST", cfg) issue, err := rule.Match(target, ctx) Expect(err).ShouldNot(HaveOccurred()) Expect(issue).ShouldNot(BeNil()) Expect(issue.File).Should(MatchRegexp("foo.go")) Expect(issue.Line).Should(MatchRegexp("7-8")) Expect(issue.Col).Should(Equal("10")) }) It("should maintain the provided severity score", func() { Skip("Not implemented") }) It("should maintain the provided confidence score", func() { Skip("Not implemented") }) }) }) 07070100000047000081ED00000000000000000000000166F5526900000421000000000000000000000000000000000000001A00000000gosec-2.21.4/perf-diff.sh#!/bin/bash BIN="gosec" BUILD_DIR="/tmp/securego" # Scan the current folder and measure the duration. function scan() { local scan_cmd=$1 s=$(date +%s%3N) $scan_cmd -quiet ./... e=$(date +%s%3N) res=$(expr $e - $s) echo $res } # Build the master reference version. mkdir -p ${BUILD_DIR} git clone --quiet https://github.com/securego/gosec.git ${BUILD_DIR} >/dev/null make -C ${BUILD_DIR} >/dev/null # Scan once with the main reference. duration_master=$(scan "${BUILD_DIR}/${BIN}") echo "gosec reference time: ${duration_master}ms" # Build the current version. make -C . >/dev/null # Scan once with the current version. duration=$(scan "./${BIN}") echo "gosec time: ${duration}ms" # Compute the difference of the execution time. diff=$(($duration - $duration_master)) if [[ diff -lt 0 ]]; then diff=$(($diff * -1)) fi echo "diff: ${diff}ms" perf=$((100 - ($duration * 100) / $duration_master)) echo "perf diff: ${perf}%" # Fail the build if there is a performance degradation of more than 10%. if [[ $perf -lt -10 ]]; then exit 1 fi 07070100000048000081A400000000000000000000000166F55269000001FC000000000000000000000000000000000000001B00000000gosec-2.21.4/renovate.json{ "dependencyDashboard": true, "dependencyDashboardTitle" : "Renovate(bot) : dependency dashboard", "vulnerabilityAlerts": { "enabled": true }, "extends": [ ":preserveSemverRanges", "group:all", "schedule:weekly" ], "lockFileMaintenance": { "commitMessageAction": "Update", "enabled": true, "extends": [ "group:all", "schedule:weekly" ] }, "postUpdateOptions": [ "gomodTidy", "gomodUpdateImportPaths" ], "separateMajorMinor": false } 07070100000049000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001400000000gosec-2.21.4/report0707010000004A000081A400000000000000000000000166F5526900000295000000000000000000000000000000000000001700000000gosec-2.21.4/report.gopackage gosec import ( "github.com/securego/gosec/v2/issue" ) // ReportInfo this is report information type ReportInfo struct { Errors map[string][]Error `json:"Golang errors"` Issues []*issue.Issue Stats *Metrics GosecVersion string } // NewReportInfo instantiate a ReportInfo func NewReportInfo(issues []*issue.Issue, metrics *Metrics, errors map[string][]Error) *ReportInfo { return &ReportInfo{ Errors: errors, Issues: issues, Stats: metrics, } } // WithVersion defines the version of gosec used to generate the report func (r *ReportInfo) WithVersion(version string) *ReportInfo { r.GosecVersion = version return r } 0707010000004B000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001800000000gosec-2.21.4/report/csv0707010000004C000081A400000000000000000000000166F5526900000206000000000000000000000000000000000000002200000000gosec-2.21.4/report/csv/writer.gopackage csv import ( "encoding/csv" "io" "github.com/securego/gosec/v2" ) // WriteReport write a report in csv format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { out := csv.NewWriter(w) defer out.Flush() for _, issue := range data.Issues { err := out.Write([]string{ issue.File, issue.Line, issue.What, issue.Severity.String(), issue.Confidence.String(), issue.Code, issue.Cwe.SprintID(), }) if err != nil { return err } } return nil } 0707010000004D000081A400000000000000000000000166F5526900000B6A000000000000000000000000000000000000002100000000gosec-2.21.4/report/formatter.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package report import ( "io" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/report/csv" "github.com/securego/gosec/v2/report/golint" "github.com/securego/gosec/v2/report/html" "github.com/securego/gosec/v2/report/json" "github.com/securego/gosec/v2/report/junit" "github.com/securego/gosec/v2/report/sarif" "github.com/securego/gosec/v2/report/sonar" "github.com/securego/gosec/v2/report/text" "github.com/securego/gosec/v2/report/yaml" ) // Format enumerates the output format for reported issues type Format int const ( // ReportText is the default format that writes to stdout ReportText Format = iota // Plain text format // ReportJSON set the output format to json ReportJSON // Json format // ReportCSV set the output format to csv ReportCSV // CSV format // ReportJUnitXML set the output format to junit xml ReportJUnitXML // JUnit XML format // ReportSARIF set the output format to SARIF ReportSARIF // SARIF format ) // CreateReport generates a report based for the supplied issues and metrics given // the specified format. The formats currently accepted are: json, yaml, csv, junit-xml, html, sonarqube, golint and text. func CreateReport(w io.Writer, format string, enableColor bool, rootPaths []string, data *gosec.ReportInfo) error { var err error if format != "json" && format != "sarif" { data.Issues = filterOutSuppressedIssues(data.Issues) } switch format { case "json": err = json.WriteReport(w, data) case "yaml": err = yaml.WriteReport(w, data) case "csv": err = csv.WriteReport(w, data) case "junit-xml": err = junit.WriteReport(w, data) case "html": err = html.WriteReport(w, data) case "text": err = text.WriteReport(w, data, enableColor) case "sonarqube": err = sonar.WriteReport(w, data, rootPaths) case "golint": err = golint.WriteReport(w, data) case "sarif": err = sarif.WriteReport(w, data, rootPaths) default: err = text.WriteReport(w, data, enableColor) } return err } func filterOutSuppressedIssues(issues []*issue.Issue) []*issue.Issue { nonSuppressedIssues := []*issue.Issue{} for _, issue := range issues { if len(issue.Suppressions) == 0 { nonSuppressedIssues = append(nonSuppressedIssues, issue) } } return nonSuppressedIssues } 0707010000004E000081A400000000000000000000000166F55269000000C0000000000000000000000000000000000000002C00000000gosec-2.21.4/report/formatter_suite_test.gopackage report import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestRules(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Formatters Suite") } 0707010000004F000081A400000000000000000000000166F552690000422E000000000000000000000000000000000000002600000000gosec-2.21.4/report/formatter_test.gopackage report import ( "bytes" "encoding/json" "fmt" "strings" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "gopkg.in/yaml.v3" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/cwe" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/report/junit" "github.com/securego/gosec/v2/report/sonar" ) func createIssueWithFileWhat(file, what string) *issue.Issue { issue := createIssue("i1", issue.GetCweByRule("G101")) issue.File = file issue.What = what return &issue } func createIssue(ruleID string, weakness *cwe.Weakness) issue.Issue { return issue.Issue{ File: "/home/src/project/test.go", Line: "1", Col: "1", RuleID: ruleID, What: "test", Confidence: issue.High, Severity: issue.High, Code: "1: testcode", Cwe: weakness, } } func createReportInfo(rule string, weakness *cwe.Weakness) gosec.ReportInfo { newissue := createIssue(rule, weakness) metrics := gosec.Metrics{} return gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ &newissue, }, Stats: &metrics, } } func stripString(str string) string { ret := strings.Replace(str, "\n", "", -1) ret = strings.Replace(ret, " ", "", -1) ret = strings.Replace(ret, "\t", "", -1) return ret } var _ = Describe("Formatter", func() { BeforeEach(func() { }) Context("when converting to Sonarqube issues", func() { It("it should parse the report info", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPath := "/home/src/project" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should parse the report info with files in subfolders", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project/subfolder/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "subfolder/test.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPath := "/home/src/project" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should not parse the report info for files from other projects", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project1/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{}, } rootPath := "/home/src/project2" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should parse the report info for multiple projects", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project1/test-project1.go", Code: "", Line: "1-2", }, { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project2/test-project2.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test-project1.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test-project2.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPaths := []string{"/home/src/project1", "/home/src/project2"} issues, err := sonar.GenerateReport(rootPaths, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) }) Context("When using junit", func() { It("preserves order of issues", func() { issues := []*issue.Issue{createIssueWithFileWhat("i1", "1"), createIssueWithFileWhat("i2", "2"), createIssueWithFileWhat("i3", "1")} junitReport := junit.GenerateReport(&gosec.ReportInfo{Issues: issues}) testSuite := junitReport.Testsuites[0] Expect(testSuite.Testcases[0].Name).To(Equal(issues[0].File)) Expect(testSuite.Testcases[1].Name).To(Equal(issues[2].File)) testSuite = junitReport.Testsuites[1] Expect(testSuite.Testcases[0].Name).To(Equal(issues[1].File)) }) }) Context("When using different report formats", func() { grules := []string{ "G101", "G102", "G103", "G104", "G106", "G107", "G109", "G110", "G111", "G112", "G113", "G201", "G202", "G203", "G204", "G301", "G302", "G303", "G304", "G305", "G401", "G402", "G403", "G404", "G405", "G406", "G407", "G501", "G502", "G503", "G504", "G505", "G506", "G507", "G601", } It("csv formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err := CreateReport(buf, "csv", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) pattern := "/home/src/project/test.go,1,test,HIGH,HIGH,1: testcode,CWE-%s\n" expect := fmt.Sprintf(pattern, cwe.ID) Expect(buf.String()).To(Equal(expect)) } }) It("xml formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0}, errors).WithVersion("v2.7.0") err := CreateReport(buf, "xml", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) pattern := "Results:\n\n\n[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)\n > 1: testcode\n\nAutofix: \n\nSummary:\n Gosec : v2.7.0\n Files : 0\n Lines : 0\n Nosec : 0\n Issues : 0\n\n" expect := fmt.Sprintf(pattern, rule, cwe.ID) Expect(buf.String()).To(Equal(expect)) } }) It("json formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} data := createReportInfo(rule, cwe) expect := new(bytes.Buffer) enc := json.NewEncoder(expect) err := enc.Encode(data) Expect(err).ShouldNot(HaveOccurred()) buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err = CreateReport(buf, "json", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) expectation := stripString(expect.String()) Expect(result).To(Equal(expectation)) } }) It("html formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} data := createReportInfo(rule, cwe) expect := new(bytes.Buffer) enc := json.NewEncoder(expect) err := enc.Encode(data) Expect(err).ShouldNot(HaveOccurred()) buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err = CreateReport(buf, "html", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) expectation := stripString(expect.String()) Expect(result).To(ContainSubstring(expectation)) } }) It("yaml formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} data := createReportInfo(rule, cwe) expect := new(bytes.Buffer) enc := yaml.NewEncoder(expect) err := enc.Encode(data) Expect(err).ShouldNot(HaveOccurred()) buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err = CreateReport(buf, "yaml", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) expectation := stripString(expect.String()) Expect(result).To(ContainSubstring(expectation)) } }) It("junit-xml formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} data := createReportInfo(rule, cwe) expect := new(bytes.Buffer) enc := yaml.NewEncoder(expect) err := enc.Encode(data) Expect(err).ShouldNot(HaveOccurred()) buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err = CreateReport(buf, "junit-xml", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) expectation := stripString(fmt.Sprintf("[/home/src/project/test.go:1] - test (Confidence: 2, Severity: 2, CWE: %s)", cwe.ID)) result := stripString(buf.String()) Expect(result).To(ContainSubstring(expectation)) } }) It("text formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} data := createReportInfo(rule, cwe) expect := new(bytes.Buffer) enc := yaml.NewEncoder(expect) err := enc.Encode(data) Expect(err).ShouldNot(HaveOccurred()) buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err = CreateReport(buf, "text", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) expectation := stripString(fmt.Sprintf("[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)", rule, cwe.ID)) result := stripString(buf.String()) Expect(result).To(ContainSubstring(expectation)) } }) It("sonarqube formatted report shouldn't contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err := CreateReport(buf, "sonarqube", false, []string{"/home/src/project"}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) expect := new(bytes.Buffer) enc := json.NewEncoder(expect) err = enc.Encode(cwe) Expect(err).ShouldNot(HaveOccurred()) expectation := stripString(expect.String()) Expect(result).ShouldNot(ContainSubstring(expectation)) } }) It("golint formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors) err := CreateReport(buf, "golint", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) pattern := "/home/src/project/test.go:1:1: [CWE-%s] test (Rule:%s, Severity:HIGH, Confidence:HIGH)\n" expect := fmt.Sprintf(pattern, cwe.ID, rule) Expect(buf.String()).To(Equal(expect)) } }) It("sarif formatted report should contain the CWE mapping", func() { for _, rule := range grules { cwe := issue.GetCweByRule(rule) newissue := createIssue(rule, cwe) errors := map[string][]gosec.Error{} buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, errors).WithVersion("v2.7.0") err := CreateReport(buf, "sarif", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) ruleIDPattern := "\"id\":\"%s\"" expectedRule := fmt.Sprintf(ruleIDPattern, rule) Expect(err).ShouldNot(HaveOccurred()) Expect(result).To(ContainSubstring(expectedRule)) cweURIPattern := "\"helpUri\":\"https://cwe.mitre.org/data/definitions/%s.html\"" expectedCweURI := fmt.Sprintf(cweURIPattern, cwe.ID) Expect(err).ShouldNot(HaveOccurred()) Expect(result).To(ContainSubstring(expectedCweURI)) cweIDPattern := "\"id\":\"%s\"" expectedCweID := fmt.Sprintf(cweIDPattern, cwe.ID) Expect(err).ShouldNot(HaveOccurred()) Expect(result).To(ContainSubstring(expectedCweID)) } }) }) Context("When converting suppressed issues", func() { ruleID := "G101" cwe := issue.GetCweByRule(ruleID) suppressions := []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, } suppressedIssue := createIssue(ruleID, cwe) suppressedIssue.WithSuppressions(suppressions) It("text formatted report should contain the suppressed issues", func() { errors := map[string][]gosec.Error{} reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, errors) buf := new(bytes.Buffer) err := CreateReport(buf, "text", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) Expect(result).To(ContainSubstring("Results:Summary")) }) It("sarif formatted report should contain the suppressed issues", func() { errors := map[string][]gosec.Error{} reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, errors) buf := new(bytes.Buffer) err := CreateReport(buf, "sarif", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) Expect(result).To(ContainSubstring(`"results":[{`)) }) It("json formatted report should contain the suppressed issues", func() { errors := map[string][]gosec.Error{} reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, errors) buf := new(bytes.Buffer) err := CreateReport(buf, "json", false, []string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) result := stripString(buf.String()) Expect(result).To(ContainSubstring(`"Issues":[{`)) }) }) }) 07070100000050000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001B00000000gosec-2.21.4/report/golint07070100000051000081A400000000000000000000000166F552690000039C000000000000000000000000000000000000002500000000gosec-2.21.4/report/golint/writer.gopackage golint import ( "fmt" "io" "strings" "github.com/securego/gosec/v2" ) // WriteReport write a report in golint format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { // Output Sample: // /tmp/main.go:11:14: [CWE-310] RSA keys should be at least 2048 bits (Rule:G403, Severity:MEDIUM, Confidence:HIGH) for _, issue := range data.Issues { what := issue.What if issue.Cwe != nil && issue.Cwe.ID != "" { what = fmt.Sprintf("[%s] %s", issue.Cwe.SprintID(), issue.What) } // issue.Line uses "start-end" format for multiple line detection. lines := strings.Split(issue.Line, "-") start := lines[0] _, err := fmt.Fprintf(w, "%s:%s:%s: %s (Rule:%s, Severity:%s, Confidence:%s)\n", issue.File, start, issue.Col, what, issue.RuleID, issue.Severity.String(), issue.Confidence.String(), ) if err != nil { return err } } return nil } 07070100000052000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001900000000gosec-2.21.4/report/html07070100000053000081A400000000000000000000000166F55269000044E2000000000000000000000000000000000000002700000000gosec-2.21.4/report/html/template.html<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>Golang Security Checker</title> <link rel="shortcut icon" type="image/png" href="https://securego.io/img/favicon.png"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/1.0.2/css/bulma.min.css" integrity="sha512-RpeJZX3aH5oZN3U3JhE7Sd+HG8XQsqmP3clIbu4G28p668yNsRNj3zMASKe1ATjl/W80wuEtCx2dFA8xaebG5w==" crossorigin="anonymous"/> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.10.0/styles/default.min.css" integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g==" crossorigin="anonymous"/> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.10.0/highlight.min.js" integrity="sha512-6yoqbrcLAHDWAdQmiRlHG4+m0g/CT/V9AGyxabG8j7Jk8j3r3K6due7oqpiRMZqcYe9WM2gPcaNNxnl2ux+3tA==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.10.0/languages/go.min.js" integrity="sha512-k7OybVx0SC719WXdukEkoxjgQBdxeRIFuMIBO2LffEGfE7v/cgRvQp/0UrF9MiHBGzVOol2yuvaV1TAW2zAFJA==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js" integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js" integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.25.6/babel.min.js" integrity="sha512-8M1WWEzuftS49rfh63fHz354qx+Pzvp3kcQVVTOxIdFSzjYC3I3vk5zgN0guAook97MQIZTfEdl9pUQTov9V6A==" crossorigin="anonymous"></script> <style> .field-label { min-width: 80px; } .break-word { word-wrap: break-word; } .help { white-space: pre-wrap; } .tag { width: 80px; } .summary-first { padding: .75rem .75rem .1rem .75rem; } .summary-last { padding: .1rem .75rem .75rem .75rem; } .summary { padding: .1rem .75rem ; } </style> </head> <body> <section class="section"> <div class="container"> <div id="content"></div> </div> </section> <script> var data = {{ . }}; </script> <script type="text/babel"> var IssueTag = React.createClass({ render: function() { var level = "tag" if (this.props.level === "HIGH") { level += " is-danger"; } else if (this.props.level === "MEDIUM") { level += " is-warning"; } else if (this.props.level === "LOW") { level += " is-info"; } else if (this.props.level === "WAIVED") { level += " is-success"; } level +=" is-rounded"; return ( <div className="control"> <div className="tags has-addons"> <span className="tag is-dark is-rounded">{ this.props.label }</span> <span className={ level }>{ this.props.level }</span> </div> </div> ); } }); var Highlight = React.createClass({ componentDidMount: function(){ var current = ReactDOM.findDOMNode(this); hljs.highlightElement(current); }, render: function() { return ( <pre className="go"><code >{ this.props.code }</code></pre> ); } }); var Issue = React.createClass({ render: function() { return ( <div className="issue box"> <div className="columns"> <div className="column is-three-quarters"> <strong className="break-word">{ this.props.data.file } (line { this.props.data.line })</strong> <p>{this.props.data.rule_id} (CWE-{this.props.data.cwe.id}): { this.props.data.details }</p> </div> <div className="column is-one-quarter"> <div className="field is-grouped is-grouped-multiline"> {this.props.data.nosec && <IssueTag label="NoSec" level="WAIVED"/>} <IssueTag label="Severity" level={ this.props.data.severity }/> <IssueTag label="Confidence" level={ this.props.data.confidence }/> </div> </div> </div> <div className="highlight"> <Highlight key={ this.props.data.file + this.props.data.line } code={ this.props.data.code }/> </div> </div> ); } }); var Stats = React.createClass({ render: function() { return ( <p className="help is-pulled-right"> Gosec {this.props.data.GosecVersion} scanned { this.props.data.Stats.files.toLocaleString() } files with { this.props.data.Stats.lines.toLocaleString() } lines of code. { this.props.data.Stats.nosec ? '\n' + this.props.data.Stats.nosec.toLocaleString() + ' false positives (nosec) have been waived.' : ''} </p> ); } }); var Issues = React.createClass({ render: function() { if (this.props.data.Stats.files === 0) { return ( <div className="notification"> No source files found. Do you even Go? </div> ); } if (this.props.data.Issues.length === 0) { return ( <div> <div className="notification"> Awesome! No issues found! </div> <Stats data={ this.props.data } /> </div> ); } var issues = this.props.data.Issues .filter(function(issue) { return this.props.severity.includes(issue.severity); }.bind(this)) .filter(function(issue) { return this.props.confidence.includes(issue.confidence); }.bind(this)) .filter(function(issue) { if (this.props.issueType) { return issue.details.toLowerCase().startsWith(this.props.issueType.toLowerCase()); } else { return true } }.bind(this)) .map(function(issue) { return (<Issue data={issue} />); }.bind(this)); if (issues.length === 0) { return ( <div> <div className="notification"> No issues matched given filters (of total { this.props.data.Issues.length } issues). </div> <Stats data={ this.props.data } /> </div> ); } return ( <div className="issues"> { issues } <Stats data={ this.props.data } /> </div> ); } }); var LevelSelector = React.createClass({ handleChange: function(level) { return function(e) { var updated = this.props.selected .filter(function(item) { return item != level; }); if (e.target.checked) { updated.push(level); } this.props.onChange(updated); }.bind(this); }, render: function() { var HIGH = "HIGH", MEDIUM = "MEDIUM", LOW = "LOW"; var highDisabled = !this.props.available.includes(HIGH); var mediumDisabled = !this.props.available.includes(MEDIUM); var lowDisabled = !this.props.available.includes(LOW); return ( <div className="field"> <div className="control"> <label className="checkbox" disabled={ highDisabled }> <input type="checkbox" checked={ this.props.selected.includes(HIGH) } disabled={ highDisabled } onChange={ this.handleChange(HIGH) }/> High </label> </div> <div className="control"> <label className="checkbox" disabled={ mediumDisabled }> <input type="checkbox" checked={ this.props.selected.includes(MEDIUM) } disabled={ mediumDisabled } onChange={ this.handleChange(MEDIUM) }/> Medium </label> </div> <div className="control"> <label className="checkbox" disabled={ lowDisabled }> <input type="checkbox" checked={ this.props.selected.includes(LOW) } disabled={ lowDisabled } onChange={ this.handleChange(LOW) }/> Low </label> </div> </div> ); } }); var Navigation = React.createClass({ updateSeverity: function(vals) { this.props.onSeverity(vals); }, updateConfidence: function(vals) { this.props.onConfidence(vals); }, updateIssueType: function(e) { if (e.target.value == "all") { this.props.onIssueType(null); } else { this.props.onIssueType(e.target.value); } }, render: function() { var issueTypes = this.props.allIssueTypes .map(function(it) { var matches = this.props.issueType == it return ( <option value={ it } selected={ matches }> { it } </option> ); }.bind(this)); return ( <div> <nav className="panel"> <div className="panel-heading">Filters</div> <div className="panel-block"> <div className="field is-horizontal"> <div className="field-label is-normal"> <label className="label is-pulled-left">Severity</label> </div> <div className="field-body"> <LevelSelector selected={ this.props.severity } available={ this.props.allSeverities } onChange={ this.updateSeverity } /> </div> </div> </div> <div className="panel-block"> <div className="field is-horizontal"> <div className="field-label is-normal"> <label className="label is-pulled-left">Confidence</label> </div> <div className="field-body"> <LevelSelector selected={ this.props.confidence } available={ this.props.allConfidences } onChange={ this.updateConfidence } /> </div> </div> </div> <div className="panel-block"> <div className="field is-horizontal"> <div className="field-label is-normal"> <label className="label is-pulled-left">Issue type</label> </div> <div className="field-body"> <div className="field"> <div className="control"> <div className="select is-fullwidth"> <select onChange={ this.updateIssueType }> <option value="all" selected={ !this.props.issueType }> (all) </option> { issueTypes } </select> </div> </div> </div> </div> </div> </div> </nav> <nav className="panel"> <div className="panel-heading">Summary</div> <div className="panel-block"> <div className="columns is-multiline"> <div className="column is-half summary-first"> <label className="label is-pulled-left">Gosec: </label> </div> <div className="column is-half summary-first"> {this.props.data.GosecVersion} </div> <div className="column is-half summary"> <label className="label is-pulled-left">Files: </label> </div> <div className="column is-half summary"> {this.props.data.Stats.files.toLocaleString()} </div> <div className="column is-half summary"> <label className="label is-pulled-left">Lines: </label> </div> <div className="column is-half summary"> {this.props.data.Stats.lines.toLocaleString()} </div> <div className="column is-half summary"> <label className="label is-pulled-left">Nosec: </label> </div> <div className="column is-half summary"> {this.props.data.Stats.nosec.toLocaleString()} </div> <div className="column is-half summary-last"> <label className="label is-pulled-left">Issues: </label> </div> <div className="column is-half summary-last"> {this.props.data.Stats.found.toLocaleString()} </div> </div> </div> </nav> </div> ); } }); var IssueBrowser = React.createClass({ getInitialState: function() { return {}; }, componentWillMount: function() { this.updateIssues(this.props.data); }, handleSeverity: function(val) { this.updateIssueTypes(this.props.data.Issues, val, this.state.confidence); this.setState({severity: val}); }, handleConfidence: function(val) { this.updateIssueTypes(this.props.data.Issues, this.state.severity, val); this.setState({confidence: val}); }, handleIssueType: function(val) { this.setState({issueType: val}); }, updateIssues: function(data) { if (!data) { this.setState({data: data}); return; } var allSeverities = data.Issues .map(function(issue) { return issue.severity }) .sort() .filter(function(item, pos, ary) { return !pos || item != ary[pos - 1]; }); var allConfidences = data.Issues .map(function(issue) { return issue.confidence }) .sort() .filter(function(item, pos, ary) { return !pos || item != ary[pos - 1]; }); var selectedSeverities = allSeverities; var selectedConfidences = allConfidences; this.updateIssueTypes(data.Issues, selectedSeverities, selectedConfidences); this.setState({ data: data, severity: selectedSeverities, allSeverities: allSeverities, confidence: selectedConfidences, allConfidences: allConfidences, issueType: null }); }, updateIssueTypes: function(issues, severities, confidences) { var allTypes = issues .filter(function(issue) { return severities.includes(issue.severity); }) .filter(function(issue) { return confidences.includes(issue.confidence); }) .map(function(issue) { return issue.details; }) .sort() .filter(function(item, pos, ary) { return !pos || item != ary[pos - 1]; }); if (this.state.issueType && !allTypes.includes(this.state.issueType)) { this.setState({issueType: null}); } this.setState({allIssueTypes: allTypes}); }, render: function() { return ( <div className="content"> <div className="columns"> <div className="column is-one-quarter"> <Navigation data={ this.props.data } severity={ this.state.severity } confidence={ this.state.confidence } issueType={ this.state.issueType } allSeverities={ this.state.allSeverities } allConfidences={ this.state.allConfidences } allIssueTypes={ this.state.allIssueTypes } onSeverity={ this.handleSeverity } onConfidence={ this.handleConfidence } onIssueType={ this.handleIssueType } /> </div> <div className="column is-three-quarters"> <Issues data={ this.props.data } severity={ this.state.severity } confidence={ this.state.confidence } issueType={ this.state.issueType } /> </div> </div> </div> ); } }); ReactDOM.render( <IssueBrowser data={ data } />, document.getElementById("content") ); </script> </body> </html>07070100000054000081A400000000000000000000000166F5526900000183000000000000000000000000000000000000002300000000gosec-2.21.4/report/html/writer.gopackage html import ( _ "embed" "html/template" "io" "github.com/securego/gosec/v2" ) //go:embed template.html var templateContent string // WriteReport write a report in html format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { t, e := template.New("gosec").Parse(templateContent) if e != nil { return e } return t.Execute(w, data) } 07070100000055000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001900000000gosec-2.21.4/report/json07070100000056000081A400000000000000000000000166F5526900000149000000000000000000000000000000000000002300000000gosec-2.21.4/report/json/writer.gopackage json import ( "encoding/json" "io" "github.com/securego/gosec/v2" ) // WriteReport write a report in json format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { raw, err := json.MarshalIndent(data, "", "\t") if err != nil { return err } _, err = w.Write(raw) return err } 07070100000057000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001A00000000gosec-2.21.4/report/junit07070100000058000081A400000000000000000000000166F55269000001C3000000000000000000000000000000000000002500000000gosec-2.21.4/report/junit/builder.gopackage junit // NewTestsuite instantiate a Testsuite func NewTestsuite(name string) *Testsuite { return &Testsuite{ Name: name, } } // NewFailure instantiate a Failure func NewFailure(message string, text string) *Failure { return &Failure{ Message: message, Text: text, } } // NewTestcase instantiate a Testcase func NewTestcase(name string, failure *Failure) *Testcase { return &Testcase{ Name: name, Failure: failure, } } 07070100000059000081A400000000000000000000000166F55269000004EF000000000000000000000000000000000000002700000000gosec-2.21.4/report/junit/formatter.gopackage junit import ( "html" "strconv" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) func generatePlaintext(issue *issue.Issue) string { cweID := "CWE" if issue.Cwe != nil { cweID = issue.Cwe.ID } return "Results:\n" + "[" + issue.File + ":" + issue.Line + "] - " + issue.What + " (Confidence: " + strconv.Itoa(int(issue.Confidence)) + ", Severity: " + strconv.Itoa(int(issue.Severity)) + ", CWE: " + cweID + ")\n" + "> " + html.EscapeString(issue.Code) + "\n Autofix: " + issue.Autofix } // GenerateReport Convert a gosec report to a JUnit Report func GenerateReport(data *gosec.ReportInfo) Report { var xmlReport Report testsuites := map[string]int{} for _, issue := range data.Issues { index, ok := testsuites[issue.What] if !ok { xmlReport.Testsuites = append(xmlReport.Testsuites, NewTestsuite(issue.What)) index = len(xmlReport.Testsuites) - 1 testsuites[issue.What] = index } failure := NewFailure("Found 1 vulnerability. See stacktrace for details.", generatePlaintext(issue)) testcase := NewTestcase(issue.File, failure) xmlReport.Testsuites[index].Testcases = append(xmlReport.Testsuites[index].Testcases, testcase) xmlReport.Testsuites[index].Tests++ } return xmlReport } 0707010000005A000081A400000000000000000000000166F55269000002F5000000000000000000000000000000000000002300000000gosec-2.21.4/report/junit/types.gopackage junit import ( "encoding/xml" ) // Report defines a JUnit XML report type Report struct { XMLName xml.Name `xml:"testsuites"` Testsuites []*Testsuite `xml:"testsuite"` } // Testsuite defines a JUnit testsuite type Testsuite struct { XMLName xml.Name `xml:"testsuite"` Name string `xml:"name,attr"` Tests int `xml:"tests,attr"` Testcases []*Testcase `xml:"testcase"` } // Testcase defines a JUnit testcase type Testcase struct { XMLName xml.Name `xml:"testcase"` Name string `xml:"name,attr"` Failure *Failure `xml:"failure"` } // Failure defines a JUnit failure type Failure struct { XMLName xml.Name `xml:"failure"` Message string `xml:"message,attr"` Text string `xml:",innerxml"` } 0707010000005B000081A400000000000000000000000166F5526900000203000000000000000000000000000000000000002400000000gosec-2.21.4/report/junit/writer.gopackage junit import ( "encoding/xml" "io" "github.com/securego/gosec/v2" ) // WriteReport write a report in JUnit format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { junitXMLStruct := GenerateReport(data) raw, err := xml.MarshalIndent(junitXMLStruct, "", "\t") if err != nil { return err } xmlHeader := []byte("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n") raw = append(xmlHeader, raw...) _, err = w.Write(raw) if err != nil { return err } return nil } 0707010000005C000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001A00000000gosec-2.21.4/report/sarif0707010000005D000081A400000000000000000000000166F5526900001763000000000000000000000000000000000000002500000000gosec-2.21.4/report/sarif/builder.gopackage sarif // NewReport instantiate a SARIF Report func NewReport(version string, schema string) *Report { return &Report{ Version: version, Schema: schema, } } // WithRuns defines runs for the current report func (r *Report) WithRuns(runs ...*Run) *Report { r.Runs = runs return r } // NewMultiformatMessageString instantiate a MultiformatMessageString func NewMultiformatMessageString(text string) *MultiformatMessageString { return &MultiformatMessageString{ Text: text, } } // NewRun instantiate a Run func NewRun(tool *Tool) *Run { return &Run{ Tool: tool, } } // WithTaxonomies set the taxonomies for the current run func (r *Run) WithTaxonomies(taxonomies ...*ToolComponent) *Run { r.Taxonomies = taxonomies return r } // WithResults set the results for the current run func (r *Run) WithResults(results ...*Result) *Run { r.Results = results return r } // NewArtifactLocation instantiate an ArtifactLocation func NewArtifactLocation(uri string) *ArtifactLocation { return &ArtifactLocation{ URI: uri, } } // NewRegion instantiate a Region func NewRegion(startLine int, endLine int, startColumn int, endColumn int, sourceLanguage string) *Region { return &Region{ StartLine: startLine, EndLine: endLine, StartColumn: startColumn, EndColumn: endColumn, SourceLanguage: sourceLanguage, } } // WithSnippet defines the Snippet for the current Region func (r *Region) WithSnippet(snippet *ArtifactContent) *Region { r.Snippet = snippet return r } // NewArtifactContent instantiate an ArtifactContent func NewArtifactContent(text string) *ArtifactContent { return &ArtifactContent{ Text: text, } } // NewTool instantiate a Tool func NewTool(driver *ToolComponent) *Tool { return &Tool{ Driver: driver, } } // NewResult instantiate a Result func NewResult(ruleID string, ruleIndex int, level Level, message string, suppressions []*Suppression, autofix string) *Result { result := &Result{ RuleID: ruleID, RuleIndex: ruleIndex, Level: level, Message: NewMessage(message), Suppressions: suppressions, } if len(autofix) > 0 { result.Fixes = []*Fix{ { Description: &Message{ Markdown: autofix, }, }, } } return result } // NewMessage instantiate a Message func NewMessage(text string) *Message { return &Message{ Text: text, } } // WithLocations define the current result's locations func (r *Result) WithLocations(locations ...*Location) *Result { r.Locations = locations return r } // NewLocation instantiate a Location func NewLocation(physicalLocation *PhysicalLocation) *Location { return &Location{ PhysicalLocation: physicalLocation, } } // NewPhysicalLocation instantiate a PhysicalLocation func NewPhysicalLocation(artifactLocation *ArtifactLocation, region *Region) *PhysicalLocation { return &PhysicalLocation{ ArtifactLocation: artifactLocation, Region: region, } } // NewToolComponent instantiate a ToolComponent func NewToolComponent(name string, version string, informationURI string) *ToolComponent { return &ToolComponent{ Name: name, Version: version, InformationURI: informationURI, GUID: uuid3(name), } } // WithLanguage set Language for the current ToolComponent func (t *ToolComponent) WithLanguage(language string) *ToolComponent { t.Language = language return t } // WithSemanticVersion set SemanticVersion for the current ToolComponent func (t *ToolComponent) WithSemanticVersion(semanticVersion string) *ToolComponent { t.SemanticVersion = semanticVersion return t } // WithReleaseDateUtc set releaseDateUtc for the current ToolComponent func (t *ToolComponent) WithReleaseDateUtc(releaseDateUtc string) *ToolComponent { t.ReleaseDateUtc = releaseDateUtc return t } // WithDownloadURI set downloadURI for the current ToolComponent func (t *ToolComponent) WithDownloadURI(downloadURI string) *ToolComponent { t.DownloadURI = downloadURI return t } // WithOrganization set organization for the current ToolComponent func (t *ToolComponent) WithOrganization(organization string) *ToolComponent { t.Organization = organization return t } // WithShortDescription set shortDescription for the current ToolComponent func (t *ToolComponent) WithShortDescription(shortDescription *MultiformatMessageString) *ToolComponent { t.ShortDescription = shortDescription return t } // WithIsComprehensive set isComprehensive for the current ToolComponent func (t *ToolComponent) WithIsComprehensive(isComprehensive bool) *ToolComponent { t.IsComprehensive = isComprehensive return t } // WithMinimumRequiredLocalizedDataSemanticVersion set MinimumRequiredLocalizedDataSemanticVersion for the current ToolComponent func (t *ToolComponent) WithMinimumRequiredLocalizedDataSemanticVersion(minimumRequiredLocalizedDataSemanticVersion string) *ToolComponent { t.MinimumRequiredLocalizedDataSemanticVersion = minimumRequiredLocalizedDataSemanticVersion return t } // WithTaxa set taxa for the current ToolComponent func (t *ToolComponent) WithTaxa(taxa ...*ReportingDescriptor) *ToolComponent { t.Taxa = taxa return t } // WithSupportedTaxonomies set the supported taxonomies for the current ToolComponent func (t *ToolComponent) WithSupportedTaxonomies(supportedTaxonomies ...*ToolComponentReference) *ToolComponent { t.SupportedTaxonomies = supportedTaxonomies return t } // WithRules set the rules for the current ToolComponent func (t *ToolComponent) WithRules(rules ...*ReportingDescriptor) *ToolComponent { t.Rules = rules return t } // NewToolComponentReference instantiate a ToolComponentReference func NewToolComponentReference(name string) *ToolComponentReference { return &ToolComponentReference{ Name: name, GUID: uuid3(name), } } // NewSuppression instantiate a Suppression func NewSuppression(kind string, justification string) *Suppression { return &Suppression{ Kind: kind, Justification: justification, } } 0707010000005E000081A400000000000000000000000166F5526900000380000000000000000000000000000000000000002200000000gosec-2.21.4/report/sarif/data.gopackage sarif // Level SARIF level // From https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127839 type Level string const ( // None : The concept of “severity” does not apply to this result because the kind // property (§3.27.9) has a value other than "fail". None = Level("none") // Note : The rule specified by ruleId was evaluated and a minor problem or an opportunity // to improve the code was found. Note = Level("note") // Warning : The rule specified by ruleId was evaluated and a problem was found. Warning = Level("warning") // Error : The rule specified by ruleId was evaluated and a serious problem was found. Error = Level("error") // Version : SARIF Schema version Version = "2.1.0" // Schema : SARIF Schema URL Schema = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json" ) 0707010000005F000081A400000000000000000000000166F5526900001AAE000000000000000000000000000000000000002700000000gosec-2.21.4/report/sarif/formatter.gopackage sarif import ( "fmt" "sort" "strconv" "strings" "github.com/google/uuid" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/cwe" "github.com/securego/gosec/v2/issue" ) // GenerateReport converts a gosec report into a SARIF report func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) { rules := []*ReportingDescriptor{} results := []*Result{} cweTaxa := []*ReportingDescriptor{} weaknesses := map[string]*cwe.Weakness{} for _, issue := range data.Issues { if issue.Cwe != nil { _, ok := weaknesses[issue.Cwe.ID] if !ok { weakness := cwe.Get(issue.Cwe.ID) weaknesses[issue.Cwe.ID] = weakness cweTaxon := parseSarifTaxon(weakness) cweTaxa = append(cweTaxa, cweTaxon) } } rule := parseSarifRule(issue) var ruleIndex int rules, ruleIndex = addRuleInOrder(rules, rule) location, err := parseSarifLocation(issue, rootPaths) if err != nil { return nil, err } result := NewResult( issue.RuleID, ruleIndex, getSarifLevel(issue.Severity.String()), issue.What, buildSarifSuppressions(issue.Suppressions), issue.Autofix, ).WithLocations(location) results = append(results, result) } sort.SliceStable(cweTaxa, func(i, j int) bool { return cweTaxa[i].ID < cweTaxa[j].ID }) tool := NewTool(buildSarifDriver(rules, data.GosecVersion)) cweTaxonomy := buildCWETaxonomy(cweTaxa) run := NewRun(tool). WithTaxonomies(cweTaxonomy). WithResults(results...) return NewReport(Version, Schema). WithRuns(run), nil } // addRuleInOrder inserts a rule into the rules slice keeping the rules IDs order, it returns the new rules // slice and the position where the rule was inserted func addRuleInOrder(rules []*ReportingDescriptor, rule *ReportingDescriptor) ([]*ReportingDescriptor, int) { position := 0 for i, r := range rules { if r.ID < rule.ID { continue } if r.ID == rule.ID { return rules, i } position = i break } rules = append(rules, nil) copy(rules[position+1:], rules[position:]) rules[position] = rule return rules, position } // parseSarifRule return SARIF rule field struct func parseSarifRule(i *issue.Issue) *ReportingDescriptor { cwe := issue.GetCweByRule(i.RuleID) name := i.RuleID if cwe != nil { name = cwe.Name } return &ReportingDescriptor{ ID: i.RuleID, Name: name, ShortDescription: NewMultiformatMessageString(i.What), FullDescription: NewMultiformatMessageString(i.What), Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n", i.What, i.Severity.String(), i.Confidence.String())), Properties: &PropertyBag{ "tags": []string{"security", i.Severity.String()}, "precision": strings.ToLower(i.Confidence.String()), }, DefaultConfiguration: &ReportingConfiguration{ Level: getSarifLevel(i.Severity.String()), }, Relationships: []*ReportingDescriptorRelationship{ buildSarifReportingDescriptorRelationship(i.Cwe), }, } } func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship { if weakness == nil { return nil } return &ReportingDescriptorRelationship{ Target: &ReportingDescriptorReference{ ID: weakness.ID, GUID: uuid3(weakness.SprintID()), ToolComponent: NewToolComponentReference(cwe.Acronym), }, Kinds: []string{"superset"}, } } func buildCWETaxonomy(taxa []*ReportingDescriptor) *ToolComponent { return NewToolComponent(cwe.Acronym, cwe.Version, cwe.InformationURI). WithReleaseDateUtc(cwe.ReleaseDateUtc). WithDownloadURI(cwe.DownloadURI). WithOrganization(cwe.Organization). WithShortDescription(NewMultiformatMessageString(cwe.Description)). WithIsComprehensive(true). WithLanguage("en"). WithMinimumRequiredLocalizedDataSemanticVersion(cwe.Version). WithTaxa(taxa...) } func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor { return &ReportingDescriptor{ ID: weakness.ID, GUID: uuid3(weakness.SprintID()), HelpURI: weakness.SprintURL(), FullDescription: NewMultiformatMessageString(weakness.Description), ShortDescription: NewMultiformatMessageString(weakness.Name), } } func parseSemanticVersion(version string) string { if len(version) == 0 { return "devel" } if strings.HasPrefix(version, "v") { return version[1:] } return version } func buildSarifDriver(rules []*ReportingDescriptor, gosecVersion string) *ToolComponent { semanticVersion := parseSemanticVersion(gosecVersion) return NewToolComponent("gosec", gosecVersion, "https://github.com/securego/gosec/"). WithSemanticVersion(semanticVersion). WithSupportedTaxonomies(NewToolComponentReference(cwe.Acronym)). WithRules(rules...) } func uuid3(value string) string { return uuid.NewMD5(uuid.Nil, []byte(value)).String() } // parseSarifLocation return SARIF location struct func parseSarifLocation(i *issue.Issue, rootPaths []string) (*Location, error) { region, err := parseSarifRegion(i) if err != nil { return nil, err } artifactLocation := parseSarifArtifactLocation(i, rootPaths) return NewLocation(NewPhysicalLocation(artifactLocation, region)), nil } func parseSarifArtifactLocation(i *issue.Issue, rootPaths []string) *ArtifactLocation { var filePath string for _, rootPath := range rootPaths { if strings.HasPrefix(i.File, rootPath) { filePath = strings.Replace(i.File, rootPath+"/", "", 1) } } return NewArtifactLocation(filePath) } func parseSarifRegion(i *issue.Issue) (*Region, error) { lines := strings.Split(i.Line, "-") startLine, err := strconv.Atoi(lines[0]) if err != nil { return nil, err } endLine := startLine if len(lines) > 1 { endLine, err = strconv.Atoi(lines[1]) if err != nil { return nil, err } } col, err := strconv.Atoi(i.Col) if err != nil { return nil, err } var code string line := startLine codeLines := strings.Split(i.Code, "\n") for _, codeLine := range codeLines { lineStart := fmt.Sprintf("%d:", line) if strings.HasPrefix(codeLine, lineStart) { code += strings.TrimSpace( strings.TrimPrefix(codeLine, lineStart)) if endLine > startLine { code += "\n" } line++ if line > endLine { break } } } snippet := NewArtifactContent(code) return NewRegion(startLine, endLine, col, col, "go").WithSnippet(snippet), nil } func getSarifLevel(s string) Level { switch s { case "LOW": return Warning case "MEDIUM": return Error case "HIGH": return Error default: return Note } } func buildSarifSuppressions(suppressions []issue.SuppressionInfo) []*Suppression { var sarifSuppressionList []*Suppression for _, s := range suppressions { sarifSuppressionList = append(sarifSuppressionList, NewSuppression(s.Kind, s.Justification)) } return sarifSuppressionList } 07070100000060000081A400000000000000000000000166F55269000000CA000000000000000000000000000000000000002E00000000gosec-2.21.4/report/sarif/sarif_suite_test.gopackage sarif_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestRules(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Sarif Formatters Suite") } 07070100000061000081A400000000000000000000000166F55269000016B0000000000000000000000000000000000000002800000000gosec-2.21.4/report/sarif/sarif_test.gopackage sarif_test import ( "bytes" "regexp" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/report/sarif" ) var _ = Describe("Sarif Formatter", func() { BeforeEach(func() { }) Context("when converting to Sarif issues", func() { It("sarif formatted report should contain the result", func() { buf := new(bytes.Buffer) reportInfo := gosec.NewReportInfo([]*issue.Issue{}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0") err := sarif.WriteReport(buf, reportInfo, []string{}) result := buf.String() Expect(err).ShouldNot(HaveOccurred()) Expect(result).To(ContainSubstring("\"results\": [")) }) It("sarif formatted report should contain the suppressed results", func() { ruleID := "G101" cwe := issue.GetCweByRule(ruleID) suppressedIssue := issue.Issue{ File: "/home/src/project/test.go", Line: "1", Col: "1", RuleID: ruleID, What: "test", Confidence: issue.High, Severity: issue.High, Code: "1: testcode", Cwe: cwe, Suppressions: []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, }, } reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0") buf := new(bytes.Buffer) err := sarif.WriteReport(buf, reportInfo, []string{}) result := buf.String() Expect(err).ShouldNot(HaveOccurred()) hasResults, _ := regexp.MatchString(`"results": \[(\s*){`, result) Expect(hasResults).To(BeTrue()) hasSuppressions, _ := regexp.MatchString(`"suppressions": \[(\s*){`, result) Expect(hasSuppressions).To(BeTrue()) }) It("sarif formatted report should contain the formatted one line code snippet", func() { ruleID := "G101" cwe := issue.GetCweByRule(ruleID) code := "68: \t\t}\n69: \t\tvar data = template.HTML(v.TmplFile)\n70: \t\tisTmpl := true\n" expectedCode := "var data = template.HTML(v.TmplFile)" newissue := issue.Issue{ File: "/home/src/project/test.go", Line: "69", Col: "14", RuleID: ruleID, What: "test", Confidence: issue.High, Severity: issue.High, Code: code, Cwe: cwe, Suppressions: []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, }, } reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0") sarifReport, err := sarif.GenerateReport([]string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode)) }) It("sarif formatted report should contain the formatted multiple line code snippet", func() { ruleID := "G101" cwe := issue.GetCweByRule(ruleID) code := "68: }\n69: var data = template.HTML(v.TmplFile)\n70: isTmpl := true\n" expectedCode := "var data = template.HTML(v.TmplFile)\nisTmpl := true\n" newissue := issue.Issue{ File: "/home/src/project/test.go", Line: "69-70", Col: "14", RuleID: ruleID, What: "test", Confidence: issue.High, Severity: issue.High, Code: code, Cwe: cwe, Suppressions: []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, }, } reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0") sarifReport, err := sarif.GenerateReport([]string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode)) }) It("sarif formatted report should have proper rule index", func() { rules := []string{"G404", "G101", "G102", "G103"} issues := []*issue.Issue{} for _, rule := range rules { cwe := issue.GetCweByRule(rule) newissue := issue.Issue{ File: "/home/src/project/test.go", Line: "69-70", Col: "14", RuleID: rule, What: "test", Confidence: issue.High, Severity: issue.High, Cwe: cwe, Suppressions: []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, }, } issues = append(issues, &newissue) } dupRules := []string{"G102", "G404"} for _, rule := range dupRules { cwe := issue.GetCweByRule(rule) newissue := issue.Issue{ File: "/home/src/project/test.go", Line: "69-70", Col: "14", RuleID: rule, What: "test", Confidence: issue.High, Severity: issue.High, Cwe: cwe, Suppressions: []issue.SuppressionInfo{ { Kind: "kind", Justification: "justification", }, }, } issues = append(issues, &newissue) } reportInfo := gosec.NewReportInfo(issues, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0") sarifReport, err := sarif.GenerateReport([]string{}, reportInfo) Expect(err).ShouldNot(HaveOccurred()) resultRuleIndexes := map[string]int{} for _, result := range sarifReport.Runs[0].Results { resultRuleIndexes[result.RuleID] = result.RuleIndex } driverRuleIndexes := map[string]int{} for ruleIndex, rule := range sarifReport.Runs[0].Tool.Driver.Rules { driverRuleIndexes[rule.ID] = ruleIndex } Expect(resultRuleIndexes).Should(Equal(driverRuleIndexes)) }) }) }) 07070100000062000081A400000000000000000000000166F5526900010376000000000000000000000000000000000000002300000000gosec-2.21.4/report/sarif/types.go// Code generated by schema-generate. DO NOT EDIT. package sarif // Address A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file). type Address struct { // The address expressed as a byte offset from the start of the addressable region. AbsoluteAddress int `json:"absoluteAddress,omitempty"` // A human-readable fully qualified name that is associated with the address. FullyQualifiedName string `json:"fullyQualifiedName,omitempty"` // The index within run.addresses of the cached object for this address. Index int `json:"index,omitempty"` // An open-ended string that identifies the address kind. 'data', 'function', 'header','instruction', 'module', 'page', 'section', 'segment', 'stack', 'stackFrame', 'table' are well-known values. Kind string `json:"kind,omitempty"` // The number of bytes in this range of addresses. Length int `json:"length,omitempty"` // A name that is associated with the address, e.g., '.text'. Name string `json:"name,omitempty"` // The byte offset of this address from the absolute or relative address of the parent object. OffsetFromParent int `json:"offsetFromParent,omitempty"` // The index within run.addresses of the parent object. ParentIndex int `json:"parentIndex,omitempty"` // Key/value pairs that provide additional information about the address. Properties *PropertyBag `json:"properties,omitempty"` // The address expressed as a byte offset from the absolute address of the top-most parent object. RelativeAddress int `json:"relativeAddress,omitempty"` } // Artifact A single artifact. In some cases, this artifact might be nested within another artifact. type Artifact struct { // The contents of the artifact. Contents *ArtifactContent `json:"contents,omitempty"` // A short description of the artifact. Description *Message `json:"description,omitempty"` // Specifies the encoding for an artifact object that refers to a text file. Encoding string `json:"encoding,omitempty"` // A dictionary, each of whose keys is the name of a hash function and each of whose values is the hashed value of the artifact produced by the specified hash function. Hashes map[string]string `json:"hashes,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the artifact was most recently modified. See "Date/time properties" in the SARIF spec for the required format. LastModifiedTimeUtc string `json:"lastModifiedTimeUtc,omitempty"` // The length of the artifact in bytes. Length int `json:"length,omitempty"` // The location of the artifact. Location *ArtifactLocation `json:"location,omitempty"` // The MIME type (RFC 2045) of the artifact. MimeType string `json:"mimeType,omitempty"` // The offset in bytes of the artifact within its containing artifact. Offset int `json:"offset,omitempty"` // Identifies the index of the immediate parent of the artifact, if this artifact is nested. ParentIndex int `json:"parentIndex,omitempty"` // Key/value pairs that provide additional information about the artifact. Properties *PropertyBag `json:"properties,omitempty"` // The role or roles played by the artifact in the analysis. Roles []interface{} `json:"roles,omitempty"` // Specifies the source language for any artifact object that refers to a text file that contains source code. SourceLanguage string `json:"sourceLanguage,omitempty"` } // ArtifactChange A change to a single artifact. type ArtifactChange struct { // The location of the artifact to change. ArtifactLocation *ArtifactLocation `json:"artifactLocation"` // Key/value pairs that provide additional information about the change. Properties *PropertyBag `json:"properties,omitempty"` // An array of replacement objects, each of which represents the replacement of a single region in a single artifact specified by 'artifactLocation'. Replacements []*Replacement `json:"replacements"` } // ArtifactContent Represents the contents of an artifact. type ArtifactContent struct { // MIME Base64-encoded content from a binary artifact, or from a text artifact in its original encoding. Binary string `json:"binary,omitempty"` // Key/value pairs that provide additional information about the artifact content. Properties *PropertyBag `json:"properties,omitempty"` // An alternate rendered representation of the artifact (e.g., a decompiled representation of a binary region). Rendered *MultiformatMessageString `json:"rendered,omitempty"` // UTF-8-encoded content from a text artifact. Text string `json:"text,omitempty"` } // ArtifactLocation Specifies the location of an artifact. type ArtifactLocation struct { // A short description of the artifact location. Description *Message `json:"description,omitempty"` // The index within the run artifacts array of the artifact object associated with the artifact location. Index int `json:"index,omitempty"` // Key/value pairs that provide additional information about the artifact location. Properties *PropertyBag `json:"properties,omitempty"` // A string containing a valid relative or absolute URI. URI string `json:"uri,omitempty"` // A string which indirectly specifies the absolute URI with respect to which a relative URI in the "uri" property is interpreted. UriBaseID string `json:"uriBaseId,omitempty"` } // Attachment An artifact relevant to a result. type Attachment struct { // The location of the attachment. ArtifactLocation *ArtifactLocation `json:"artifactLocation"` // A message describing the role played by the attachment. Description *Message `json:"description,omitempty"` // Key/value pairs that provide additional information about the attachment. Properties *PropertyBag `json:"properties,omitempty"` // An array of rectangles specifying areas of interest within the image. Rectangles []*Rectangle `json:"rectangles,omitempty"` // An array of regions of interest within the attachment. Regions []*Region `json:"regions,omitempty"` } // CodeFlow A set of threadFlows which together describe a pattern of code execution relevant to detecting a result. type CodeFlow struct { // A message relevant to the code flow. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the code flow. Properties *PropertyBag `json:"properties,omitempty"` // An array of one or more unique threadFlow objects, each of which describes the progress of a program through a thread of execution. ThreadFlows []*ThreadFlow `json:"threadFlows"` } // ConfigurationOverride Information about how a specific rule or notification was reconfigured at runtime. type ConfigurationOverride struct { // Specifies how the rule or notification was configured during the scan. Configuration *ReportingConfiguration `json:"configuration"` // A reference used to locate the descriptor whose configuration was overridden. Descriptor *ReportingDescriptorReference `json:"descriptor"` // Key/value pairs that provide additional information about the configuration override. Properties *PropertyBag `json:"properties,omitempty"` } // Conversion Describes how a converter transformed the output of a static analysis tool from the analysis tool's native output format into the SARIF format. type Conversion struct { // The locations of the analysis tool's per-run log files. AnalysisToolLogFiles []*ArtifactLocation `json:"analysisToolLogFiles,omitempty"` // An invocation object that describes the invocation of the converter. Invocation *Invocation `json:"invocation,omitempty"` // Key/value pairs that provide additional information about the conversion. Properties *PropertyBag `json:"properties,omitempty"` // A tool object that describes the converter. Tool *Tool `json:"tool"` } // Edge Represents a directed edge in a graph. type Edge struct { // A string that uniquely identifies the edge within its graph. ID string `json:"id"` // A short description of the edge. Label *Message `json:"label,omitempty"` // Key/value pairs that provide additional information about the edge. Properties *PropertyBag `json:"properties,omitempty"` // Identifies the source node (the node at which the edge starts). SourceNodeID string `json:"sourceNodeId"` // Identifies the target node (the node at which the edge ends). TargetNodeID string `json:"targetNodeId"` } // EdgeTraversal Represents the traversal of a single edge during a graph traversal. type EdgeTraversal struct { // Identifies the edge being traversed. EdgeID string `json:"edgeId"` // The values of relevant expressions after the edge has been traversed. FinalState map[string]*MultiformatMessageString `json:"finalState,omitempty"` // A message to display to the user as the edge is traversed. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the edge traversal. Properties *PropertyBag `json:"properties,omitempty"` // The number of edge traversals necessary to return from a nested graph. StepOverEdgeCount int `json:"stepOverEdgeCount,omitempty"` } // Exception Describes a runtime exception encountered during the execution of an analysis tool. type Exception struct { // An array of exception objects each of which is considered a cause of this exception. InnerExceptions []*Exception `json:"innerExceptions,omitempty"` // A string that identifies the kind of exception, for example, the fully qualified type name of an object that was thrown, or the symbolic name of a signal. Kind string `json:"kind,omitempty"` // A message that describes the exception. Message string `json:"message,omitempty"` // Key/value pairs that provide additional information about the exception. Properties *PropertyBag `json:"properties,omitempty"` // The sequence of function calls leading to the exception. Stack *Stack `json:"stack,omitempty"` } // ExternalProperties The top-level element of an external property file. type ExternalProperties struct { // Addresses that will be merged with a separate run. Addresses []*Address `json:"addresses,omitempty"` // An array of artifact objects that will be merged with a separate run. Artifacts []*Artifact `json:"artifacts,omitempty"` // A conversion object that will be merged with a separate run. Conversion *Conversion `json:"conversion,omitempty"` // The analysis tool object that will be merged with a separate run. Driver *ToolComponent `json:"driver,omitempty"` // Tool extensions that will be merged with a separate run. Extensions []*ToolComponent `json:"extensions,omitempty"` // Key/value pairs that provide additional information that will be merged with a separate run. ExternalizedProperties *PropertyBag `json:"externalizedProperties,omitempty"` // An array of graph objects that will be merged with a separate run. Graphs []*Graph `json:"graphs,omitempty"` // A stable, unique identifier for this external properties object, in the form of a GUID. GUID string `json:"guid,omitempty"` // Describes the invocation of the analysis tool that will be merged with a separate run. Invocations []*Invocation `json:"invocations,omitempty"` // An array of logical locations such as namespaces, types or functions that will be merged with a separate run. LogicalLocations []*LogicalLocation `json:"logicalLocations,omitempty"` // Tool policies that will be merged with a separate run. Policies []*ToolComponent `json:"policies,omitempty"` // Key/value pairs that provide additional information about the external properties. Properties *PropertyBag `json:"properties,omitempty"` // An array of result objects that will be merged with a separate run. Results []*Result `json:"results,omitempty"` // A stable, unique identifier for the run associated with this external properties object, in the form of a GUID. RunGUID string `json:"runGuid,omitempty"` // The URI of the JSON schema corresponding to the version of the external property file format. Schema string `json:"schema,omitempty"` // Tool taxonomies that will be merged with a separate run. Taxonomies []*ToolComponent `json:"taxonomies,omitempty"` // An array of threadFlowLocation objects that will be merged with a separate run. ThreadFlowLocations []*ThreadFlowLocation `json:"threadFlowLocations,omitempty"` // Tool translations that will be merged with a separate run. Translations []*ToolComponent `json:"translations,omitempty"` // The SARIF format version of this external properties object. Version interface{} `json:"version,omitempty"` // Requests that will be merged with a separate run. WebRequests []*WebRequest `json:"webRequests,omitempty"` // Responses that will be merged with a separate run. WebResponses []*WebResponse `json:"webResponses,omitempty"` } // ExternalPropertyFileReference Contains information that enables a SARIF consumer to locate the external property file that contains the value of an externalized property associated with the run. type ExternalPropertyFileReference struct { // A stable, unique identifier for the external property file in the form of a GUID. GUID string `json:"guid,omitempty"` // A non-negative integer specifying the number of items contained in the external property file. ItemCount int `json:"itemCount,omitempty"` // The location of the external property file. Location *ArtifactLocation `json:"location,omitempty"` // Key/value pairs that provide additional information about the external property file. Properties *PropertyBag `json:"properties,omitempty"` } // ExternalPropertyFileReferences References to external property files that should be inlined with the content of a root log file. type ExternalPropertyFileReferences struct { // An array of external property files containing run.addresses arrays to be merged with the root log file. Addresses []*ExternalPropertyFileReference `json:"addresses,omitempty"` // An array of external property files containing run.artifacts arrays to be merged with the root log file. Artifacts []*ExternalPropertyFileReference `json:"artifacts,omitempty"` // An external property file containing a run.conversion object to be merged with the root log file. Conversion *ExternalPropertyFileReference `json:"conversion,omitempty"` // An external property file containing a run.driver object to be merged with the root log file. Driver *ExternalPropertyFileReference `json:"driver,omitempty"` // An array of external property files containing run.extensions arrays to be merged with the root log file. Extensions []*ExternalPropertyFileReference `json:"extensions,omitempty"` // An external property file containing a run.properties object to be merged with the root log file. ExternalizedProperties *ExternalPropertyFileReference `json:"externalizedProperties,omitempty"` // An array of external property files containing a run.graphs object to be merged with the root log file. Graphs []*ExternalPropertyFileReference `json:"graphs,omitempty"` // An array of external property files containing run.invocations arrays to be merged with the root log file. Invocations []*ExternalPropertyFileReference `json:"invocations,omitempty"` // An array of external property files containing run.logicalLocations arrays to be merged with the root log file. LogicalLocations []*ExternalPropertyFileReference `json:"logicalLocations,omitempty"` // An array of external property files containing run.policies arrays to be merged with the root log file. Policies []*ExternalPropertyFileReference `json:"policies,omitempty"` // Key/value pairs that provide additional information about the external property files. Properties *PropertyBag `json:"properties,omitempty"` // An array of external property files containing run.results arrays to be merged with the root log file. Results []*ExternalPropertyFileReference `json:"results,omitempty"` // An array of external property files containing run.taxonomies arrays to be merged with the root log file. Taxonomies []*ExternalPropertyFileReference `json:"taxonomies,omitempty"` // An array of external property files containing run.threadFlowLocations arrays to be merged with the root log file. ThreadFlowLocations []*ExternalPropertyFileReference `json:"threadFlowLocations,omitempty"` // An array of external property files containing run.translations arrays to be merged with the root log file. Translations []*ExternalPropertyFileReference `json:"translations,omitempty"` // An array of external property files containing run.requests arrays to be merged with the root log file. WebRequests []*ExternalPropertyFileReference `json:"webRequests,omitempty"` // An array of external property files containing run.responses arrays to be merged with the root log file. WebResponses []*ExternalPropertyFileReference `json:"webResponses,omitempty"` } // Fix A proposed fix for the problem represented by a result object. A fix specifies a set of artifacts to modify. For each artifact, it specifies a set of bytes to remove, and provides a set of new bytes to replace them. type Fix struct { // One or more artifact changes that comprise a fix for a result. ArtifactChanges []*ArtifactChange `json:"artifactChanges"` // A message that describes the proposed fix, enabling viewers to present the proposed change to an end user. Description *Message `json:"description,omitempty"` // Key/value pairs that provide additional information about the fix. Properties *PropertyBag `json:"properties,omitempty"` } // Graph A network of nodes and directed edges that describes some aspect of the structure of the code (for example, a call graph). type Graph struct { // A description of the graph. Description *Message `json:"description,omitempty"` // An array of edge objects representing the edges of the graph. Edges []*Edge `json:"edges,omitempty"` // An array of node objects representing the nodes of the graph. Nodes []*Node `json:"nodes,omitempty"` // Key/value pairs that provide additional information about the graph. Properties *PropertyBag `json:"properties,omitempty"` } // GraphTraversal Represents a path through a graph. type GraphTraversal struct { // A description of this graph traversal. Description *Message `json:"description,omitempty"` // The sequences of edges traversed by this graph traversal. EdgeTraversals []*EdgeTraversal `json:"edgeTraversals,omitempty"` // Values of relevant expressions at the start of the graph traversal that remain constant for the graph traversal. ImmutableState map[string]*MultiformatMessageString `json:"immutableState,omitempty"` // Values of relevant expressions at the start of the graph traversal that may change during graph traversal. InitialState map[string]*MultiformatMessageString `json:"initialState,omitempty"` // Key/value pairs that provide additional information about the graph traversal. Properties *PropertyBag `json:"properties,omitempty"` // The index within the result.graphs to be associated with the result. ResultGraphIndex int `json:"resultGraphIndex,omitempty"` // The index within the run.graphs to be associated with the result. RunGraphIndex int `json:"runGraphIndex,omitempty"` } // Invocation The runtime environment of the analysis tool run. type Invocation struct { // The account under which the invocation occurred. Account string `json:"account,omitempty"` // An array of strings, containing in order the command line arguments passed to the tool from the operating system. Arguments []string `json:"arguments,omitempty"` // The command line used to invoke the tool. CommandLine string `json:"commandLine,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the invocation ended. See "Date/time properties" in the SARIF spec for the required format. EndTimeUtc string `json:"endTimeUtc,omitempty"` // The environment variables associated with the analysis tool process, expressed as key/value pairs. EnvironmentVariables map[string]string `json:"environmentVariables,omitempty"` // An absolute URI specifying the location of the executable that was invoked. ExecutableLocation *ArtifactLocation `json:"executableLocation,omitempty"` // Specifies whether the tool's execution completed successfully. ExecutionSuccessful bool `json:"executionSuccessful"` // The process exit code. ExitCode int `json:"exitCode,omitempty"` // The reason for the process exit. ExitCodeDescription string `json:"exitCodeDescription,omitempty"` // The name of the signal that caused the process to exit. ExitSignalName string `json:"exitSignalName,omitempty"` // The numeric value of the signal that caused the process to exit. ExitSignalNumber int `json:"exitSignalNumber,omitempty"` // The machine on which the invocation occurred. Machine string `json:"machine,omitempty"` // An array of configurationOverride objects that describe notifications related runtime overrides. NotificationConfigurationOverrides []*ConfigurationOverride `json:"notificationConfigurationOverrides,omitempty"` // The id of the process in which the invocation occurred. ProcessId int `json:"processId,omitempty"` // The reason given by the operating system that the process failed to start. ProcessStartFailureMessage string `json:"processStartFailureMessage,omitempty"` // Key/value pairs that provide additional information about the invocation. Properties *PropertyBag `json:"properties,omitempty"` // The locations of any response files specified on the tool's command line. ResponseFiles []*ArtifactLocation `json:"responseFiles,omitempty"` // An array of configurationOverride objects that describe rules related runtime overrides. RuleConfigurationOverrides []*ConfigurationOverride `json:"ruleConfigurationOverrides,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the invocation started. See "Date/time properties" in the SARIF spec for the required format. StartTimeUtc string `json:"startTimeUtc,omitempty"` // A file containing the standard error stream from the process that was invoked. Stderr *ArtifactLocation `json:"stderr,omitempty"` // A file containing the standard input stream to the process that was invoked. Stdin *ArtifactLocation `json:"stdin,omitempty"` // A file containing the standard output stream from the process that was invoked. Stdout *ArtifactLocation `json:"stdout,omitempty"` // A file containing the interleaved standard output and standard error stream from the process that was invoked. StdoutStderr *ArtifactLocation `json:"stdoutStderr,omitempty"` // A list of conditions detected by the tool that are relevant to the tool's configuration. ToolConfigurationNotifications []*Notification `json:"toolConfigurationNotifications,omitempty"` // A list of runtime conditions detected by the tool during the analysis. ToolExecutionNotifications []*Notification `json:"toolExecutionNotifications,omitempty"` // The working directory for the invocation. WorkingDirectory *ArtifactLocation `json:"workingDirectory,omitempty"` } // Location A location within a programming artifact. type Location struct { // A set of regions relevant to the location. Annotations []*Region `json:"annotations,omitempty"` // Value that distinguishes this location from all other locations within a single result object. Id int `json:"id,omitempty"` // The logical locations associated with the result. LogicalLocations []*LogicalLocation `json:"logicalLocations,omitempty"` // A message relevant to the location. Message *Message `json:"message,omitempty"` // Identifies the artifact and region. PhysicalLocation *PhysicalLocation `json:"physicalLocation,omitempty"` // Key/value pairs that provide additional information about the location. Properties *PropertyBag `json:"properties,omitempty"` // An array of objects that describe relationships between this location and others. Relationships []*LocationRelationship `json:"relationships,omitempty"` } // LocationRelationship Information about the relation of one location to another. type LocationRelationship struct { // A description of the location relationship. Description *Message `json:"description,omitempty"` // A set of distinct strings that categorize the relationship. Well-known kinds include 'includes', 'isIncludedBy' and 'relevant'. Kinds []string `json:"kinds,omitempty"` // Key/value pairs that provide additional information about the location relationship. Properties *PropertyBag `json:"properties,omitempty"` // A reference to the related location. Target int `json:"target"` } // LogicalLocation A logical location of a construct that produced a result. type LogicalLocation struct { // The machine-readable name for the logical location, such as a mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name. DecoratedName string `json:"decoratedName,omitempty"` // The human-readable fully qualified name of the logical location. FullyQualifiedName string `json:"fullyQualifiedName,omitempty"` // The index within the logical locations array. Index int `json:"index,omitempty"` // The type of construct this logical location component refers to. Should be one of 'function', 'member', 'module', 'namespace', 'parameter', 'resource', 'returnType', 'type', 'variable', 'object', 'array', 'property', 'value', 'element', 'text', 'attribute', 'comment', 'declaration', 'dtd' or 'processingInstruction', if any of those accurately describe the construct. Kind string `json:"kind,omitempty"` // Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method. Name string `json:"name,omitempty"` // Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type. ParentIndex int `json:"parentIndex,omitempty"` // Key/value pairs that provide additional information about the logical location. Properties *PropertyBag `json:"properties,omitempty"` } // Message Encapsulates a message intended to be read by the end user. type Message struct { // An array of strings to substitute into the message string. Arguments []string `json:"arguments,omitempty"` // The identifier for this message. ID string `json:"id,omitempty"` // A Markdown message string. Markdown string `json:"markdown,omitempty"` // Key/value pairs that provide additional information about the message. Properties *PropertyBag `json:"properties,omitempty"` // A plain text message string. Text string `json:"text,omitempty"` } // MultiformatMessageString A message string or message format string rendered in multiple formats. type MultiformatMessageString struct { // A Markdown message string or format string. Markdown string `json:"markdown,omitempty"` // Key/value pairs that provide additional information about the message. Properties *PropertyBag `json:"properties,omitempty"` // A plain text message string or format string. Text string `json:"text"` } // Node Represents a node in a graph. type Node struct { // Array of child nodes. Children []*Node `json:"children,omitempty"` // A string that uniquely identifies the node within its graph. ID string `json:"id"` // A short description of the node. Label *Message `json:"label,omitempty"` // A code location associated with the node. Location *Location `json:"location,omitempty"` // Key/value pairs that provide additional information about the node. Properties *PropertyBag `json:"properties,omitempty"` } // Notification Describes a condition relevant to the tool itself, as opposed to being relevant to a target being analyzed by the tool. type Notification struct { // A reference used to locate the rule descriptor associated with this notification. AssociatedRule *ReportingDescriptorReference `json:"associatedRule,omitempty"` // A reference used to locate the descriptor relevant to this notification. Descriptor *ReportingDescriptorReference `json:"descriptor,omitempty"` // The runtime exception, if any, relevant to this notification. Exception *Exception `json:"exception,omitempty"` // A value specifying the severity level of the notification. Level interface{} `json:"level,omitempty"` // The locations relevant to this notification. Locations []*Location `json:"locations,omitempty"` // A message that describes the condition that was encountered. Message *Message `json:"message"` // Key/value pairs that provide additional information about the notification. Properties *PropertyBag `json:"properties,omitempty"` // The thread identifier of the code that generated the notification. ThreadID int `json:"threadId,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the analysis tool generated the notification. TimeUtc string `json:"timeUtc,omitempty"` } // PhysicalLocation A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. type PhysicalLocation struct { // The address of the location. Address *Address `json:"address,omitempty"` // The location of the artifact. ArtifactLocation *ArtifactLocation `json:"artifactLocation,omitempty"` // Specifies a portion of the artifact that encloses the region. Allows a viewer to display additional context around the region. ContextRegion *Region `json:"contextRegion,omitempty"` // Key/value pairs that provide additional information about the physical location. Properties *PropertyBag `json:"properties,omitempty"` // Specifies a portion of the artifact. Region *Region `json:"region,omitempty"` } // PropertyBag Key/value pairs that provide additional information about the object. type PropertyBag map[string]interface{} // Rectangle An area within an image. type Rectangle struct { // The Y coordinate of the bottom edge of the rectangle, measured in the image's natural units. Bottom float64 `json:"bottom,omitempty"` // The X coordinate of the left edge of the rectangle, measured in the image's natural units. Left float64 `json:"left,omitempty"` // A message relevant to the rectangle. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the rectangle. Properties *PropertyBag `json:"properties,omitempty"` // The X coordinate of the right edge of the rectangle, measured in the image's natural units. Right float64 `json:"right,omitempty"` // The Y coordinate of the top edge of the rectangle, measured in the image's natural units. Top float64 `json:"top,omitempty"` } // Region A region within an artifact where a result was detected. type Region struct { // The length of the region in bytes. ByteLength int `json:"byteLength,omitempty"` // The zero-based offset from the beginning of the artifact of the first byte in the region. ByteOffset int `json:"byteOffset,omitempty"` // The length of the region in characters. CharLength int `json:"charLength,omitempty"` // The zero-based offset from the beginning of the artifact of the first character in the region. CharOffset int `json:"charOffset,omitempty"` // The column number of the character following the end of the region. EndColumn int `json:"endColumn,omitempty"` // The line number of the last character in the region. EndLine int `json:"endLine,omitempty"` // A message relevant to the region. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the region. Properties *PropertyBag `json:"properties,omitempty"` // The portion of the artifact contents within the specified region. Snippet *ArtifactContent `json:"snippet,omitempty"` // Specifies the source language, if any, of the portion of the artifact specified by the region object. SourceLanguage string `json:"sourceLanguage,omitempty"` // The column number of the first character in the region. StartColumn int `json:"startColumn,omitempty"` // The line number of the first character in the region. StartLine int `json:"startLine,omitempty"` } // Replacement The replacement of a single region of an artifact. type Replacement struct { // The region of the artifact to delete. DeletedRegion *Region `json:"deletedRegion"` // The content to insert at the location specified by the 'deletedRegion' property. InsertedContent *ArtifactContent `json:"insertedContent,omitempty"` // Key/value pairs that provide additional information about the replacement. Properties *PropertyBag `json:"properties,omitempty"` } // ReportingConfiguration Information about a rule or notification that can be configured at runtime. type ReportingConfiguration struct { // Specifies whether the report may be produced during the scan. Enabled bool `json:"enabled,omitempty"` // Specifies the failure level for the report. Level interface{} `json:"level,omitempty"` // Contains configuration information specific to a report. Parameters *PropertyBag `json:"parameters,omitempty"` // Key/value pairs that provide additional information about the reporting configuration. Properties *PropertyBag `json:"properties,omitempty"` // Specifies the relative priority of the report. Used for analysis output only. Rank float64 `json:"rank,omitempty"` } // ReportingDescriptor Metadata that describes a specific report produced by the tool, as part of the analysis it provides or its runtime reporting. type ReportingDescriptor struct { // Default reporting configuration information. DefaultConfiguration *ReportingConfiguration `json:"defaultConfiguration,omitempty"` // An array of unique identifies in the form of a GUID by which this report was known in some previous version of the analysis tool. DeprecatedGuids []string `json:"deprecatedGuids,omitempty"` // An array of stable, opaque identifiers by which this report was known in some previous version of the analysis tool. DeprecatedIds []string `json:"deprecatedIds,omitempty"` // An array of readable identifiers by which this report was known in some previous version of the analysis tool. DeprecatedNames []string `json:"deprecatedNames,omitempty"` // A description of the report. Should, as far as possible, provide details sufficient to enable resolution of any problem indicated by the result. FullDescription *MultiformatMessageString `json:"fullDescription,omitempty"` // A unique identifier for the reporting descriptor in the form of a GUID. GUID string `json:"guid,omitempty"` // Provides the primary documentation for the report, useful when there is no online documentation. Help *MultiformatMessageString `json:"help,omitempty"` // A URI where the primary documentation for the report can be found. HelpURI string `json:"helpUri,omitempty"` // A stable, opaque identifier for the report. ID string `json:"id"` // A set of name/value pairs with arbitrary names. Each value is a multiformatMessageString object, which holds message strings in plain text and (optionally) Markdown format. The strings can include placeholders, which can be used to construct a message in combination with an arbitrary number of additional string arguments. MessageStrings map[string]*MultiformatMessageString `json:"messageStrings,omitempty"` // A report identifier that is understandable to an end user. Name string `json:"name,omitempty"` // Key/value pairs that provide additional information about the report. Properties *PropertyBag `json:"properties,omitempty"` // An array of objects that describe relationships between this reporting descriptor and others. Relationships []*ReportingDescriptorRelationship `json:"relationships,omitempty"` // A concise description of the report. Should be a single sentence that is understandable when visible space is limited to a single line of text. ShortDescription *MultiformatMessageString `json:"shortDescription,omitempty"` } // ReportingDescriptorReference Information about how to locate a relevant reporting descriptor. type ReportingDescriptorReference struct { // A guid that uniquely identifies the descriptor. GUID string `json:"guid,omitempty"` // The id of the descriptor. ID string `json:"id,omitempty"` // The index into an array of descriptors in toolComponent.ruleDescriptors, toolComponent.notificationDescriptors, or toolComponent.taxonomyDescriptors, depending on context. Index int `json:"index,omitempty"` // Key/value pairs that provide additional information about the reporting descriptor reference. Properties *PropertyBag `json:"properties,omitempty"` // A reference used to locate the toolComponent associated with the descriptor. ToolComponent *ToolComponentReference `json:"toolComponent,omitempty"` } // ReportingDescriptorRelationship Information about the relation of one reporting descriptor to another. type ReportingDescriptorRelationship struct { // A description of the reporting descriptor relationship. Description *Message `json:"description,omitempty"` // A set of distinct strings that categorize the relationship. Well-known kinds include 'canPrecede', 'canFollow', 'willPrecede', 'willFollow', 'superset', 'subset', 'equal', 'disjoint', 'relevant', and 'incomparable'. Kinds []string `json:"kinds,omitempty"` // Key/value pairs that provide additional information about the reporting descriptor reference. Properties *PropertyBag `json:"properties,omitempty"` // A reference to the related reporting descriptor. Target *ReportingDescriptorReference `json:"target"` } // Result A result produced by an analysis tool. type Result struct { // Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred. AnalysisTarget *ArtifactLocation `json:"analysisTarget,omitempty"` // A set of artifacts relevant to the result. Attachments []*Attachment `json:"attachments,omitempty"` // The state of a result relative to a baseline of a previous run. BaselineState interface{} `json:"baselineState,omitempty"` // An array of 'codeFlow' objects relevant to the result. CodeFlows []*CodeFlow `json:"codeFlows,omitempty"` // A stable, unique identifier for the equivalence class of logically identical results to which this result belongs, in the form of a GUID. CorrelationGUID string `json:"correlationGuid,omitempty"` // A set of strings each of which individually defines a stable, unique identity for the result. Fingerprints map[string]string `json:"fingerprints,omitempty"` // An array of 'fix' objects, each of which represents a proposed fix to the problem indicated by the result. Fixes []*Fix `json:"fixes,omitempty"` // An array of one or more unique 'graphTraversal' objects. GraphTraversals []*GraphTraversal `json:"graphTraversals,omitempty"` // An array of zero or more unique graph objects associated with the result. Graphs []*Graph `json:"graphs,omitempty"` // A stable, unique identifier for the result in the form of a GUID. GUID string `json:"guid,omitempty"` // An absolute URI at which the result can be viewed. HostedViewerURI string `json:"hostedViewerUri,omitempty"` // A value that categorizes results by evaluation state. Kind interface{} `json:"kind,omitempty"` // A value specifying the severity level of the result. Level interface{} `json:"level,omitempty"` // The set of locations where the result was detected. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location. Locations []*Location `json:"locations,omitempty"` // A message that describes the result. The first sentence of the message only will be displayed when visible space is limited. Message *Message `json:"message"` // A positive integer specifying the number of times this logically unique result was observed in this run. OccurrenceCount int `json:"occurrenceCount,omitempty"` // A set of strings that contribute to the stable, unique identity of the result. PartialFingerprints map[string]string `json:"partialFingerprints,omitempty"` // Key/value pairs that provide additional information about the result. Properties *PropertyBag `json:"properties,omitempty"` // Information about how and when the result was detected. Provenance *ResultProvenance `json:"provenance,omitempty"` // A number representing the priority or importance of the result. Rank float64 `json:"rank,omitempty"` // A set of locations relevant to this result. RelatedLocations []*Location `json:"relatedLocations,omitempty"` // A reference used to locate the rule descriptor relevant to this result. Rule *ReportingDescriptorReference `json:"rule,omitempty"` // The stable, unique identifier of the rule, if any, to which this result is relevant. RuleID string `json:"ruleId,omitempty"` // The index within the tool component rules array of the rule object associated with this result. RuleIndex int `json:"ruleIndex,omitempty"` // An array of 'stack' objects relevant to the result. Stacks []*Stack `json:"stacks,omitempty"` // A set of suppressions relevant to this result. Suppressions []*Suppression `json:"suppressions,omitempty"` // An array of references to taxonomy reporting descriptors that are applicable to the result. Taxa []*ReportingDescriptorReference `json:"taxa,omitempty"` // A web request associated with this result. WebRequest *WebRequest `json:"webRequest,omitempty"` // A web response associated with this result. WebResponse *WebResponse `json:"webResponse,omitempty"` // The URIs of the work items associated with this result. WorkItemUris []string `json:"workItemUris,omitempty"` } // ResultProvenance Contains information about how and when a result was detected. type ResultProvenance struct { // An array of physicalLocation objects which specify the portions of an analysis tool's output that a converter transformed into the result. ConversionSources []*PhysicalLocation `json:"conversionSources,omitempty"` // A GUID-valued string equal to the automationDetails.guid property of the run in which the result was first detected. FirstDetectionRunGUID string `json:"firstDetectionRunGuid,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the result was first detected. See "Date/time properties" in the SARIF spec for the required format. FirstDetectionTimeUtc string `json:"firstDetectionTimeUtc,omitempty"` // The index within the run.invocations array of the invocation object which describes the tool invocation that detected the result. InvocationIndex int `json:"invocationIndex,omitempty"` // A GUID-valued string equal to the automationDetails.guid property of the run in which the result was most recently detected. LastDetectionRunGUID string `json:"lastDetectionRunGuid,omitempty"` // The Coordinated Universal Time (UTC) date and time at which the result was most recently detected. See "Date/time properties" in the SARIF spec for the required format. LastDetectionTimeUtc string `json:"lastDetectionTimeUtc,omitempty"` // Key/value pairs that provide additional information about the result. Properties *PropertyBag `json:"properties,omitempty"` } // Run Describes a single run of an analysis tool, and contains the reported output of that run. type Run struct { // Addresses associated with this run instance, if any. Addresses []*Address `json:"addresses,omitempty"` // An array of artifact objects relevant to the run. Artifacts []*Artifact `json:"artifacts,omitempty"` // Automation details that describe this run. AutomationDetails *RunAutomationDetails `json:"automationDetails,omitempty"` // The 'guid' property of a previous SARIF 'run' that comprises the baseline that was used to compute result 'baselineState' properties for the run. BaselineGUID string `json:"baselineGuid,omitempty"` // Specifies the unit in which the tool measures columns. ColumnKind interface{} `json:"columnKind,omitempty"` // A conversion object that describes how a converter transformed an analysis tool's native reporting format into the SARIF format. Conversion *Conversion `json:"conversion,omitempty"` // Specifies the default encoding for any artifact object that refers to a text file. DefaultEncoding string `json:"defaultEncoding,omitempty"` // Specifies the default source language for any artifact object that refers to a text file that contains source code. DefaultSourceLanguage string `json:"defaultSourceLanguage,omitempty"` // References to external property files that should be inlined with the content of a root log file. ExternalPropertyFileReferences *ExternalPropertyFileReferences `json:"externalPropertyFileReferences,omitempty"` // An array of zero or more unique graph objects associated with the run. Graphs []*Graph `json:"graphs,omitempty"` // Describes the invocation of the analysis tool. Invocations []*Invocation `json:"invocations,omitempty"` // The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase culture code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646). Language string `json:"language,omitempty"` // An array of logical locations such as namespaces, types or functions. LogicalLocations []*LogicalLocation `json:"logicalLocations,omitempty"` // An ordered list of character sequences that were treated as line breaks when computing region information for the run. NewlineSequences []string `json:"newlineSequences,omitempty"` // The artifact location specified by each uriBaseId symbol on the machine where the tool originally ran. OriginalUriBaseIds map[string]*ArtifactLocation `json:"originalUriBaseIds,omitempty"` // Contains configurations that may potentially override both reportingDescriptor.defaultConfiguration (the tool's default severities) and invocation.configurationOverrides (severities established at run-time from the command line). Policies []*ToolComponent `json:"policies,omitempty"` // Key/value pairs that provide additional information about the run. Properties *PropertyBag `json:"properties,omitempty"` // An array of strings used to replace sensitive information in a redaction-aware property. RedactionTokens []string `json:"redactionTokens,omitempty"` // The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan. Results []*Result `json:"results"` // Automation details that describe the aggregate of runs to which this run belongs. RunAggregates []*RunAutomationDetails `json:"runAggregates,omitempty"` // A specialLocations object that defines locations of special significance to SARIF consumers. SpecialLocations *SpecialLocations `json:"specialLocations,omitempty"` // An array of toolComponent objects relevant to a taxonomy in which results are categorized. Taxonomies []*ToolComponent `json:"taxonomies,omitempty"` // An array of threadFlowLocation objects cached at run level. ThreadFlowLocations []*ThreadFlowLocation `json:"threadFlowLocations,omitempty"` // Information about the tool or tool pipeline that generated the results in this run. A run can only contain results produced by a single tool or tool pipeline. A run can aggregate results from multiple log files, as long as context around the tool run (tool command-line arguments and the like) is identical for all aggregated files. Tool *Tool `json:"tool"` // The set of available translations of the localized data provided by the tool. Translations []*ToolComponent `json:"translations,omitempty"` // Specifies the revision in version control of the artifacts that were scanned. VersionControlProvenance []*VersionControlDetails `json:"versionControlProvenance,omitempty"` // An array of request objects cached at run level. WebRequests []*WebRequest `json:"webRequests,omitempty"` // An array of response objects cached at run level. WebResponses []*WebResponse `json:"webResponses,omitempty"` } // RunAutomationDetails Information that describes a run's identity and role within an engineering system process. type RunAutomationDetails struct { // A stable, unique identifier for the equivalence class of runs to which this object's containing run object belongs in the form of a GUID. CorrelationGUID string `json:"correlationGuid,omitempty"` // A description of the identity and role played within the engineering system by this object's containing run object. Description *Message `json:"description,omitempty"` // A stable, unique identifier for this object's containing run object in the form of a GUID. GUID string `json:"guid,omitempty"` // A hierarchical string that uniquely identifies this object's containing run object. ID string `json:"id,omitempty"` // Key/value pairs that provide additional information about the run automation details. Properties *PropertyBag `json:"properties,omitempty"` } // SpecialLocations Defines locations of special significance to SARIF consumers. type SpecialLocations struct { // Provides a suggestion to SARIF consumers to display file paths relative to the specified location. DisplayBase *ArtifactLocation `json:"displayBase,omitempty"` // Key/value pairs that provide additional information about the special locations. Properties *PropertyBag `json:"properties,omitempty"` } // Stack A call stack that is relevant to a result. type Stack struct { // An array of stack frames that represents a sequence of calls, rendered in reverse chronological order, that comprise the call stack. Frames []*StackFrame `json:"frames"` // A message relevant to this call stack. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the stack. Properties *PropertyBag `json:"properties,omitempty"` } // StackFrame A function call within a stack trace. type StackFrame struct { // The location to which this stack frame refers. Location *Location `json:"location,omitempty"` // The name of the module that contains the code of this stack frame. Module string `json:"module,omitempty"` // The parameters of the call that is executing. Parameters []string `json:"parameters,omitempty"` // Key/value pairs that provide additional information about the stack frame. Properties *PropertyBag `json:"properties,omitempty"` // The thread identifier of the stack frame. ThreadID int `json:"threadId,omitempty"` } // Report Static Analysis Results Format (SARIF) Version 2.1.0 JSON Schema: a standard format for the output of static analysis tools. type Report struct { // References to external property files that share data between runs. InlineExternalProperties []*ExternalProperties `json:"inlineExternalProperties,omitempty"` // Key/value pairs that provide additional information about the log file. Properties *PropertyBag `json:"properties,omitempty"` // The set of runs contained in this log file. Runs []*Run `json:"runs"` // The URI of the JSON schema corresponding to the version. Schema string `json:"$schema,omitempty"` // The SARIF format version of this log file. Version interface{} `json:"version"` } // Suppression A suppression that is relevant to a result. type Suppression struct { // A stable, unique identifier for the suprression in the form of a GUID. GUID string `json:"guid,omitempty"` // A string representing the justification for the suppression. Justification string `json:"justification,omitempty"` // A string that indicates where the suppression is persisted. Kind interface{} `json:"kind"` // Identifies the location associated with the suppression. Location *Location `json:"location,omitempty"` // Key/value pairs that provide additional information about the suppression. Properties *PropertyBag `json:"properties,omitempty"` // A string that indicates the review status of the suppression. Status interface{} `json:"status,omitempty"` } // ThreadFlow Describes a sequence of code locations that specify a path through a single thread of execution such as an operating system or fiber. type ThreadFlow struct { // An string that uniquely identifies the threadFlow within the codeFlow in which it occurs. ID string `json:"id,omitempty"` // Values of relevant expressions at the start of the thread flow that remain constant. ImmutableState map[string]*MultiformatMessageString `json:"immutableState,omitempty"` // Values of relevant expressions at the start of the thread flow that may change during thread flow execution. InitialState map[string]*MultiformatMessageString `json:"initialState,omitempty"` // A temporally ordered array of 'threadFlowLocation' objects, each of which describes a location visited by the tool while producing the result. Locations []*ThreadFlowLocation `json:"locations"` // A message relevant to the thread flow. Message *Message `json:"message,omitempty"` // Key/value pairs that provide additional information about the thread flow. Properties *PropertyBag `json:"properties,omitempty"` } // ThreadFlowLocation A location visited by an analysis tool while simulating or monitoring the execution of a program. type ThreadFlowLocation struct { // An integer representing the temporal order in which execution reached this location. ExecutionOrder int `json:"executionOrder,omitempty"` // The Coordinated Universal Time (UTC) date and time at which this location was executed. ExecutionTimeUtc string `json:"executionTimeUtc,omitempty"` // Specifies the importance of this location in understanding the code flow in which it occurs. The order from most to least important is "essential", "important", "unimportant". Default: "important". Importance interface{} `json:"importance,omitempty"` // The index within the run threadFlowLocations array. Index int `json:"index,omitempty"` // A set of distinct strings that categorize the thread flow location. Well-known kinds include 'acquire', 'release', 'enter', 'exit', 'call', 'return', 'branch', 'implicit', 'false', 'true', 'caution', 'danger', 'unknown', 'unreachable', 'taint', 'function', 'handler', 'lock', 'memory', 'resource', 'scope' and 'value'. Kinds []string `json:"kinds,omitempty"` // The code location. Location *Location `json:"location,omitempty"` // The name of the module that contains the code that is executing. Module string `json:"module,omitempty"` // An integer representing a containment hierarchy within the thread flow. NestingLevel int `json:"nestingLevel,omitempty"` // Key/value pairs that provide additional information about the threadflow location. Properties *PropertyBag `json:"properties,omitempty"` // The call stack leading to this location. Stack *Stack `json:"stack,omitempty"` // A dictionary, each of whose keys specifies a variable or expression, the associated value of which represents the variable or expression value. For an annotation of kind 'continuation', for example, this dictionary might hold the current assumed values of a set of global variables. State map[string]*MultiformatMessageString `json:"state,omitempty"` // An array of references to rule or taxonomy reporting descriptors that are applicable to the thread flow location. Taxa []*ReportingDescriptorReference `json:"taxa,omitempty"` // A web request associated with this thread flow location. WebRequest *WebRequest `json:"webRequest,omitempty"` // A web response associated with this thread flow location. WebResponse *WebResponse `json:"webResponse,omitempty"` } // Tool The analysis tool that was run. type Tool struct { // The analysis tool that was run. Driver *ToolComponent `json:"driver"` // Tool extensions that contributed to or reconfigured the analysis tool that was run. Extensions []*ToolComponent `json:"extensions,omitempty"` // Key/value pairs that provide additional information about the tool. Properties *PropertyBag `json:"properties,omitempty"` } // ToolComponent A component, such as a plug-in or the driver, of the analysis tool that was run. type ToolComponent struct { // The component which is strongly associated with this component. For a translation, this refers to the component which has been translated. For an extension, this is the driver that provides the extension's plugin model. AssociatedComponent *ToolComponentReference `json:"associatedComponent,omitempty"` // The kinds of data contained in this object. Contents []interface{} `json:"contents,omitempty"` // The binary version of the tool component's primary executable file expressed as four non-negative integers separated by a period (for operating systems that express file versions in this way). DottedQuadFileVersion string `json:"dottedQuadFileVersion,omitempty"` // The absolute URI from which the tool component can be downloaded. DownloadURI string `json:"downloadUri,omitempty"` // A comprehensive description of the tool component. FullDescription *MultiformatMessageString `json:"fullDescription,omitempty"` // The name of the tool component along with its version and any other useful identifying information, such as its locale. FullName string `json:"fullName,omitempty"` // A dictionary, each of whose keys is a resource identifier and each of whose values is a multiformatMessageString object, which holds message strings in plain text and (optionally) Markdown format. The strings can include placeholders, which can be used to construct a message in combination with an arbitrary number of additional string arguments. GlobalMessageStrings map[string]*MultiformatMessageString `json:"globalMessageStrings,omitempty"` // A unique identifier for the tool component in the form of a GUID. GUID string `json:"guid,omitempty"` // The absolute URI at which information about this version of the tool component can be found. InformationURI string `json:"informationUri,omitempty"` // Specifies whether this object contains a complete definition of the localizable and/or non-localizable data for this component, as opposed to including only data that is relevant to the results persisted to this log file. IsComprehensive bool `json:"isComprehensive,omitempty"` // The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase language code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646). Language string `json:"language,omitempty"` // The semantic version of the localized strings defined in this component; maintained by components that provide translations. LocalizedDataSemanticVersion string `json:"localizedDataSemanticVersion,omitempty"` // An array of the artifactLocation objects associated with the tool component. Locations []*ArtifactLocation `json:"locations,omitempty"` // The minimum value of localizedDataSemanticVersion required in translations consumed by this component; used by components that consume translations. MinimumRequiredLocalizedDataSemanticVersion string `json:"minimumRequiredLocalizedDataSemanticVersion,omitempty"` // The name of the tool component. Name string `json:"name"` // An array of reportingDescriptor objects relevant to the notifications related to the configuration and runtime execution of the tool component. Notifications []*ReportingDescriptor `json:"notifications,omitempty"` // The organization or company that produced the tool component. Organization string `json:"organization,omitempty"` // A product suite to which the tool component belongs. Product string `json:"product,omitempty"` // A localizable string containing the name of the suite of products to which the tool component belongs. ProductSuite string `json:"productSuite,omitempty"` // Key/value pairs that provide additional information about the tool component. Properties *PropertyBag `json:"properties,omitempty"` // A string specifying the UTC date (and optionally, the time) of the component's release. ReleaseDateUtc string `json:"releaseDateUtc,omitempty"` // An array of reportingDescriptor objects relevant to the analysis performed by the tool component. Rules []*ReportingDescriptor `json:"rules,omitempty"` // The tool component version in the format specified by Semantic Versioning 2.0. SemanticVersion string `json:"semanticVersion,omitempty"` // A brief description of the tool component. ShortDescription *MultiformatMessageString `json:"shortDescription,omitempty"` // An array of toolComponentReference objects to declare the taxonomies supported by the tool component. SupportedTaxonomies []*ToolComponentReference `json:"supportedTaxonomies,omitempty"` // An array of reportingDescriptor objects relevant to the definitions of both standalone and tool-defined taxonomies. Taxa []*ReportingDescriptor `json:"taxa,omitempty"` // Translation metadata, required for a translation, not populated by other component types. TranslationMetadata *TranslationMetadata `json:"translationMetadata,omitempty"` // The tool component version, in whatever format the component natively provides. Version string `json:"version,omitempty"` } // ToolComponentReference Identifies a particular toolComponent object, either the driver or an extension. type ToolComponentReference struct { // The 'guid' property of the referenced toolComponent. GUID string `json:"guid,omitempty"` // An index into the referenced toolComponent in tool.extensions. Index int `json:"index,omitempty"` // The 'name' property of the referenced toolComponent. Name string `json:"name,omitempty"` // Key/value pairs that provide additional information about the toolComponentReference. Properties *PropertyBag `json:"properties,omitempty"` } // TranslationMetadata Provides additional metadata related to translation. type TranslationMetadata struct { // The absolute URI from which the translation metadata can be downloaded. DownloadURI string `json:"downloadUri,omitempty"` // A comprehensive description of the translation metadata. FullDescription *MultiformatMessageString `json:"fullDescription,omitempty"` // The full name associated with the translation metadata. FullName string `json:"fullName,omitempty"` // The absolute URI from which information related to the translation metadata can be downloaded. InformationURI string `json:"informationUri,omitempty"` // The name associated with the translation metadata. Name string `json:"name"` // Key/value pairs that provide additional information about the translation metadata. Properties *PropertyBag `json:"properties,omitempty"` // A brief description of the translation metadata. ShortDescription *MultiformatMessageString `json:"shortDescription,omitempty"` } // VersionControlDetails Specifies the information necessary to retrieve a desired revision from a version control system. type VersionControlDetails struct { // A Coordinated Universal Time (UTC) date and time that can be used to synchronize an enlistment to the state of the repository at that time. AsOfTimeUtc string `json:"asOfTimeUtc,omitempty"` // The name of a branch containing the revision. Branch string `json:"branch,omitempty"` // The location in the local file system to which the root of the repository was mapped at the time of the analysis. MappedTo *ArtifactLocation `json:"mappedTo,omitempty"` // Key/value pairs that provide additional information about the version control details. Properties *PropertyBag `json:"properties,omitempty"` // The absolute URI of the repository. RepositoryURI string `json:"repositoryUri"` // A string that uniquely and permanently identifies the revision within the repository. RevisionID string `json:"revisionId,omitempty"` // A tag that has been applied to the revision. RevisionTag string `json:"revisionTag,omitempty"` } // WebRequest Describes an HTTP request. type WebRequest struct { // The body of the request. Body *ArtifactContent `json:"body,omitempty"` // The request headers. Headers map[string]string `json:"headers,omitempty"` // The index within the run.webRequests array of the request object associated with this result. Index int `json:"index,omitempty"` // The HTTP method. Well-known values are 'GET', 'PUT', 'POST', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT'. Method string `json:"method,omitempty"` // The request parameters. Parameters map[string]string `json:"parameters,omitempty"` // Key/value pairs that provide additional information about the request. Properties *PropertyBag `json:"properties,omitempty"` // The request protocol. Example: 'http'. Protocol string `json:"protocol,omitempty"` // The target of the request. Target string `json:"target,omitempty"` // The request version. Example: '1.1'. Version string `json:"version,omitempty"` } // WebResponse Describes the response to an HTTP request. type WebResponse struct { // The body of the response. Body *ArtifactContent `json:"body,omitempty"` // The response headers. Headers map[string]string `json:"headers,omitempty"` // The index within the run.webResponses array of the response object associated with this result. Index int `json:"index,omitempty"` // Specifies whether a response was received from the server. NoResponseReceived bool `json:"noResponseReceived,omitempty"` // Key/value pairs that provide additional information about the response. Properties *PropertyBag `json:"properties,omitempty"` // The response protocol. Example: 'http'. Protocol string `json:"protocol,omitempty"` // The response reason. Example: 'Not found'. ReasonPhrase string `json:"reasonPhrase,omitempty"` // The response status code. Example: 451. StatusCode int `json:"statusCode,omitempty"` // The response version. Example: '1.1'. Version string `json:"version,omitempty"` } 07070100000063000081A400000000000000000000000166F55269000001AA000000000000000000000000000000000000002400000000gosec-2.21.4/report/sarif/writer.gopackage sarif import ( "encoding/json" "io" "github.com/securego/gosec/v2" ) // WriteReport write a report in SARIF format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo, rootPaths []string) error { sr, err := GenerateReport(rootPaths, data) if err != nil { return err } raw, err := json.MarshalIndent(sr, "", "\t") if err != nil { return err } _, err = w.Write(raw) return err } 07070100000064000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001A00000000gosec-2.21.4/report/sonar07070100000065000081A400000000000000000000000166F5526900000309000000000000000000000000000000000000002500000000gosec-2.21.4/report/sonar/builder.gopackage sonar // NewLocation instantiate a Location func NewLocation(message string, filePath string, textRange *TextRange) *Location { return &Location{ Message: message, FilePath: filePath, TextRange: textRange, } } // NewTextRange instantiate a TextRange func NewTextRange(startLine int, endLine int) *TextRange { return &TextRange{ StartLine: startLine, EndLine: endLine, } } // NewIssue instantiate an Issue func NewIssue(engineID string, ruleID string, primaryLocation *Location, issueType string, severity string, effortMinutes int) *Issue { return &Issue{ EngineID: engineID, RuleID: ruleID, PrimaryLocation: primaryLocation, Type: issueType, Severity: severity, EffortMinutes: effortMinutes, } } 07070100000066000081A400000000000000000000000166F5526900000697000000000000000000000000000000000000002700000000gosec-2.21.4/report/sonar/formatter.gopackage sonar import ( "strconv" "strings" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) const ( // EffortMinutes effort to fix in minutes EffortMinutes = 5 ) // GenerateReport Convert a gosec report to a Sonar Report func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) { si := &Report{Issues: []*Issue{}} for _, issue := range data.Issues { sonarFilePath := parseFilePath(issue, rootPaths) if sonarFilePath == "" { continue } textRange, err := parseTextRange(issue) if err != nil { return si, err } primaryLocation := NewLocation(issue.What, sonarFilePath, textRange) severity := getSonarSeverity(issue.Severity.String()) s := NewIssue("gosec", issue.RuleID, primaryLocation, "VULNERABILITY", severity, EffortMinutes) si.Issues = append(si.Issues, s) } return si, nil } func parseFilePath(issue *issue.Issue, rootPaths []string) string { var sonarFilePath string for _, rootPath := range rootPaths { if strings.HasPrefix(issue.File, rootPath) { sonarFilePath = strings.Replace(issue.File, rootPath+"/", "", 1) } } return sonarFilePath } func parseTextRange(issue *issue.Issue) (*TextRange, error) { lines := strings.Split(issue.Line, "-") startLine, err := strconv.Atoi(lines[0]) if err != nil { return nil, err } endLine := startLine if len(lines) > 1 { endLine, err = strconv.Atoi(lines[1]) if err != nil { return nil, err } } return NewTextRange(startLine, endLine), nil } func getSonarSeverity(s string) string { switch s { case "LOW": return "MINOR" case "MEDIUM": return "MAJOR" case "HIGH": return "BLOCKER" default: return "INFO" } } 07070100000067000081A400000000000000000000000166F55269000000CA000000000000000000000000000000000000002E00000000gosec-2.21.4/report/sonar/sonar_suite_test.gopackage sonar_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestRules(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Sonar Formatters Suite") } 07070100000068000081A400000000000000000000000166F55269000013BB000000000000000000000000000000000000002800000000gosec-2.21.4/report/sonar/sonar_test.gopackage sonar_test import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" "github.com/securego/gosec/v2/report/sonar" ) var _ = Describe("Sonar Formatter", func() { BeforeEach(func() { }) Context("when converting to Sonarqube issues", func() { It("it should parse the report info", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPath := "/home/src/project" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should parse the report info with files in subfolders", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project/subfolder/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "subfolder/test.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPath := "/home/src/project" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should not parse the report info for files from other projects", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project1/test.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{}, } rootPath := "/home/src/project2" issues, err := sonar.GenerateReport([]string{rootPath}, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) It("it should parse the report info for multiple projects", func() { data := &gosec.ReportInfo{ Errors: map[string][]gosec.Error{}, Issues: []*issue.Issue{ { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project1/test-project1.go", Code: "", Line: "1-2", }, { Severity: 2, Confidence: 0, RuleID: "test", What: "test", File: "/home/src/project2/test-project2.go", Code: "", Line: "1-2", }, }, Stats: &gosec.Metrics{ NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0, }, } want := &sonar.Report{ Issues: []*sonar.Issue{ { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test-project1.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, { EngineID: "gosec", RuleID: "test", PrimaryLocation: &sonar.Location{ Message: "test", FilePath: "test-project2.go", TextRange: &sonar.TextRange{ StartLine: 1, EndLine: 2, }, }, Type: "VULNERABILITY", Severity: "BLOCKER", EffortMinutes: sonar.EffortMinutes, }, }, } rootPaths := []string{"/home/src/project1", "/home/src/project2"} issues, err := sonar.GenerateReport(rootPaths, data) Expect(err).ShouldNot(HaveOccurred()) Expect(*issues).To(Equal(*want)) }) }) }) 07070100000069000081A400000000000000000000000166F55269000003D9000000000000000000000000000000000000002300000000gosec-2.21.4/report/sonar/types.gopackage sonar // TextRange defines the text range of an issue's location type TextRange struct { StartLine int `json:"startLine"` EndLine int `json:"endLine"` StartColumn int `json:"startColumn,omitempty"` EtartColumn int `json:"endColumn,omitempty"` } // Location defines a sonar issue's location type Location struct { Message string `json:"message"` FilePath string `json:"filePath"` TextRange *TextRange `json:"textRange,omitempty"` } // Issue defines a sonar issue type Issue struct { EngineID string `json:"engineId"` RuleID string `json:"ruleId"` PrimaryLocation *Location `json:"primaryLocation"` Type string `json:"type"` Severity string `json:"severity"` EffortMinutes int `json:"effortMinutes"` SecondaryLocations []*Location `json:"secondaryLocations,omitempty"` } // Report defines a sonar report type Report struct { Issues []*Issue `json:"issues"` } 0707010000006A000081A400000000000000000000000166F55269000001A9000000000000000000000000000000000000002400000000gosec-2.21.4/report/sonar/writer.gopackage sonar import ( "encoding/json" "io" "github.com/securego/gosec/v2" ) // WriteReport write a report in sonar format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo, rootPaths []string) error { si, err := GenerateReport(rootPaths, data) if err != nil { return err } raw, err := json.MarshalIndent(si, "", "\t") if err != nil { return err } _, err = w.Write(raw) return err } 0707010000006B000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001900000000gosec-2.21.4/report/text0707010000006C000081A400000000000000000000000166F5526900000391000000000000000000000000000000000000002600000000gosec-2.21.4/report/text/template.txtResults: {{range $filePath,$fileErrors := .Errors}} Golang errors in file: [{{ $filePath }}]: {{range $index, $error := $fileErrors}} > [line {{$error.Line}} : column {{$error.Column}}] - {{$error.Err}} {{end}} {{end}} {{ range $index, $issue := .Issues }} [{{ highlight $issue.FileLocation $issue.Severity $issue.NoSec }}] - {{ $issue.RuleID }}{{ if $issue.NoSec }} ({{- success "NoSec" -}}){{ end }} ({{ if $issue.Cwe }}{{$issue.Cwe.SprintID}}{{ else }}{{"CWE"}}{{ end }}): {{ $issue.What }} (Confidence: {{ $issue.Confidence}}, Severity: {{ $issue.Severity }}) {{ printCode $issue }} {{ "Autofix" }}: {{ $issue.Autofix }} {{ end }} {{ notice "Summary:" }} Gosec : {{.GosecVersion}} Files : {{.Stats.NumFiles}} Lines : {{.Stats.NumLines}} Nosec : {{.Stats.NumNosec}} Issues : {{ if eq .Stats.NumFound 0 }} {{- success .Stats.NumFound }} {{- else }} {{- danger .Stats.NumFound }} {{- end }} 0707010000006D000081A400000000000000000000000166F5526900000A33000000000000000000000000000000000000002300000000gosec-2.21.4/report/text/writer.gopackage text import ( "bufio" "bytes" _ "embed" // use go embed to import template "fmt" "io" "strconv" "strings" "text/template" "github.com/gookit/color" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) var ( errorTheme = color.New(color.FgLightWhite, color.BgRed) warningTheme = color.New(color.FgBlack, color.BgYellow) defaultTheme = color.New(color.FgWhite, color.BgBlack) //go:embed template.txt templateContent string ) // WriteReport write a (colorized) report in text format func WriteReport(w io.Writer, data *gosec.ReportInfo, enableColor bool) error { t, e := template. New("gosec"). Funcs(plainTextFuncMap(enableColor)). Parse(templateContent) if e != nil { return e } return t.Execute(w, data) } func plainTextFuncMap(enableColor bool) template.FuncMap { if enableColor { return template.FuncMap{ "highlight": highlight, "danger": color.Danger.Render, "notice": color.Notice.Render, "success": color.Success.Render, "printCode": printCodeSnippet, } } // by default those functions return the given content untouched return template.FuncMap{ "highlight": func(t string, s issue.Score, ignored bool) string { return t }, "danger": fmt.Sprint, "notice": fmt.Sprint, "success": fmt.Sprint, "printCode": printCodeSnippet, } } // highlight returns content t colored based on Score func highlight(t string, s issue.Score, ignored bool) string { if ignored { return defaultTheme.Sprint(t) } switch s { case issue.High: return errorTheme.Sprint(t) case issue.Medium: return warningTheme.Sprint(t) default: return defaultTheme.Sprint(t) } } // printCodeSnippet prints the code snippet from the issue by adding a marker to the affected line func printCodeSnippet(issue *issue.Issue) string { start, end := parseLine(issue.Line) scanner := bufio.NewScanner(strings.NewReader(issue.Code)) var buf bytes.Buffer line := start for scanner.Scan() { codeLine := scanner.Text() if strings.HasPrefix(codeLine, strconv.Itoa(line)) && line <= end { codeLine = " > " + codeLine + "\n" line++ } else { codeLine = " " + codeLine + "\n" } buf.WriteString(codeLine) } return buf.String() } // parseLine extract the start and the end line numbers from a issue line func parseLine(line string) (int, int) { parts := strings.Split(line, "-") start := parts[0] end := start if len(parts) > 1 { end = parts[1] } s, err := strconv.Atoi(start) if err != nil { return -1, -1 } e, err := strconv.Atoi(end) if err != nil { return -1, -1 } return s, e } 0707010000006E000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001900000000gosec-2.21.4/report/yaml0707010000006F000081A400000000000000000000000166F552690000013C000000000000000000000000000000000000002300000000gosec-2.21.4/report/yaml/writer.gopackage yaml import ( "io" "gopkg.in/yaml.v3" "github.com/securego/gosec/v2" ) // WriteReport write a report in yaml format to the output writer func WriteReport(w io.Writer, data *gosec.ReportInfo) error { raw, err := yaml.Marshal(data) if err != nil { return err } _, err = w.Write(raw) return err } 07070100000070000081A400000000000000000000000166F5526900000935000000000000000000000000000000000000001800000000gosec-2.21.4/resolve.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec import "go/ast" func resolveIdent(n *ast.Ident, c *Context) bool { if n.Obj == nil || n.Obj.Kind != ast.Var { return true } if node, ok := n.Obj.Decl.(ast.Node); ok { return TryResolve(node, c) } return false } func resolveValueSpec(n *ast.ValueSpec, c *Context) bool { if len(n.Values) == 0 { return false } for _, value := range n.Values { if !TryResolve(value, c) { return false } } return true } func resolveAssign(n *ast.AssignStmt, c *Context) bool { if len(n.Rhs) == 0 { return false } for _, arg := range n.Rhs { if !TryResolve(arg, c) { return false } } return true } func resolveCompLit(n *ast.CompositeLit, c *Context) bool { if len(n.Elts) == 0 { return false } for _, arg := range n.Elts { if !TryResolve(arg, c) { return false } } return true } func resolveBinExpr(n *ast.BinaryExpr, c *Context) bool { return (TryResolve(n.X, c) && TryResolve(n.Y, c)) } func resolveCallExpr(_ *ast.CallExpr, _ *Context) bool { // TODO(tkelsey): next step, full function resolution return false } // TryResolve will attempt, given a subtree starting at some AST node, to resolve // all values contained within to a known constant. It is used to check for any // unknown values in compound expressions. func TryResolve(n ast.Node, c *Context) bool { switch node := n.(type) { case *ast.BasicLit: return true case *ast.CompositeLit: return resolveCompLit(node, c) case *ast.Ident: return resolveIdent(node, c) case *ast.ValueSpec: return resolveValueSpec(node, c) case *ast.AssignStmt: return resolveAssign(node, c) case *ast.CallExpr: return resolveCallExpr(node, c) case *ast.BinaryExpr: return resolveBinExpr(node, c) } return false } 07070100000071000081A400000000000000000000000166F5526900002B5A000000000000000000000000000000000000001D00000000gosec-2.21.4/resolve_test.gopackage gosec_test import ( "go/ast" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("Resolve ast node to concrete value", func() { Context("when attempting to resolve an ast node", func() { It("should successfully resolve basic literal", func() { var basicLiteral *ast.BasicLit pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const foo = "bar"; func main(){}`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.BasicLit); ok { basicLiteral = node return false } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(basicLiteral).ShouldNot(BeNil()) Expect(gosec.TryResolve(basicLiteral, ctx)).Should(BeTrue()) }) It("should successfully resolve identifier", func() { var ident *ast.Ident pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; var foo string = "bar"; func main(){}`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.Ident); ok { ident = node return false } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(ident).ShouldNot(BeNil()) Expect(gosec.TryResolve(ident, ctx)).Should(BeTrue()) }) It("should successfully resolve variable identifier", func() { var ident *ast.Ident pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; import "fmt"; func main(){ x := "test"; y := x; fmt.Println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.Ident); ok && node.Name == "y" { ident = node return false } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(ident).ShouldNot(BeNil()) Expect(gosec.TryResolve(ident, ctx)).Should(BeTrue()) }) It("should successfully not resolve variable identifier with no declaration", func() { var ident *ast.Ident pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; import "fmt"; func main(){ x := "test"; y := x; fmt.Println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.Ident); ok && node.Name == "y" { ident = node return false } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(ident).ShouldNot(BeNil()) ident.Obj.Decl = nil Expect(gosec.TryResolve(ident, ctx)).Should(BeFalse()) }) It("should successfully resolve assign statement", func() { var assign *ast.AssignStmt pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ y := x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.AssignStmt); ok { if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "y" { assign = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(assign).ShouldNot(BeNil()) Expect(gosec.TryResolve(assign, ctx)).Should(BeTrue()) }) It("should successfully not resolve assign statement without rhs", func() { var assign *ast.AssignStmt pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ y := x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.AssignStmt); ok { if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "y" { assign = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(assign).ShouldNot(BeNil()) assign.Rhs = []ast.Expr{} Expect(gosec.TryResolve(assign, ctx)).Should(BeFalse()) }) It("should successfully not resolve assign statement with unsolvable rhs", func() { var assign *ast.AssignStmt pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ y := x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.AssignStmt); ok { if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "y" { assign = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(assign).ShouldNot(BeNil()) assign.Rhs = []ast.Expr{&ast.CallExpr{}} Expect(gosec.TryResolve(assign, ctx)).Should(BeFalse()) }) It("should successfully resolve a binary statement", func() { var target *ast.BinaryExpr pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const (x = "bar"; y = "baz"); func main(){ z := x + y; println(z) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.BinaryExpr); ok { target = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(target).ShouldNot(BeNil()) Expect(gosec.TryResolve(target, ctx)).Should(BeTrue()) }) It("should successfully resolve value spec", func() { var value *ast.ValueSpec pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ var y string = x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.ValueSpec); ok { if len(node.Names) == 1 && node.Names[0].Name == "y" { value = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) Expect(gosec.TryResolve(value, ctx)).Should(BeTrue()) }) It("should successfully not resolve value spec without values", func() { var value *ast.ValueSpec pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ var y string = x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.ValueSpec); ok { if len(node.Names) == 1 && node.Names[0].Name == "y" { value = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) value.Values = []ast.Expr{} Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) It("should successfully not resolve value spec with unsolvable value", func() { var value *ast.ValueSpec pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; const x = "bar"; func main(){ var y string = x; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.ValueSpec); ok { if len(node.Names) == 1 && node.Names[0].Name == "y" { value = node } } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) value.Values = []ast.Expr{&ast.CallExpr{}} Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) It("should successfully resolve composite literal", func() { var value *ast.CompositeLit pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; func main(){ y := []string{"value1", "value2"}; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.CompositeLit); ok { value = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) Expect(gosec.TryResolve(value, ctx)).Should(BeTrue()) }) It("should successfully not resolve composite literal without elst", func() { var value *ast.CompositeLit pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; func main(){ y := []string{"value1", "value2"}; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.CompositeLit); ok { value = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) value.Elts = []ast.Expr{} Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) It("should successfully not resolve composite literal with unsolvable elst", func() { var value *ast.CompositeLit pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; func main(){ y := []string{"value1", "value2"}; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.CompositeLit); ok { value = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) value.Elts = []ast.Expr{&ast.CallExpr{}} Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) It("should successfully not resolve call expressions", func() { var value *ast.CallExpr pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; func main(){ y := []string{"value1", "value2"}; println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.CallExpr); ok { value = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) It("should successfully not resolve call expressions", func() { var value *ast.ImportSpec pkg := testutils.NewTestPackage() defer pkg.Close() pkg.AddFile("foo.go", `package main; import "fmt"; func main(){ y := []string{"value1", "value2"}; fmt.Println(y) }`) ctx := pkg.CreateContext("foo.go") v := testutils.NewMockVisitor() v.Callback = func(n ast.Node, ctx *gosec.Context) bool { if node, ok := n.(*ast.ImportSpec); ok { value = node } return true } v.Context = ctx ast.Walk(v, ctx.Root) Expect(value).ShouldNot(BeNil()) Expect(gosec.TryResolve(value, ctx)).Should(BeFalse()) }) }) }) 07070100000072000081A400000000000000000000000166F55269000008B5000000000000000000000000000000000000001500000000gosec-2.21.4/rule.go// Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package gosec import ( "go/ast" "reflect" "github.com/securego/gosec/v2/issue" ) // The Rule interface used by all rules supported by gosec. type Rule interface { ID() string Match(ast.Node, *Context) (*issue.Issue, error) } // RuleBuilder is used to register a rule definition with the analyzer type RuleBuilder func(id string, c Config) (Rule, []ast.Node) // A RuleSet contains a mapping of lists of rules to the type of AST node they // should be run on and a mapping of rule ID's to whether the rule are // suppressed. // The analyzer will only invoke rules contained in the list associated with the // type of AST node it is currently visiting. type RuleSet struct { Rules map[reflect.Type][]Rule RuleSuppressedMap map[string]bool } // NewRuleSet constructs a new RuleSet func NewRuleSet() RuleSet { return RuleSet{make(map[reflect.Type][]Rule), make(map[string]bool)} } // Register adds a trigger for the supplied rule for the // specified ast nodes. func (r RuleSet) Register(rule Rule, isSuppressed bool, nodes ...ast.Node) { for _, n := range nodes { t := reflect.TypeOf(n) if rules, ok := r.Rules[t]; ok { r.Rules[t] = append(rules, rule) } else { r.Rules[t] = []Rule{rule} } } r.RuleSuppressedMap[rule.ID()] = isSuppressed } // RegisteredFor will return all rules that are registered for a // specified ast node. func (r RuleSet) RegisteredFor(n ast.Node) []Rule { if rules, found := r.Rules[reflect.TypeOf(n)]; found { return rules } return []Rule{} } // IsRuleSuppressed will return whether the rule is suppressed. func (r RuleSet) IsRuleSuppressed(ruleID string) bool { return r.RuleSuppressedMap[ruleID] } 07070100000073000081A400000000000000000000000166F5526900000C57000000000000000000000000000000000000001A00000000gosec-2.21.4/rule_test.gopackage gosec_test import ( "fmt" "go/ast" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type mockrule struct { issue *issue.Issue err error callback func(n ast.Node, ctx *gosec.Context) bool } func (m *mockrule) ID() string { return "MOCK" } func (m *mockrule) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { if m.callback(n, ctx) { return m.issue, nil } return nil, m.err } var _ = Describe("Rule", func() { Context("when using a ruleset", func() { var ( ruleset gosec.RuleSet dummyErrorRule gosec.Rule dummyIssueRule gosec.Rule ) JustBeforeEach(func() { ruleset = gosec.NewRuleSet() dummyErrorRule = &mockrule{ issue: nil, err: fmt.Errorf("An unexpected error occurred"), callback: func(n ast.Node, ctx *gosec.Context) bool { return false }, } dummyIssueRule = &mockrule{ issue: &issue.Issue{ Severity: issue.High, Confidence: issue.High, What: `Some explanation of the thing`, File: "main.go", Code: `#include <stdio.h> int main(){ puts("hello world"); }`, Line: "42", }, err: nil, callback: func(n ast.Node, ctx *gosec.Context) bool { return true }, } }) It("should be possible to register a rule for multiple ast.Node", func() { registeredNodeA := (*ast.CallExpr)(nil) registeredNodeB := (*ast.AssignStmt)(nil) unregisteredNode := (*ast.BinaryExpr)(nil) ruleset.Register(dummyIssueRule, false, registeredNodeA, registeredNodeB) Expect(ruleset.RegisteredFor(unregisteredNode)).Should(BeEmpty()) Expect(ruleset.RegisteredFor(registeredNodeA)).Should(ContainElement(dummyIssueRule)) Expect(ruleset.RegisteredFor(registeredNodeB)).Should(ContainElement(dummyIssueRule)) Expect(ruleset.IsRuleSuppressed(dummyIssueRule.ID())).Should(BeFalse()) }) It("should not register a rule when no ast.Nodes are specified", func() { ruleset.Register(dummyErrorRule, false) Expect(ruleset.Rules).Should(BeEmpty()) }) It("should be possible to retrieve a list of rules for a given node type", func() { registeredNode := (*ast.CallExpr)(nil) unregisteredNode := (*ast.AssignStmt)(nil) ruleset.Register(dummyErrorRule, false, registeredNode) ruleset.Register(dummyIssueRule, false, registeredNode) Expect(ruleset.RegisteredFor(unregisteredNode)).Should(BeEmpty()) Expect(ruleset.RegisteredFor(registeredNode)).Should(HaveLen(2)) Expect(ruleset.RegisteredFor(registeredNode)).Should(ContainElement(dummyErrorRule)) Expect(ruleset.RegisteredFor(registeredNode)).Should(ContainElement(dummyIssueRule)) }) It("should register a suppressed rule", func() { registeredNode := (*ast.CallExpr)(nil) unregisteredNode := (*ast.AssignStmt)(nil) ruleset.Register(dummyIssueRule, true, registeredNode) Expect(ruleset.RegisteredFor(registeredNode)).Should(ContainElement(dummyIssueRule)) Expect(ruleset.RegisteredFor(unregisteredNode)).Should(BeEmpty()) Expect(ruleset.IsRuleSuppressed(dummyIssueRule.ID())).Should(BeTrue()) }) }) }) 07070100000074000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001300000000gosec-2.21.4/rules07070100000075000081A400000000000000000000000166F55269000006FA000000000000000000000000000000000000001E00000000gosec-2.21.4/rules/archive.gopackage rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type archive struct { issue.MetaData calls gosec.CallList argTypes []string } func (a *archive) ID() string { return a.MetaData.ID } // Match inspects AST nodes to determine if the filepath.Joins uses any argument derived from type zip.File or tar.Header func (a *archive) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node := a.calls.ContainsPkgCallExpr(n, c, false); node != nil { for _, arg := range node.Args { var argType types.Type if selector, ok := arg.(*ast.SelectorExpr); ok { argType = c.Info.TypeOf(selector.X) } else if ident, ok := arg.(*ast.Ident); ok { if ident.Obj != nil && ident.Obj.Kind == ast.Var { decl := ident.Obj.Decl if assign, ok := decl.(*ast.AssignStmt); ok { if selector, ok := assign.Rhs[0].(*ast.SelectorExpr); ok { argType = c.Info.TypeOf(selector.X) } } } } if argType != nil { for _, t := range a.argTypes { if argType.String() == t { return c.NewIssue(n, a.ID(), a.What, a.Severity, a.Confidence), nil } } } } } return nil, nil } // NewArchive creates a new rule which detects the file traversal when extracting zip/tar archives func NewArchive(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("path/filepath", "Join") calls.Add("path", "Join") return &archive{ calls: calls, argTypes: []string{"*archive/zip.File", "*archive/tar.Header"}, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "File traversal when extracting zip/tar archive", }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000076000081A400000000000000000000000166F5526900000A12000000000000000000000000000000000000001B00000000gosec-2.21.4/rules/bind.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "regexp" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) // Looks for net.Listen("0.0.0.0") or net.Listen(":8080") type bindsToAllNetworkInterfaces struct { issue.MetaData calls gosec.CallList pattern *regexp.Regexp } func (r *bindsToAllNetworkInterfaces) ID() string { return r.MetaData.ID } func (r *bindsToAllNetworkInterfaces) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { callExpr := r.calls.ContainsPkgCallExpr(n, c, false) if callExpr == nil { return nil, nil } if len(callExpr.Args) > 1 { arg := callExpr.Args[1] if bl, ok := arg.(*ast.BasicLit); ok { if arg, err := gosec.GetString(bl); err == nil { if r.pattern.MatchString(arg) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } else if ident, ok := arg.(*ast.Ident); ok { values := gosec.GetIdentStringValues(ident) for _, value := range values { if r.pattern.MatchString(value) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } else if len(callExpr.Args) > 0 { values := gosec.GetCallStringArgsValues(callExpr.Args[0], c) for _, value := range values { if r.pattern.MatchString(value) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // NewBindsToAllNetworkInterfaces detects socket connections that are setup to // listen on all network interfaces. func NewBindsToAllNetworkInterfaces(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("net", "Listen") calls.Add("crypto/tls", "Listen") return &bindsToAllNetworkInterfaces{ calls: calls, pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`), MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "Binds to all network interfaces", }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000077000081A400000000000000000000000166F5526900000F6C000000000000000000000000000000000000002000000000gosec-2.21.4/rules/blocklist.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "strings" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type blocklistedImport struct { issue.MetaData Blocklisted map[string]string } func unquote(original string) string { cleaned := strings.TrimSpace(original) cleaned = strings.TrimLeft(cleaned, `"`) return strings.TrimRight(cleaned, `"`) } func (r *blocklistedImport) ID() string { return r.MetaData.ID } func (r *blocklistedImport) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node, ok := n.(*ast.ImportSpec); ok { if description, ok := r.Blocklisted[unquote(node.Path.Value)]; ok { return c.NewIssue(node, r.ID(), description, r.Severity, r.Confidence), nil } } return nil, nil } // NewBlocklistedImports reports when a blocklisted import is being used. // Typically when a deprecated technology is being used. func NewBlocklistedImports(id string, _ gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node) { return &blocklistedImport{ MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, }, Blocklisted: blocklist, }, []ast.Node{(*ast.ImportSpec)(nil)} } // NewBlocklistedImportMD5 fails if MD5 is imported func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "crypto/md5": "Blocklisted import crypto/md5: weak cryptographic primitive", }) } // NewBlocklistedImportDES fails if DES is imported func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "crypto/des": "Blocklisted import crypto/des: weak cryptographic primitive", }) } // NewBlocklistedImportRC4 fails if DES is imported func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "crypto/rc4": "Blocklisted import crypto/rc4: weak cryptographic primitive", }) } // NewBlocklistedImportCGI fails if CGI is imported func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "net/http/cgi": "Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)", }) } // NewBlocklistedImportSHA1 fails if SHA1 is imported func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "crypto/sha1": "Blocklisted import crypto/sha1: weak cryptographic primitive", }) } // NewBlocklistedImportMD4 fails if MD4 is imported func NewBlocklistedImportMD4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "golang.org/x/crypto/md4": "Blocklisted import golang.org/x/crypto/md4: deprecated and weak cryptographic primitive", }) } // NewBlocklistedImportRIPEMD160 fails if RIPEMD160 is imported func NewBlocklistedImportRIPEMD160(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { return NewBlocklistedImports(id, conf, map[string]string{ "golang.org/x/crypto/ripemd160": "Blocklisted import golang.org/x/crypto/ripemd160: deprecated and weak cryptographic primitive", }) } 07070100000078000081A400000000000000000000000166F5526900000E9D000000000000000000000000000000000000002900000000gosec-2.21.4/rules/decompression-bomb.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type decompressionBombCheck struct { issue.MetaData readerCalls gosec.CallList copyCalls gosec.CallList } func (d *decompressionBombCheck) ID() string { return d.MetaData.ID } func containsReaderCall(node ast.Node, ctx *gosec.Context, list gosec.CallList) bool { if list.ContainsPkgCallExpr(node, ctx, false) != nil { return true } // Resolve type info of ident (for *archive/zip.File.Open) s, idt, _ := gosec.GetCallInfo(node, ctx) return list.Contains(s, idt) } func (d *decompressionBombCheck) Match(node ast.Node, ctx *gosec.Context) (*issue.Issue, error) { var readerVarObj map[*ast.Object]struct{} // To check multiple lines, ctx.PassedValues is used to store temporary data. if _, ok := ctx.PassedValues[d.ID()]; !ok { readerVarObj = make(map[*ast.Object]struct{}) ctx.PassedValues[d.ID()] = readerVarObj } else if pv, ok := ctx.PassedValues[d.ID()].(map[*ast.Object]struct{}); ok { readerVarObj = pv } else { return nil, fmt.Errorf("PassedValues[%s] of Context is not map[*ast.Object]struct{}, but %T", d.ID(), ctx.PassedValues[d.ID()]) } // io.Copy is a common function. // To reduce false positives, This rule detects code which is used for compressed data only. switch n := node.(type) { case *ast.AssignStmt: for _, expr := range n.Rhs { if callExpr, ok := expr.(*ast.CallExpr); ok && containsReaderCall(callExpr, ctx, d.readerCalls) { if idt, ok := n.Lhs[0].(*ast.Ident); ok && idt.Name != "_" { // Example: // r, _ := zlib.NewReader(buf) // Add r's Obj to readerVarObj map readerVarObj[idt.Obj] = struct{}{} } } } case *ast.CallExpr: if d.copyCalls.ContainsPkgCallExpr(n, ctx, false) != nil { if idt, ok := n.Args[1].(*ast.Ident); ok { if _, ok := readerVarObj[idt.Obj]; ok { // Detect io.Copy(x, r) return ctx.NewIssue(n, d.ID(), d.What, d.Severity, d.Confidence), nil } } } } return nil, nil } // NewDecompressionBombCheck detects if there is potential DoS vulnerability via decompression bomb func NewDecompressionBombCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { readerCalls := gosec.NewCallList() readerCalls.Add("compress/gzip", "NewReader") readerCalls.AddAll("compress/zlib", "NewReader", "NewReaderDict") readerCalls.Add("compress/bzip2", "NewReader") readerCalls.AddAll("compress/flate", "NewReader", "NewReaderDict") readerCalls.Add("compress/lzw", "NewReader") readerCalls.Add("archive/tar", "NewReader") readerCalls.Add("archive/zip", "NewReader") readerCalls.Add("*archive/zip.File", "Open") copyCalls := gosec.NewCallList() copyCalls.Add("io", "Copy") copyCalls.Add("io", "CopyBuffer") return &decompressionBombCheck{ MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.Medium, What: "Potential DoS vulnerability via decompression bomb", }, readerCalls: readerCalls, copyCalls: copyCalls, }, []ast.Node{(*ast.FuncDecl)(nil), (*ast.AssignStmt)(nil), (*ast.CallExpr)(nil)} } 07070100000079000081A400000000000000000000000166F552690000064A000000000000000000000000000000000000002A00000000gosec-2.21.4/rules/directory-traversal.gopackage rules import ( "go/ast" "regexp" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type traversal struct { pattern *regexp.Regexp issue.MetaData } func (r *traversal) ID() string { return r.MetaData.ID } func (r *traversal) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch node := n.(type) { case *ast.CallExpr: return r.matchCallExpr(node, ctx) } return nil, nil } func (r *traversal) matchCallExpr(assign *ast.CallExpr, ctx *gosec.Context) (*issue.Issue, error) { for _, i := range assign.Args { if basiclit, ok1 := i.(*ast.BasicLit); ok1 { if fun, ok2 := assign.Fun.(*ast.SelectorExpr); ok2 { if x, ok3 := fun.X.(*ast.Ident); ok3 { str := x.Name + "." + fun.Sel.Name + "(" + basiclit.Value + ")" if r.pattern.MatchString(str) { return ctx.NewIssue(assign, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } } return nil, nil } // NewDirectoryTraversal attempts to find the use of http.Dir("/") func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { pattern := `http\.Dir\("\/"\)|http\.Dir\('\/'\)` if val, ok := conf[id]; ok { conf := val.(map[string]interface{}) if configPattern, ok := conf["pattern"]; ok { if cfgPattern, ok := configPattern.(string); ok { pattern = cfgPattern } } } return &traversal{ pattern: regexp.MustCompile(pattern), MetaData: issue.MetaData{ ID: id, What: "Potential directory traversal", Confidence: issue.Medium, Severity: issue.Medium, }, }, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000007A000081A400000000000000000000000166F5526900000E01000000000000000000000000000000000000001D00000000gosec-2.21.4/rules/errors.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type noErrorCheck struct { issue.MetaData whitelist gosec.CallList } func (r *noErrorCheck) ID() string { return r.MetaData.ID } func returnsError(callExpr *ast.CallExpr, ctx *gosec.Context) int { if tv := ctx.Info.TypeOf(callExpr); tv != nil { switch t := tv.(type) { case *types.Tuple: for pos := 0; pos < t.Len(); pos++ { variable := t.At(pos) if variable != nil && variable.Type().String() == "error" { return pos } } case *types.Named: if t.String() == "error" { return 0 } } } return -1 } func (r *noErrorCheck) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch stmt := n.(type) { case *ast.AssignStmt: cfg := ctx.Config if enabled, err := cfg.IsGlobalEnabled(gosec.Audit); err == nil && enabled { for _, expr := range stmt.Rhs { if callExpr, ok := expr.(*ast.CallExpr); ok && r.whitelist.ContainsCallExpr(expr, ctx) == nil { pos := returnsError(callExpr, ctx) if pos < 0 || pos >= len(stmt.Lhs) { return nil, nil } if id, ok := stmt.Lhs[pos].(*ast.Ident); ok && id.Name == "_" { return ctx.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } case *ast.ExprStmt: if callExpr, ok := stmt.X.(*ast.CallExpr); ok && r.whitelist.ContainsCallExpr(stmt.X, ctx) == nil { pos := returnsError(callExpr, ctx) if pos >= 0 { return ctx.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // NewNoErrorCheck detects if the returned error is unchecked func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { // TODO(gm) Come up with sensible defaults here. Or flip it to use a // black list instead. whitelist := gosec.NewCallList() whitelist.AddAll("bytes.Buffer", "Write", "WriteByte", "WriteRune", "WriteString") whitelist.AddAll("fmt", "Print", "Printf", "Println", "Fprint", "Fprintf", "Fprintln") whitelist.AddAll("strings.Builder", "Write", "WriteByte", "WriteRune", "WriteString") whitelist.Add("io.PipeWriter", "CloseWithError") whitelist.Add("hash.Hash", "Write") whitelist.Add("os", "Unsetenv") if configured, ok := conf[id]; ok { if whitelisted, ok := configured.(map[string]interface{}); ok { for pkg, funcs := range whitelisted { if funcs, ok := funcs.([]interface{}); ok { whitelist.AddAll(pkg, toStringSlice(funcs)...) } } } } return &noErrorCheck{ MetaData: issue.MetaData{ ID: id, Severity: issue.Low, Confidence: issue.High, What: "Errors unhandled.", }, whitelist: whitelist, }, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ExprStmt)(nil)} } func toStringSlice(values []interface{}) []string { result := []string{} for _, value := range values { if value, ok := value.(string); ok { result = append(result, value) } } return result } 0707010000007B000081A400000000000000000000000166F5526900001431000000000000000000000000000000000000002000000000gosec-2.21.4/rules/fileperms.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "strconv" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type filePermissions struct { issue.MetaData mode int64 pkgs []string calls []string } // ID returns the ID of the rule. func (r *filePermissions) ID() string { return r.MetaData.ID } func getConfiguredMode(conf map[string]interface{}, configKey string, defaultMode int64) int64 { mode := defaultMode if value, ok := conf[configKey]; ok { switch value := value.(type) { case int64: mode = value case string: if m, e := strconv.ParseInt(value, 0, 64); e != nil { mode = defaultMode } else { mode = m } } } return mode } func modeIsSubset(subset int64, superset int64) bool { return (subset | superset) == superset } // Match checks if the rule is matched. func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for _, pkg := range r.pkgs { if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched { modeArg := callexpr.Args[len(callexpr.Args)-1] if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // isOsPerm check if the provide ast node contains a os.PermMode symbol func isOsPerm(n ast.Node) bool { if node, ok := n.(*ast.SelectorExpr); ok { if identX, ok := node.X.(*ast.Ident); ok { if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" { return true } } } return false } // NewWritePerms creates a rule to detect file Writes with bad permissions. func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { mode := getConfiguredMode(conf, id, 0o600) return &filePermissions{ mode: mode, pkgs: []string{"io/ioutil", "os"}, calls: []string{"WriteFile"}, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: fmt.Sprintf("Expect WriteFile permissions to be %#o or less", mode), }, }, []ast.Node{(*ast.CallExpr)(nil)} } // NewFilePerms creates a rule to detect file creation with a more permissive than configured // permission mask. func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { mode := getConfiguredMode(conf, id, 0o600) return &filePermissions{ mode: mode, pkgs: []string{"os"}, calls: []string{"OpenFile", "Chmod"}, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: fmt.Sprintf("Expect file permissions to be %#o or less", mode), }, }, []ast.Node{(*ast.CallExpr)(nil)} } // NewMkdirPerms creates a rule to detect directory creation with more permissive than // configured permission mask. func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { mode := getConfiguredMode(conf, id, 0o750) return &filePermissions{ mode: mode, pkgs: []string{"os"}, calls: []string{"Mkdir", "MkdirAll"}, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: fmt.Sprintf("Expect directory permissions to be %#o or less", mode), }, }, []ast.Node{(*ast.CallExpr)(nil)} } type osCreatePermissions struct { issue.MetaData mode int64 pkgs []string calls []string } const defaultOsCreateMode = 0o666 // ID returns the ID of the rule. func (r *osCreatePermissions) ID() string { return r.MetaData.ID } // Match checks if the rule is matched. func (r *osCreatePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for _, pkg := range r.pkgs { if _, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched { if !modeIsSubset(defaultOsCreateMode, r.mode) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // NewOsCreatePerms reates a rule to detect file creation with a more permissive than configured // permission mask. func NewOsCreatePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { mode := getConfiguredMode(conf, id, 0o666) return &osCreatePermissions{ mode: mode, pkgs: []string{"os"}, calls: []string{"Create"}, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: fmt.Sprintf("Expect file permissions to be %#o or less but os.Create used with default permissions %#o", mode, defaultOsCreateMode), }, }, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000007C000081A400000000000000000000000166F552690000017D000000000000000000000000000000000000002500000000gosec-2.21.4/rules/fileperms_test.gopackage rules import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) var _ = Describe("modeIsSubset", func() { It("it compares modes correctly", func() { Expect(modeIsSubset(0o600, 0o600)).To(BeTrue()) Expect(modeIsSubset(0o400, 0o600)).To(BeTrue()) Expect(modeIsSubset(0o644, 0o600)).To(BeFalse()) Expect(modeIsSubset(0o466, 0o600)).To(BeFalse()) }) }) 0707010000007D000081A400000000000000000000000166F5526900002E2A000000000000000000000000000000000000002C00000000gosec-2.21.4/rules/hardcoded_credentials.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "go/token" "regexp" "strconv" zxcvbn "github.com/ccojocar/zxcvbn-go" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type secretPattern struct { name string regexp *regexp.Regexp } var secretsPatterns = [...]secretPattern{ { name: "RSA private key", regexp: regexp.MustCompile(`-----BEGIN RSA PRIVATE KEY-----`), }, { name: "SSH (DSA) private key", regexp: regexp.MustCompile(`-----BEGIN DSA PRIVATE KEY-----`), }, { name: "SSH (EC) private key", regexp: regexp.MustCompile(`-----BEGIN EC PRIVATE KEY-----`), }, { name: "PGP private key block", regexp: regexp.MustCompile(`-----BEGIN PGP PRIVATE KEY BLOCK-----`), }, { name: "Slack Token", regexp: regexp.MustCompile(`xox[pborsa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}`), }, { name: "AWS API Key", regexp: regexp.MustCompile(`AKIA[0-9A-Z]{16}`), }, { name: "Amazon MWS Auth Token", regexp: regexp.MustCompile(`amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`), }, { name: "AWS AppSync GraphQL Key", regexp: regexp.MustCompile(`da2-[a-z0-9]{26}`), }, { name: "GitHub personal access token", regexp: regexp.MustCompile(`ghp_[a-zA-Z0-9]{36}`), }, { name: "GitHub fine-grained access token", regexp: regexp.MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`), }, { name: "GitHub action temporary token", regexp: regexp.MustCompile(`ghs_[a-zA-Z0-9]{36}`), }, { name: "Google API Key", regexp: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), }, { name: "Google Cloud Platform API Key", regexp: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), }, { name: "Google Cloud Platform OAuth", regexp: regexp.MustCompile(`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`), }, { name: "Google Drive API Key", regexp: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), }, { name: "Google Drive OAuth", regexp: regexp.MustCompile(`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`), }, { name: "Google (GCP) Service-account", regexp: regexp.MustCompile(`"type": "service_account"`), }, { name: "Google Gmail API Key", regexp: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), }, { name: "Google Gmail OAuth", regexp: regexp.MustCompile(`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`), }, { name: "Google OAuth Access Token", regexp: regexp.MustCompile(`ya29\.[0-9A-Za-z\-_]+`), }, { name: "Google YouTube API Key", regexp: regexp.MustCompile(`AIza[0-9A-Za-z\-_]{35}`), }, { name: "Google YouTube OAuth", regexp: regexp.MustCompile(`[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com`), }, { name: "Generic API Key", regexp: regexp.MustCompile(`[aA][pP][iI]_?[kK][eE][yY].*[''|"][0-9a-zA-Z]{32,45}[''|"]`), }, { name: "Generic Secret", regexp: regexp.MustCompile(`[sS][eE][cC][rR][eE][tT].*[''|"][0-9a-zA-Z]{32,45}[''|"]`), }, { name: "Heroku API Key", regexp: regexp.MustCompile(`[hH][eE][rR][oO][kK][uU].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}`), }, { name: "MailChimp API Key", regexp: regexp.MustCompile(`[0-9a-f]{32}-us[0-9]{1,2}`), }, { name: "Mailgun API Key", regexp: regexp.MustCompile(`key-[0-9a-zA-Z]{32}`), }, { name: "Password in URL", regexp: regexp.MustCompile(`[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}["'\\s]`), }, { name: "Slack Webhook", regexp: regexp.MustCompile(`https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}`), }, { name: "Stripe API Key", regexp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`), }, { name: "Stripe Restricted API Key", regexp: regexp.MustCompile(`rk_live_[0-9a-zA-Z]{24}`), }, { name: "Square Access Token", regexp: regexp.MustCompile(`sq0atp-[0-9A-Za-z\-_]{22}`), }, { name: "Square OAuth Secret", regexp: regexp.MustCompile(`sq0csp-[0-9A-Za-z\-_]{43}`), }, { name: "Telegram Bot API Key", regexp: regexp.MustCompile(`[0-9]+:AA[0-9A-Za-z\-_]{33}`), }, { name: "Twilio API Key", regexp: regexp.MustCompile(`SK[0-9a-fA-F]{32}`), }, { name: "Twitter Access Token", regexp: regexp.MustCompile(`[tT][wW][iI][tT][tT][eE][rR].*[1-9][0-9]+-[0-9a-zA-Z]{40}`), }, { name: "Twitter OAuth", regexp: regexp.MustCompile(`[tT][wW][iI][tT][tT][eE][rR].*[''|"][0-9a-zA-Z]{35,44}[''|"]`), }, } type credentials struct { issue.MetaData pattern *regexp.Regexp entropyThreshold float64 perCharThreshold float64 truncate int ignoreEntropy bool } func (r *credentials) ID() string { return r.MetaData.ID } func truncate(s string, n int) string { if n > len(s) { return s } return s[:n] } func (r *credentials) isHighEntropyString(str string) bool { s := truncate(str, r.truncate) info := zxcvbn.PasswordStrength(s, []string{}) entropyPerChar := info.Entropy / float64(len(s)) return (info.Entropy >= r.entropyThreshold || (info.Entropy >= (r.entropyThreshold/2) && entropyPerChar >= r.perCharThreshold)) } func (r *credentials) isSecretPattern(str string) (bool, string) { for _, pattern := range secretsPatterns { if pattern.regexp.MatchString(str) { return true, pattern.name } } return false, "" } func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch node := n.(type) { case *ast.AssignStmt: return r.matchAssign(node, ctx) case *ast.ValueSpec: return r.matchValueSpec(node, ctx) case *ast.BinaryExpr: return r.matchEqualityCheck(node, ctx) } return nil, nil } func (r *credentials) matchAssign(assign *ast.AssignStmt, ctx *gosec.Context) (*issue.Issue, error) { for _, i := range assign.Lhs { if ident, ok := i.(*ast.Ident); ok { // First check LHS to find anything being assigned to variables whose name appears to be a cred if r.pattern.MatchString(ident.Name) { for _, e := range assign.Rhs { if val, err := gosec.GetString(e); err == nil { if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) { return ctx.NewIssue(assign, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } // Now that no names were matched, match the RHS to see if the actual values being assigned are creds for _, e := range assign.Rhs { val, err := gosec.GetString(e) if err != nil { continue } if r.ignoreEntropy || r.isHighEntropyString(val) { if ok, patternName := r.isSecretPattern(val); ok { return ctx.NewIssue(assign, r.ID(), fmt.Sprintf("%s: %s", r.What, patternName), r.Severity, r.Confidence), nil } } } } } return nil, nil } func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Context) (*issue.Issue, error) { // Running match against the variable name(s) first. Will catch any creds whose var name matches the pattern, // then will go back over to check the values themselves. for index, ident := range valueSpec.Names { if r.pattern.MatchString(ident.Name) && valueSpec.Values != nil { // const foo, bar = "same value" if len(valueSpec.Values) <= index { index = len(valueSpec.Values) - 1 } if val, err := gosec.GetString(valueSpec.Values[index]); err == nil { if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) { return ctx.NewIssue(valueSpec, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } // Now that no variable names have been matched, match the actual values to find any creds for _, ident := range valueSpec.Values { if val, err := gosec.GetString(ident); err == nil { if r.ignoreEntropy || r.isHighEntropyString(val) { if ok, patternName := r.isSecretPattern(val); ok { return ctx.NewIssue(valueSpec, r.ID(), fmt.Sprintf("%s: %s", r.What, patternName), r.Severity, r.Confidence), nil } } } } return nil, nil } func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*issue.Issue, error) { if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ { ident, ok := binaryExpr.X.(*ast.Ident) if !ok { ident, _ = binaryExpr.Y.(*ast.Ident) } if ident != nil && r.pattern.MatchString(ident.Name) { valueNode := binaryExpr.Y if !ok { valueNode = binaryExpr.X } if val, err := gosec.GetString(valueNode); err == nil { if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) { return ctx.NewIssue(binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil } } } // Now that the variable names have been checked, and no matches were found, make sure that // either the left or right operands is a string literal so we can match the value. identStrConst, ok := binaryExpr.X.(*ast.BasicLit) if !ok { identStrConst, ok = binaryExpr.Y.(*ast.BasicLit) } if ok && identStrConst.Kind == token.STRING { s, _ := gosec.GetString(identStrConst) if r.ignoreEntropy || r.isHighEntropyString(s) { if ok, patternName := r.isSecretPattern(s); ok { return ctx.NewIssue(binaryExpr, r.ID(), fmt.Sprintf("%s: %s", r.What, patternName), r.Severity, r.Confidence), nil } } } } return nil, nil } // NewHardcodedCredentials attempts to find high entropy string constants being // assigned to variables that appear to be related to credentials. func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { pattern := `(?i)passwd|pass|password|pwd|secret|token|pw|apiKey|bearer|cred` entropyThreshold := 80.0 perCharThreshold := 3.0 ignoreEntropy := false truncateString := 16 if val, ok := conf[id]; ok { conf := val.(map[string]interface{}) if configPattern, ok := conf["pattern"]; ok { if cfgPattern, ok := configPattern.(string); ok { pattern = cfgPattern } } if configIgnoreEntropy, ok := conf["ignore_entropy"]; ok { if cfgIgnoreEntropy, ok := configIgnoreEntropy.(bool); ok { ignoreEntropy = cfgIgnoreEntropy } } if configEntropyThreshold, ok := conf["entropy_threshold"]; ok { if cfgEntropyThreshold, ok := configEntropyThreshold.(string); ok { if parsedNum, err := strconv.ParseFloat(cfgEntropyThreshold, 64); err == nil { entropyThreshold = parsedNum } } } if configCharThreshold, ok := conf["per_char_threshold"]; ok { if cfgCharThreshold, ok := configCharThreshold.(string); ok { if parsedNum, err := strconv.ParseFloat(cfgCharThreshold, 64); err == nil { perCharThreshold = parsedNum } } } if configTruncate, ok := conf["truncate"]; ok { if cfgTruncate, ok := configTruncate.(string); ok { if parsedInt, err := strconv.Atoi(cfgTruncate); err == nil { truncateString = parsedInt } } } } return &credentials{ pattern: regexp.MustCompile(pattern), entropyThreshold: entropyThreshold, perCharThreshold: perCharThreshold, ignoreEntropy: ignoreEntropy, truncate: truncateString, MetaData: issue.MetaData{ ID: id, What: "Potential hardcoded credentials", Confidence: issue.Low, Severity: issue.High, }, }, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil), (*ast.BinaryExpr)(nil)} } 0707010000007E000081A400000000000000000000000166F552690000045D000000000000000000000000000000000000002100000000gosec-2.21.4/rules/http_serve.gopackage rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type httpServeWithoutTimeouts struct { issue.MetaData pkg string calls []string } func (r *httpServeWithoutTimeouts) ID() string { return r.MetaData.ID } func (r *httpServeWithoutTimeouts) Match(n ast.Node, c *gosec.Context) (gi *issue.Issue, err error) { if _, matches := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matches { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } return nil, nil } // NewHTTPServeWithoutTimeouts detects use of net/http serve functions that have no support for setting timeouts. func NewHTTPServeWithoutTimeouts(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &httpServeWithoutTimeouts{ pkg: "net/http", calls: []string{"ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS"}, MetaData: issue.MetaData{ ID: id, What: "Use of net/http serve function that has no support for setting timeouts", Severity: issue.Medium, Confidence: issue.High, }, }, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000007F000081A400000000000000000000000166F552690000113B000000000000000000000000000000000000002800000000gosec-2.21.4/rules/implicit_aliasing.gopackage rules import ( "go/ast" "go/token" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type implicitAliasing struct { issue.MetaData aliases map[*ast.Object]struct{} rightBrace token.Pos acceptableAlias []*ast.UnaryExpr } func (r *implicitAliasing) ID() string { return r.MetaData.ID } func containsUnary(exprs []*ast.UnaryExpr, expr *ast.UnaryExpr) bool { for _, e := range exprs { if e == expr { return true } } return false } func getIdentExpr(expr ast.Expr) (*ast.Ident, bool) { return doGetIdentExpr(expr, false) } func doGetIdentExpr(expr ast.Expr, hasSelector bool) (*ast.Ident, bool) { switch node := expr.(type) { case *ast.Ident: return node, hasSelector case *ast.SelectorExpr: return doGetIdentExpr(node.X, true) case *ast.UnaryExpr: return doGetIdentExpr(node.X, hasSelector) default: return nil, false } } func (r *implicitAliasing) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { // This rule does not apply for Go 1.22, see https://tip.golang.org/doc/go1.22#language. major, minor, _ := gosec.GoVersion() if major >= 1 && minor >= 22 { return nil, nil } switch node := n.(type) { case *ast.RangeStmt: // When presented with a range statement, get the underlying Object bound to // by assignment and add it to our set (r.aliases) of objects to check for. if key, ok := node.Value.(*ast.Ident); ok { if key.Obj != nil { if assignment, ok := key.Obj.Decl.(*ast.AssignStmt); ok { if len(assignment.Lhs) < 2 { return nil, nil } if object, ok := assignment.Lhs[1].(*ast.Ident); ok { r.aliases[object.Obj] = struct{}{} if r.rightBrace < node.Body.Rbrace { r.rightBrace = node.Body.Rbrace } } } } } case *ast.UnaryExpr: // If this unary expression is outside of the last range statement we were looking at // then clear the list of objects we're concerned about because they're no longer in // scope if node.Pos() > r.rightBrace { r.aliases = make(map[*ast.Object]struct{}) r.acceptableAlias = make([]*ast.UnaryExpr, 0) } // Short circuit logic to skip checking aliases if we have nothing to check against. if len(r.aliases) == 0 { return nil, nil } // If this unary is at the top level of a return statement then it is okay-- // see *ast.ReturnStmt comment below. if containsUnary(r.acceptableAlias, node) { return nil, nil } // If we find a unary op of & (reference) of an object within r.aliases, complain. if identExpr, hasSelector := getIdentExpr(node); identExpr != nil && node.Op.String() == "&" { if _, contains := r.aliases[identExpr.Obj]; contains { _, isPointer := c.Info.TypeOf(identExpr).(*types.Pointer) if !hasSelector || !isPointer { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } case *ast.ReturnStmt: // Returning a rangeStmt yielded value is acceptable since only one value will be returned for _, item := range node.Results { if unary, ok := item.(*ast.UnaryExpr); ok && unary.Op.String() == "&" { r.acceptableAlias = append(r.acceptableAlias, unary) } } } return nil, nil } // NewImplicitAliasing detects implicit memory aliasing of type: for blah := SomeCall() {... SomeOtherCall(&blah) ...} func NewImplicitAliasing(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &implicitAliasing{ aliases: make(map[*ast.Object]struct{}), rightBrace: token.NoPos, acceptableAlias: make([]*ast.UnaryExpr, 0), MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.Medium, What: "Implicit memory aliasing in for loop.", }, }, []ast.Node{(*ast.RangeStmt)(nil), (*ast.UnaryExpr)(nil), (*ast.ReturnStmt)(nil)} } /* This rule is prone to flag false positives. Within GoSec, the rule is just an AST match-- there are a handful of other implementation strategies which might lend more nuance to the rule at the cost of allowing false negatives. From a tooling side, I'd rather have this rule flag false positives than potentially have some false negatives-- especially if the sentiment of this rule (as I understand it, and Go) is that referencing a rangeStmt-yielded value is kinda strange and does not have a strongly justified use case. Which is to say-- a false positive _should_ just be changed. */ 07070100000080000081A400000000000000000000000166F5526900000B62000000000000000000000000000000000000002700000000gosec-2.21.4/rules/integer_overflow.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type integerOverflowCheck struct { issue.MetaData calls gosec.CallList } func (i *integerOverflowCheck) ID() string { return i.MetaData.ID } func (i *integerOverflowCheck) Match(node ast.Node, ctx *gosec.Context) (*issue.Issue, error) { var atoiVarObj map[*ast.Object]ast.Node // To check multiple lines, ctx.PassedValues is used to store temporary data. if _, ok := ctx.PassedValues[i.ID()]; !ok { atoiVarObj = make(map[*ast.Object]ast.Node) ctx.PassedValues[i.ID()] = atoiVarObj } else if pv, ok := ctx.PassedValues[i.ID()].(map[*ast.Object]ast.Node); ok { atoiVarObj = pv } else { return nil, fmt.Errorf("PassedValues[%s] of Context is not map[*ast.Object]ast.Node, but %T", i.ID(), ctx.PassedValues[i.ID()]) } // strconv.Atoi is a common function. // To reduce false positives, This rule detects code which is converted to int32/int16 only. switch n := node.(type) { case *ast.AssignStmt: for _, expr := range n.Rhs { if callExpr, ok := expr.(*ast.CallExpr); ok && i.calls.ContainsPkgCallExpr(callExpr, ctx, false) != nil { if idt, ok := n.Lhs[0].(*ast.Ident); ok && idt.Name != "_" { // Example: // v, _ := strconv.Atoi("1111") // Add v's Obj to atoiVarObj map atoiVarObj[idt.Obj] = n } } } case *ast.CallExpr: if fun, ok := n.Fun.(*ast.Ident); ok { if fun.Name == "int32" || fun.Name == "int16" { if idt, ok := n.Args[0].(*ast.Ident); ok { if _, ok := atoiVarObj[idt.Obj]; ok { // Detect int32(v) and int16(v) return ctx.NewIssue(n, i.ID(), i.What, i.Severity, i.Confidence), nil } } } } } return nil, nil } // NewIntegerOverflowCheck detects if there is potential Integer OverFlow func NewIntegerOverflowCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("strconv", "Atoi") return &integerOverflowCheck{ MetaData: issue.MetaData{ ID: id, Severity: issue.High, Confidence: issue.Medium, What: "Potential Integer overflow made by strconv.Atoi result conversion to int16/32", }, calls: calls, }, []ast.Node{(*ast.FuncDecl)(nil), (*ast.AssignStmt)(nil), (*ast.CallExpr)(nil)} } 07070100000081000081A400000000000000000000000166F552690000048E000000000000000000000000000000000000002300000000gosec-2.21.4/rules/math_big_rat.gopackage rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type usingOldMathBig struct { issue.MetaData calls gosec.CallList } func (r *usingOldMathBig) ID() string { return r.MetaData.ID } func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi *issue.Issue, err error) { if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr == nil { return nil, nil } confidence := issue.Low major, minor, build := gosec.GoVersion() if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 7) { confidence = issue.Medium } return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil } // NewUsingOldMathBig rule detects the use of Rat.SetString from math/big. func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("math/big.Rat", "SetString") return &usingOldMathBig{ calls: calls, MetaData: issue.MetaData{ ID: id, What: "Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772)", Severity: issue.High, }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000082000081A400000000000000000000000166F5526900000444000000000000000000000000000000000000001C00000000gosec-2.21.4/rules/pprof.gopackage rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type pprofCheck struct { issue.MetaData importPath string importName string } // ID returns the ID of the check func (p *pprofCheck) ID() string { return p.MetaData.ID } // Match checks for pprof imports func (p *pprofCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node, ok := n.(*ast.ImportSpec); ok { if p.importPath == unquote(node.Path.Value) && node.Name != nil && p.importName == node.Name.Name { return c.NewIssue(node, p.ID(), p.What, p.Severity, p.Confidence), nil } } return nil, nil } // NewPprofCheck detects when the profiling endpoint is automatically exposed func NewPprofCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &pprofCheck{ MetaData: issue.MetaData{ ID: id, Severity: issue.High, Confidence: issue.High, What: "Profiling endpoint is automatically exposed on /debug/pprof", }, importPath: "net/http/pprof", importName: "_", }, []ast.Node{(*ast.ImportSpec)(nil)} } 07070100000083000081A400000000000000000000000166F55269000007E0000000000000000000000000000000000000001B00000000gosec-2.21.4/rules/rand.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type weakRand struct { issue.MetaData blocklist map[string][]string } func (w *weakRand) ID() string { return w.MetaData.ID } func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for pkg, funcs := range w.blocklist { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, w.ID(), w.What, w.Severity, w.Confidence), nil } } return nil, nil } // NewWeakRandCheck detects the use of random number generator that isn't cryptographically secure func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := make(map[string][]string) calls["math/rand"] = []string{ "New", "Read", "Float32", "Float64", "Int", "Int31", "Int31n", "Int63", "Int63n", "Intn", "NormFloat64", "Uint32", "Uint64", } calls["math/rand/v2"] = []string{ "New", "Float32", "Float64", "Int", "Int32", "Int32N", "Int64", "Int64N", "IntN", "N", "NormFloat64", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN", } return &weakRand{ blocklist: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.High, Confidence: issue.Medium, What: "Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)", }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000084000081A400000000000000000000000166F55269000012BA000000000000000000000000000000000000001F00000000gosec-2.21.4/rules/readfile.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type readfile struct { issue.MetaData gosec.CallList pathJoin gosec.CallList clean gosec.CallList cleanedVar map[any]ast.Node } // ID returns the identifier for this rule func (r *readfile) ID() string { return r.MetaData.ID } // isJoinFunc checks if there is a filepath.Join or other join function func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool { if call := r.pathJoin.ContainsPkgCallExpr(n, c, false); call != nil { for _, arg := range call.Args { // edge case: check if one of the args is a BinaryExpr if binExp, ok := arg.(*ast.BinaryExpr); ok { // iterate and resolve all found identities from the BinaryExpr if _, ok := gosec.FindVarIdentities(binExp, c); ok { return true } } // try and resolve identity if ident, ok := arg.(*ast.Ident); ok { obj := c.Info.ObjectOf(ident) if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) { return true } } } } return false } // isFilepathClean checks if there is a filepath.Clean for given variable func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool { if _, ok := r.cleanedVar[n.Obj.Decl]; ok { return true } if n.Obj.Kind != ast.Var { return false } if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok { if call, ok := node.Rhs[0].(*ast.CallExpr); ok { if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil { return true } } } return false } // trackFilepathClean tracks back the declaration of variable from filepath.Clean argument func (r *readfile) trackFilepathClean(n ast.Node) { if clean, ok := n.(*ast.CallExpr); ok && len(clean.Args) > 0 { if ident, ok := clean.Args[0].(*ast.Ident); ok { // ident.Obj may be nil if the referenced declaration is in another file. It also may be incorrect. // if it is nil, do not follow it. if ident.Obj != nil { r.cleanedVar[ident.Obj.Decl] = n } } } } // Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile` func (r *readfile) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node := r.clean.ContainsPkgCallExpr(n, c, false); node != nil { r.trackFilepathClean(n) return nil, nil } else if node := r.ContainsPkgCallExpr(n, c, false); node != nil { for _, arg := range node.Args { // handles path joining functions in Arg // eg. os.Open(filepath.Join("/tmp/", file)) if callExpr, ok := arg.(*ast.CallExpr); ok { if r.isJoinFunc(callExpr, c) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } // handles binary string concatenation eg. ioutil.Readfile("/tmp/" + file + "/blob") if binExp, ok := arg.(*ast.BinaryExpr); ok { // resolve all found identities from the BinaryExpr if _, ok := gosec.FindVarIdentities(binExp, c); ok { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } if ident, ok := arg.(*ast.Ident); ok { obj := c.Info.ObjectOf(ident) if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) && !r.isFilepathClean(ident, c) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } } } return nil, nil } // NewReadFile detects cases where we read files func NewReadFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule := &readfile{ pathJoin: gosec.NewCallList(), clean: gosec.NewCallList(), CallList: gosec.NewCallList(), MetaData: issue.MetaData{ ID: id, What: "Potential file inclusion via variable", Severity: issue.Medium, Confidence: issue.High, }, cleanedVar: map[any]ast.Node{}, } rule.pathJoin.Add("path/filepath", "Join") rule.pathJoin.Add("path", "Join") rule.clean.Add("path/filepath", "Clean") rule.clean.Add("path/filepath", "Rel") rule.clean.Add("path/filepath", "EvalSymlinks") rule.Add("io/ioutil", "ReadFile") rule.Add("os", "ReadFile") rule.Add("os", "Open") rule.Add("os", "OpenFile") rule.Add("os", "Create") return rule, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000085000081A400000000000000000000000166F55269000006CF000000000000000000000000000000000000001A00000000gosec-2.21.4/rules/rsa.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type weakKeyStrength struct { issue.MetaData calls gosec.CallList bits int } func (w *weakKeyStrength) ID() string { return w.MetaData.ID } func (w *weakKeyStrength) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if callExpr := w.calls.ContainsPkgCallExpr(n, c, false); callExpr != nil { if bits, err := gosec.GetInt(callExpr.Args[1]); err == nil && bits < (int64)(w.bits) { return c.NewIssue(n, w.ID(), w.What, w.Severity, w.Confidence), nil } } return nil, nil } // NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits func NewWeakKeyStrength(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("crypto/rsa", "GenerateKey") bits := 2048 return &weakKeyStrength{ calls: calls, bits: bits, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: fmt.Sprintf("RSA keys should be at least %d bits", bits), }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000086000081A400000000000000000000000166F55269000015AD000000000000000000000000000000000000001F00000000gosec-2.21.4/rules/rulelist.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import "github.com/securego/gosec/v2" // RuleDefinition contains the description of a rule and a mechanism to // create it. type RuleDefinition struct { ID string Description string Create gosec.RuleBuilder } // RuleList contains a mapping of rule ID's to rule definitions and a mapping // of rule ID's to whether rules are suppressed. type RuleList struct { Rules map[string]RuleDefinition RuleSuppressed map[string]bool } // RulesInfo returns all the create methods and the rule suppressed map for a // given list func (rl RuleList) RulesInfo() (map[string]gosec.RuleBuilder, map[string]bool) { builders := make(map[string]gosec.RuleBuilder) for _, def := range rl.Rules { builders[def.ID] = def.Create } return builders, rl.RuleSuppressed } // RuleFilter can be used to include or exclude a rule depending on the return // value of the function type RuleFilter func(string) bool // NewRuleFilter is a closure that will include/exclude the rule ID's based on // the supplied boolean value. func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter { rulelist := make(map[string]bool) for _, rule := range ruleIDs { rulelist[rule] = true } return func(rule string) bool { if _, found := rulelist[rule]; found { return action } return !action } } // Generate the list of rules to use func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList { rules := []RuleDefinition{ // misc {"G101", "Look for hardcoded credentials", NewHardcodedCredentials}, {"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces}, {"G103", "Audit the use of unsafe block", NewUsingUnsafe}, {"G104", "Audit errors not checked", NewNoErrorCheck}, {"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey}, {"G107", "Url provided to HTTP request as taint input", NewSSRFCheck}, {"G108", "Profiling endpoint is automatically exposed", NewPprofCheck}, {"G109", "Converting strconv.Atoi result to int32/int16", NewIntegerOverflowCheck}, {"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck}, {"G111", "Detect http.Dir('/') as a potential risk", NewDirectoryTraversal}, {"G112", "Detect ReadHeaderTimeout not configured as a potential risk", NewSlowloris}, {"G113", "Usage of Rat.SetString in math/big with an overflow", NewUsingOldMathBig}, {"G114", "Use of net/http serve function that has no support for setting timeouts", NewHTTPServeWithoutTimeouts}, // injection {"G201", "SQL query construction using format string", NewSQLStrFormat}, {"G202", "SQL query construction using string concatenation", NewSQLStrConcat}, {"G203", "Use of unescaped data in HTML templates", NewTemplateCheck}, {"G204", "Audit use of command execution", NewSubproc}, // filesystem {"G301", "Poor file permissions used when creating a directory", NewMkdirPerms}, {"G302", "Poor file permissions used when creation file or using chmod", NewFilePerms}, {"G303", "Creating tempfile using a predictable path", NewBadTempFile}, {"G304", "File path provided as taint input", NewReadFile}, {"G305", "File path traversal when extracting zip archive", NewArchive}, {"G306", "Poor file permissions used when writing to a file", NewWritePerms}, {"G307", "Poor file permissions used when creating a file with os.Create", NewOsCreatePerms}, // crypto {"G401", "Detect the usage of MD5 or SHA1", NewUsesWeakCryptographyHash}, {"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck}, {"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength}, {"G404", "Insecure random number source (rand)", NewWeakRandCheck}, {"G405", "Detect the usage of DES or RC4", NewUsesWeakCryptographyEncryption}, {"G406", "Detect the usage of deprecated MD4 or RIPEMD160", NewUsesWeakDeprecatedCryptographyHash}, // blocklist {"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5}, {"G502", "Import blocklist: crypto/des", NewBlocklistedImportDES}, {"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4}, {"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI}, {"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1}, {"G506", "Import blocklist: golang.org/x/crypto/md4", NewBlocklistedImportMD4}, {"G507", "Import blocklist: golang.org/x/crypto/ripemd160", NewBlocklistedImportRIPEMD160}, // memory safety {"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing}, } ruleMap := make(map[string]RuleDefinition) ruleSuppressedMap := make(map[string]bool) RULES: for _, rule := range rules { ruleSuppressedMap[rule.ID] = false for _, filter := range filters { if filter(rule.ID) { ruleSuppressedMap[rule.ID] = true if !trackSuppressions { continue RULES } } } ruleMap[rule.ID] = rule } return RuleList{ruleMap, ruleSuppressedMap} } 07070100000087000081A400000000000000000000000166F55269000000BF000000000000000000000000000000000000002700000000gosec-2.21.4/rules/rules_suite_test.gopackage rules_test import ( "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" ) func TestRules(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Rules Suite") } 07070100000088000081A400000000000000000000000166F5526900001877000000000000000000000000000000000000002100000000gosec-2.21.4/rules/rules_test.gopackage rules_test import ( "fmt" "log" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/rules" "github.com/securego/gosec/v2/testutils" ) var _ = Describe("gosec rules", func() { var ( logger *log.Logger config gosec.Config analyzer *gosec.Analyzer runner func(string, []testutils.CodeSample) buildTags []string tests bool ) BeforeEach(func() { logger, _ = testutils.NewLogger() config = gosec.NewConfig() analyzer = gosec.NewAnalyzer(config, tests, false, false, 1, logger) runner = func(rule string, samples []testutils.CodeSample) { for n, sample := range samples { analyzer.Reset() analyzer.SetConfig(sample.Config) analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, rule)).RulesInfo()) pkg := testutils.NewTestPackage() defer pkg.Close() for i, code := range sample.Code { pkg.AddFile(fmt.Sprintf("sample_%d_%d.go", n, i), code) } err := pkg.Build() Expect(err).ShouldNot(HaveOccurred()) Expect(pkg.PrintErrors()).Should(BeZero()) err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) issues, _, _ := analyzer.Report() if len(issues) != sample.Errors { fmt.Println(sample.Code) } Expect(issues).Should(HaveLen(sample.Errors)) } } }) Context("report correct errors for all samples", func() { It("should detect hardcoded credentials", func() { runner("G101", testutils.SampleCodeG101) }) It("should detect hardcoded credential values", func() { runner("G101", testutils.SampleCodeG101Values) }) It("should detect binding to all network interfaces", func() { runner("G102", testutils.SampleCodeG102) }) It("should use of unsafe block", func() { runner("G103", testutils.SampleCodeG103) }) It("should detect errors not being checked", func() { runner("G104", testutils.SampleCodeG104) }) It("should detect errors not being checked in audit mode", func() { runner("G104", testutils.SampleCodeG104Audit) }) It("should detect of ssh.InsecureIgnoreHostKey function", func() { runner("G106", testutils.SampleCodeG106) }) It("should detect ssrf via http requests with variable url", func() { runner("G107", testutils.SampleCodeG107) }) It("should detect pprof endpoint", func() { runner("G108", testutils.SampleCodeG108) }) It("should detect integer overflow", func() { runner("G109", testutils.SampleCodeG109) }) It("should detect DoS vulnerability via decompression bomb", func() { runner("G110", testutils.SampleCodeG110) }) It("should detect potential directory traversal", func() { runner("G111", testutils.SampleCodeG111) }) It("should detect potential slowloris attack", func() { runner("G112", testutils.SampleCodeG112) }) It("should detect potential uncontrolled memory consumption in Rat.SetString", func() { runner("G113", testutils.SampleCodeG113) }) It("should detect uses of net/http serve functions that have no support for setting timeouts", func() { runner("G114", testutils.SampleCodeG114) }) It("should detect sql injection via format strings", func() { runner("G201", testutils.SampleCodeG201) }) It("should detect sql injection via string concatenation", func() { runner("G202", testutils.SampleCodeG202) }) It("should detect unescaped html in templates", func() { runner("G203", testutils.SampleCodeG203) }) It("should detect command execution", func() { runner("G204", testutils.SampleCodeG204) }) It("should detect poor file permissions on mkdir", func() { runner("G301", testutils.SampleCodeG301) }) It("should detect poor permissions when creating or chmod a file", func() { runner("G302", testutils.SampleCodeG302) }) It("should detect insecure temp file creation", func() { runner("G303", testutils.SampleCodeG303) }) It("should detect file path provided as taint input", func() { runner("G304", testutils.SampleCodeG304) }) It("should detect file path traversal when extracting zip archive", func() { runner("G305", testutils.SampleCodeG305) }) It("should detect poor permissions when writing to a file", func() { runner("G306", testutils.SampleCodeG306) }) It("should detect weak crypto algorithms", func() { runner("G401", testutils.SampleCodeG401) }) It("should detect weak crypto algorithms", func() { runner("G401", testutils.SampleCodeG401b) }) It("should find insecure tls settings", func() { runner("G402", testutils.SampleCodeG402) }) It("should detect weak creation of weak rsa keys", func() { runner("G403", testutils.SampleCodeG403) }) It("should find non cryptographically secure random number sources", func() { runner("G404", testutils.SampleCodeG404) }) It("should detect weak crypto algorithms", func() { runner("G405", testutils.SampleCodeG405) }) It("should detect weak crypto algorithms", func() { runner("G405", testutils.SampleCodeG405b) }) It("should detect weak crypto algorithms", func() { runner("G406", testutils.SampleCodeG406) }) It("should detect weak crypto algorithms", func() { runner("G406", testutils.SampleCodeG406b) }) It("should detect blocklisted imports - MD5", func() { runner("G501", testutils.SampleCodeG501) }) It("should detect blocklisted imports - DES", func() { runner("G502", testutils.SampleCodeG502) }) It("should detect blocklisted imports - RC4", func() { runner("G503", testutils.SampleCodeG503) }) It("should detect blocklisted imports - CGI (httpoxy)", func() { runner("G504", testutils.SampleCodeG504) }) It("should detect blocklisted imports - SHA1", func() { runner("G505", testutils.SampleCodeG505) }) It("should detect blocklisted imports - MD4", func() { runner("G506", testutils.SampleCodeG506) }) It("should detect blocklisted imports - RIPEMD160", func() { runner("G507", testutils.SampleCodeG507) }) It("should detect implicit aliasing in ForRange", func() { major, minor, _ := gosec.GoVersion() if major <= 1 && minor < 22 { runner("G601", testutils.SampleCodeG601) } }) }) }) 07070100000089000081A400000000000000000000000166F55269000007F0000000000000000000000000000000000000002000000000gosec-2.21.4/rules/slowloris.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type slowloris struct { issue.MetaData } func (r *slowloris) ID() string { return r.MetaData.ID } func containsReadHeaderTimeout(node *ast.CompositeLit) bool { if node == nil { return false } for _, elt := range node.Elts { if kv, ok := elt.(*ast.KeyValueExpr); ok { if ident, ok := kv.Key.(*ast.Ident); ok { if ident.Name == "ReadHeaderTimeout" || ident.Name == "ReadTimeout" { return true } } } } return false } func (r *slowloris) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch node := n.(type) { case *ast.CompositeLit: actualType := ctx.Info.TypeOf(node.Type) if actualType != nil && actualType.String() == "net/http.Server" { if !containsReadHeaderTimeout(node) { return ctx.NewIssue(node, r.ID(), r.What, r.Severity, r.Confidence), nil } } } return nil, nil } // NewSlowloris attempts to find the http.Server struct and check if the ReadHeaderTimeout is configured. func NewSlowloris(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &slowloris{ MetaData: issue.MetaData{ ID: id, What: "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", Confidence: issue.Low, Severity: issue.Medium, }, }, []ast.Node{(*ast.CompositeLit)(nil)} } 0707010000008A000081A400000000000000000000000166F5526900002A81000000000000000000000000000000000000001A00000000gosec-2.21.4/rules/sql.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "fmt" "go/ast" "regexp" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type sqlStatement struct { issue.MetaData gosec.CallList // Contains a list of patterns which must all match for the rule to match. patterns []*regexp.Regexp } var sqlCallIdents = map[string]map[string]int{ "*database/sql.DB": { "Exec": 0, "ExecContext": 1, "Query": 0, "QueryContext": 1, "QueryRow": 0, "QueryRowContext": 1, "Prepare": 0, "PrepareContext": 1, }, "*database/sql.Tx": { "Exec": 0, "ExecContext": 1, "Query": 0, "QueryContext": 1, "QueryRow": 0, "QueryRowContext": 1, "Prepare": 0, "PrepareContext": 1, }, } // findQueryArg locates the argument taking raw SQL func findQueryArg(call *ast.CallExpr, ctx *gosec.Context) (ast.Expr, error) { typeName, fnName, err := gosec.GetCallInfo(call, ctx) if err != nil { return nil, err } i := -1 if ni, ok := sqlCallIdents[typeName]; ok { if i, ok = ni[fnName]; !ok { i = -1 } } if i == -1 { return nil, fmt.Errorf("SQL argument index not found for %s.%s", typeName, fnName) } if i >= len(call.Args) { return nil, nil } query := call.Args[i] return query, nil } func (s *sqlStatement) ID() string { return s.MetaData.ID } // See if the string matches the patterns for the statement. func (s *sqlStatement) MatchPatterns(str string) bool { for _, pattern := range s.patterns { if !pattern.MatchString(str) { return false } } return true } type sqlStrConcat struct { sqlStatement } func (s *sqlStrConcat) ID() string { return s.MetaData.ID } // findInjectionInBranch walks diwb a set if expressions, and will create new issues if it finds SQL injections // This method assumes you've already verified that the branch contains SQL syntax func (s *sqlStrConcat) findInjectionInBranch(ctx *gosec.Context, branch []ast.Expr) *ast.BinaryExpr { for _, node := range branch { be, ok := node.(*ast.BinaryExpr) if !ok { continue } operands := gosec.GetBinaryExprOperands(be) for _, op := range operands { if _, ok := op.(*ast.BasicLit); ok { continue } if ident, ok := op.(*ast.Ident); ok && s.checkObject(ident, ctx) { continue } return be } } return nil } // see if we can figure out what it is func (s *sqlStrConcat) checkObject(n *ast.Ident, c *gosec.Context) bool { if n.Obj != nil { return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun } // Try to resolve unresolved identifiers using other files in same package for _, file := range c.PkgFiles { if node, ok := file.Scope.Objects[n.String()]; ok { return node.Kind != ast.Var && node.Kind != ast.Fun } } return false } // checkQuery verifies if the query parameters is a string concatenation func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*issue.Issue, error) { query, err := findQueryArg(call, ctx) if err != nil { return nil, err } if be, ok := query.(*ast.BinaryExpr); ok { operands := gosec.GetBinaryExprOperands(be) if start, ok := operands[0].(*ast.BasicLit); ok { if str, e := gosec.GetString(start); e == nil { if !s.MatchPatterns(str) { return nil, nil } } for _, op := range operands[1:] { if _, ok := op.(*ast.BasicLit); ok { continue } if op, ok := op.(*ast.Ident); ok && s.checkObject(op, ctx) { continue } return ctx.NewIssue(be, s.ID(), s.What, s.Severity, s.Confidence), nil } } } // Handle the case where an injection occurs as an infixed string concatenation, ie "SELECT * FROM foo WHERE name = '" + os.Args[0] + "' AND 1=1" if id, ok := query.(*ast.Ident); ok { var match bool for _, str := range gosec.GetIdentStringValuesRecursive(id) { if s.MatchPatterns(str) { match = true break } } if !match { return nil, nil } switch decl := id.Obj.Decl.(type) { case *ast.AssignStmt: if injection := s.findInjectionInBranch(ctx, decl.Rhs); injection != nil { return ctx.NewIssue(injection, s.ID(), s.What, s.Severity, s.Confidence), nil } } } return nil, nil } // Checks SQL query concatenation issues such as "SELECT * FROM table WHERE " + " ' OR 1=1" func (s *sqlStrConcat) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch stmt := n.(type) { case *ast.AssignStmt: for _, expr := range stmt.Rhs { if sqlQueryCall, ok := expr.(*ast.CallExpr); ok && s.ContainsCallExpr(expr, ctx) != nil { return s.checkQuery(sqlQueryCall, ctx) } } case *ast.ExprStmt: if sqlQueryCall, ok := stmt.X.(*ast.CallExpr); ok && s.ContainsCallExpr(stmt.X, ctx) != nil { return s.checkQuery(sqlQueryCall, ctx) } } return nil, nil } // NewSQLStrConcat looks for cases where we are building SQL strings via concatenation func NewSQLStrConcat(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule := &sqlStrConcat{ sqlStatement: sqlStatement{ patterns: []*regexp.Regexp{ regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"), }, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "SQL string concatenation", }, CallList: gosec.NewCallList(), }, } for s, si := range sqlCallIdents { for i := range si { rule.Add(s, i) } } return rule, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ExprStmt)(nil)} } type sqlStrFormat struct { gosec.CallList sqlStatement fmtCalls gosec.CallList noIssue gosec.CallList noIssueQuoted gosec.CallList } // see if we can figure out what it is func (s *sqlStrFormat) constObject(e ast.Expr, c *gosec.Context) bool { n, ok := e.(*ast.Ident) if !ok { return false } if n.Obj != nil { return n.Obj.Kind == ast.Con } // Try to resolve unresolved identifiers using other files in same package for _, file := range c.PkgFiles { if node, ok := file.Scope.Objects[n.String()]; ok { return node.Kind == ast.Con } } return false } func (s *sqlStrFormat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) (*issue.Issue, error) { query, err := findQueryArg(call, ctx) if err != nil { return nil, err } if ident, ok := query.(*ast.Ident); ok && ident.Obj != nil { decl := ident.Obj.Decl if assign, ok := decl.(*ast.AssignStmt); ok { for _, expr := range assign.Rhs { issue := s.checkFormatting(expr, ctx) if issue != nil { return issue, err } } } } return nil, nil } func (s *sqlStrFormat) checkFormatting(n ast.Node, ctx *gosec.Context) *issue.Issue { // argIndex changes the function argument which gets matched to the regex argIndex := 0 if node := s.fmtCalls.ContainsPkgCallExpr(n, ctx, false); node != nil { // if the function is fmt.Fprintf, search for SQL statement in Args[1] instead if sel, ok := node.Fun.(*ast.SelectorExpr); ok { if sel.Sel.Name == "Fprintf" { // if os.Stderr or os.Stdout is in Arg[0], mark as no issue if arg, ok := node.Args[0].(*ast.SelectorExpr); ok { if ident, ok := arg.X.(*ast.Ident); ok { if s.noIssue.Contains(ident.Name, arg.Sel.Name) { return nil } } } // the function is Fprintf so set argIndex = 1 argIndex = 1 } } // no formatter if len(node.Args) == 0 { return nil } var formatter string // concats callexpr arg strings together if needed before regex evaluation if argExpr, ok := node.Args[argIndex].(*ast.BinaryExpr); ok { if fullStr, ok := gosec.ConcatString(argExpr); ok { formatter = fullStr } } else if arg, e := gosec.GetString(node.Args[argIndex]); e == nil { formatter = arg } if len(formatter) <= 0 { return nil } // If all formatter args are quoted or constant, then the SQL construction is safe if argIndex+1 < len(node.Args) { allSafe := true for _, arg := range node.Args[argIndex+1:] { if n := s.noIssueQuoted.ContainsPkgCallExpr(arg, ctx, true); n == nil && !s.constObject(arg, ctx) { allSafe = false break } } if allSafe { return nil } } if s.MatchPatterns(formatter) { return ctx.NewIssue(n, s.ID(), s.What, s.Severity, s.Confidence) } } return nil } // Check SQL query formatting issues such as "fmt.Sprintf("SELECT * FROM foo where '%s', userInput)" func (s *sqlStrFormat) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, error) { switch stmt := n.(type) { case *ast.AssignStmt: for _, expr := range stmt.Rhs { if call, ok := expr.(*ast.CallExpr); ok { selector, ok := call.Fun.(*ast.SelectorExpr) if !ok { continue } sqlQueryCall, ok := selector.X.(*ast.CallExpr) if ok && s.ContainsCallExpr(sqlQueryCall, ctx) != nil { issue, err := s.checkQuery(sqlQueryCall, ctx) if err == nil && issue != nil { return issue, err } } } if sqlQueryCall, ok := expr.(*ast.CallExpr); ok && s.ContainsCallExpr(expr, ctx) != nil { return s.checkQuery(sqlQueryCall, ctx) } } case *ast.ExprStmt: if sqlQueryCall, ok := stmt.X.(*ast.CallExpr); ok && s.ContainsCallExpr(stmt.X, ctx) != nil { return s.checkQuery(sqlQueryCall, ctx) } } return nil, nil } // NewSQLStrFormat looks for cases where we're building SQL query strings using format strings func NewSQLStrFormat(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule := &sqlStrFormat{ CallList: gosec.NewCallList(), fmtCalls: gosec.NewCallList(), noIssue: gosec.NewCallList(), noIssueQuoted: gosec.NewCallList(), sqlStatement: sqlStatement{ patterns: []*regexp.Regexp{ regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"), regexp.MustCompile("%[^bdoxXfFp]"), }, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "SQL string formatting", }, }, } for s, si := range sqlCallIdents { for i := range si { rule.Add(s, i) } } rule.fmtCalls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln", "Fprintf") rule.noIssue.AddAll("os", "Stdout", "Stderr") rule.noIssueQuoted.Add("github.com/lib/pq", "QuoteIdentifier") return rule, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ExprStmt)(nil)} } 0707010000008B000081A400000000000000000000000166F55269000003C3000000000000000000000000000000000000001A00000000gosec-2.21.4/rules/ssh.gopackage rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type sshHostKey struct { issue.MetaData pkg string calls []string } func (r *sshHostKey) ID() string { return r.MetaData.ID } func (r *sshHostKey) Match(n ast.Node, c *gosec.Context) (gi *issue.Issue, err error) { if _, matches := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matches { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } return nil, nil } // NewSSHHostKey rule detects the use of insecure ssh HostKeyCallback. func NewSSHHostKey(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &sshHostKey{ pkg: "golang.org/x/crypto/ssh", calls: []string{"InsecureIgnoreHostKey"}, MetaData: issue.MetaData{ ID: id, What: "Use of ssh InsecureIgnoreHostKey should be audited", Severity: issue.Medium, Confidence: issue.High, }, }, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000008C000081A400000000000000000000000166F55269000006EC000000000000000000000000000000000000001B00000000gosec-2.21.4/rules/ssrf.gopackage rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type ssrf struct { issue.MetaData gosec.CallList } // ID returns the identifier for this rule func (r *ssrf) ID() string { return r.MetaData.ID } // ResolveVar tries to resolve the first argument of a call expression // The first argument is the url func (r *ssrf) ResolveVar(n *ast.CallExpr, c *gosec.Context) bool { if len(n.Args) > 0 { arg := n.Args[0] if ident, ok := arg.(*ast.Ident); ok { obj := c.Info.ObjectOf(ident) if _, ok := obj.(*types.Var); ok { scope := c.Pkg.Scope() if scope != nil && scope.Lookup(ident.Name) != nil { // a URL defined in a variable at package scope can be changed at any time return true } if !gosec.TryResolve(ident, c) { return true } } } } return false } // Match inspects AST nodes to determine if certain net/http methods are called with variable input func (r *ssrf) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { // Call expression is using http package directly if node := r.ContainsPkgCallExpr(n, c, false); node != nil { if r.ResolveVar(node, c) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } return nil, nil } // NewSSRFCheck detects cases where HTTP requests are sent func NewSSRFCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule := &ssrf{ CallList: gosec.NewCallList(), MetaData: issue.MetaData{ ID: id, What: "Potential HTTP request made with variable url", Severity: issue.Medium, Confidence: issue.Medium, }, } rule.AddAll("net/http", "Do", "Get", "Head", "Post", "PostForm", "RoundTrip") return rule, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000008D000081A400000000000000000000000166F5526900000FA9000000000000000000000000000000000000001E00000000gosec-2.21.4/rules/subproc.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "go/types" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type subprocess struct { issue.MetaData gosec.CallList } func (r *subprocess) ID() string { return r.MetaData.ID } // TODO(gm) The only real potential for command injection with a Go project // is something like this: // // syscall.Exec("/bin/sh", []string{"-c", tainted}) // // E.g. Input is correctly escaped but the execution context being used // is unsafe. For example: // // syscall.Exec("echo", "foobar" + tainted) func (r *subprocess) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node := r.ContainsPkgCallExpr(n, c, false); node != nil { args := node.Args if r.isContext(n, c) { args = args[1:] } for _, arg := range args { if ident, ok := arg.(*ast.Ident); ok { obj := c.Info.ObjectOf(ident) // need to cast and check whether it is for a variable ? _, variable := obj.(*types.Var) // .. indeed it is a variable then processing is different than a normal // field assignment if variable { // skip the check when the declaration is not available if ident.Obj == nil { continue } switch ident.Obj.Decl.(type) { case *ast.AssignStmt: _, assignment := ident.Obj.Decl.(*ast.AssignStmt) if variable && assignment { if !gosec.TryResolve(ident, c) { return c.NewIssue(n, r.ID(), "Subprocess launched with variable", issue.Medium, issue.High), nil } } case *ast.Field: _, field := ident.Obj.Decl.(*ast.Field) if variable && field { // check if the variable exist in the scope vv, vvok := obj.(*types.Var) if vvok && vv.Parent().Lookup(ident.Name) == nil { return c.NewIssue(n, r.ID(), "Subprocess launched with variable", issue.Medium, issue.High), nil } } case *ast.ValueSpec: _, valueSpec := ident.Obj.Decl.(*ast.ValueSpec) if variable && valueSpec { if !gosec.TryResolve(ident, c) { return c.NewIssue(n, r.ID(), "Subprocess launched with variable", issue.Medium, issue.High), nil } } } } } else if !gosec.TryResolve(arg, c) { // the arg is not a constant or a variable but instead a function call or os.Args[i] return c.NewIssue(n, r.ID(), "Subprocess launched with a potential tainted input or cmd arguments", issue.Medium, issue.High), nil } } } return nil, nil } // isContext checks whether or not the node is a CommandContext call or not // This is required in order to skip the first argument from the check. func (r *subprocess) isContext(n ast.Node, ctx *gosec.Context) bool { selector, indent, err := gosec.GetCallInfo(n, ctx) if err != nil { return false } if selector == "exec" && indent == "CommandContext" { return true } return false } // NewSubproc detects cases where we are forking out to an external process func NewSubproc(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule := &subprocess{issue.MetaData{ID: id}, gosec.NewCallList()} rule.Add("os/exec", "Command") rule.Add("os/exec", "CommandContext") rule.Add("syscall", "Exec") rule.Add("syscall", "ForkExec") rule.Add("syscall", "StartProcess") rule.Add("golang.org/x/sys/execabs", "Command") rule.Add("golang.org/x/sys/execabs", "CommandContext") return rule, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000008E000081A400000000000000000000000166F5526900000AB5000000000000000000000000000000000000002000000000gosec-2.21.4/rules/tempfiles.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "regexp" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type badTempFile struct { issue.MetaData calls gosec.CallList args *regexp.Regexp argCalls gosec.CallList nestedCalls gosec.CallList } func (t *badTempFile) ID() string { return t.MetaData.ID } func (t *badTempFile) findTempDirArgs(n ast.Node, c *gosec.Context, suspect ast.Node) *issue.Issue { if s, e := gosec.GetString(suspect); e == nil { if t.args.MatchString(s) { return c.NewIssue(n, t.ID(), t.What, t.Severity, t.Confidence) } return nil } if ce := t.argCalls.ContainsPkgCallExpr(suspect, c, false); ce != nil { return c.NewIssue(n, t.ID(), t.What, t.Severity, t.Confidence) } if be, ok := suspect.(*ast.BinaryExpr); ok { if ops := gosec.GetBinaryExprOperands(be); len(ops) != 0 { return t.findTempDirArgs(n, c, ops[0]) } return nil } if ce := t.nestedCalls.ContainsPkgCallExpr(suspect, c, false); ce != nil { return t.findTempDirArgs(n, c, ce.Args[0]) } return nil } func (t *badTempFile) Match(n ast.Node, c *gosec.Context) (gi *issue.Issue, err error) { if node := t.calls.ContainsPkgCallExpr(n, c, false); node != nil { return t.findTempDirArgs(n, c, node.Args[0]), nil } return nil, nil } // NewBadTempFile detects direct writes to predictable path in temporary directory func NewBadTempFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("io/ioutil", "WriteFile") calls.AddAll("os", "Create", "WriteFile") argCalls := gosec.NewCallList() argCalls.Add("os", "TempDir") nestedCalls := gosec.NewCallList() nestedCalls.Add("path", "Join") nestedCalls.Add("path/filepath", "Join") return &badTempFile{ calls: calls, args: regexp.MustCompile(`^(/(usr|var))?/tmp(/.*)?$`), argCalls: argCalls, nestedCalls: nestedCalls, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "File creation in shared tmp directory without using ioutil.Tempfile", }, }, []ast.Node{(*ast.CallExpr)(nil)} } 0707010000008F000081A400000000000000000000000166F552690000081F000000000000000000000000000000000000002000000000gosec-2.21.4/rules/templates.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type templateCheck struct { issue.MetaData calls gosec.CallList } func (t *templateCheck) ID() string { return t.MetaData.ID } func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if node := t.calls.ContainsPkgCallExpr(n, c, false); node != nil { for _, arg := range node.Args { if _, ok := arg.(*ast.BasicLit); !ok { // basic lits are safe return c.NewIssue(n, t.ID(), t.What, t.Severity, t.Confidence), nil } } } return nil, nil } // NewTemplateCheck constructs the template check rule. This rule is used to // find use of templates where HTML/JS escaping is not being used func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() calls.Add("html/template", "CSS") calls.Add("html/template", "HTML") calls.Add("html/template", "HTMLAttr") calls.Add("html/template", "JS") calls.Add("html/template", "JSStr") calls.Add("html/template", "Srcset") calls.Add("html/template", "URL") return &templateCheck{ calls: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.Low, What: "The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.", }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000090000081A400000000000000000000000166F5526900001A2C000000000000000000000000000000000000001A00000000gosec-2.21.4/rules/tls.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. //go:generate tlsconfig package rules import ( "crypto/tls" "fmt" "go/ast" "go/types" "strconv" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type insecureConfigTLS struct { issue.MetaData MinVersion int64 MaxVersion int64 requiredType string goodCiphers []string actualMinVersion int64 actualMaxVersion int64 } func (t *insecureConfigTLS) ID() string { return t.MetaData.ID } func stringInSlice(a string, list []string) bool { for _, b := range list { if b == a { return true } } return false } func (t *insecureConfigTLS) processTLSCipherSuites(n ast.Node, c *gosec.Context) *issue.Issue { if ciphers, ok := n.(*ast.CompositeLit); ok { for _, cipher := range ciphers.Elts { if ident, ok := cipher.(*ast.SelectorExpr); ok { if !stringInSlice(ident.Sel.Name, t.goodCiphers) { err := fmt.Sprintf("TLS Bad Cipher Suite: %s", ident.Sel.Name) return c.NewIssue(ident, t.ID(), err, issue.High, issue.High) } } } } return nil } func (t *insecureConfigTLS) processTLSConf(n ast.Node, c *gosec.Context) *issue.Issue { if kve, ok := n.(*ast.KeyValueExpr); ok { issue := t.processTLSConfVal(kve.Key, kve.Value, c) if issue != nil { return issue } } else if assign, ok := n.(*ast.AssignStmt); ok { if len(assign.Lhs) < 1 || len(assign.Rhs) < 1 { return nil } if selector, ok := assign.Lhs[0].(*ast.SelectorExpr); ok { issue := t.processTLSConfVal(selector.Sel, assign.Rhs[0], c) if issue != nil { return issue } } } return nil } func (t *insecureConfigTLS) processTLSConfVal(key ast.Expr, value ast.Expr, c *gosec.Context) *issue.Issue { if ident, ok := key.(*ast.Ident); ok { switch ident.Name { case "InsecureSkipVerify": if node, ok := value.(*ast.Ident); ok { if node.Name != "false" { return c.NewIssue(value, t.ID(), "TLS InsecureSkipVerify set true.", issue.High, issue.High) } } else { // TODO(tk): symbol tab look up to get the actual value return c.NewIssue(value, t.ID(), "TLS InsecureSkipVerify may be true.", issue.High, issue.Low) } case "PreferServerCipherSuites": if node, ok := value.(*ast.Ident); ok { if node.Name == "false" { return c.NewIssue(value, t.ID(), "TLS PreferServerCipherSuites set false.", issue.Medium, issue.High) } } else { // TODO(tk): symbol tab look up to get the actual value return c.NewIssue(value, t.ID(), "TLS PreferServerCipherSuites may be false.", issue.Medium, issue.Low) } case "MinVersion": if d, ok := value.(*ast.Ident); ok { obj := d.Obj if obj == nil { for _, f := range c.PkgFiles { obj = f.Scope.Lookup(d.Name) if obj != nil { break } } } if vs, ok := obj.Decl.(*ast.ValueSpec); ok && len(vs.Values) > 0 { if s, ok := vs.Values[0].(*ast.SelectorExpr); ok { x := s.X.(*ast.Ident).Name sel := s.Sel.Name for _, imp := range c.Pkg.Imports() { if imp.Name() == x { tObj := imp.Scope().Lookup(sel) if cst, ok := tObj.(*types.Const); ok { // ..got the value check if this can be translated if minVersion, err := strconv.ParseInt(cst.Val().String(), 0, 64); err == nil { t.actualMinVersion = minVersion } } } } } if ival, ierr := gosec.GetInt(vs.Values[0]); ierr == nil { t.actualMinVersion = ival } } } else if ival, ierr := gosec.GetInt(value); ierr == nil { t.actualMinVersion = ival } else { if se, ok := value.(*ast.SelectorExpr); ok { if pkg, ok := se.X.(*ast.Ident); ok { if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" { t.actualMinVersion = t.mapVersion(se.Sel.Name) } } } } case "MaxVersion": if ival, ierr := gosec.GetInt(value); ierr == nil { t.actualMaxVersion = ival } else { if se, ok := value.(*ast.SelectorExpr); ok { if pkg, ok := se.X.(*ast.Ident); ok { if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" { t.actualMaxVersion = t.mapVersion(se.Sel.Name) } } } } case "CipherSuites": if ret := t.processTLSCipherSuites(value, c); ret != nil { return ret } } } return nil } func (t *insecureConfigTLS) mapVersion(version string) int64 { var v int64 switch version { case "VersionTLS13": v = tls.VersionTLS13 case "VersionTLS12": v = tls.VersionTLS12 case "VersionTLS11": v = tls.VersionTLS11 case "VersionTLS10": v = tls.VersionTLS10 } return v } func (t *insecureConfigTLS) checkVersion(n ast.Node, c *gosec.Context) *issue.Issue { if t.actualMaxVersion == 0 && t.actualMinVersion >= t.MinVersion { // no warning is generated since the min version is greater than the secure min version return nil } if t.actualMinVersion < t.MinVersion { return c.NewIssue(n, t.ID(), "TLS MinVersion too low.", issue.High, issue.High) } if t.actualMaxVersion < t.MaxVersion { return c.NewIssue(n, t.ID(), "TLS MaxVersion too low.", issue.High, issue.High) } return nil } func (t *insecureConfigTLS) resetVersion() { t.actualMaxVersion = 0 t.actualMinVersion = 0 } func (t *insecureConfigTLS) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil { actualType := c.Info.TypeOf(complit.Type) if actualType != nil && actualType.String() == t.requiredType { for _, elt := range complit.Elts { issue := t.processTLSConf(elt, c) if issue != nil { return issue, nil } } issue := t.checkVersion(complit, c) t.resetVersion() return issue, nil } } else { if assign, ok := n.(*ast.AssignStmt); ok && len(assign.Lhs) > 0 { if selector, ok := assign.Lhs[0].(*ast.SelectorExpr); ok { actualType := c.Info.TypeOf(selector.X) if actualType != nil && actualType.String() == t.requiredType { issue := t.processTLSConf(assign, c) if issue != nil { return issue, nil } } } } } return nil, nil } 07070100000091000081A400000000000000000000000166F5526900000CDC000000000000000000000000000000000000002100000000gosec-2.21.4/rules/tls_config.gopackage rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) // NewModernTLSCheck creates a check for Modern TLS ciphers // DO NOT EDIT - generated by tlsconfig tool func NewModernTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &insecureConfigTLS{ MetaData: issue.MetaData{ID: id}, requiredType: "crypto/tls.Config", MinVersion: 0x0304, MaxVersion: 0x0304, goodCiphers: []string{ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", }, }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } // NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers // DO NOT EDIT - generated by tlsconfig tool func NewIntermediateTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &insecureConfigTLS{ MetaData: issue.MetaData{ID: id}, requiredType: "crypto/tls.Config", MinVersion: 0x0303, MaxVersion: 0x0304, goodCiphers: []string{ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", }, }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } // NewOldTLSCheck creates a check for Old TLS ciphers // DO NOT EDIT - generated by tlsconfig tool func NewOldTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &insecureConfigTLS{ MetaData: issue.MetaData{ID: id}, requiredType: "crypto/tls.Config", MinVersion: 0x0301, MaxVersion: 0x0304, goodCiphers: []string{ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", }, }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } 07070100000092000081A400000000000000000000000166F5526900000662000000000000000000000000000000000000001D00000000gosec-2.21.4/rules/unsafe.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type usingUnsafe struct { issue.MetaData pkg string calls []string } func (r *usingUnsafe) ID() string { return r.MetaData.ID } func (r *usingUnsafe) Match(n ast.Node, c *gosec.Context) (gi *issue.Issue, err error) { if _, matches := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matches { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } return nil, nil } // NewUsingUnsafe rule detects the use of the unsafe package. This is only // really useful for auditing purposes. func NewUsingUnsafe(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { return &usingUnsafe{ pkg: "unsafe", calls: []string{"Pointer", "String", "StringData", "Slice", "SliceData"}, MetaData: issue.MetaData{ ID: id, What: "Use of unsafe calls should be audited", Severity: issue.Low, Confidence: issue.High, }, }, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000093000081A400000000000000000000000166F552690000070B000000000000000000000000000000000000002100000000gosec-2.21.4/rules/weakcrypto.go// (c) Copyright 2016 Hewlett Packard Enterprise Development LP // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type usesWeakCryptographyEncryption struct { issue.MetaData blocklist map[string][]string } func (r *usesWeakCryptographyEncryption) ID() string { return r.MetaData.ID } func (r *usesWeakCryptographyEncryption) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for pkg, funcs := range r.blocklist { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } return nil, nil } // NewUsesWeakCryptographyEncryption detects uses of des.*, rc4.* func NewUsesWeakCryptographyEncryption(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := make(map[string][]string) calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"} calls["crypto/rc4"] = []string{"NewCipher"} rule := &usesWeakCryptographyEncryption{ blocklist: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "Use of weak cryptographic primitive", }, } return rule, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000094000081A400000000000000000000000166F5526900000692000000000000000000000000000000000000002500000000gosec-2.21.4/rules/weakcryptohash.go// Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type usesWeakCryptographyHash struct { issue.MetaData blocklist map[string][]string } func (r *usesWeakCryptographyHash) ID() string { return r.MetaData.ID } func (r *usesWeakCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for pkg, funcs := range r.blocklist { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } return nil, nil } // NewUsesWeakCryptographyHash detects uses of md5.*, sha1.* func NewUsesWeakCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := make(map[string][]string) calls["crypto/md5"] = []string{"New", "Sum"} calls["crypto/sha1"] = []string{"New", "Sum"} rule := &usesWeakCryptographyHash{ blocklist: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "Use of weak cryptographic primitive", }, } return rule, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000095000081A400000000000000000000000166F5526900000725000000000000000000000000000000000000002F00000000gosec-2.21.4/rules/weakdepricatedcryptohash.go// (c) Copyright 2024 Mercedes-Benz Tech Innovation GmbH // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package rules import ( "go/ast" "github.com/securego/gosec/v2" "github.com/securego/gosec/v2/issue" ) type usesWeakDeprecatedCryptographyHash struct { issue.MetaData blocklist map[string][]string } func (r *usesWeakDeprecatedCryptographyHash) ID() string { return r.MetaData.ID } func (r *usesWeakDeprecatedCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for pkg, funcs := range r.blocklist { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } return nil, nil } // NewUsesWeakCryptographyHash detects uses of md4.New, ripemd160.New func NewUsesWeakDeprecatedCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := make(map[string][]string) calls["golang.org/x/crypto/md4"] = []string{"New"} calls["golang.org/x/crypto/ripemd160"] = []string{"New"} rule := &usesWeakDeprecatedCryptographyHash{ blocklist: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.Medium, Confidence: issue.High, What: "Use of deprecated weak cryptographic primitive", }, } return rule, []ast.Node{(*ast.CallExpr)(nil)} } 07070100000096000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001700000000gosec-2.21.4/testutils07070100000097000081A400000000000000000000000166F55269000004A8000000000000000000000000000000000000002600000000gosec-2.21.4/testutils/cgo_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeCgo - Cgo file sample var SampleCodeCgo = []CodeSample{ {[]string{` package main import ( "fmt" "unsafe" ) /* #include <stdlib.h> #include <stdio.h> #include <string.h> int printData(unsigned char *data) { return printf("cData: %lu \"%s\"\n", (long unsigned int)strlen(data), data); } */ import "C" func main() { // Allocate C data buffer. width, height := 8, 2 lenData := width * height // add string terminating null byte cData := (*C.uchar)(C.calloc(C.size_t(lenData+1), C.sizeof_uchar)) // When no longer in use, free C allocations. defer C.free(unsafe.Pointer(cData)) // Go slice reference to C data buffer, // minus string terminating null byte gData := (*[1 << 30]byte)(unsafe.Pointer(cData))[:lenData:lenData] // Write and read cData via gData. for i := range gData { gData[i] = '.' } copy(gData[0:], "Data") gData[len(gData)-1] = 'X' fmt.Printf("gData: %d %q\n", len(gData), gData) C.printData(cData) } `}, 0, gosec.NewConfig()}, } 07070100000098000081A400000000000000000000000166F552690000187E000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g101_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG101 code snippets for hardcoded credentials SampleCodeG101 = []CodeSample{ {[]string{` package main import "fmt" func main() { username := "admin" password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` // Entropy check should not report this error by default package main import "fmt" func main() { username := "admin" password := "secret" fmt.Println("Doing something with: ", username, password) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" func main() { username := "admin" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" func main() { username := "admin" fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( username = "user" password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" ) func main() { fmt.Println("Doing something with: ", username, password) } `}, 1, gosec.NewConfig()}, {[]string{` package main var password string func init() { password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" } `}, 1, gosec.NewConfig()}, {[]string{` package main const ( ATNStateSomethingElse = 1 ATNStateTokenStart = 42 ) func main() { println(ATNStateTokenStart) } `}, 0, gosec.NewConfig()}, {[]string{` package main const ( ATNStateTokenStart = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" ) func main() { println(ATNStateTokenStart) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if password == "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var password string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != password { fmt.Println("password equality") } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var p string if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { var p string if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != p { fmt.Println("password equality") } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" ) func main() { fmt.Println(pw) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( pw string ) func main() { pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" fmt.Println(pw) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" ) func main() { fmt.Println(cred) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( cred string ) func main() { cred = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" fmt.Println(cred) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( apiKey = "KjasdlkjapoIKLlka98098sdf012U" ) func main() { fmt.Println(apiKey) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( apiKey string ) func main() { apiKey = "KjasdlkjapoIKLlka98098sdf012U" fmt.Println(apiKey) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09" ) func main() { fmt.Println(bearer) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" var ( bearer string ) func main() { bearer = "Bearer: 2lkjdfoiuwer092834kjdwf09" fmt.Println(bearer) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" // #nosec G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" // #nosec G101 const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" const ( ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101 ) func main() { fmt.Printf("%s\n", ConfigLearnerTokenAuth) } `}, 0, gosec.NewConfig()}, } // SampleCodeG101Values code snippets for hardcoded credentials SampleCodeG101Values = []CodeSample{ {[]string{` package main import "fmt" func main() { customerNameEnvKey := "FOO_CUSTOMER_NAME" fmt.Println(customerNameEnvKey) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { txnID := "3637cfcc1eec55a50f78a7c435914583ccbc75a21dec9a0e94dfa077647146d7" fmt.Println(txnID) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { urlSecret := "https://username:abcdef0123456789abcdef0123456789abcdef01@contoso.com/" fmt.Println(urlSecret) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { githubToken := "ghp_iR54dhCYg9Tfmoywi9xLmmKZrrnAw438BYh3" fmt.Println(githubToken) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { awsAccessKeyID := "AKIAI44QH8DHBEXAMPLE" fmt.Println(awsAccessKeyID) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { compareGoogleAPI := "test" if compareGoogleAPI == "AIzajtGS_aJGkoiAmSbXzu9I-1eytAi9Lrlh-vT" { fmt.Println(compareGoogleAPI) } } `}, 1, gosec.NewConfig()}, } ) 07070100000099000081A400000000000000000000000166F552690000062A000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g102_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG102 code snippets for network binding var SampleCodeG102 = []CodeSample{ // Bind to all networks explicitly {[]string{` package main import ( "log" "net" ) func main() { l, err := net.Listen("tcp", "0.0.0.0:2000") if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, // Bind to all networks implicitly (default if host omitted) {[]string{` package main import ( "log" "net" ) func main() { l, err := net.Listen("tcp", ":2000") if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, // Bind to all networks indirectly through a parsing function {[]string{` package main import ( "log" "net" ) func parseListenAddr(listenAddr string) (network string, addr string) { return "", "" } func main() { addr := ":2000" l, err := net.Listen(parseListenAddr(addr)) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, // Bind to all networks indirectly through a parsing function {[]string{` package main import ( "log" "net" ) const addr = ":2000" func parseListenAddr(listenAddr string) (network string, addr string) { return "", "" } func main() { l, err := net.Listen(parseListenAddr(addr)) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" ) const addr = "0.0.0.0:2000" func main() { l, err := net.Listen("tcp", addr) if err != nil { log.Fatal(err) } defer l.Close() } `}, 1, gosec.NewConfig()}, } 0707010000009A000081A400000000000000000000000166F55269000004C1000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g103_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG103 find instances of unsafe blocks for auditing purposes var SampleCodeG103 = []CodeSample{ {[]string{` package main import ( "fmt" "unsafe" ) type Fake struct{} func (Fake) Good() {} func main() { unsafeM := Fake{} unsafeM.Good() intArray := [...]int{1, 2} fmt.Printf("\nintArray: %v\n", intArray) intPtr := &intArray[0] fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr) addressHolder := uintptr(unsafe.Pointer(intPtr)) intPtr = (*int)(unsafe.Pointer(addressHolder)) fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr) } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "unsafe" ) func main() { chars := [...]byte{1, 2} charsPtr := &chars[0] str := unsafe.String(charsPtr, len(chars)) fmt.Printf("%s\n", str) ptr := unsafe.StringData(str) fmt.Printf("ptr: %p\n", ptr) } `}, 2, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "unsafe" ) func main() { chars := [...]byte{1, 2} charsPtr := &chars[0] slice := unsafe.Slice(charsPtr, len(chars)) fmt.Printf("%v\n", slice) ptr := unsafe.SliceData(slice) fmt.Printf("ptr: %p\n", ptr) } `}, 2, gosec.NewConfig()}, } 0707010000009B000081A400000000000000000000000166F5526900000D1D000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g104_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG104 finds errors that aren't being handled SampleCodeG104 = []CodeSample{ {[]string{` package main import "fmt" func test() (int,error) { return 0, nil } func main() { v, _ := test() fmt.Println(v) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() error { return fmt.Errorf("This is an error") } func b() { fmt.Println("b") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func c() string { return fmt.Sprintf("This isn't anything") } func main() { _ = a() a() b() c() } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func test() error { return nil } func main() { e := test() fmt.Println(e) } `}, 0, gosec.NewConfig()}, {[]string{` // +build go1.10 package main import "strings" func main() { var buf strings.Builder _, err := buf.WriteString("test string") if err != nil { panic(err) } }`, ` package main func dummy(){} `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "bytes" ) type a struct { buf *bytes.Buffer } func main() { a := &a{ buf: new(bytes.Buffer), } a.buf.Write([]byte{0}) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() { fmt.Println("a") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func main() { a() } `}, 0, gosec.Config{"G104": map[string]interface{}{"ioutil": []interface{}{"WriteFile"}}}}, {[]string{` package main import ( "bytes" "fmt" "io" "os" "strings" ) func createBuffer() *bytes.Buffer { return new(bytes.Buffer) } func main() { new(bytes.Buffer).WriteString("*bytes.Buffer") fmt.Fprintln(os.Stderr, "fmt") new(strings.Builder).WriteString("*strings.Builder") _, pw := io.Pipe() pw.CloseWithError(io.EOF) createBuffer().WriteString("*bytes.Buffer") b := createBuffer() b.WriteString("*bytes.Buffer") } `}, 0, gosec.NewConfig()}, } // it shouldn't return any errors because all method calls are whitelisted by default // SampleCodeG104Audit finds errors that aren't being handled in audit mode SampleCodeG104Audit = []CodeSample{ {[]string{` package main import "fmt" func test() (int,error) { return 0, nil } func main() { v, _ := test() fmt.Println(v) } `}, 1, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` package main import ( "io/ioutil" "os" "fmt" ) func a() error { return fmt.Errorf("This is an error") } func b() { fmt.Println("b") ioutil.WriteFile("foo.txt", []byte("bar"), os.ModeExclusive) } func c() string { return fmt.Sprintf("This isn't anything") } func main() { _ = a() a() b() c() } `}, 3, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` package main import "fmt" func test() error { return nil } func main() { e := test() fmt.Println(e) } `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, {[]string{` // +build go1.10 package main import "strings" func main() { var buf strings.Builder _, err := buf.WriteString("test string") if err != nil { panic(err) } } `, ` package main func dummy(){} `}, 0, gosec.Config{gosec.Globals: map[gosec.GlobalOption]string{gosec.Audit: "enabled"}}}, } ) 0707010000009C000081A400000000000000000000000166F552690000011D000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g106_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG106 - ssh InsecureIgnoreHostKey var SampleCodeG106 = []CodeSample{ {[]string{` package main import ( "golang.org/x/crypto/ssh" ) func main() { _ = ssh.InsecureIgnoreHostKey() } `}, 1, gosec.NewConfig()}, } 0707010000009D000081A400000000000000000000000166F5526900000D72000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g107_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG107 - SSRF via http requests with variable url var SampleCodeG107 = []CodeSample{ {[]string{` // Input from the std in is considered insecure package main import ( "net/http" "io/ioutil" "fmt" "os" "bufio" ) func main() { in := bufio.NewReader(os.Stdin) url, err := in.ReadString('\n') if err != nil { panic(err) } resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) } `}, 1, gosec.NewConfig()}, {[]string{` // Variable defined a package level can be changed at any time // regardless of the initial value package main import ( "fmt" "io/ioutil" "net/http" ) var url string = "https://www.google.com" func main() { resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) }`}, 1, gosec.NewConfig()}, {[]string{` // Environmental variables are not considered as secure source package main import ( "net/http" "io/ioutil" "fmt" "os" ) func main() { url := os.Getenv("tainted_url") resp, err := http.Get(url) if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s", body) } `}, 1, gosec.NewConfig()}, {[]string{` // Constant variables or hard-coded strings are secure package main import ( "fmt" "net/http" ) const url = "http://127.0.0.1" func main() { resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { var url string = "http://127.0.0.1" resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { url := "http://127.0.0.1" resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // A variable at function scope which is initialized to // a constant string is secure (e.g. cannot be changed concurrently) package main import ( "fmt" "net/http" ) func main() { url1 := "test" var url2 string = "http://127.0.0.1" url2 = url1 resp, err := http.Get(url2) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 0, gosec.NewConfig()}, {[]string{` // An exported variable declared a packaged scope is not secure // because it can changed at any time package main import ( "fmt" "net/http" ) var Url string func main() { resp, err := http.Get(Url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } `}, 1, gosec.NewConfig()}, {[]string{` // An url provided as a function argument is not secure package main import ( "fmt" "net/http" ) func get(url string) { resp, err := http.Get(url) if err != nil { fmt.Println(err) } fmt.Println(resp.Status) } func main() { url := "http://127.0.0.1" get(url) } `}, 1, gosec.NewConfig()}, } 0707010000009E000081A400000000000000000000000166F55269000002B4000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g108_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG108 - pprof endpoint automatically exposed var SampleCodeG108 = []CodeSample{ {[]string{` package main import ( "fmt" "log" "net/http" _ "net/http/pprof" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello World!") }) log.Fatal(http.ListenAndServe(":8080", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello World!") }) log.Fatal(http.ListenAndServe(":8080", nil)) } `}, 0, gosec.NewConfig()}, } 0707010000009F000081A400000000000000000000000166F55269000005D2000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g109_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG109 - Potential Integer OverFlow var SampleCodeG109 = []CodeSample{ {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } value := int32(bigValue) fmt.Println(value) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("32768") if err != nil { panic(err) } if int16(bigValue) < 0 { fmt.Println(bigValue) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } fmt.Println(bigValue) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { bigValue, err := strconv.Atoi("2147483648") if err != nil { panic(err) } fmt.Println(bigValue) test() } func test() { bigValue := 30 value := int64(bigValue) fmt.Println(value) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { value := 10 if value == 10 { value, _ := strconv.Atoi("2147483648") fmt.Println(value) } v := int64(value) fmt.Println(v) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "strconv" ) func main() { a, err := strconv.Atoi("a") b := int64(a) //#nosec G109 fmt.Println(b, err) } `}, 0, gosec.NewConfig()}, } 070701000000A0000081A400000000000000000000000166F5526900000749000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g110_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG110 - potential DoS vulnerability via decompression bomb var SampleCodeG110 = []CodeSample{ {[]string{` package main import ( "bytes" "compress/zlib" "io" "os" ) func main() { buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207, 47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147} b := bytes.NewReader(buff) r, err := zlib.NewReader(b) if err != nil { panic(err) } _, err = io.Copy(os.Stdout, r) if err != nil { panic(err) } r.Close() }`}, 1, gosec.NewConfig()}, {[]string{` package main import ( "bytes" "compress/zlib" "io" "os" ) func main() { buff := []byte{120, 156, 202, 72, 205, 201, 201, 215, 81, 40, 207, 47, 202, 73, 225, 2, 4, 0, 0, 255, 255, 33, 231, 4, 147} b := bytes.NewReader(buff) r, err := zlib.NewReader(b) if err != nil { panic(err) } buf := make([]byte, 8) _, err = io.CopyBuffer(os.Stdout, r, buf) if err != nil { panic(err) } r.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "archive/zip" "io" "os" "strconv" ) func main() { r, err := zip.OpenReader("tmp.zip") if err != nil { panic(err) } defer r.Close() for i, f := range r.File { out, err := os.OpenFile("output" + strconv.Itoa(i), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) if err != nil { panic(err) } rc, err := f.Open() if err != nil { panic(err) } _, err = io.Copy(out, rc) out.Close() rc.Close() if err != nil { panic(err) } } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io" "os" ) func main() { s, err := os.Open("src") if err != nil { panic(err) } defer s.Close() d, err := os.Create("dst") if err != nil { panic(err) } defer d.Close() _, err = io.Copy(d, s) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, } 070701000000A1000081A400000000000000000000000166F552690000021F000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g111_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG111 - potential directory traversal var SampleCodeG111 = []CodeSample{ {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.Handle("/bad/", http.StripPrefix("/bad/", http.FileServer(http.Dir("/")))) http.HandleFunc("/", HelloServer) log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), nil)) } func HelloServer(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) } `}, 1, gosec.NewConfig()}, } 070701000000A2000081A400000000000000000000000166F552690000067E000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g112_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG112 - potential slowloris attack var SampleCodeG112 = []CodeSample{ {[]string{` package main import ( "fmt" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) err := (&http.Server{ Addr: ":1234", }).ListenAndServe() if err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "time" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) server := &http.Server{ Addr: ":1234", ReadHeaderTimeout: 3 * time.Second, } err := server.ListenAndServe() if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "time" "net/http" ) func main() { http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) }) server := &http.Server{ Addr: ":1234", ReadTimeout: 1 * time.Second, } err := server.ListenAndServe() if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "net/http" "sync" ) type Server struct { hs *http.Server mux *http.ServeMux mu sync.Mutex } func New(listenAddr string) *Server { mux := http.NewServeMux() return &Server{ hs: &http.Server{ // #nosec G112 - Not publicly exposed Addr: listenAddr, Handler: mux, }, mux: mux, mu: sync.Mutex{}, } } func main() { fmt.Print("test") } `}, 0, gosec.NewConfig()}, } 070701000000A3000081A400000000000000000000000166F5526900000155000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g113_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow var SampleCodeG113 = []CodeSample{ {[]string{` package main import ( "math/big" "fmt" ) func main() { r := big.Rat{} r.SetString("13e-9223372036854775808") fmt.Println(r) } `}, 1, gosec.NewConfig()}, } 070701000000A4000081A400000000000000000000000166F5526900000413000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g114_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG114 - Use of net/http serve functions that have no support for setting timeouts var SampleCodeG114 = []CodeSample{ {[]string{` package main import ( "log" "net/http" ) func main() { err := http.ListenAndServe(":8080", nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net/http" ) func main() { err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" "net/http" ) func main() { l, err := net.Listen("tcp", ":8080") if err != nil { log.Fatal(err) } defer l.Close() err = http.Serve(l, nil) log.Fatal(err) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "net" "net/http" ) func main() { l, err := net.Listen("tcp", ":8443") if err != nil { log.Fatal(err) } defer l.Close() err = http.ServeTLS(l, nil, "cert.pem", "key.pem") log.Fatal(err) } `}, 1, gosec.NewConfig()}, } 070701000000A5000081A400000000000000000000000166F5526900002F0E000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g115_samples.gopackage testutils import "github.com/securego/gosec/v2" var SampleCodeG115 = []CodeSample{ {[]string{` package main import ( "fmt" "math" ) func main() { var a uint32 = math.MaxUint32 b := int32(a) fmt.Println(b) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a uint16 = math.MaxUint16 b := int32(a) fmt.Println(b) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a uint32 = math.MaxUint32 b := uint16(a) fmt.Println(b) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a int32 = math.MaxInt32 b := int16(a) fmt.Println(b) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a int16 = math.MaxInt16 b := int32(a) fmt.Println(b) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a int32 = math.MaxInt32 b := uint32(a) fmt.Println(b) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a uint = math.MaxUint b := int16(a) fmt.Println(b) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "math" ) func main() { var a uint = math.MaxUint b := int64(a) fmt.Println(b) } `}, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) func main() { var a uint = math.MaxUint // #nosec G115 b := int64(a) fmt.Println(b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) func main() { var a uint = math.MaxUint // #nosec G115 b := int64(a) fmt.Println(b) } `, ` package main func ExampleFunction() { } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) type Uint uint func main() { var a uint8 = math.MaxUint8 b := Uint(a) fmt.Println(b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { var a byte = '\xff' b := int64(a) fmt.Println(b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { var a int8 = -1 b := int64(a) fmt.Println(b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) type CustomType int func main() { var a uint = math.MaxUint b := CustomType(a) fmt.Println(b) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { a := []int{1,2,3} b := uint32(len(a)) fmt.Println(b) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { a := "A\xFF" b := int64(a[0]) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { var a uint8 = 13 b := int(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" ) func main() { const a int64 = 13 b := int32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < math.MinInt32 { panic("out of range") } if a > math.MaxInt32 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < math.MinInt32 && a > math.MaxInt32 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < math.MinInt32 || a > math.MaxInt32 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < math.MinInt64 || a > math.MaxInt32 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) func main() { var a int32 = math.MaxInt32 if a < math.MinInt32 && a > math.MaxInt32 { panic("out of range") } var b int64 = int64(a) * 2 c := int32(b) fmt.Printf("%d\n", c) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "strconv" ) func main() { var a string = "13" b, _ := strconv.ParseInt(a, 10, 32) c := int32(b) fmt.Printf("%d\n", c) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "strconv" ) func main() { var a string = "13" b, _ := strconv.ParseUint(a, 10, 8) c := uint8(b) fmt.Printf("%d\n", c) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "strconv" ) func main() { var a string = "13" b, _ := strconv.ParseInt(a, 10, 8) c := uint8(b) fmt.Printf("%d\n", c) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < 0 { panic("out of range") } if a > math.MaxUint32 { panic("out of range") } b := uint32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math/rand" ) func main() { a := rand.Int63() if a < 0 { panic("out of range") } b := uint32(a) fmt.Printf("%d\n", b) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "math" ) func foo(x int) uint32 { if x < 0 { return 0 } if x > math.MaxUint32 { return math.MaxUint32 } return uint32(x) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "math" ) func foo(items []string) uint32 { x := len(items) if x > math.MaxUint32 { return math.MaxUint32 } return uint32(x) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "math" ) func foo(items []string) uint32 { x := cap(items) if x > math.MaxUint32 { return math.MaxUint32 } return uint32(x) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "math" ) func foo(items []string) uint32 { x := len(items) if x < math.MaxUint32 { return uint32(x) } return math.MaxUint32 } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a >= math.MinInt32 && a <= math.MaxInt32 { b := int32(a) fmt.Printf("%d\n", b) } panic("out of range") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a >= math.MinInt32 && a <= math.MaxInt32 { b := int32(a) fmt.Printf("%d\n", b) } panic("out of range") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if !(a >= math.MinInt32) && a > math.MaxInt32 { b := int32(a) fmt.Printf("%d\n", b) } panic("out of range") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if !(a >= math.MinInt32) || a > math.MaxInt32 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if math.MinInt32 <= a && math.MaxInt32 >= a { b := int32(a) fmt.Printf("%d\n", b) } panic("out of range") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math/rand" ) func main() { a := rand.Int63() if a == 3 || a == 4 { b := int32(a) fmt.Printf("%d\n", b) } panic("out of range") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math/rand" ) func main() { a := rand.Int63() if a != 3 || a != 4 { panic("out of range") } b := int32(a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import "unsafe" func main() { i := uintptr(123) p := unsafe.Pointer(i) _ = p } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math/rand" ) func main() { a := rand.Int63() if a >= 0 { panic("no positivity allowed") } b := uint64(-a) fmt.Printf("%d\n", b) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) type CustomStruct struct { Value int } func main() { results := CustomStruct{Value: 0} if results.Value < math.MinInt32 || results.Value > math.MaxInt32 { panic("value out of range for int32") } convertedValue := int32(results.Value) fmt.Println(convertedValue) } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) type CustomStruct struct { Value int } func main() { results := CustomStruct{Value: 0} if results.Value >= math.MinInt32 && results.Value <= math.MaxInt32 { convertedValue := int32(results.Value) fmt.Println(convertedValue) } panic("value out of range for int32") } `, }, 0, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" ) type CustomStruct struct { Value int } func main() { results := CustomStruct{Value: 0} if results.Value < math.MinInt32 || results.Value > math.MaxInt32 { panic("value out of range for int32") } // checked value is decremented by 1 before conversion which is unsafe convertedValue := int32(results.Value-1) fmt.Println(convertedValue) } `, }, 1, gosec.NewConfig()}, {[]string{ ` package main import ( "fmt" "math" "math/rand" ) func main() { a := rand.Int63() if a < math.MinInt32 || a > math.MaxInt32 { panic("out of range") } // checked value is incremented by 1 before conversion which is unsafe b := int32(a+1) fmt.Printf("%d\n", b) } `, }, 1, gosec.NewConfig()}, } 070701000000A6000081A400000000000000000000000166F5526900001A3B000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g201_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG201 - SQL injection via format string var SampleCodeG201 = []CodeSample{ {[]string{` // Format string without proper quoting package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting case insensitive package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting with context package main import ( "context" "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := db.QueryContext(context.Background(), q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string without proper quoting with transaction package main import ( "context" "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } tx, err := db.Begin() if err != nil { panic(err) } defer tx.Rollback() q := fmt.Sprintf("select * from foo where name = '%s'", os.Args[1]) rows, err := tx.QueryContext(context.Background(), q) if err != nil { panic(err) } defer rows.Close() if err := tx.Commit(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Format string false positive, safe string spec. package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where id = %d", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string false positive package main import ( "database/sql" ) const staticQuery = "SELECT * FROM foo WHERE age < 32" func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string false positive, quoted formatter argument. package main import ( "database/sql" "fmt" "os" "github.com/lib/pq" ) func main(){ db, err := sql.Open("postgres", "localhost") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM %s where id = 1", pq.QuoteIdentifier(os.Args[1])) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" "fmt" ) const Table = "foo" func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM %s where id = 1", Table) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) func main(){ fmt.Sprintln() } `}, 0, gosec.NewConfig()}, {[]string{` // Format string with \n\r package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // Format string with \n\r package main import ( "database/sql" "fmt" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT * FROM foo where\nname = '%s'", os.Args[1]) rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Query(some).Scan(&other) package main import ( "database/sql" "fmt" "os" ) func main() { var name string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1]) row := db.QueryRow(q) err = row.Scan(&name) if err != nil { panic(err) } defer db.Close() }`}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Query(some).Scan(&other) package main import ( "database/sql" "fmt" "os" ) func main() { var name string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where id = '%s'", os.Args[1]) err = db.QueryRow(q).Scan(&name) if err != nil { panic(err) } defer db.Close() }`}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.Prepare(some) package main import ( "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1]) stmt, err := db.Prepare(q) if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // SQLI by db.PrepareContext(some) package main import ( "context" "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := fmt.Sprintf("SELECT name FROM users where '%s' = ?", os.Args[1]) stmt, err := db.PrepareContext(context.Background(), q) if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[2])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" "fmt" "log" "os" ) const Table = "foo" func main() { var album string db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?") if err != nil { log.Fatal(err) } stmt.QueryRow(fmt.Sprintf("%s", os.Args[1])).Scan(&album) if err != nil { if err == sql.ErrNoRows { log.Fatal(err) } } defer stmt.Close() } `}, 0, gosec.NewConfig()}, } 070701000000A7000081A400000000000000000000000166F55269000011BE000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g202_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG202 - SQL query string building via string concatenation var SampleCodeG202 = []CodeSample{ {[]string{` // infixed concatenation package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } q := "INSERT INTO foo (name) VALUES ('" + os.Args[0] + "')" rows, err := db.Query(q) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo WHERE name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // case insensitive match package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // context match package main import ( "context" "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // DB transaction check package main import ( "context" "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } tx, err := db.Begin() if err != nil { panic(err) } defer tx.Rollback() rows, err := tx.QueryContext(context.Background(), "select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() if err := tx.Commit(); err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // multiple string concatenation package main import ( "database/sql" "os" ) func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo" + "WHERE name = " + os.Args[1]) if err != nil { panic(err) } defer rows.Close() } `}, 1, gosec.NewConfig()}, {[]string{` // false positive package main import ( "database/sql" ) var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery + "32") if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" ) const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query(staticQuery + age) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main const gender = "M" `, ` package main import ( "database/sql" ) const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main(){ db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } rows, err := db.Query("SELECT * FROM foo WHERE gender = " + gender) if err != nil { panic(err) } defer rows.Close() } `}, 0, gosec.NewConfig()}, {[]string{` // ExecContext match package main import ( "context" "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.ExecContext(context.Background(), "select * from foo where name = "+os.Args[1]) if err != nil { panic(err) } fmt.Println(result) }`}, 1, gosec.NewConfig()}, {[]string{` // Exec match package main import ( "database/sql" "fmt" "os" ) func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.Exec("select * from foo where name = " + os.Args[1]) if err != nil { panic(err) } fmt.Println(result) }`}, 1, gosec.NewConfig()}, {[]string{` package main import ( "database/sql" "fmt" ) const gender = "M" const age = "32" var staticQuery = "SELECT * FROM foo WHERE age < " func main() { db, err := sql.Open("sqlite3", ":memory:") if err != nil { panic(err) } result, err := db.Exec("SELECT * FROM foo WHERE gender = " + gender) if err != nil { panic(err) } fmt.Println(result) } `}, 0, gosec.NewConfig()}, } 070701000000A8000081A400000000000000000000000166F55269000006D3000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g203_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG203 - Template checks var SampleCodeG203 = []CodeSample{ {[]string{` // We assume that hardcoded template strings are safe as the programmer would // need to be explicitly shooting themselves in the foot (as below) package main import ( "html/template" "os" ) const tmpl = "" func main() { t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.HTML("<script>alert(1)</script>"), } t.Execute(os.Stdout, v) } `}, 0, gosec.NewConfig()}, {[]string{` // Using a variable to initialize could potentially be dangerous. Under the // current model this will likely produce some false positives. package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.HTML(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.JS(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "html/template" "os" ) const tmpl = "" func main() { a := "something from another place" t := template.Must(template.New("ex").Parse(tmpl)) v := map[string]interface{}{ "Title": "Test <b>World</b>", "Body": template.URL(a), } t.Execute(os.Stdout, v) } `}, 1, gosec.NewConfig()}, } 070701000000A9000081A400000000000000000000000166F5526900001135000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g204_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG204 - Subprocess auditing var SampleCodeG204 = []CodeSample{ {[]string{` package main import ( "log" "os/exec" "context" ) func main() { err := exec.CommandContext(context.Background(), "git", "rev-parse", "--show-toplevel").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 0, gosec.NewConfig()}, {[]string{` // Calling any function which starts a new process with using // command line arguments as it's arguments is considered dangerous package main import ( "context" "log" "os" "os/exec" ) func main() { err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // Initializing a local variable using a environmental // variable is consider as a dangerous user input package main import ( "log" "os" "os/exec" ) func main() { run := "sleep" + os.Getenv("SOMETHING") cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // gosec doesn't have enough context to decide that the // command argument of the RunCmd function is hardcoded string // and that's why it's better to warn the user so he can audit it package main import ( "log" "os/exec" ) func RunCmd(command string) { cmd := exec.Command(command, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() } func main() { RunCmd("sleep") } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "log" "os/exec" ) func RunCmd(a string, c string) { cmd := exec.Command(c) err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() cmd = exec.Command(a) err = cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() } func main() { RunCmd("ll", "ls") } `}, 0, gosec.NewConfig()}, {[]string{` // syscall.Exec function called with hardcoded arguments // shouldn't be consider as a command injection package main import ( "fmt" "syscall" ) func main() { err := syscall.Exec("/bin/cat", []string{"/etc/passwd"}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } `}, 0, gosec.NewConfig()}, { []string{` package main import ( "fmt" "syscall" ) func RunCmd(command string) { _, err := syscall.ForkExec(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } func main() { RunCmd("sleep") } `}, 1, gosec.NewConfig(), }, {[]string{` package main import ( "fmt" "syscall" ) func RunCmd(command string) { _, _, err := syscall.StartProcess(command, []string{}, nil) if err != nil { fmt.Printf("Error: %v\n", err) } } func main() { RunCmd("sleep") } `}, 1, gosec.NewConfig()}, {[]string{` // starting a process with a variable as an argument // even if not constant is not considered as dangerous // because it has hardcoded value package main import ( "log" "os/exec" ) func main() { run := "sleep" cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 0, gosec.NewConfig()}, {[]string{` // exec.Command from supplemental package sys/execabs // using variable arguments package main import ( "context" "log" "os" exec "golang.org/x/sys/execabs" ) func main() { err := exec.CommandContext(context.Background(), os.Args[0], "5").Run() if err != nil { log.Fatal(err) } log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, {[]string{` // Initializing a local variable using a environmental // variable is consider as a dangerous user input package main import ( "log" "os" "os/exec" ) func main() { var run = "sleep" + os.Getenv("SOMETHING") cmd := exec.Command(run, "5") err := cmd.Start() if err != nil { log.Fatal(err) } log.Printf("Waiting for command to finish...") err = cmd.Wait() log.Printf("Command finished with error: %v", err) } `}, 1, gosec.NewConfig()}, } 070701000000AA000081A400000000000000000000000166F5526900000306000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g301_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG301 - mkdir permission check var SampleCodeG301 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Mkdir("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.MkdirAll("/tmp/mydir", 0777) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Mkdir("/tmp/mydir", 0600) if err != nil { fmt.Println("Error when creating a directory!") return } } `}, 0, gosec.NewConfig()}, } 070701000000AB000081A400000000000000000000000166F55269000003FA000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g302_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG302 - file create / chmod permissions check var SampleCodeG302 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Chmod("/tmp/somefile", 0777) if err != nil { fmt.Println("Error when changing file permissions!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0666) if err != nil { fmt.Println("Error opening a file!") return } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { err := os.Chmod("/tmp/mydir", 0400) if err != nil { fmt.Println("Error") return } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func main() { _, err := os.OpenFile("/tmp/thing", os.O_CREATE|os.O_WRONLY, 0600) if err != nil { fmt.Println("Error opening a file!") return } } `}, 0, gosec.NewConfig()}, } 070701000000AC000081A400000000000000000000000166F5526900000627000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g303_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG303 - bad tempfile permissions & hardcoded shared path var SampleCodeG303 = []CodeSample{ {[]string{` package samples import ( "fmt" "io/ioutil" "os" "path" "path/filepath" ) func main() { err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } f, err := os.Create("/tmp/demo2") if err != nil { fmt.Println("Error while writing!") } else if err = f.Close(); err != nil { fmt.Println("Error while closing!") } err = os.WriteFile("/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile("/usr/tmp/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile("/tmp/" + "demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(os.TempDir() + "/demo2", []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(path.Join("/var/tmp", "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(path.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } err = os.WriteFile(filepath.Join(os.TempDir(), "demo2"), []byte("This is some data"), 0644) if err != nil { fmt.Println("Error while writing!") } } `}, 9, gosec.NewConfig()}, } 070701000000AD000081A400000000000000000000000166F552690000132A000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g304_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG304 - potential file inclusion vulnerability var SampleCodeG304 = []CodeSample{ {[]string{` package main import ( "os" "io/ioutil" "log" ) func main() { f := os.Getenv("tainted_file") body, err := ioutil.ReadFile(f) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" "log" ) func main() { f := os.Getenv("tainted_file") body, err := os.ReadFile(f) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") f, err := os.Open(title) if err != nil { fmt.Printf("Error: %v\n", err) } body := make([]byte, 5) if _, err = f.Read(body); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Fprintf(w, "%s", body) }) log.Fatal(http.ListenAndServe(":3000", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "log" "net/http" "os" ) func main() { http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { title := r.URL.Query().Get("title") f, err := os.OpenFile(title, os.O_RDWR|os.O_CREATE, 0755) if err != nil { fmt.Printf("Error: %v\n", err) } body := make([]byte, 5) if _, err = f.Read(body); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Fprintf(w, "%s", body) }) log.Fatal(http.ListenAndServe(":3000", nil)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "os" "io/ioutil" ) func main() { f2 := os.Getenv("tainted_file2") body, err := ioutil.ReadFile("/tmp/" + f2) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "bufio" "fmt" "os" "path/filepath" ) func main() { reader := bufio.NewReader(os.Stdin) fmt.Print("Please enter file to read: ") file, _ := reader.ReadString('\n') file = file[:len(file)-1] f, err := os.Open(filepath.Join("/tmp/service/", file)) if err != nil { fmt.Printf("Error: %v\n", err) } contents := make([]byte, 15) if _, err = f.Read(contents); err != nil { fmt.Printf("Error: %v\n", err) } fmt.Println(string(contents)) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "log" "os" "io/ioutil" "path/filepath" ) func main() { dir := os.Getenv("server_root") f3 := os.Getenv("tainted_file3") // edge case where both a binary expression and file Join are used. body, err := ioutil.ReadFile(filepath.Join("/var/"+dir, f3)) if err != nil { log.Printf("Error: %v\n", err) } log.Print(body) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func main() { repoFile := "path_of_file" cleanRepoFile := filepath.Clean(repoFile) _, err := os.OpenFile(cleanRepoFile, os.O_RDONLY, 0600) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func openFile(filePath string) { _, err := os.OpenFile(filepath.Clean(filePath), os.O_RDONLY, 0600) if err != nil { panic(err) } } func main() { repoFile := "path_of_file" openFile(repoFile) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func openFile(dir string, filePath string) { fp := filepath.Join(dir, filePath) fp = filepath.Clean(fp) _, err := os.OpenFile(fp, os.O_RDONLY, 0600) if err != nil { panic(err) } } func main() { repoFile := "path_of_file" dir := "path_of_dir" openFile(dir, repoFile) } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "os" "path/filepath" ) func main() { repoFile := "path_of_file" relFile, err := filepath.Rel("./", repoFile) if err != nil { panic(err) } _, err = os.OpenFile(relFile, os.O_RDONLY, 0600) if err != nil { panic(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "io" "os" ) func createFile(file string) *os.File { f, err := os.Create(file) if err != nil { panic(err) } return f } func main() { s, err := os.Open("src") if err != nil { panic(err) } defer s.Close() d := createFile("dst") defer d.Close() _, err = io.Copy(d, s) if err != nil { panic(err) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "path/filepath" ) type foo struct { } func (f *foo) doSomething(silly string) error { whoCares, err := filepath.Rel(THEWD, silly) if err != nil { return err } fmt.Printf("%s", whoCares) return nil } func main() { f := &foo{} if err := f.doSomething("irrelevant"); err != nil { panic(err) } } `, ` package main var THEWD string `}, 0, gosec.NewConfig()}, } 070701000000AE000081A400000000000000000000000166F5526900000CD9000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g305_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG305 - File path traversal when extracting zip/tar archives var SampleCodeG305 = []CodeSample{ {[]string{` package unzip import ( "archive/zip" "io" "os" "path/filepath" ) func unzip(archive, target string) error { reader, err := zip.OpenReader(archive) if err != nil { return err } if err := os.MkdirAll(target, 0750); err != nil { return err } for _, file := range reader.File { path := filepath.Join(target, file.Name) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) //#nosec continue } fileReader, err := file.Open() if err != nil { return err } defer fileReader.Close() targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode()) if err != nil { return err } defer targetFile.Close() if _, err := io.Copy(targetFile, fileReader); err != nil { return err } } return nil } `}, 1, gosec.NewConfig()}, {[]string{` package unzip import ( "archive/zip" "io" "os" "path/filepath" ) func unzip(archive, target string) error { reader, err := zip.OpenReader(archive) if err != nil { return err } if err := os.MkdirAll(target, 0750); err != nil { return err } for _, file := range reader.File { archiveFile := file.Name path := filepath.Join(target, archiveFile) if file.FileInfo().IsDir() { os.MkdirAll(path, file.Mode()) //#nosec continue } fileReader, err := file.Open() if err != nil { return err } defer fileReader.Close() targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode()) if err != nil { return err } defer targetFile.Close() if _, err := io.Copy(targetFile, fileReader); err != nil { return err } } return nil } `}, 1, gosec.NewConfig()}, {[]string{` package zip import ( "archive/zip" "io" "os" "path" ) func extractFile(f *zip.File, destPath string) error { filePath := path.Join(destPath, f.Name) os.MkdirAll(path.Dir(filePath), os.ModePerm) rc, err := f.Open() if err != nil { return err } defer rc.Close() fw, err := os.Create(filePath) if err != nil { return err } defer fw.Close() if _, err = io.Copy(fw, rc); err != nil { return err } if f.FileInfo().Mode()&os.ModeSymlink != 0 { return nil } if err = os.Chtimes(filePath, f.ModTime(), f.ModTime()); err != nil { return err } return os.Chmod(filePath, f.FileInfo().Mode()) } `}, 1, gosec.NewConfig()}, {[]string{` package tz import ( "archive/tar" "io" "os" "path" ) func extractFile(f *tar.Header, tr *tar.Reader, destPath string) error { filePath := path.Join(destPath, f.Name) os.MkdirAll(path.Dir(filePath), os.ModePerm) fw, err := os.Create(filePath) if err != nil { return err } defer fw.Close() if _, err = io.Copy(fw, tr); err != nil { return err } if f.FileInfo().Mode()&os.ModeSymlink != 0 { return nil } if err = os.Chtimes(filePath, f.FileInfo().ModTime(), f.FileInfo().ModTime()); err != nil { return err } return os.Chmod(filePath, f.FileInfo().Mode()) } `}, 1, gosec.NewConfig()}, } 070701000000AF000081A400000000000000000000000166F5526900000460000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g306_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG306 - Poor permissions for WriteFile var SampleCodeG306 = []CodeSample{ {[]string{` package main import ( "bufio" "fmt" "io/ioutil" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { d1 := []byte("hello\ngo\n") err := ioutil.WriteFile("/tmp/dat1", d1, 0744) check(err) allowed := ioutil.WriteFile("/tmp/dat1", d1, 0600) check(allowed) f, err := os.Create("/tmp/dat2") check(err) defer f.Close() d2 := []byte{115, 111, 109, 101, 10} n2, err := f.Write(d2) defer check(err) fmt.Printf("wrote %d bytes\n", n2) n3, err := f.WriteString("writes\n") fmt.Printf("wrote %d bytes\n", n3) f.Sync() w := bufio.NewWriter(f) n4, err := w.WriteString("buffered\n") fmt.Printf("wrote %d bytes\n", n4) w.Flush() } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "io/ioutil" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { content := []byte("hello\ngo\n") err := ioutil.WriteFile("/tmp/dat1", content, os.ModePerm) check(err) } `}, 1, gosec.NewConfig()}, } 070701000000B0000081A400000000000000000000000166F5526900000248000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g307_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG307 - Poor permissions for os.Create var SampleCodeG307 = []CodeSample{ {[]string{` package main import ( "fmt" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { f, err := os.Create("/tmp/dat2") check(err) defer f.Close() } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" "os" ) func check(e error) { if e != nil { panic(e) } } func main() { f, err := os.Create("/tmp/dat2") check(err) defer f.Close() } `}, 1, gosec.Config{"G307": "0o600"}}, } 070701000000B1000081A400000000000000000000000166F55269000003DC000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g401_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG401 - Use of weak crypto hash MD5 SampleCodeG401 = []CodeSample{ {[]string{` package main import ( "crypto/md5" "fmt" "io" "log" "os" ) func main() { f, err := os.Open("file.txt") if err != nil { log.Fatal(err) } defer f.Close() defer func() { err := f.Close() if err != nil { log.Printf("error closing the file: %s", err) } }() h := md5.New() if _, err := io.Copy(h, f); err != nil { log.Fatal(err) } fmt.Printf("%x", h.Sum(nil)) } `}, 1, gosec.NewConfig()}, } // SampleCodeG401b - Use of weak crypto hash SHA1 SampleCodeG401b = []CodeSample{ {[]string{` package main import ( "crypto/sha1" "fmt" "io" "log" "os" ) func main() { f, err := os.Open("file.txt") if err != nil { log.Fatal(err) } defer f.Close() h := sha1.New() if _, err := io.Copy(h, f); err != nil { log.Fatal(err) } fmt.Printf("%x", h.Sum(nil)) } `}, 1, gosec.NewConfig()}, } ) 070701000000B2000081A400000000000000000000000166F55269000011D3000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g402_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG402 - TLS settings var SampleCodeG402 = []CodeSample{ {[]string{` // InsecureSkipVerify package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // InsecureSkipVerify from variable package main import ( "crypto/tls" ) func main() { var conf tls.Config conf.InsecureSkipVerify = true } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MinVersion: 0}, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseNotError() *tls.Config { var v uint16 = tls.VersionTLS13 return &tls.Config{ MinVersion: v, } } func main() { a := CaseNotError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseNotError() *tls.Config { return &tls.Config{ MinVersion: tls.VersionTLS13, } } func main() { a := CaseNotError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseError() *tls.Config { var v = &tls.Config{ MinVersion: 0, } return v } func main() { a := CaseError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" ) func CaseError() *tls.Config { var v = &tls.Config{ MinVersion: getVersion(), } return v } func getVersion() uint16 { return tls.VersionTLS12 } func main() { a := CaseError() fmt.Printf("Debug: %v\n", a.MinVersion) } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure minimum version package main import ( "crypto/tls" "fmt" "net/http" ) var theValue uint16 = 0x0304 func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MinVersion: theValue}, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 0, gosec.NewConfig()}, {[]string{` // Insecure max version package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{MaxVersion: 0}, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // Insecure ciphersuite selection package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{ CipherSuites: []uint16{ tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, }, }, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 1, gosec.NewConfig()}, {[]string{` // secure max version when min version is specified package main import ( "crypto/tls" "fmt" "net/http" ) func main() { tr := &http.Transport{ TLSClientConfig: &tls.Config{ MaxVersion: 0, MinVersion: tls.VersionTLS13, }, } client := &http.Client{Transport: tr} _, err := client.Get("https://golang.org/") if err != nil { fmt.Println(err) } } `}, 0, gosec.NewConfig()}, {[]string{` package p0 import "crypto/tls" func TlsConfig0() *tls.Config { var v uint16 = 0 return &tls.Config{MinVersion: v} } `, ` package p0 import "crypto/tls" func TlsConfig1() *tls.Config { return &tls.Config{MinVersion: 0x0304} } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" "fmt" ) func main() { cfg := tls.Config{ MinVersion: MinVer, } fmt.Println("tls min version", cfg.MinVersion) } `, ` package main import "crypto/tls" const MinVer = tls.VersionTLS13 `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "crypto/tls" cryptotls "crypto/tls" ) func main() { _ = tls.Config{MinVersion: tls.VersionTLS12} _ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12} } `}, 0, gosec.NewConfig()}, } 070701000000B3000081A400000000000000000000000166F552690000017C000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g403_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG403 - weak key strength var SampleCodeG403 = []CodeSample{ {[]string{` package main import ( "crypto/rand" "crypto/rsa" "fmt" ) func main() { //Generate Private Key pvk, err := rsa.GenerateKey(rand.Reader, 1024) if err != nil { fmt.Println(err) } fmt.Println(pvk) } `}, 1, gosec.NewConfig()}, } 070701000000B4000081A400000000000000000000000166F5526900000A21000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g404_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG404 - weak random number var SampleCodeG404 = []CodeSample{ {[]string{` package main import "crypto/rand" func main() { good, _ := rand.Read(nil) println(good) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "math/rand" func main() { bad := rand.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "math/rand/v2" func main() { bad := rand.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" mrand "math/rand" ) func main() { good, _ := rand.Read(nil) println(good) bad := mrand.Int31() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" mrand "math/rand/v2" ) func main() { good, _ := rand.Read(nil) println(good) bad := mrand.Int32() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand" ) func main() { gen := rand.New(rand.NewSource(10)) bad := gen.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand/v2" ) func main() { gen := rand.New(rand.NewPCG(1, 2)) bad := gen.Int() println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand" ) func main() { bad := rand.Intn(10) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "math/rand/v2" ) func main() { bad := rand.IntN(10) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" "math/big" rnd "math/rand" ) func main() { good, _ := rand.Int(rand.Reader, big.NewInt(int64(2))) println(good) bad := rnd.Intn(2) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "crypto/rand" "math/big" rnd "math/rand/v2" ) func main() { good, _ := rand.Int(rand.Reader, big.NewInt(int64(2))) println(good) bad := rnd.IntN(2) println(bad) } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( crand "crypto/rand" "math/big" "math/rand" rand2 "math/rand" rand3 "math/rand" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.Intn(2) // bad _ = rand2.Intn(2) // bad _ = rand3.Intn(2) // bad } `}, 3, gosec.NewConfig()}, {[]string{` package main import ( crand "crypto/rand" "math/big" "math/rand/v2" rand2 "math/rand/v2" rand3 "math/rand/v2" ) func main() { _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good _ = rand.IntN(2) // bad _ = rand2.IntN(2) // bad _ = rand3.IntN(2) // bad } `}, 3, gosec.NewConfig()}, } 070701000000B5000081A400000000000000000000000166F55269000004A4000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g405_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG405 - Use of weak crypto encryption DES SampleCodeG405 = []CodeSample{ {[]string{` package main import ( "crypto/des" "fmt" ) func main() { // Weakness: Usage of weak encryption algorithm c, e := des.NewCipher([]byte("mySecret")) if e != nil { panic("We have a problem: " + e.Error()) } data := []byte("hello world") fmt.Println("Plain", string(data)) c.Encrypt(data, data) fmt.Println("Encrypted", string(data)) c.Decrypt(data, data) fmt.Println("Plain Decrypted", string(data)) } `}, 1, gosec.NewConfig()}, } // SampleCodeG405b - Use of weak crypto encryption RC4 SampleCodeG405b = []CodeSample{ {[]string{` package main import ( "crypto/rc4" "fmt" ) func main() { // Weakness: Usage of weak encryption algorithm c, _ := rc4.NewCipher([]byte("mySecret")) data := []byte("hello world") fmt.Println("Plain", string(data)) c.XORKeyStream(data, data) cryptCipher2, _ := rc4.NewCipher([]byte("mySecret")) fmt.Println("Encrypted", string(data)) cryptCipher2.XORKeyStream(data, data) fmt.Println("Plain Decrypted", string(data)) } `}, 2, gosec.NewConfig()}, } ) 070701000000B6000081A400000000000000000000000166F55269000002CD000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g406_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG406 - Use of deprecated weak crypto hash MD4 SampleCodeG406 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/md4" ) func main() { h := md4.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } // SampleCodeG406b - Use of deprecated weak crypto hash RIPEMD160 SampleCodeG406b = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/ripemd160" ) func main() { h := ripemd160.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } ) 070701000000B7000081A400000000000000000000000166F5526900002B39000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g407_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG407 - Use of hardcoded nonce/IV var SampleCodeG407 = []CodeSample{ {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func encrypt(nonce []byte) { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, nonce) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } func main() { var nonce = []byte("ILoveMyNonceAlot") encrypt(nonce) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte("ILoveMyNonceAlot")) // #nosec G407 var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher( []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), []byte("My secret message"), nil) // #nosec G407 fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), cipherText, nil) // #nosec G407 fmt.Println(string(cipherText)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesOFB := cipher.NewOFB(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesOFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) }`}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte("ILoveMyNonce"), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte("ILoveMyNonce"), cipherText, nil) fmt.Println(string(cipherText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte{}, []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte{}, cipherText, nil) fmt.Println(string(cipherText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, cipherText, nil) fmt.Println(string(cipherText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher( []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte("ILoveMyNonce") } else { return []byte("IDont'Love..") } }(), cipherText, nil) fmt.Println(string(cipherText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, func() []byte { if true { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } else { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } }(), []byte("My secret message"), nil) fmt.Println(string(cipherText)) cipherText, _ = aesGCM.Open(nil, func() []byte { if true { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } else { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} } }(), cipherText, nil) fmt.Println(string(cipherText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipheredText := aesGCM.Seal(nil, func() []byte { return []byte("ILoveMyNonce") }(), []byte("My secret message"), nil) fmt.Println(string(cipheredText)) cipheredText, _ = aesGCM.Open(nil, func() []byte { return []byte("ILoveMyNonce") }(), cipheredText, nil) fmt.Println(string(cipheredText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipheredText := aesGCM.Seal(nil, func() []byte { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} }(), []byte("My secret message"), nil) fmt.Println(string(cipheredText)) cipheredText, _ = aesGCM.Open(nil, func() []byte { return []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} }(), cipheredText, nil) fmt.Println(string(cipheredText)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB := cipher.NewCFBEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCFB = cipher.NewCFBDecrypter(block, []byte("ILoveMyNonceAlot")) aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) }`}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB := cipher.NewCFBEncrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCFB.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCFB = cipher.NewCFBDecrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCFB.XORKeyStream(output, output) fmt.Println(string(output)) }`}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC := cipher.NewCBCEncrypter(block, []byte("ILoveMyNonceAlot")) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCBC = cipher.NewCBCDecrypter(block, []byte("ILoveMyNonceAlot")) aesCBC.CryptBlocks(output, output) fmt.Println(string(output)) }`}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC := cipher.NewCBCEncrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) var output = make([]byte, 16) aesCBC.CryptBlocks(output, []byte("Very Cool thing!")) fmt.Println(string(output)) aesCBC = cipher.NewCBCDecrypter(block, []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCBC.CryptBlocks(output, output) fmt.Println(string(output)) } `}, 2, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { var nonce = []byte("ILoveMyNonce") block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) fmt.Println(string(aesGCM.Seal(nil, nonce, []byte("My secret message"), nil))) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) func main() { var nonce = []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, nonce) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 1, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "crypto/rand" "fmt" ) func coolFunc(size int) []byte{ buf := make([]byte, size) rand.Read(buf) return buf } func main() { var nonce = coolFunc(16) block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesCTR := cipher.NewCTR(block, nonce) var output = make([]byte, 16) aesCTR.XORKeyStream(output, []byte("Very Cool thing!")) fmt.Println(string(output)) } `}, 0, gosec.NewConfig()}, {[]string{`package main import ( "crypto/aes" "crypto/cipher" "fmt" ) var nonce = []byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1} func main() { block, _ := aes.NewCipher([]byte{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}) aesGCM, _ := cipher.NewGCM(block) cipherText := aesGCM.Seal(nil, nonce, []byte("My secret message"), nil) fmt.Println(string(cipherText)) } `}, 1, gosec.NewConfig()}, } 070701000000B8000081A400000000000000000000000166F552690000014E000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g501_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG501 - Blocklisted import MD5 var SampleCodeG501 = []CodeSample{ {[]string{` package main import ( "crypto/md5" "fmt" "os" ) func main() { for _, arg := range os.Args { fmt.Printf("%x - %s\n", md5.Sum([]byte(arg)), arg) } } `}, 1, gosec.NewConfig()}, } 070701000000B9000081A400000000000000000000000166F55269000002FD000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g502_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG502 - Blocklisted import DES var SampleCodeG502 = []CodeSample{ {[]string{` package main import ( "crypto/cipher" "crypto/des" "crypto/rand" "encoding/hex" "fmt" "io" ) func main() { block, err := des.NewCipher([]byte("sekritz")) if err != nil { panic(err) } plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ") ciphertext := make([]byte, des.BlockSize+len(plaintext)) iv := ciphertext[:des.BlockSize] if _, err := io.ReadFull(rand.Reader, iv); err != nil { panic(err) } stream := cipher.NewCFBEncrypter(block, iv) stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) } `}, 1, gosec.NewConfig()}, } 070701000000BA000081A400000000000000000000000166F5526900000222000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g503_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG503 - Blocklisted import RC4 var SampleCodeG503 = []CodeSample{ {[]string{` package main import ( "crypto/rc4" "encoding/hex" "fmt" ) func main() { cipher, err := rc4.NewCipher([]byte("sekritz")) if err != nil { panic(err) } plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ") ciphertext := make([]byte, len(plaintext)) cipher.XORKeyStream(ciphertext, plaintext) fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext)) } `}, 1, gosec.NewConfig()}, } 070701000000BB000081A400000000000000000000000166F5526900000131000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g504_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG504 - Blocklisted import CGI var SampleCodeG504 = []CodeSample{ {[]string{` package main import ( "net/http/cgi" "net/http" ) func main() { cgi.Serve(http.FileServer(http.Dir("/usr/share/doc"))) } `}, 1, gosec.NewConfig()}, } 070701000000BC000081A400000000000000000000000166F5526900000151000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g505_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG505 - Blocklisted import SHA1 var SampleCodeG505 = []CodeSample{ {[]string{` package main import ( "crypto/sha1" "fmt" "os" ) func main() { for _, arg := range os.Args { fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg) } } `}, 1, gosec.NewConfig()}, } 070701000000BD000081A400000000000000000000000166F5526900000165000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g506_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG506 - Blocklisted import MD4 var SampleCodeG506 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/md4" ) func main() { h := md4.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } 070701000000BE000081A400000000000000000000000166F5526900000177000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g507_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG507 - Blocklisted import RIPEMD160 var SampleCodeG507 = []CodeSample{ {[]string{` package main import ( "encoding/hex" "fmt" "golang.org/x/crypto/ripemd160" ) func main() { h := ripemd160.New() h.Write([]byte("test")) fmt.Println(hex.EncodeToString(h.Sum(nil))) } `}, 1, gosec.NewConfig()}, } 070701000000BF000081A400000000000000000000000166F5526900000C12000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g601_samples.gopackage testutils import "github.com/securego/gosec/v2" var ( // SampleCodeG601 - Implicit aliasing over range statement SampleCodeG601 = []CodeSample{ {[]string{` package main import "fmt" var vector []*string func appendVector(s *string) { vector = append(vector, s) } func printVector() { for _, item := range vector { fmt.Printf("%s", *item) } fmt.Println() } func foo() (int, **string, *string) { for _, item := range vector { return 0, &item, item } return 0, nil, nil } func main() { for _, item := range []string{"A", "B", "C"} { appendVector(&item) } printVector() zero, c_star, c := foo() fmt.Printf("%d %v %s", zero, c_star, c) } `}, 1, gosec.NewConfig()}, {[]string{` // see: github.com/securego/gosec/issues/475 package main import ( "fmt" ) func main() { sampleMap := map[string]string{} sampleString := "A string" for sampleString, _ = range sampleMap { fmt.Println(sampleString) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(sample.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []*sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []*sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type sampleStruct struct { name string } func main() { samples := []sampleStruct{ {name: "a"}, {name: "b"}, } for _, sample := range samples { fmt.Println(&sample.name) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type subStruct struct { name string } type sampleStruct struct { sub subStruct } func main() { samples := []sampleStruct{ {sub: subStruct{name: "a"}}, {sub: subStruct{name: "b"}}, } for _, sample := range samples { fmt.Println(&sample.sub.name) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) type subStruct struct { name string } type sampleStruct struct { sub subStruct } func main() { samples := []*sampleStruct{ {sub: subStruct{name: "a"}}, {sub: subStruct{name: "b"}}, } for _, sample := range samples { fmt.Println(&sample.sub.name) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import ( "fmt" ) func main() { one, two := 1, 2 samples := []*int{&one, &two} for _, sample := range samples { fmt.Println(&sample) } } `}, 1, gosec.NewConfig()}, } // SampleCodeBuildTag - G601 build tags SampleCodeBuildTag = []CodeSample{ {[]string{` // +build tag package main func main() { fmt.Println("no package imported error") } `}, 1, gosec.NewConfig()}, } ) 070701000000C0000081A400000000000000000000000166F552690000105B000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/g602_samples.gopackage testutils import "github.com/securego/gosec/v2" // SampleCodeG602 - Slice access out of bounds var SampleCodeG602 = []CodeSample{ {[]string{` package main import "fmt" func main() { s := make([]byte, 0) fmt.Println(s[:3]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) fmt.Println(s[3:]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[:17]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[:16]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 16) fmt.Println(s[5:17]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) fmt.Println(s[3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 4) fmt.Println(s[5]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) s = make([]byte, 3) fmt.Println(s[:3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) fmt.Println(s[:3]) fmt.Println(s[3]) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) fmt.Println(s[:5]) fmt.Println(s[7]) } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0, 4) x := s[:2] y := x[:10] fmt.Println(y) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 0, 4) doStuff(s) } func doStuff(x []int) { newSlice := x[:10] fmt.Println(newSlice) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 0, 30) doStuff(s) x := make([]int, 20) y := x[10:] doStuff(y) z := y[5:] doStuff(z) } func doStuff(x []int) { newSlice := x[:10] fmt.Println(newSlice) newSlice2 := x[:6] fmt.Println(newSlice2) } `}, 2, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { testMap := make(map[string]any, 0) testMap["test1"] = map[string]interface{}{ "test2": map[string]interface{}{ "value": 0, }, } fmt.Println(testMap) } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { fmt.Println(s[0]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { switch s[0] { case 0: fmt.Println("zero") return default: fmt.Println(s[0]) return } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { switch s[0] { case 0: b := true if b == true { // Should work for many-levels of nesting when the condition is not on the target slice fmt.Println(s[0]) } return default: fmt.Println(s[0]) return } } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { if len(s) > 1 { fmt.Println(s[1]) } fmt.Println(s[0]) } } `}, 0, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 2) fmt.Println(s[1]) s = make([]byte, 0) fmt.Println(s[1]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { if len(s) > 4 { fmt.Println(s[3]) } else { // Should error fmt.Println(s[2]) } fmt.Println(s[0]) } } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]byte, 0) if len(s) > 0 { fmt.Println("fake test") } fmt.Println(s[0]) } `}, 1, gosec.NewConfig()}, {[]string{` package main import "fmt" func main() { s := make([]int, 16) for i := 0; i < 17; i++ { s = append(s, i) } if len(s) < 16 { fmt.Println(s[10:16]) } else { fmt.Println(s[3:18]) } fmt.Println(s[0]) for i := range s { fmt.Println(s[i]) } } `}, 0, gosec.NewConfig()}, } 070701000000C1000081A400000000000000000000000166F55269000000EF000000000000000000000000000000000000001E00000000gosec-2.21.4/testutils/log.gopackage testutils import ( "bytes" "log" ) // NewLogger returns a logger and the buffer that it will be written to func NewLogger() (*log.Logger, *bytes.Buffer) { var buf bytes.Buffer return log.New(&buf, "", log.Lshortfile), &buf } 070701000000C2000081A400000000000000000000000166F5526900000C97000000000000000000000000000000000000001E00000000gosec-2.21.4/testutils/pkg.gopackage testutils import ( "fmt" "go/build" "log" "os" "path" "strings" "golang.org/x/tools/go/packages" "github.com/securego/gosec/v2" ) type buildObj struct { pkg *build.Package config *packages.Config pkgs []*packages.Package } // TestPackage is a mock package for testing purposes type TestPackage struct { Path string Files map[string]string onDisk bool build *buildObj } // NewTestPackage will create a new and empty package. Must call Close() to cleanup // auxiliary files func NewTestPackage() *TestPackage { workingDir, err := os.MkdirTemp("", "gosecs_test") if err != nil { return nil } return &TestPackage{ Path: workingDir, Files: make(map[string]string), onDisk: false, build: nil, } } // AddFile inserts the filename and contents into the package contents func (p *TestPackage) AddFile(filename, content string) { p.Files[path.Join(p.Path, filename)] = content } func (p *TestPackage) write() error { if p.onDisk { return nil } for filename, content := range p.Files { if e := os.WriteFile(filename, []byte(content), 0o644); e != nil /* #nosec G306 */ { return e } } p.onDisk = true return nil } // Build ensures all files are persisted to disk and built func (p *TestPackage) Build() error { if p.build != nil { return nil } if err := p.write(); err != nil { return err } basePackage, err := build.Default.ImportDir(p.Path, build.ImportComment) if err != nil { return err } var packageFiles []string for _, filename := range basePackage.GoFiles { packageFiles = append(packageFiles, path.Join(p.Path, filename)) } conf := &packages.Config{ Mode: gosec.LoadMode, Tests: false, } pkgs, err := packages.Load(conf, packageFiles...) if err != nil { return err } p.build = &buildObj{ pkg: basePackage, config: conf, pkgs: pkgs, } return nil } // CreateContext builds a context out of supplied package context func (p *TestPackage) CreateContext(filename string) *gosec.Context { if err := p.Build(); err != nil { log.Fatal(err) return nil } for _, pkg := range p.build.pkgs { for _, file := range pkg.Syntax { pkgFile := pkg.Fset.File(file.Pos()).Name() strip := fmt.Sprintf("%s%c", p.Path, os.PathSeparator) pkgFile = strings.TrimPrefix(pkgFile, strip) if pkgFile == filename { ctx := &gosec.Context{ FileSet: pkg.Fset, Root: file, Config: gosec.NewConfig(), Info: pkg.TypesInfo, Pkg: pkg.Types, Imports: gosec.NewImportTracker(), PassedValues: make(map[string]interface{}), } ctx.Imports.TrackPackages(ctx.Pkg.Imports()...) return ctx } } } return nil } // Close will delete the package and all files in that directory func (p *TestPackage) Close() { if p.onDisk { err := os.RemoveAll(p.Path) if err != nil { log.Fatal(err) } } } // Pkgs returns the current built packages func (p *TestPackage) Pkgs() []*packages.Package { if p.build != nil { return p.build.pkgs } return []*packages.Package{} } // PrintErrors prints to os.Stderr the accumulated errors of built packages func (p *TestPackage) PrintErrors() int { return packages.PrintErrors(p.Pkgs()) } 070701000000C3000081A400000000000000000000000166F55269000000F1000000000000000000000000000000000000002700000000gosec-2.21.4/testutils/sample_types.gopackage testutils import "github.com/securego/gosec/v2" // CodeSample encapsulates a snippet of source code that compiles, and how many errors should be detected type CodeSample struct { Code []string Errors int Config gosec.Config } 070701000000C4000081A400000000000000000000000166F552690000028C000000000000000000000000000000000000002200000000gosec-2.21.4/testutils/visitor.gopackage testutils import ( "go/ast" "github.com/securego/gosec/v2" ) // MockVisitor is useful for stubbing out ast.Visitor with callback // and looking for specific conditions to exist. type MockVisitor struct { Context *gosec.Context Callback func(n ast.Node, ctx *gosec.Context) bool } // NewMockVisitor creates a new empty struct, the Context and // Callback must be set manually. See call_list_test.go for an example. func NewMockVisitor() *MockVisitor { return &MockVisitor{} } // Visit satisfies the ast.Visitor interface func (v *MockVisitor) Visit(n ast.Node) ast.Visitor { if v.Callback(n, v.Context) { return v } return nil } 070701000000C5000041ED00000000000000000000000266F5526900000000000000000000000000000000000000000000001300000000gosec-2.21.4/tools070701000000C6000081A400000000000000000000000166F55269000000AF000000000000000000000000000000000000001C00000000gosec-2.21.4/tools/tools.go//go:build tools // +build tools package tools // nolint import ( _ "github.com/lib/pq" _ "golang.org/x/crypto/ssh" _ "golang.org/x/lint/golint" _ "golang.org/x/text" ) 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!1511 blocks
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor