Gosec Versions Save

Go security checker

v2.8.0

2 years ago

Changelog

9fc8e20 Add favicon for HTML template (#628)
91dae7f Update the design of HTML report
e72f54e Fix HTML template and display the gosec version
c3f25b8 fix html report tag styling (#623)
433a674 show nosec in html report summary (#621)
d040f07 Handle gosec version in SARIF report
51f7411 Add arm64 support (#618)
e7ac882 Update go version to 1.16 (#616)
3a9a6ad Sarif provide Snippet with Issue.Code
1325319 Create dependabot.yml (#614)
d8cfcd6 Allow the user to enable/disable colorisation of the text report in the stdout
a8b633f Adding stdout and verbose flags and refactor how the report is saved
103c429 Enable golangcli and improve testing for formatters
4df7f1c Fix typos, Go Report link and Gofmt
f4ea33d Update how the test coverage is generated
c4f5932 Refactor : Replace Cwe with cwe.Weakness
ddfa253 Define a report package with core and per format sub-packages
cc83d4c Generate the SARIF types, handle taxonomies and separate responsibilities
0fa5d0b Fix the go modules after updating to get the tests passing (#605)
3763953 Migrate sonar types in a dedicated package (#604)
b519743 chore(deps): update all dependencies (#599)
569328e Fix typos (#594)
0695fa0 Add -u to local install instructions (#595)
7f2308b Tidy up the modules after updating (#593)
f21b0b8 chore(deps): update all dependencies (#592)
148e608 Adding KICS to USERS.md (#590)

v2.7.0

3 years ago

Changelog

27a5ffb Quiet warnings about integer truncation (#586)
bf2cd23 Update all dependencies (#585)
01ee764 Fix typo in USERS.md (#583)
9c047e3 Add support for Go 1.16 in the CI and release workflows (#581)
1fce461 fix: WriteParams rule to work also with golang 1.16 (#577)
dcbcc4d Use a more generic path for sonarqube import path (#573)
2777e50 Update README with a note which describes how to import a SonarQube report (#572)
897c203 Reset the state of TLS rule after each version check (#570)
6c57ae1 Fix sarif formatting issues (#565)
b6524ce Update all dependencies

v2.6.1

3 years ago

Changelog

00bbbd8 Fix the release workflow to allow unsecure commands

v2.5.0

3 years ago

Changelog

a4746e1 Update all dependencies (#533)
6bd6e4b Use $(go env GOPATH) that works even when GOPATH is not set
aef335a Fix typo in README.md
0ce48a5 Reproducible junit report (#529)
868556b Update README with the correct path to tlsconfig command
13519fd Update the tls configuration generate to handle also the NSS alternative names
e351067 Update all dependencies
166e4f5 Update README file with some more details required to run successfully a scan with the docker image
f5cc32a Update the Go version to 1.15 in the Makefile
ea0fa28 Update the Github go action version to 1.6.0
feea8bb Fix the action tag
6688a97 Fix the github action for Go 1.15
7234349 Add Go 1.15 to the supported version and phase out the Go 1.12
a3895d5 Fix typo in README file
17c9555 Incorrect local installation instructions for v2
f13b8bc Add also filepath.Rel as a sanitization method for input argument in the G304 rule
047729a Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
b60ddc2 feat: adds support for path.Join and for tar archives in G305
673a139 Update all dependencies
110b62b Add io.CopyBuffer function to rule G110
6bcd89a Mark all lines of a multi-line finding
4d4e594 Add some comments
d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
37d1af0 Expand the arguments to a list of strings when they are provided as a single string
59cbe00 Update all dependencies
ade81d3 Rename file for consistency
03f12f3 Change naming rule from blacklist to blocklist
3784ffe Fix panic when reading the version from debug info in Go 1.13
55d368f Improve the TLS version checking
ad1cb7e Make sure some version information is set when no version was injected into the binary
1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
0c1a71b Add more tests samples to increase coverage
fe07fcf Fix unit test when checking a mix of good and bad random functions
6bbf8f9 Extend the insecure random rule with more insecure random functions
af699f6 Exclude .git directory from scan (#485)
6202b38 Update all dependencies (#484)
6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
826db1c Fix the build tags propagation
7da9248 Change the issue test to verify that a multi-line finding contains a line range
7aedcc5 Remove print line from tests
30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
32be4a5 Make sure all rules are mapped to CWE numbers
8630c43 Add null pointer check in G601
1418b85 ondisk -> onDisk
b2cfc5d USERS.md typo in the title fixed.
425b8f9 Display a sponsor button in the repository
0714a1e Update the users file with some more projects and companies
1b915dd Set up a gosec's users list
668512f Update bad_defer.go
ee3146e Rule which detects aliasing of values in RangeStmt
8662624 Update the build badge to get the status from GitHub workflow
a5db4e1 Run mod tidy to clean up the dependencies
fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
a2a40de Update the README with an example to configure the hard-coded credentials rule
802292c Fix the configuration parsing for hardcoded credentials
c58f356 Set the default color on only for text format
1a113d6 Turn the color always on when the text format is set
c4417de Use the latest color package to get the color working with tmux
656691b feature(formatter/text): Add color option on text format (#460)
51e4317 Automate the release process using a GitHub workflow
341059e Update the GitHub action name to be more descriptive
3b6c3f1 Update README with some instruction how to run gosec as a GitHub action
08202fe Add a GitHub action to run gosec
c6e10af Handle properly the gosec module version v2
e946c8c Update all dependencies
e030aa4 Remove the go 1.14 version from github action
ee176ff Fix the job names in the Github workflow
cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
a111777 Change the GitHub workflow to use only the latest Go version
722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
5284f34 Change the GitHub workflow to use an action which install Go using a Go version from the matrix
8de5fb6 Migrate the build to GitHub Actions
7da9f46 Fix the call list info to handle selector expressions
cf25904 Fix the subproc rule to handle correctly the CommandContext check
f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
c998389 re-generate install.sh with latest godownloader (#446)
7525fe4 Rule for deferring methods which return errors (#441)
a2ac0bf Update all dependencies (#445)
a305f10 Fileperms (#442)
00363ed remove support for go 1.11 (#444)
d13bb6d Update all dependencies
17df5b3 Fix typos
3e069e7 Fix the errors rule whitelist to work on types methods
459e2d3 Modify rule for integer overflow to have more accurate results (#434)
a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
3d5c97b Add a test sample for Cgo files
81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
a1969e2 Handle all errors in the formatter tests (#431)
9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
f43a957 Check for both default and alternative nosec tags (#426)
79fbf3a Add golint format to output format (#428)
57c3788 Update all dependencies (#427)
5d61373 fix(docker) gcc and libc-dev required bindings
cb4f343 Update all dependencies (#417)
df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
b4c76d4 Update all dependencies (#410)
99170e0 Update the README with some details about the CWE mapping (#407)
53be8dd Add CWE rule mappings (#405)
28c1128 Add more tests to improve the coverage of resolve
d78f026 Format import to make codecov happy
50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
07770ae Add a test for composite literals when trying to resolve an AST tree node
f413f14 Handle the ValueSpec when trying to resolve an AST tree node
c1970ff Handle the ValueSpec when trying to resolve an AST tree node
ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
186dec7 Convert the global settings to correct type when reading them from file (#399)
e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
607f240 reconfigure renovate bot (#395)
832d7bb Update README with CII Best Practices badge
29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
b504783 Change unit tests to check for one thing (#381)
7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
c6ac709 Update golang.org/x/net commit hash to aa69164
7a6460d Update golang.org/x/crypto commit hash to 9ee001b
d8f249a Update README with rule G108
9cee24c Add a rule which detects when pprof endpoint is automatically exposed
73fbc9b Update golang.org/x/net commit hash to 1a5e07d
124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
90e9759 Update golang.org/x/net commit hash to c858923 (#373)
709ed1b Change rule G204 to be less restrictive (#339)
98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
140048b Update golang.org/x/sys commit hash to 7ad0cfa
a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
b9c4c66 Expose analyzer API (#366)
29fddff turn on automerge for renovate bot
bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
a1c9c76 Remove the unused code to increase the test coverage
338b50d Remove rule G105 which detects the use of math/big#Int.Exp
43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
76ce9f0 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
e050355 Update the TLS config generator to handle TLS version 1.3
c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
7851918 Add support to exclude arbitrary folders from scanning (#353)
1c35be8 Add renovate.json (#354)
fde1f82 Update the tag format in the release steps (#348)
992f173 Update README file with a note on dependencies (#351)
e442cf3 Add Go 1.13 to the tested version in the travis build file (#350)
4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
8932f70 Add flag to handle '#nosec' alternative (#346)
4b59c94 Prevent null pointer exception in Sonarqube (#334)
39f7e7b Display filtered number of issues instead of total in stats
e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
63b44b6 Add some more tests to make codecov happy
1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar [email protected]
f344524 Fix the whitelist on G104 rule and add a test
78a4949 Load rules on each code sample in order to reconfigure them
ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
020479a Support multiple root paths when generating the Sonarqube report
46e55b9 Fix the file path in the Sonarqube report
04dc713 One approach for fixing the false positive identified in #325.
196edd3 Add checksum clarification in README
0ebfa2f Rework analyzer unit test to pass the go tip version (#318)
9d9098f print version string (#317)
ee80733 Add a flag to filter issues by confidence (#316)
29cec13 Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
b68ac76 Fix formatting
3e69a8c Append the package load errors to analyser's errors
aac9b00 Refactor properly the package error parsing and cover all test cases
625718d Refactor the test for Go build errors
3af4ae9 Fix some lint warnings
bac6f0f Add tests for an empty package without any test file
76b2c12 Add a test to cover the processing of empty packages
b04c1ce Fix error parsing from package
92b3644 Fix error parsing when the loaded package is empty
48e3932 Remove tests case from import tracker
25b5a1a Add tests to cover the import tracker from file
5ef2bee Track only the import from the file which is checked
f1ea7f6 Add tests for analyser test package check
6e5135f Update README with some instructions to enable the tests and vendor folder scanning
b49c953 Add a flag which allows to scan also the tests files
f1d49a6 Remove unused code
ed2e0aa Update local install command in README file
4dfaf0a Refactor the analyzer to process one package at the time
adcfe94 Fix test for helpers
5ae5266 Add some tests that covers the helper function which list the package paths
e419eb8 Exclude correctly the vendor folder from the scanned packages
85eb8a5 Scan the go packages path recursively starting from a root folder
8522199 Improve logging in the analyser
ea16ff1 Remove GOPATH check to allow running gosec outside of GOPATH
6c174a6 Update README file
7935fd8 Rework the Dockerfile for Go modules
806908a Remove the dep tool installation from travis CI
950e84c Handle errors to fix lint warnings
ee73b9e Remove dep and Use only Go modules to manage dependencies
85d1808 Go modules support for 1.12 (#297)
eaba99d fix comment.
4cd14f9 remove panic
66e7c8d Extract to a constant
1b28d32 fix sonarIssues struct
8eab50e update README.md to add support of sonarqube.
989eb3f Update Hound errors
ddfe54d Add sonarqube output
c5e6c4a fix no-fail flag logic
2bd007e Update README
8b27d1c Update go version to 1.11.5 in the docker file
9cd538f Fix README typo
62b5195 Report for Golang errors (#284)
9cdfec4 Change test
8048b15 Add more badges in the README file
e2752bc revert to default GOPATH if necessary (#279)
04ce7ba add a no-fail flag
a966ff7 Fix -conf example in README.md
b662615 Fix typo
5d33e6e Update the README with some details about the configuration file
f87af5f Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
14ed63d Do not flag the unhandled errors which are explicitly ignored
12400f9 Update README with the code coverage badge
72e95e8 Generate and upload the test coverage report to codecov.io
24e3094 Extend the bind rule to handle the case when the net.Listen address is provided from a const
9b32fca Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
f14f17f Add a helper function which extracts the string parameters values of a call expression
2695567 Build the code sample for string builder only from Go 1.10 onwards
ae82798 Fix the WriteString test by handling the error
adb4222 whitelist strings.Builder method in rule G104
9b966a4 add test case for strings.Builder G104 whitelist inclusion
4180994 Make G201 ignore CallExpr with no args (#262)
443f84f Fix golint link (#263)
3116b07 Fix typos in comments and rulelist (#256)
e0a150b Merge pull request #254 from kishaningithub/253
97bc137 Add CI Installation steps and correct markdown lint errors
8c09a83 Add install.sh script
d032909 Merge pull request #251 from NeverOddOrEven/fix-html-template
027dc2b This fixes the html template when using '-fmt=html' - resolves HTML escaping issues within the template - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
f9b4187 Merge pull request #249 from andrewhsu/go
1ecd47e bump Dockerfile golang from 1.10 to 1.11
2cc6838 Merge pull request #248 from ccojocar/code-samples-multiple-files
64d58c2 Refactor the test code sample to support multiple files per sample
d3f1980 Fix false positives for SQL string concatenation with constants from another file (#247)
5f98926 Refactor Dockerfile (#245)
7f6509a Update README.md (#246)
762ff3a Allow quoted strings to be used to format SQL queries (#240)
ec32ce6 Support Go 1.11 (#239)
145f1a0 Removed wrapping feature (#238)
419c929 G107 - SSRF (#236)
63b25c1 Fix typo in README (#235)
7fd9446 update to G304 which adds binary expressions and file joining (#233)
e4ba96a Update README
ec0f8ec Set the GOROOT and GOPATH env variables in Dockerfile
247828c Update docker base image to 1.10.3-alpine3.8
b689199 Add Fprintf to Rule G201
a7cff91 Small update to G201 and added ConcatString Function (#228)
1c438e3 Tweak makefile to match up with docker repo (#231)
9577fd0 Update README
e543f46 Use the Linux build for Docker image
dbd0f8f Use the make build goal when creating the docker image
f06a84e Merge pull request #227 from ccojocar/sha1
8dfa8dc Update README
fb0dc73 Add sha1 to weak crypto primitives
90a1c1d Merge pull request #225 from jvmatl/jvmatl-patch-1
0d2e16d Document #nosec use with a list of rules
639987a Merge pull request #223 from ccojocar/fail_by_severity
de10a74 Fix the help message
4702cc5 Add a flag to specify the severity for which the scanning will be failed
c0db486 Merge pull request #222 from ccojocar/vendor_folder_flag
6919d97 Add a flag to turn on scanning on vendor folder
f5b44b0 Merge pull request #221 from Quasilyte/quasilyte/dupSubExpr
7d767b4 Merge pull request #220 from Quasilyte/quasilyte/sloppyLen
3c8707c fix duplicated index issue in Less method
2f61fad replace len(x)<=0 with len(x)==0
5fb530c Merge pull request #219 from ccojocar/goreleaser
a8edd07 Update locked dependencies
2a6e887 Use the goreleaser tool to perform releases
5ba6475 Merge pull request #211 from WillAbides/commandcontext
1f9d09d remove extra bracket from test source
6a156e2 Merge branch 'master' into commandcontext
2785f7a Merge pull request #217 from ccojocar/derive_pkg_from_files
4c6396b Derive the package from given files
3f2b814 Update README.md
138e6de Add slack community link (#215)
f254cec Merge pull request #216 from ccojocar/rename_gas_with_gosec
e6641c6 Replace gas with gosec in the README file
893b87b Replace gas with gosec everywhere in the project
da26f64 Rename github org (#214)
1923b6d Rule which detects a potential path traversal when extracting zip archives (#208)
d7ec2fc add CommandContext as subprocess launcher
4ae8c95 Add an option for Go build tags (#201)
7790709 Discard the logs messages if the quiet flag is set (#200)
830cb81 Support package resolution and filepaths (#187)
b643ac2 Add rule ID to text output (#198)
c25269e Regenerate the TLS config (#199)
542d0c0 Fix up some mistakes in the README instructions (#195)
e809226 Build improvements (#179)
2115402 Add the rule ID to issues (#188)
a036755 Fix TLS config template (#191)
7116c4d fix fmt errors
ff2b30f Cleanup test output
66aea5c fix gofmt errors
15095a8 Merge branch 'jonmcclintock-nosec-specify-rule'
90fe5cb Port readfile rule to include ID and metadata
58a48c4 Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule
f3c8d59 Switch to valuespec instead of gendecl for hardcoded credential rule (#186)
e76b258 New Rule Tainted file (#183)
429ac07 Change the exclude syntax to be a part of #nosec
7bb6f00 Merge branch 'master' of https://github.com/GoASTScanner/gas into nosec-specify-rule
57dd25a Add an issue template to the project (#185)
1d9f816 Add support for YAML output format (#177)
18700c2 Style tweak
6b484e7 Run gofmt
105edba Leftover from merge.
48d59d2 Merge branch 'nosec-specify-rule' of github.com:jonmcclintock/gas into nosec-specify-rule
1429033 Add support for #excluding specific rules
3713168 Merge remote-tracking branch 'upstream/master'
c6183b4 Add nil pointer check to rule. (#181)
edb362f Add a tool to generate the TLS configuration from Mozilla's ciphers recommendation (#178)
1c58cbd Make the folder permissions more permissive to avoid false positives (#175)
d48668e Merge pull request #170 from cosmincojocar/build_more_checks
777b706 Merge pull request #167 from cosmincojocar/sort_by_severity
7355f0a Fix some gas warnings
230d286 Fix gofmt formatting
e385ab8 Update the build file with more checks
e15c057 Update the build file to validate gas from go version 1.7 onward
84bfbbf Switch to sort Interface to be backward compatible with older go versions
d4ebb03 Sort the issues by severity in descending order before creating the report
6b28d5c Merge pull request #166 from cosmincojocar/fprint_whitelist
ac4622d Merge pull request #165 from cosmincojocar/fix_gas_warnings
a72a21b Merge pull request #164 from cosmincojocar/ssh_rule
6cd7a6d Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
c2c2155 Fix some gas warnings
a7cdd9c Add ssh package to the build
179c178 Add some review fixes
f1b903f Update README
d3c3cd6 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function
8b87505 Merge pull request #163 from wongherlung/fix-junit-failure-text
33fff95 Escape html string for junit output.
e92170b Merge pull request #160 from wongherlung/junit-xml-output
862295c Return err instead of panic.
187a711 Unused import
485bc31 Fix go vet errors in tests
f7c31f2 Using godep not glide for dependency management
846c9ff [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
a293098 Merge pull request #161 from jonmcclintock/allow-loader-errors
8125622 Merge pull request #162 from gcmurphy/bugfix
a97a196 Unused import
7c7fe75 Fix go vet errors in tests
b49fef7 Using godep not glide for dependency management
f111d5d [Issue 159] Allow loader errors so that processing continues if there's a package loading problem.
143df04 Fixed typo.
5b91afe Unexport junit xml structs and some further refactoring.
fdc78c0 Changed failure text from json to plaintext.
4059fac Pretty print xml result for better viewing.
1346bd3 Edited README and help text.
2c1a0b8 Refactored code.
7539b37 Added xml header format.
b8cdc32 Working version of xml result format.
07a2eec Merge pull request #156 from gcmurphy/bugfix
5361949 Sending log messages to multiple streams
51b4a4d Merge pull request #138 from jonmcclintock/sqli-format-whitelist
bc2a61b Merge branch 'sqli-format-whitelist' of github.com:jonmcclintock/gas into sqli-format-whitelist
1ca3350 Rebase to master
8eb9cc0 Adjust SQL format-string rules to ignore inherently safe formats
a0fc089 Merge pull request #154 from GoASTScanner/issue/153
806c1d0 Add install instructions
b068284 Merge pull request #152 from ashanbrown/one-build
22dc893 Do a single build for all packages.
085e0f6 Merge pull request #150 from GoASTScanner/experimental
aecbc87 Use explicit packages in call lists
9a2bec1 Merge pull request #149 from GoASTScanner/experimental
b6f85d5 Fix nil pointer dereference in complit types
3520a5a Merge pull request #146 from GoASTScanner/experimental
867d300 Fix lint issues
d452dcb Fix ginko invocation
4c49716 move utils to separate executable
e925d3c Migrated old test cases.
25d74c6 address review comments
af25ac1 fix golint errors picked up by hound-ci
cfa4327 fix hound-ci errors
97cde35 update travis-ci to use ginkgo tests
e3b6fd9 update readme to provide info regarding package level scans
02901b9 actually skip tests until implementation exists
d4311c9 make it clear that these tests have not been implemented yet
67dc432 use godep instead of glide
2b2999b Add tests for excludes with comments
37cada1 Add support for #excluding specific rules
7dfebaf Adjust SQL format-string rules to ignore inherently safe formats
27b2fd9 Merge pull request #136 from lanzafame/experimental
6de76c9 Merge pull request #135 from cosmincojocar/update_mondern_tls_chipers
5a11336 remove committed binary
9c959ca Issue.Line is already a string
3caf7c3 Add test cases
c36954f Add the CHACHA20 to good ciphers in modern tls check
f22c701 Merge pull request #133 from awiens/master
b120a3e Updating Dockerfile with requested changes
5f0f8f8 Adding Docker container and changing README
6943f9e Major rework of codebase
f4b705a Use glide to manage vendored dependencies
026fe4c Simplify analyzer and command line interface
65b18da Hack to address circular dependency in rulelist
5160048 Move rule definitions into own file
50bbc53 Isolate import tracking functionality
bf78d02 Restructure and introduce a standalone config
cacf21f Restructure to focus on lib rather than cli
8df48f9 Fix to reporting to use output formats
9b08174 Process via packages instead of files
1beec25 Merge pull request #128 from cosmincojocar/improve_skip
e94e232 Merge pull request #129 from cosmincojocar/big_exp
7dc4638 Update the README
5b71c2b Add a test for math/big.Int.Exp rule
65b8e74 Add a rule for big.Exp function call
3ae2762 Add support for partial path match in the skip option
0573847 Merge pull request #125 from mockturtl/patch-1
b74c83e BindsToAllNetworkInterfaces should check TLS also
177fa7d Merge pull request #122 from GoASTScanner/testfixes
622440f Correct bad test cases and intermittent failure
5c302fb Merge pull request #121 from cosmincojocar/tls
2262f5d Add a check for PreferServerCipherSuites flag of tls.Config
1c8e7ff Merge pull request #118 from GoASTScanner/issue/117
1c99e45 Fix recursive case on Windows platforms
72caf3d Merge pull request #115 from GoASTScanner/bugfix
3e9b66a Temporarily disable typechecker fatal error
f6aeaa8 Merge pull request #114 from GoASTScanner/feature
4099783 Go 1.5 does not support width precision specifier
4b70300 Exclude vendor directory from go vet
aaddac5 Add the zxcvbn library to vendor list
9bc0239 Introduce entropy checking of string
cc52ef5 Merge pull request #112 from GoASTScanner/bugfix
a7ec9cc Backport test case for 1.5
f9868aa Fix additional test case
ab4867b Fix test cases with invalid sample code
d3f0a08 Report a failure and exit if type checking fails
bc21a39 Merge pull request #110 from GoASTScanner/bugfix
d1303fe Improve specificity of error message for GenDecl
0545d13 Merge pull request #109 from GoASTScanner/bugfix
1e736c8 Fix test case (invalid sample code)
d1e67fc Ensure hardcoded credentials only examines strings
d4f9b88 Merge pull request #104 from endophage/help_fix
5f1c2df updating skip cli help and readme description
c68ed64 Merge pull request #102 from GoASTScanner/bugfix
94ac200 Tests broken if logger is not initialized
1ba8b93 Reduce logging messages a tad
465338b Merge pull request #101 from GoASTScanner/bugfix
191750f Recreate fileset each time we process a file
b5308ff Merge pull request #98 from endophage/recursive
365e9f6 Merge pull request #99 from mcpeak/fix-nosec
1a481fa adding support for arbitrary paths with ...
942f40a Fix nosec to work as documented
3911321 Merge pull request #97 from GoASTScanner/experimental
6ace60b Address unhandled error conditions
8f78248 Merge pull request #92 from GoASTScanner/experimental
e1e435c Merge pull request #93 from GoASTScanner/bugfix
dcfd97c Remove ast.Print debug message from tryresolve
129be15 Update error test case
5242a2c Extend helpers and call list
d29c648 Add match call by type
d30c5cd Merge pull request #91 from GoASTScanner/experimental
63e8b1a Update unsafe rule to match package explicitly
b26f5cf Merge pull request #90 from GoASTScanner/experimental
39b18a1 Remove debug print messages
5b3192b Merge pull request #88 from GoASTScanner/experimental
ca42de2 Initialize fresh import info for each file
6ef59ba Merge pull request #86 from GoASTScanner/experimental
c7bb2dd Fix additional crash condition
5012c34 Handle unbalanced declaration of constants
9301684 Merge pull request #83 from GoASTScanner/experimental
a3fcd96 Update hardcoded credentials rule for GenDecls
bf103da Allow rules to register against multiple ast nodes
c6587df Merge pull request #82 from GoASTScanner/experimental
1d732b8 Ensure os.OpenFile file permissions are checked
423a303 Merge pull request #81 from GoASTScanner/experimental
97dcc72 Incorrect rule mapping in rulelist
7dd3032 Merge pull request #76 from GoASTScanner/experimental
be96ef2 Fix alias logic
c833bfa Merge branch 'tam7t-rand-pkg-helper'
e0db3f4 Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper
9f54d25 Merge pull request #75 from GoASTScanner/experimental
20f2a98 Ensure initialization only imports are ignored
7a275fd MatchCallByPackage updated to avoid GetCallObject
d163260 Merge pull request #71 from GoASTScanner/call_list
238d1e0 Merge pull request #73 from GoASTScanner/tools
b02c0fa Add imports dumper
2c9d8fc Skip files if they don't exist
d205060 Update to dump specific context information
d8bf436 Merge pull request #72 from GoASTScanner/tools
14e6635 Add tool to inspect call objects in file
0bc4d48 Add an experimental way to whitelist calls
afb84ff rand: use a MatchCallByPackage helper
8a473c7 Merge pull request #69 from GoASTScanner/helpers
0fef3ad Split out MatchCallByObject into two functions
ce2c328 Merge pull request #68 from GoASTScanner/command_line_fixes
f71ade6 Update usage to indicate html is supported
d72cee8 Add quiet mode
9fa0b72 Merge pull request #67 from GoASTScanner/use_types
c405754 Add MatchCall helper that utilizes type checker
9e2abd5 Merge pull request #66 from csstaub/cs/html-output
aadcf8d Merge pull request #60 from tam7t/fix-rand
4ff5915 rand: refactor to use types package
75e0e1a rand: resolve math/rand package
068e8a8 Merge pull request #65 from GoASTScanner/sql_fix
d60a2b4 Confirmed correct behavior for SQL tests
853b097 Merge pull request #63 from GoASTScanner/travis_ci
686927c Address go vet failure in SQL rule
344ebd1 Add go vet to travis-ci
65d572f Merge pull request #62 from GoASTScanner/correct_imports
74b6633 Updated imports to new repository location.
b8ce40e Remove debugging println
4cd269f Merge pull request #58 from levigross/master
9c3c102 Fixed comment
b92fa02 Make sure to exit 1 if we find an issue
fadc6d4 Merge pull request #52 from gcmurphy/use_glob
b8e78c6 Merge pull request #56 from s7v7nislands/fix_unsafe
eedb0c2 fix fmt
92dda9c fix unsafe check
911c696 Add support for HTML output
59fbf74 Refactor path matching logic
a4fd848 Merge pull request #49 from gcmurphy/master
7f4bdd5 Merge pull request #48 from gcmurphy/godoc
d05a241 MatcMatchCompLit should be MatchCompList
b5a98c1 Add godocs.org badge
9ca975d Add gas to .gitignore
0ee8e1b Merge pull request #47 from gcmurphy/readme
0bce177 Fix typos in godocs
bb42840 Merge pull request #42 from HewlettPackard/code_docs
e4b1e28 Merge pull request #46 from drewwells/feature/exclusions
a2b7f3e Add LICENSE information to README.md
929edb4 Update README.md to use rule ID's
365ae31 prefix patterns with **/ to match subdirectories
223cded Adding some inline documentation for godoc
37205e9 Merge pull request #41 from HewlettPackard/usage
df373b8 Fix usage information
82947bb Merge pull request #39 from HewlettPackard/rule_selection
713949f Rule selection rules
51ffe1b Merge pull request #40 from dragonndev/master
b29e45f Merge pull request #38 from HewlettPackard/cli_docs
5b867f2 Clarified output format options.
6d831c0 Updating docs for new CLI "skip" option
235308f Merge pull request #35 from HewlettPackard/config_cli
e3b1d33 Configuration
4e30ca3 Merge pull request #37 from HewlettPackard/travis_ci
9521472 Add build status to README.md
58e6823 Merge pull request #36 from HewlettPackard/travis_ci
f36388a Merge pull request #34 from HewlettPackard/blacklist
9bd62d1 Add travis ci profile
45f3b5f Creating blacklist import rules
7e1d7ee Merge pull request #33 from HewlettPackard/config_fix
da55fd1 Fixing config
84f0162 Merge pull request #32 from HewlettPackard/resolve_1
d2d49f1 Try to resolve all elements in an expression to a known const
12d370b Merge pull request #31 from HewlettPackard/config
d4367de Adding a config block to the analyzer, parsed from JSON
8261ee5 Merge pull request #29 from HewlettPackard/fix_regexp
cee5fad Fix incorrect regexp matches
0bf1ece Merge pull request #27 from cwkuo/fix-windows-file-contains
0737ea6 Fix os.IsExist() condition in filelist.Contains()
b659538 Merge pull request #26 from HewlettPackard/fix_annotations
68aac25 Fixing annotations
28f0f1a Merge pull request #23 from csstaub/cs/detect-math-rand
c53af75 Detect use of rand.Read from math/rand
c5d2715 Merge pull request #24 from csstaub/cs/smarter-creds-check
e86addb Merge pull request #22 from csstaub/cs/csv
3cd0ebe Smarter hard-coded credentials check
2ec102c Use encoding/csv for CSV output
81b5e98 Merge pull request #21 from HewlettPackard/better_sql
3e4d96e Better SQLi testing
2d0a26d Merge pull request #18 from HewlettPackard/issue16
48910f5 Merge pull request #20 from hyakuhei/Fix_Readme
9651a40 Fixed-up some language in README.md
0dd7ec9 Merge pull request #19 from HewlettPackard/issue17
1cff726 Fix exclude documentation
a7ebf35 Expand cases accepted by -exclude
debb1f5 Merge pull request #14 from csstaub/cs/fix-json
271cff1 Use encoding/json for -fmt json output
50fb7f4 Merge pull request #10 from HewlettPackard/issue9
37cc56d Merge pull request #11 from csstaub/cs/fix-json
c6e25a9 Make sure -fmt json produces valid output
2f84b67 Handle import error rather than panic on failure
9ce14dc Disclaimer about project status
f9bf428 Merge pull request #6 from HewlettPackard/tools
0bd254c Check input files and handle panic condition
e2caa92 Merge pull request #5 from HewlettPackard/docs
2cac390 Update the README to include newer rules
59deedb Merge pull request #4 from HewlettPackard/httpoxy
3615933 Adding check for httpoxy
4f3d620 Initial public release

v2.4.0

3 years ago

Changelog

6bcd89a Mark all lines of a multi-line finding
4d4e594 Add some comments
d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
37d1af0 Expand the arguments to a list of strings when they are provided as a single string
59cbe00 Update all dependencies
ade81d3 Rename file for consistency
03f12f3 Change naming rule from blacklist to blocklist
3784ffe Fix panic when reading the version from debug info in Go 1.13
55d368f Improve the TLS version checking
ad1cb7e Make sure some version information is set when no version was injected into the binary
1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
0c1a71b Add more tests samples to increase coverage
fe07fcf Fix unit test when checking a mix of good and bad random functions
6bbf8f9 Extend the insecure random rule with more insecure random functions
af699f6 Exclude .git directory from scan (#485)
6202b38 Update all dependencies (#484)
6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
826db1c Fix the build tags propagation
7da9248 Change the issue test to verify that a multi-line finding contains a line range
7aedcc5 Remove print line from tests
30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
32be4a5 Make sure all rules are mapped to CWE numbers
8630c43 Add null pointer check in G601
1418b85 ondisk -> onDisk
b2cfc5d USERS.md type in the title fixed.
425b8f9 Display a sponsor button in the repository
0714a1e Update the users file with some more projects and companies
1b915dd Set up a gosec's users list
668512f Update bad_defer.go

v2.3.0

4 years ago

Changelog

ee3146e Rule which detects aliasing of values in RangeStmt
8662624 Update the build badge to get the status from GitHub workflow
a5db4e1 Run mod tidy to clean up the dependencies
fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
a2a40de Update the README with an example to configure the hard-coded credentials rule
802292c Fix the configuration parsing for hardcoded credentials
c58f356 Set the default color on only for text format
1a113d6 Turn the color always on when the text format is set
c4417de Use the latest color package to get the color working with tmux
656691b feature(formatter/text): Add color option on text format (#460)
51e4317 Automate the release process using a GitHub workflow
341059e Update the GitHub action name to be more descriptive
3b6c3f1 Update README with some instruction how to run gosec as a GitHub action
08202fe Add a GitHub action to run gosec
c6e10af Handle properly the gosec module version v2
e946c8c Update all dependencies
e030aa4 Remove the go 1.14 version from github action
ee176ff Fix the job names in the Github workflow
cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
a111777 Change the GitHub workflow to use only the latest Go version
722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
5284f34 Change the GitHub workflow to use an action which installs Go using a Go version from the matrix
8de5fb6 Migrate the build to GitHub Actions
7da9f46 Fix the call list info to handle selector expressions
cf25904 Fix the subproc rule to handle correctly the CommandContext check
f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
c998389 re-generate install.sh with latest godownloader (#446)
7525fe4 Rule for deferring methods which return errors (#441)
a2ac0bf Update all dependencies (#445)
a305f10 Fileperms (#442)
00363ed remove support for go 1.11 (#444)
d13bb6d Update all dependencies

v2.2.0

4 years ago

Changelog

17df5b3 Fix typos
3e069e7 Fix the errors rule whitelist to work on types methods
459e2d3 Modify rule for integer overflow to have more accurate results (#434)
a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
3d5c97b Add a test sample for Cgo files
81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
a1969e2 Handle all errors in the formatter tests (#431)
9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
f43a957 Check for both default and alternative nosec tags (#426)
79fbf3a Add golint format to output format (#428)
57c3788 Update all dependencies (#427)
5d61373 fix(docker) gcc and libc-dev required bindings
cb4f343 Update all dependencies (#417)
df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
b4c76d4 Update all dependencies (#410)
99170e0 Update the README with some details about the CWE mapping (#407)
53be8dd Add CWE rule mappings (#405)

v2.1.0

4 years ago

Changelog

28c1128 Add more tests to improve the coverage of resolve
d78f026 Format import to make codecov happy
50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
07770ae Add a test for composite literals when trying to resolve an AST tree node
f413f14 Handle the ValueSpec when trying to resolve an AST tree node
c1970ff Handle the ValueSpec when trying to resolve an AST tree node
ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
186dec7 Convert the global settings to correct type when reading them from file (#399)
e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
607f240 reconfigure renovate bot (#395)
832d7bb Update README with CII Best Practices badge
29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
b504783 Change unit tests to check for one thing (#381)
7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
c6ac709 Update golang.org/x/net commit hash to aa69164
7a6460d Update golang.org/x/crypto commit hash to 9ee001b
d8f249a Update README with rule G108
9cee24c Add a rule which detects when pprof endpoint is automatically exposed
73fbc9b Update golang.org/x/net commit hash to 1a5e07d
124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
90e9759 Update golang.org/x/net commit hash to c858923 (#373)
709ed1b Change rule G204 to be less restrictive (#339)
98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
140048b Update golang.org/x/sys commit hash to 7ad0cfa
a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
b9c4c66 Expose analyzer API (#366)
29fddff turn on automerge for renovate bot
bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
a1c9c76 Remove the unused code to increase the test coverage
338b50d Remove rule G105 which detects the use of math/big#Int.Exp
43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
76ce9f0 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
e050355 Update the TLS config generator to handle TLS version 1.3
c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
7851918 Add support to exclude arbitrary folders from scanning (#353)
1c35be8 Add renovate.json (#354)
fde1f82 Update the tag format in the release steps (#348)
992f173 Update README file with a note on dependencies (#351)
e442cf3 Add Go 1.13 to the tested version in the travis build file (#350)
4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
8932f70 Add flag to handle '#nosec' alternative (#346)
4b59c94 Prevent null pointer exception in Sonarqube (#334)
39f7e7b Display filtered number of issues instead of total in stats
e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
63b44b6 Add some more tests to make codecov happy
1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar [email protected]
f344524 Fix the whitelist on G104 rule and add a test
78a4949 Load rules on each code sample in order to reconfigure them
ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
020479a Support multiple root paths when generating the Sonarqube report
46e55b9 Fix the file path in the Sonarqube report
04dc713 One approach for fixing the false positive identified in #325.
196edd3 Add checksum clarification in README
0ebfa2f Rework analyzer unit test to pass the go tip version (#318)
9d9098f print version string (#317)
ee80733 Add a flag to filter issues by confidence (#316)

2.0.0

5 years ago

Changelog

29cec13 Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
b68ac76 Fix formatting
3e69a8c Append the package load errors to analyser's errors
aac9b00 Refactor properly the package error parsing and cover all test cases
625718d Refactor the test for Go build errors
3af4ae9 Fix some lint warnings
bac6f0f Add tests for an empty package without any test file
76b2c12 Add a test to cover the processing of empty packages
b04c1ce Fix error parsing from package
92b3644 Fix error parsing when the loaded package is empty
48e3932 Remove tests case from import tracker
25b5a1a Add tests to cover the import tracker from file
5ef2bee Track only the import from the file which is checked
f1ea7f6 Add tests for analyser test package check
6e5135f Update README with some instructions to enable the tests and vendor folder scanning
b49c953 Add a flag which allows to scan also the tests files
f1d49a6 Remove unused code
ed2e0aa Update local install command in README file
4dfaf0a Refactor the analyzer to process one package at the time
adcfe94 Fix test for helpers
5ae5266 Add some tests that cover the helper function which lists the package paths
e419eb8 Exclude correctly the vendor folder from the scanned packages
85eb8a5 Scan the go packages path recursively starting from a root folder
8522199 Improve logging in the analyser
ea16ff1 Remove GOPATH check to allow running gosec outside of GOPATH
6c174a6 Update README file
7935fd8 Rework the Dockerfile for Go modules
806908a Remove the dep tool installation from travis CI
950e84c Handle errors to fix lint warnings
ee73b9e Remove dep and Use only Go modules to manage dependencies
85d1808 Go modules support for 1.12 (#297)
eaba99d fix comment.
4cd14f9 remove panic
66e7c8d Extract to a constant
1b28d32 fix sonarIssues struct
8eab50e update README.md to add support of sonarqube.
989eb3f Update Hound errors
ddfe54d Add sonarqube output
c5e6c4a fix no-fail flag logic
2bd007e Update README
8b27d1c Update go version to 1.11.5 in the docker file
9cd538f Fix README typo

1.3.0

5 years ago

Changelog

62b5195 Report for Golang errors (#284)
9cdfec4 Change test
8048b15 Add more badges in the README file
e2752bc revert to default GOPATH if necessary (#279)
04ce7ba add a no-fail flag
a966ff7 Fix -conf example in README.md
b662615 Fix typo
5d33e6e Update the README with some details about the configuration file
f87af5f Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
14ed63d Do not flag the unhandled errors which are explicitly ignored
12400f9 Update README with the code coverage batch
72e95e8 Generate and upload the test coverage report to codecove.io
24e3094 Extend the bind rule to handle the case when the net.Listen address is provided from a const
9b32fca Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
f14f17f Add a helper function which extracts the string parameters values of a call expression