From 7368dd3604a0e4a9410b606d7d66e6e2168d98b9 Mon Sep 17 00:00:00 2001 From: Hiroki Suezawa Date: Fri, 3 Jan 2020 23:09:41 +0900 Subject: [PATCH] Update gosec and add column Signed-off-by: Hiroki Suezawa --- go.mod | 4 +- go.sum | 14 +++--- pkg/golinters/gosec.go | 7 +++ vendor/github.com/securego/gosec/Dockerfile | 6 +-- vendor/github.com/securego/gosec/README.md | 34 ++++++++------ vendor/github.com/securego/gosec/config.go | 18 +++++++- vendor/github.com/securego/gosec/go.mod | 10 ++--- vendor/github.com/securego/gosec/go.sum | 20 +++++++++ vendor/github.com/securego/gosec/issue.go | 45 +++++++++++++++++++ vendor/github.com/securego/gosec/resolve.go | 29 ++++++++---- .../github.com/securego/gosec/rules/ssrf.go | 11 ++++- vendor/modules.txt | 4 +- 12 files changed, 158 insertions(+), 44 deletions(-) diff --git a/go.mod b/go.mod index c557911d..1743705f 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b github.com/pkg/errors v0.8.1 - github.com/securego/gosec v0.0.0-20191002120514-e680875ea14d + github.com/securego/gosec v0.0.0-20200103095621-79fbf3af8d83 github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada // v2.19.8 github.com/sirupsen/logrus v1.4.2 github.com/sourcegraph/go-diff v0.5.1 @@ -42,7 +42,7 @@ require ( github.com/ultraware/whitespace v0.0.4 github.com/uudashr/gocognit v1.0.1 github.com/valyala/quicktemplate v1.2.0 - golang.org/x/tools v0.0.0-20191113232020-e2727e816f5a + golang.org/x/tools v0.0.0-20200102140908-9497f49d5709 gopkg.in/yaml.v2 v2.2.7 honnef.co/go/tools v0.0.1-2019.2.3 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed diff --git a/go.sum b/go.sum index 4dd0446a..5ba5f71b 100644 --- a/go.sum +++ b/go.sum 
@@ -174,10 +174,10 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d h1:AREM5mwr4u1 github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34= +github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= 
@@ -200,8 +200,8 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1: github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/securego/gosec v0.0.0-20191002120514-e680875ea14d h1:BzRvVq1EHuIjxpijCEKpAxzKUUMurOQ4sknehIATRh8= -github.com/securego/gosec v0.0.0-20191002120514-e680875ea14d/go.mod h1:w5+eXa0mYznDkHaMCXA4XYffjlH+cy1oyKbfzJXa2Do= +github.com/securego/gosec v0.0.0-20200103095621-79fbf3af8d83 h1:AtnWoOvTioyDXFvu96MWEeE8qj4COSQnJogzLy/u41A= +github.com/securego/gosec v0.0.0-20200103095621-79fbf3af8d83/go.mod h1:vvbZ2Ae7AzSq3/kywjUDxSNq2SJ27RxCz2un0H3ePqE= github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada h1:WokF3GuxBeL+n4Lk4Fa8v9mbdjlrl7bHuneF4N1bk2I= github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada/go.mod h1:WWnYX4lzhCH5h/3YBfyVA3VbLYjlMZZAQcW9ojMexNc= github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 h1:udFKJ0aHUL60LboW/A+DfgoHVedieIzIXE8uylPue0U= 
@@ -274,7 +274,6 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= @@ -310,6 +309,7 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go index acc0bee7..0b84824c 100644 --- a/pkg/golinters/gosec.go +++ b/pkg/golinters/gosec.go 
@@ -67,10 +67,17 @@ func NewGosec() *goanalysis.Linter { line = r.From } + column, err := strconv.Atoi(i.Col) + if err != nil { + lintCtx.Log.Warnf("Can't convert gosec column number %q of %v to int: %s", i.Col, i, err) + continue + } + res = append(res, goanalysis.NewIssue(&result.Issue{ //nolint:scopelint Pos: token.Position{ Filename: i.File, Line: line, + Column: column, }, Text: text, LineRange: r, diff --git a/vendor/github.com/securego/gosec/Dockerfile b/vendor/github.com/securego/gosec/Dockerfile index de7e153a..7e8fe02f 100644 --- a/vendor/github.com/securego/gosec/Dockerfile +++ b/vendor/github.com/securego/gosec/Dockerfile @@ -1,6 +1,6 @@ -ARG GO_VERSION=1.12 +ARG GO_VERSION=1.13 FROM golang:${GO_VERSION}-alpine AS builder -RUN apk add --update --no-cache ca-certificates make git curl +RUN apk add --update --no-cache ca-certificates make git curl gcc libc-dev RUN mkdir -p /build WORKDIR /build COPY . /build/ @@ -8,7 +8,7 @@ RUN go mod download RUN make build-linux FROM golang:${GO_VERSION}-alpine -RUN apk add --update --no-cache ca-certificates git +RUN apk add --update --no-cache ca-certificates git gcc libc-dev ENV GO111MODULE on COPY --from=builder /build/gosec /bin/gosec ENTRYPOINT ["/bin/gosec"] diff --git a/vendor/github.com/securego/gosec/README.md b/vendor/github.com/securego/gosec/README.md index ea39ad37..ca4eb15e 100644 --- a/vendor/github.com/securego/gosec/README.md +++ b/vendor/github.com/securego/gosec/README.md @@ -7,8 +7,8 @@ Inspects source code for security problems by scanning the Go AST. ## License -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. +Licensed under the Apache License, Version 2.0 (the "License"). +You may not use this file except in compliance with the License. You may obtain a copy of the License [here](http://www.apache.org/licenses/LICENSE-2.0). ## Project status 
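Review bot: The new `continue` after the failed `strconv.Atoi(i.Col)` drops the whole gosec finding when the column string cannot be parsed, so a malformed or empty `Col` silently suppresses a security issue rather than degrading its position; the warning is logged, but the issue never reaches `res`. Unlike the line number, the column is not needed to report the finding, so it should fall back instead of bailing: replace `continue` with `column = 0 // report the issue without a column rather than dropping it`. The `Warnf` also formats the entire issue with `%v`, which puts the offending source snippet (`Code`) into the log; logging `i.File` and `i.Line` instead keeps the message compact. The hunk adds no import, so it presumably relies on `strconv` already being imported by this file; the enclosing `NewGosec` closure starts and ends outside the hunk.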
@@ -59,7 +59,7 @@ go get github.com/securego/gosec/cmd/gosec Gosec can be configured to only run a subset of rules, to exclude certain file paths, and produce reports in different formats. By default all rules will be run against the supplied input files. To recursively scan from the current -directory you can supply './...' as the input argument. +directory you can supply `./...` as the input argument. ### Available rules @@ -96,8 +96,8 @@ directory you can supply './...' as the input argument. ### Selecting rules -By default gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the '-include=' flag, -or to specify a set of rules to explicitly exclude using the '-exclude=' flag. +By default, gosec will run all rules against the supplied file paths. It is however possible to select a subset of rules to run via the `-include=` flag, +or to specify a set of rules to explicitly exclude using the `-exclude=` flag. ```bash # Run a specific set of rules @@ -106,6 +106,9 @@ $ gosec -include=G101,G203,G401 ./... # Run everything except for rule G303 $ gosec -exclude=G303 ./... ``` +### CWE Mapping + +Every issue detected by `gosec` is mapped to a [CWE (Common Weakness Enumeration)](http://cwe.mitre.org/data/index.html) which describes in more generic terms the vulnerability. The exact mapping can be found [here](https://github.com/securego/gosec/blob/53be8dd8644ee48802114178cff6eb7e29757414/issue.go#L49). ### Configuration 
@@ -140,7 +143,7 @@ of functions which will be skipped when auditing the not checked errors: ### Dependencies -gosec will fetch automatically the dependencies of the code which is being analyzed when go modules are turned on (e.g.` GO111MODULE=on`). If this is not the case, +gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.` GO111MODULE=on`). If this is not the case, the dependencies need to be explicitly downloaded by running the `go get -d` command before the scan. ### Excluding test files and folders @@ -162,7 +165,8 @@ Also additional folders can be excluded as follows: ### Annotating code -As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment. +As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe, +it is possible to annotate the code with a `#nosec` comment. The annotation causes gosec to stop processing any further nodes within the AST so can apply to a whole block or more granularly to a single expression. 
@@ -183,10 +187,12 @@ func main(){ ``` -When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203 ` +When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) +within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within +the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203` -In some cases you may also want to revisit places where #nosec annotations -have been used. To run the scanner and ignore any #nosec annotations you +In some cases you may also want to revisit places where `#nosec` annotations +have been used. To run the scanner and ignore any `#nosec` annotations you can do the following: ```bash @@ -204,7 +210,7 @@ gosec -tag debug,ignore ./... ### Output formats -gosec currently supports text, json, yaml, csv, sonarqube and JUnit XML output formats. By default +gosec currently supports text, json, yaml, csv, sonarqube, JUnit XML and golint output formats. By default results will be reported to stdout, but can also be written to an output file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows: @@ -244,7 +250,7 @@ The released version of the tool is available in the `dist` folder. The build in gosec - Golang security checker gosec analyzes Go source code to look for common programming mistakes that -can lead to security problems. + VERSION: 1.0.0 GIT TAG: v1.0.0 
@@ -262,7 +268,7 @@ make image ``` You can run the `gosec` tool in a container against your local Go project. You just have to mount the project -into a volume as follow: +into a volume as follows: ```bash docker run -it -v /:/ securego/gosec //... @@ -284,4 +290,4 @@ You can invoke now the `go generate` in the root of the project: go generate ./... ``` -This will generate the `rules/tls_config.go` file with will contain the current ciphers recommendation from Mozilla. +This will generate the `rules/tls_config.go` file which will contain the current ciphers recommendation from Mozilla. diff --git a/vendor/github.com/securego/gosec/config.go b/vendor/github.com/securego/gosec/config.go index 14fd2b32..5b7f7393 100644 --- a/vendor/github.com/securego/gosec/config.go +++ b/vendor/github.com/securego/gosec/config.go @@ -38,6 +38,22 @@ func NewConfig() Config { return cfg } +func (c Config) keyToGlobalOptions(key string) GlobalOption { + return GlobalOption(key) +} + +func (c Config) convertGlobals() { + if globals, ok := c[Globals]; ok { + if settings, ok := globals.(map[string]interface{}); ok { + validGlobals := map[GlobalOption]string{} + for k, v := range settings { + validGlobals[c.keyToGlobalOptions(k)] = fmt.Sprintf("%v", v) + } + c[Globals] = validGlobals + } + } +} + // ReadFrom implements the io.ReaderFrom interface. This // should be used with io.Reader to load configuration from //file or from string etc. @@ -49,6 +65,7 @@ func (c Config) ReadFrom(r io.Reader) (int64, error) { if err = json.Unmarshal(data, &c); err != nil { return int64(len(data)), err } + c.convertGlobals() return int64(len(data)), nil } @@ -87,7 +104,6 @@ func (c Config) GetGlobal(option GlobalOption) (string, error) { } } return "", fmt.Errorf("no global config options found") - } // SetGlobal associates a value with a global configuration option diff --git a/vendor/github.com/securego/gosec/go.mod b/vendor/github.com/securego/gosec/go.mod index 0927b6ff..ee6c6983 100644 
--- a/vendor/github.com/securego/gosec/go.mod +++ b/vendor/github.com/securego/gosec/go.mod @@ -7,16 +7,16 @@ require ( github.com/lib/pq v1.2.0 // indirect github.com/mozilla/tls-observatory v0.0.0-20190404164649-a3c1b6cfecfd github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d - github.com/onsi/ginkgo v1.10.1 - github.com/onsi/gomega v1.7.0 + github.com/onsi/ginkgo v1.11.0 + github.com/onsi/gomega v1.8.1 github.com/stretchr/objx v0.2.0 // indirect github.com/stretchr/testify v1.4.0 // indirect - golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392 // indirect golang.org/x/net v0.0.0-20190923162816-aa69164e4478 // indirect + golang.org/x/sys v0.0.0-20190922100055-0a153f010e69 // indirect golang.org/x/text v0.3.2 // indirect - golang.org/x/tools v0.0.0-20190930201159-7c411dea38b0 + golang.org/x/tools v0.0.0-20200102140908-9497f49d5709 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect - gopkg.in/yaml.v2 v2.2.2 + gopkg.in/yaml.v2 v2.2.7 ) go 1.13 diff --git a/vendor/github.com/securego/gosec/go.sum b/vendor/github.com/securego/gosec/go.sum index 3a38c4fc..3f2a05f8 100644 --- a/vendor/github.com/securego/gosec/go.sum +++ b/vendor/github.com/securego/gosec/go.sum 
@@ -28,10 +28,14 @@ github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w= github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -46,7 +50,10 @@ golang.org/x/crypto v0.0.0-20190907121410-71b5226ff739/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190909091759-094676da4a83 h1:mgAKeshyNqWKdENOnQsg+8dRTwZFIwFaO3HNl52sweA= golang.org/x/crypto v0.0.0-20190909091759-094676da4a83/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392 h1:ACG4HJsFiNMf47Y4PeRoebLNy/2lXT9EtprMuTFWt1M= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -58,6 +65,7 @@ golang.org/x/net v0.0.0-20190909003024-a7b16738d86b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190912160710-24e19bdeb0f2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190916140828-c8589233b77d/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190921015927-1a5e07d1ff72/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478 h1:l5EDrHhldLYb3ZRHDUhXF7Om7MvYXnkV9/iQNo1lX6g= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -75,6 +83,7 @@ golang.org/x/sys v0.0.0-20190910064555-bbd175535a8b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190911201528-7ad0cfa0b7b5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190913121621-c3b328c6e5a7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69 h1:rOhMmluY6kLMhdnrivzec6lLgaVbMHMn2ISQXJeJ5EM= golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -105,7 +114,14 @@ golang.org/x/tools v0.0.0-20190924052046-3ac2a5bbd98a h1:DJzZ1GRmbjp7ihxzAN6UTVp golang.org/x/tools v0.0.0-20190924052046-3ac2a5bbd98a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190930201159-7c411dea38b0 h1:7+F62GGWUowoiJOUDivedlBECd/fTeUDJnCu0JetQO0= golang.org/x/tools v0.0.0-20190930201159-7c411dea38b0/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191101200257-8dbcdeb83d3f h1:+QO45yvqhfD79HVNFPAgvstYLFye8zA+rd0mHFsGV9s= +golang.org/x/tools v0.0.0-20191101200257-8dbcdeb83d3f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191217033636-bbbf87ae2631 h1:6/HU2wqgxuc1kG3FdVH8K60WlieDAlIYaVc21Cit9Us= +golang.org/x/tools v0.0.0-20191217033636-bbbf87ae2631/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200102140908-9497f49d5709 h1:AfG1EmoRkFK24HWWLxSrRKNg2G+oA3JVOG8GJsHWypQ= +golang.org/x/tools v0.0.0-20200102140908-9497f49d5709/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -117,3 +133,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo= +gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/vendor/github.com/securego/gosec/issue.go b/vendor/github.com/securego/gosec/issue.go index 9f0454eb..297030c0 100644 --- a/vendor/github.com/securego/gosec/issue.go +++ b/vendor/github.com/securego/gosec/issue.go 
@@ -34,15 +34,56 @@ const ( High ) +// Cwe id and url +type Cwe struct { + ID string + URL string +} + +// GetCwe creates a cwe object for a given RuleID +func GetCwe(id string) Cwe { + return Cwe{ID: id, URL: fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", id)} +} + +// IssueToCWE maps gosec rules to CWEs +var IssueToCWE = map[string]Cwe{ + "G101": GetCwe("798"), + "G102": GetCwe("200"), + "G103": GetCwe("242"), + "G104": GetCwe("703"), + "G106": GetCwe("322"), + "G107": GetCwe("88"), + "G201": GetCwe("89"), + "G202": GetCwe("89"), + "G203": GetCwe("79"), + "G204": GetCwe("78"), + "G301": GetCwe("276"), + "G302": GetCwe("276"), + "G303": GetCwe("377"), + "G304": GetCwe("22"), + "G305": GetCwe("22"), + "G401": GetCwe("326"), + "G402": GetCwe("295"), + "G403": GetCwe("310"), + "G404": GetCwe("338"), + "G501": GetCwe("327"), + "G502": GetCwe("327"), + "G503": GetCwe("327"), + "G504": GetCwe("327"), + "G505": GetCwe("327"), +} + // Issue is returned by a gosec rule if it discovers an issue with the scanned code. type Issue struct { Severity Score `json:"severity"` // issue severity (how problematic it is) Confidence Score `json:"confidence"` // issue confidence (how sure we are we found it) + Cwe Cwe `json:"cwe"` // Cwe associated with RuleID RuleID string `json:"rule_id"` // Human readable explanation What string `json:"details"` // Human readable explanation File string `json:"file"` // File name we found it in Code string `json:"code"` // Impacted code line Line string `json:"line"` // Line number in file + Col string `json:"column"` // Column number in line } // MetaData is embedded in all gosec rules. The Severity, Confidence and What message @@ -102,6 +143,8 @@ func NewIssue(ctx *Context, node ast.Node, ruleID, desc string, severity Score, line = fmt.Sprintf("%d-%d", start, end) } + col := strconv.Itoa(fobj.Position(node.Pos()).Column) + // #nosec if file, err := os.Open(fobj.Name()); err == nil { defer file.Close() 
@@ -116,10 +159,12 @@ func NewIssue(ctx *Context, node ast.Node, ruleID, desc string, severity Score, return &Issue{ File: name, Line: line, + Col: col, RuleID: ruleID, What: desc, Confidence: confidence, Severity: severity, Code: code, + Cwe: IssueToCWE[ruleID], } } diff --git a/vendor/github.com/securego/gosec/resolve.go b/vendor/github.com/securego/gosec/resolve.go index 3c20dd3a..cdc287e8 100644 --- a/vendor/github.com/securego/gosec/resolve.go +++ b/vendor/github.com/securego/gosec/resolve.go @@ -17,7 +17,6 @@ package gosec import "go/ast" func resolveIdent(n *ast.Ident, c *Context) bool { - if n.Obj == nil || n.Obj.Kind != ast.Var { return true } @@ -27,7 +26,22 @@ func resolveIdent(n *ast.Ident, c *Context) bool { return false } +func resolveValueSpec(n *ast.ValueSpec, c *Context) bool { + if len(n.Values) == 0 { + return false + } + for _, value := range n.Values { + if !TryResolve(value, c) { + return false + } + } + return true +} + func resolveAssign(n *ast.AssignStmt, c *Context) bool { + if len(n.Rhs) == 0 { + return false + } for _, arg := range n.Rhs { if !TryResolve(arg, c) { return false @@ -37,6 +51,9 @@ func resolveAssign(n *ast.AssignStmt, c *Context) bool { } func resolveCompLit(n *ast.CompositeLit, c *Context) bool { + if len(n.Elts) == 0 { + return false + } for _, arg := range n.Elts { if !TryResolve(arg, c) { return false 
@@ -54,29 +71,25 @@ func resolveCallExpr(n *ast.CallExpr, c *Context) bool { return false } -// TryResolve will attempt, given a subtree starting at some ATS node, to resolve +// TryResolve will attempt, given a subtree starting at some AST node, to resolve // all values contained within to a known constant. It is used to check for any // unknown values in compound expressions. func TryResolve(n ast.Node, c *Context) bool { switch node := n.(type) { case *ast.BasicLit: return true - case *ast.CompositeLit: return resolveCompLit(node, c) - case *ast.Ident: return resolveIdent(node, c) - + case *ast.ValueSpec: + return resolveValueSpec(node, c) case *ast.AssignStmt: return resolveAssign(node, c) - case *ast.CallExpr: return resolveCallExpr(node, c) - case *ast.BinaryExpr: return resolveBinExpr(node, c) } - return false } diff --git a/vendor/github.com/securego/gosec/rules/ssrf.go b/vendor/github.com/securego/gosec/rules/ssrf.go index 34aa5d42..b1409a5f 100644 --- a/vendor/github.com/securego/gosec/rules/ssrf.go +++ b/vendor/github.com/securego/gosec/rules/ssrf.go @@ -24,8 +24,15 @@ func (r *ssrf) ResolveVar(n *ast.CallExpr, c *gosec.Context) bool { arg := n.Args[0] if ident, ok := arg.(*ast.Ident); ok { obj := c.Info.ObjectOf(ident) - if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) { - return true + if _, ok := obj.(*types.Var); ok { + scope := c.Pkg.Scope() + if scope != nil && scope.Lookup(ident.Name) != nil { + // a URL defined in a variable at package scope can be changed at any time + return true + } + if !gosec.TryResolve(ident, c) { + return true + } } } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 47906ae0..9482448c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -134,7 +134,7 @@ github.com/pelletier/go-toml github.com/pkg/errors # github.com/pmezard/go-difflib v1.0.0 github.com/pmezard/go-difflib/difflib -# github.com/securego/gosec v0.0.0-20191002120514-e680875ea14d +# github.com/securego/gosec v0.0.0-20200103095621-79fbf3af8d83 github.com/securego/gosec github.com/securego/gosec/rules # github.com/shirou/gopsutil v0.0.0-20190901111213-e4ec7b275ada @@ -192,7 +192,7 @@ golang.org/x/sys/windows golang.org/x/text/transform golang.org/x/text/unicode/norm golang.org/x/text/width -# golang.org/x/tools v0.0.0-20191113232020-e2727e816f5a => github.com/golangci/tools v0.0.0-20190915081525-6aa350649b1c +# golang.org/x/tools v0.0.0-20200102140908-9497f49d5709 => github.com/golangci/tools v0.0.0-20190915081525-6aa350649b1c golang.org/x/tools/go/analysis golang.org/x/tools/go/analysis/passes/asmdecl golang.org/x/tools/go/analysis/passes/assign