gosec: add configuration (#1930)

.golangci.example.yml

@@ -334,6 +334,30 @@ linters-settings:
         #     reason: "testing if blocked version constraint works."  # Reason why the version constraint exists. (Optional)
       local_replace_directives: false                                 # Set to true to raise lint issues for packages that are loaded from a local path via replace directive
 
+  gosec:
+    # To select a subset of rules to run.
+    # Available rules: https://github.com/securego/gosec#available-rules
+    includes:
+      - G401
+      - G306
+      - G101
+    # To specify a set of rules to explicitly exclude.
+    # Available rules: https://github.com/securego/gosec#available-rules
+    excludes:
+      - G204
+    # To specify the configuration of rules.
+    # The configuration of rules is not fully documented by gosec:
+    # https://github.com/securego/gosec#configuration
+    # https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/rules/rulelist.go#L60-L102
+    config:
+      G306: "0600"
+      G101:
+        pattern: "(?i)example"
+        ignore_entropy: false
+        entropy_threshold: "80.0"
+        per_char_threshold: "3.0"
+        truncate: "32"
+
   govet:
     # report about shadowed variables
     check-shadowing: true

go.sum

@@ -80,8 +80,6 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/bkielbasa/cyclop v1.2.0 h1:7Jmnh0yL2DjKfw28p86YTd/B4lRGcNuu12sKE35sM7A=
 github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI=
-github.com/bombsimon/wsl/v3 v3.2.0 h1:x3QUbwW7tPGcCNridvqmhSRthZMTALnkg5/1J+vaUas=
-github.com/bombsimon/wsl/v3 v3.2.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/bombsimon/wsl/v3 v3.3.0 h1:Mka/+kRLoQJq7g2rggtgQsjuI/K5Efd87WX96EWFxjM=
 github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -123,7 +121,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denis-tingajkin/go-header v0.4.2 h1:jEeSF4sdv8/3cT/WY8AgDHUoItNSoEZ7qg9dX7pc218=
 github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -623,8 +620,6 @@ github.com/tklauser/numcpus v0.2.1/go.mod h1:9aU+wOc6WjUIZEwWMP62PL/41d65P+iks1g
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tomarrell/wrapcheck v1.1.0 h1:zMmCL57nBBeB375MZ5i91Vde8utQTdyOn7ZId6WFIEo=
-github.com/tomarrell/wrapcheck v1.1.0/go.mod h1:Bd3i1FaEKe3XmcPoHhNQ+HM0S8P6eIXoQIoGj/ndJkU=
 github.com/tomarrell/wrapcheck v1.2.0 h1:N1PWGT8l+6jZVTcm00kGjx9IEA8oDMSjipqY73ye5c0=
 github.com/tomarrell/wrapcheck v1.2.0/go.mod h1:Bd3i1FaEKe3XmcPoHhNQ+HM0S8P6eIXoQIoGj/ndJkU=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=

pkg/config/linters_settings.go

@@ -103,6 +103,7 @@ type LintersSettings struct {
 	Gomnd            GoMndSettings
 	GoModDirectives  GoModDirectivesSettings
 	Gomodguard       GoModGuardSettings
+	Gosec            GoSecSettings
 	Govet            GovetSettings
 	Ifshort          IfshortSettings
 	ImportAs         ImportAsSettings
@@ -268,6 +269,12 @@ type GoModGuardSettings struct {
 	} `mapstructure:"blocked"`
 }
 
+type GoSecSettings struct {
+	Includes []string
+	Excludes []string
+	Config   map[string]interface{} `mapstructure:"config"`
+}
+
 type GovetSettings struct {
 	CheckShadowing bool `mapstructure:"check-shadowing"`
 	Settings       map[string]map[string]interface{}

pkg/golinters/gosec.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"log"
 	"strconv"
+	"strings"
 	"sync"
 
 	"github.com/securego/gosec/v2"
@@ -13,6 +14,7 @@ import (
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/packages"
 
+	"github.com/golangci/golangci-lint/pkg/config"
 	"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
 	"github.com/golangci/golangci-lint/pkg/lint/linter"
 	"github.com/golangci/golangci-lint/pkg/result"
@@ -20,12 +22,25 @@ import (
 
 const gosecName = "gosec"
 
-func NewGosec() *goanalysis.Linter {
+func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 	var mu sync.Mutex
 	var resIssues []goanalysis.Issue
 
 	gasConfig := gosec.NewConfig()
-	enabledRules := rules.Generate()
+
+	var filters []rules.RuleFilter
+	if settings != nil {
+		filters = gosecRuleFilters(settings.Includes, settings.Excludes)
+
+		for k, v := range settings.Config {
+			// Uses ToUpper because the parsing of the map's key change the key to lowercase.
+			// The value is not impacted by that: the case is respected.
+			gasConfig.Set(strings.ToUpper(k), v)
+		}
+	}
+
+	ruleDefinitions := rules.Generate(filters...)
+
 	logger := log.New(ioutil.Discard, "", 0)
 
 	analyzer := &analysis.Analyzer{
@@ -40,7 +55,8 @@ func NewGosec() *goanalysis.Linter {
 	).WithContextSetter(func(lintCtx *linter.Context) {
 		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
 			gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, logger)
-			gosecAnalyzer.LoadRules(enabledRules.Builders())
+			gosecAnalyzer.LoadRules(ruleDefinitions.Builders())
+
 			pkg := &packages.Package{
 				Fset:      pass.Fset,
 				Syntax:    pass.Files,
@@ -95,3 +111,18 @@ func NewGosec() *goanalysis.Linter {
 		return resIssues
 	}).WithLoadMode(goanalysis.LoadModeTypesInfo)
 }
+
+// based on https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/cmd/gosec/main.go#L170-L188
+func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
+	var filters []rules.RuleFilter
+
+	if len(includes) > 0 {
+		filters = append(filters, rules.NewRuleFilter(false, includes...))
+	}
+
+	if len(excludes) > 0 {
+		filters = append(filters, rules.NewRuleFilter(true, excludes...))
+	}
+
+	return filters
+}

pkg/lint/lintersdb/manager.go

@@ -112,6 +112,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 	var importAsCfg *config.ImportAsSettings
 	var goModDirectivesCfg *config.GoModDirectivesSettings
 	var tagliatelleCfg *config.TagliatelleSettings
+	var gosecCfg *config.GoSecSettings
 
 	if m.cfg != nil {
 		govetCfg = &m.cfg.LintersSettings.Govet
@@ -127,6 +128,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		importAsCfg = &m.cfg.LintersSettings.ImportAs
 		goModDirectivesCfg = &m.cfg.LintersSettings.GoModDirectives
 		tagliatelleCfg = &m.cfg.LintersSettings.Tagliatelle
+		gosecCfg = &m.cfg.LintersSettings.Gosec
 	}
 
 	const megacheckName = "megacheck"
@@ -190,7 +192,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithLoadForGoAnalysis().
 			WithPresets(linter.PresetStyle).
 			WithURL("https://github.com/dominikh/go-tools/tree/master/stylecheck"),
-		linter.NewConfig(golinters.NewGosec()).
+		linter.NewConfig(golinters.NewGosec(gosecCfg)).
 			WithSince("v1.0.0").
 			WithLoadForGoAnalysis().
 			WithPresets(linter.PresetBugs).

test/testdata/configs/gosec.yml

@@ -0,0 +1,13 @@
+linters-settings:
+  gosec:
+    includes:
+      - G306
+      - G101
+    config:
+      G306: "0666"
+      G101:
+        pattern: "(?i)simple"
+        ignore_entropy: false
+        entropy_threshold: "80.0"
+        per_char_threshold: "3.0"
+        truncate: "32"

test/testdata/gosec_rules_config.go

@@ -0,0 +1,12 @@
+//args: -Egosec
+//config_path: testdata/configs/gosec.yml
+package testdata
+
+import "io/ioutil"
+
+const gosecToken = "62ebc7a03d6ca24dca1258fd4b48462f6fed1545"
+const gosecSimple = "62ebc7a03d6ca24dca1258fd4b48462f6fed1545" // ERROR "G101: Potential hardcoded credentials"
+
+func gosecCustom() {
+	ioutil.WriteFile("filename", []byte("test"), 0755) // ERROR "G306: Expect WriteFile permissions to be 0666 or less"
+}