Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2022-06-23 10:23:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Thu Jun 23 10:23:40 2022 rev:4 rq:984265 version:2.12.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2022-05-05 
23:06:52.449593308 +0200
+++ /work/SRC/openSUSE:Factory/.gosec.new.1548/gosec.changes    2022-06-23 
10:24:00.875723312 +0200
@@ -1,0 +2,26 @@
+Tue Jun 21 03:00:17 UTC 2022 - Jeff Kowalczyk <jkowalc...@suse.com>
+
+- Enable _service tar_scm changelog automation
+- Commit _servicedata to support tar_scm changelog automation
+
+-------------------------------------------------------------------
+Wed Jun 15 06:40:28 UTC 2022 - Felix Niederwanger <felix.niederwan...@suse.com>
+
+- Update to version 2.12.0:
+  * chore(deps): update all dependencies (#822)
+  * Add check for usage of Rat.SetString in math/big with an overflow error 
(#819)
+  * Remove additional `--update` for apk in Dockerfile (#818)
+  * Update x/tools to pick up fix for golang/go#51629 (#817)
+  * chore(deps): update all dependencies (#816)
+  * chore(deps): update all dependencies (#812)
+  * chore(deps): update all dependencies (#811)
+  * Add new rule for Slowloris Attack
+  * Fix the dependencies after renovate upate (#806)
+  * chore(deps): update all dependencies (#805)
+  * Update the description message of template rule (#803)
+  * Fix typo in ReadMe (#802)
+  * Fix build after renovate update (#800)
+  * Fix use rule IDs to retrieve the rule config
+  * chore(deps): update all dependencies (#796)
+
+-------------------------------------------------------------------

Old:
----
  gosec-2.11.0.tar.gz

New:
----
  _servicedata
  gosec-2.12.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.v3xnk2/_old  2022-06-23 10:24:01.463723951 +0200
+++ /var/tmp/diff_new_pack.v3xnk2/_new  2022-06-23 10:24:01.467723956 +0200
@@ -17,15 +17,15 @@
 
 
 Name:           gosec
-Version:        2.11.0
+Version:        2.12.0
 Release:        0
 Summary:        Golang security checker
 License:        Apache-2.0
 URL:            https://github.com/securego/gosec
 Source:         gosec-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang-packaging
 BuildRequires:  go >= 1.16
+BuildRequires:  golang-packaging
 %{go_nostrip}
 
 %description

++++++ _service ++++++
--- /var/tmp/diff_new_pack.v3xnk2/_old  2022-06-23 10:24:01.503723995 +0200
+++ /var/tmp/diff_new_pack.v3xnk2/_new  2022-06-23 10:24:01.507723999 +0200
@@ -2,9 +2,10 @@
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/securego/gosec.git</param>
     <param name="scm">git</param>
-    <param name="revision">master</param>
-    <param name="version">v2.9.6</param>
+    <param name="exclude">.git</param>
+    <param name="revision">v2.12.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
+    <param name="changesgenerate">enable</param>
        <param name="versionrewrite-pattern">v(.*)</param>
   </service>
   <service name="set_version" mode="disabled"/>

++++++ _servicedata ++++++
<servicedata>
<service name="tar_scm">
                <param name="url">https://github.com/securego/gosec.git</param>
              <param 
name="changesrevision">a9b0ef0a1136cc93caacd1ca281a8b6d883946e5</param></service></servicedata>
(No newline at EOF)

++++++ gosec-2.11.0.tar.gz -> gosec-2.12.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/.github/workflows/ci.yml 
new/gosec-2.12.0/.github/workflows/ci.yml
--- old/gosec-2.11.0/.github/workflows/ci.yml   2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/.github/workflows/ci.yml   2022-06-13 19:48:12.000000000 
+0200
@@ -24,7 +24,7 @@
           go-version: ${{ matrix.go_version }}
       - name: Checkout Source 
         uses: actions/checkout@v3
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -48,7 +48,7 @@
           go-version: '1.18'
       - name: Checkout Source 
         uses: actions/checkout@v3
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -57,7 +57,7 @@
       - name: Create Test Coverage
         run: make test-coverage
       - name: Upload Test Coverage
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/.github/workflows/release.yml 
new/gosec-2.12.0/.github/workflows/release.yml
--- old/gosec-2.11.0/.github/workflows/release.yml      2022-03-21 
16:53:22.000000000 +0100
+++ new/gosec-2.12.0/.github/workflows/release.yml      2022-06-13 
19:48:12.000000000 +0200
@@ -28,11 +28,11 @@
         env:
           COSIGN_KEY: ${{secrets.COSIGN_KEY}}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{secrets.DOCKER_USERNAME}}
           password: ${{secrets.DOCKER_PASSWORD}}
@@ -42,7 +42,7 @@
           version: v1
           args: mod -licenses -json -output bom.json
       - name: Docker meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         id: meta
         with:
           images: securego/gosec
@@ -52,7 +52,7 @@
             type=sha,format=long
             type=semver,pattern={{version}}
       - name: Release Binaries
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
           args: release --rm-dist
@@ -60,7 +60,7 @@
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
       - name: Release Docker Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{steps.meta.outputs.tags}}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/.github/workflows/scan.yml 
new/gosec-2.12.0/.github/workflows/scan.yml
--- old/gosec-2.11.0/.github/workflows/scan.yml 2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/.github/workflows/scan.yml 2022-06-13 19:48:12.000000000 
+0200
@@ -20,7 +20,7 @@
         # we let the report trigger content trigger a failure using the GitHub 
Security features.
         args: '-no-fail -fmt sarif -out results.sarif ./...'
     - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@v2
       with:
         # Path to SARIF file relative to the root of the repository
         sarif_file: results.sarif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/Dockerfile new/gosec-2.12.0/Dockerfile
--- old/gosec-2.11.0/Dockerfile 2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/Dockerfile 2022-06-13 19:48:12.000000000 +0200
@@ -1,6 +1,6 @@
 ARG GO_VERSION
 FROM golang:${GO_VERSION}-alpine AS builder
-RUN apk add --update --no-cache ca-certificates make git curl gcc libc-dev
+RUN apk add --no-cache ca-certificates make git curl gcc libc-dev
 RUN mkdir -p /build
 WORKDIR /build
 COPY . /build/
@@ -8,7 +8,7 @@
 RUN make build-linux
 
 FROM golang:${GO_VERSION}-alpine 
-RUN apk add --update --no-cache ca-certificates bash git gcc libc-dev openssh
+RUN apk add --no-cache ca-certificates bash git gcc libc-dev openssh
 ENV GO111MODULE on
 COPY --from=builder /build/gosec /bin/gosec
 COPY entrypoint.sh /bin/entrypoint.sh
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/README.md new/gosec-2.12.0/README.md
--- old/gosec-2.11.0/README.md  2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/README.md  2022-06-13 19:48:12.000000000 +0200
@@ -144,6 +144,8 @@
 - G109: Potential Integer overflow made by strconv.Atoi result conversion to 
int16/32
 - G110: Potential DoS vulnerability via decompression bomb
 - G111: Potential directory traversal
+- G112: Potential slowloris attack
+- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
 - G201: SQL query construction using format string
 - G202: SQL query construction using string concatenation
 - G203: Use of unescaped data in HTML templates
@@ -219,7 +221,7 @@
 }
 ```
 
-You can also configure the hard-coded credentials rule `G101` with additional 
patters, or adjust the entropy threshold:
+You can also configure the hard-coded credentials rule `G101` with additional 
patterns, or adjust the entropy threshold:
 
 ```JSON
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/call_list.go 
new/gosec-2.12.0/call_list.go
--- old/gosec-2.11.0/call_list.go       2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/call_list.go       2022-06-13 19:48:12.000000000 +0200
@@ -47,7 +47,7 @@
 }
 
 // Contains returns true if the package and function are
-/// members of this call list.
+// members of this call list.
 func (c CallList) Contains(selector, ident string) bool {
        if idents, ok := c[selector]; ok {
                _, found := idents[ident]
@@ -77,17 +77,26 @@
                return nil
        }
 
-       // Use only explicit path (optionally strip vendor path prefix) to 
reduce conflicts
-       path, ok := GetImportPath(selector, ctx)
-       if !ok {
-               return nil
+       // Selector can have two forms:
+       // 1. A short name if a module function is called (expr.Name).
+       // E.g., "big" if called function from math/big.
+       // 2. A full name if a structure function is called (TypeOf(expr)).
+       // E.g., "math/big.Rat" if called function of Rat structure from 
math/big.
+       if !strings.ContainsRune(selector, '.') {
+               // Use only explicit path (optionally strip vendor path prefix) 
to reduce conflicts
+               path, ok := GetImportPath(selector, ctx)
+               if !ok {
+                       return nil
+               }
+               selector = path
        }
+
        if stripVendor {
-               if vendorIdx := strings.Index(path, vendorPath); vendorIdx >= 0 
{
-                       path = path[vendorIdx+len(vendorPath):]
+               if vendorIdx := strings.Index(selector, vendorPath); vendorIdx 
>= 0 {
+                       selector = selector[vendorIdx+len(vendorPath):]
                }
        }
-       if !c.Contains(path, ident) {
+       if !c.Contains(selector, ident) {
                return nil
        }
 
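Review bot: The `strings.ContainsRune(selector, '.')` test changes the contract of `selector` — it is now either a package short name or a type-qualified name such as `math/big.Rat` — but only the inline comment says so; the enclosing function's doc comment, which sits above this hunk, presumably still describes the old import-path-only form and should name both accepted forms. A dotted selector is also used verbatim, with no resolution through `GetImportPath`, so the vendor stripping below relies solely on `strings.Index(selector, vendorPath)`; worth a one-line comment such as `// a type-qualified selector is already a full import path, so it is used as-is` next to the `if` so the asymmetry is deliberate rather than surprising. The enclosing function starts before and ends after this hunk.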
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/cwe/data.go new/gosec-2.12.0/cwe/data.go
--- old/gosec-2.11.0/cwe/data.go        2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/cwe/data.go        2022-06-13 19:48:12.000000000 +0200
@@ -90,6 +90,11 @@
                        Name:        "Insecure Temporary File",
                },
                {
+                       ID:          "400",
+                       Description: "The software does not properly control 
the allocation and maintenance of a limited resource, thereby enabling an actor 
to influence the amount of resources consumed, eventually leading to the 
exhaustion of available resources.",
+                       Name:        "Uncontrolled Resource Consumption",
+               },
+               {
                        ID:          "409",
                        Description: "The software does not handle or 
incorrectly handles a compressed input with a very high compression ratio that 
produces a large output.",
                        Name:        "Improper Handling of Highly Compressed 
Data (Data Amplification)",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/go.mod new/gosec-2.12.0/go.mod
--- old/gosec-2.11.0/go.mod     2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/go.mod     2022-06-13 19:48:12.000000000 +0200
@@ -2,16 +2,16 @@
 
 require (
        github.com/google/uuid v1.3.0
-       github.com/gookit/color v1.5.0
-       github.com/lib/pq v1.10.4
+       github.com/gookit/color v1.5.1
+       github.com/lib/pq v1.10.6
        github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
        github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
-       github.com/onsi/ginkgo/v2 v2.1.3
-       github.com/onsi/gomega v1.18.1
-       golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
+       github.com/onsi/ginkgo/v2 v2.1.4
+       github.com/onsi/gomega v1.19.0
+       golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
        golang.org/x/text v0.3.7
-       golang.org/x/tools v0.1.9
+       golang.org/x/tools v0.1.11
        gopkg.in/yaml.v2 v2.4.0
 )
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/go.sum new/gosec-2.12.0/go.sum
--- old/gosec-2.11.0/go.sum     2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/go.sum     2022-06-13 19:48:12.000000000 +0200
@@ -166,8 +166,8 @@
 github.com/google/uuid v1.3.0/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod 
h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod 
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gookit/color v1.5.0 h1:1Opow3+BWDwqor78DcJkJCIwnkviFi+rrOANki9BUFw=
-github.com/gookit/color v1.5.0/go.mod 
h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
+github.com/gookit/color v1.5.1 h1:Vjg2VEcdHpwq+oY63s/ksHrgJYCTo0bwWvmmYWdE9fQ=
+github.com/gookit/color v1.5.1/go.mod 
h1:wZFzea4X8qN6vHOSP2apMb4/+w/orMznEzYsIHPaqKM=
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod 
h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod 
h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
 github.com/gorilla/mux v1.8.0/go.mod 
h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
@@ -220,8 +220,8 @@
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod 
h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk=
-github.com/lib/pq v1.10.4/go.mod 
h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
+github.com/lib/pq v1.10.6/go.mod 
h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod 
h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod 
h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod 
h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -266,14 +266,14 @@
 github.com/onsi/ginkgo v1.12.1/go.mod 
h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod 
h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo/v2 v2.0.0/go.mod 
h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.1.3 
h1:e/3Cwtogj0HA+25nMP1jCMDIf8RtRYbGwGGuBIFztkc=
 github.com/onsi/ginkgo/v2 v2.1.3/go.mod 
h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
+github.com/onsi/ginkgo/v2 v2.1.4 
h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
+github.com/onsi/ginkgo/v2 v2.1.4/go.mod 
h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU=
 github.com/onsi/gomega v1.7.1/go.mod 
h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod 
h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0/go.mod 
h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
-github.com/onsi/gomega v1.18.1/go.mod 
h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
+github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
+github.com/onsi/gomega v1.19.0/go.mod 
h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/opentracing/opentracing-go v1.1.0/go.mod 
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.2.0/go.mod 
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod 
h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -327,8 +327,8 @@
 github.com/stretchr/testify v1.4.0/go.mod 
h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod 
h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 
h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2 
h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
+github.com/stretchr/testify v1.7.2/go.mod 
h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -376,8 +376,9 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000 
h1:SL+8VVnkqyshUSz5iNnXtrBQzvFF2SkROm6t5RczFAE=
-golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e 
h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -411,8 +412,9 @@
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod 
h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 
h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod 
h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -447,10 +449,12 @@
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod 
h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod 
h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 
h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f 
h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -516,11 +520,13 @@
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e 
h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 
h1:OH54vjqzRWmbJ62fjuhxy7AxFFgoHN0/DPc/UrL8cAs=
+golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod 
h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 
h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 
h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod 
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -581,12 +587,12 @@
 golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.9 h1:j9KsMiaP1c3B0OTQGth0/k+miLGTgLsAFUCrF2vLcF8=
-golang.org/x/tools v0.1.9/go.mod 
h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.10/go.mod 
h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
+golang.org/x/tools v0.1.11 h1:loJ25fNOEhSXfHrpoGj91eCUThwdNX6u24rO1xnNteY=
+golang.org/x/tools v0.1.11/go.mod 
h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 
h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod 
h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod 
h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -693,8 +699,9 @@
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c 
h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/helpers.go new/gosec-2.12.0/helpers.go
--- old/gosec-2.11.0/helpers.go 2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/helpers.go 2022-06-13 19:48:12.000000000 +0200
@@ -449,3 +449,12 @@
        root = strings.TrimSuffix(root, "...")
        return filepath.Abs(root)
 }
+
+// GoVersion returns parsed version of Go from runtime
+func GoVersion() (int, int, int) {
+       versionParts := strings.Split(runtime.Version(), ".")
+       major, _ := strconv.Atoi(versionParts[0][2:])
+       minor, _ := strconv.Atoi(versionParts[1])
+       build, _ := strconv.Atoi(versionParts[2])
+       return major, minor, build
+}
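Review bot: `versionParts[2]` in the new GoVersion panics with an index out of range whenever runtime.Version() has no patch component, which is exactly what a .0 release reports (e.g. "go1.18"), and a pre-release string such as "go1.19rc1" also splits into only two parts; the `_`-discarded Atoi errors then hide any remaining misparse rather than surfacing it. Given the spec only requires go >= 1.16, the first release of any minor version would hit this at runtime. Parse defensively instead: strip the "go" prefix, split into at most three parts, keep only the leading digits of each part, and report a missing part as 0.
```go
// GoVersion returns parsed version of Go from runtime
func GoVersion() (int, int, int) {
	return parseGoVersion(runtime.Version())
}

// parseGoVersion accepts "go1.18", "go1.18.3" and "go1.19rc1"; a missing or
// non-numeric component is reported as 0 instead of panicking.
func parseGoVersion(version string) (major, minor, build int) {
	parts := strings.SplitN(strings.TrimPrefix(version, "go"), ".", 3)
	out := [3]*int{&major, &minor, &build}
	for i, p := range parts {
		*out[i] = leadingInt(p)
	}
	return major, minor, build
}

// leadingInt parses the run of decimal digits that starts s, so "19rc1" is 19.
func leadingInt(s string) int {
	end := 0
	for end < len(s) && s[end] >= '0' && s[end] <= '9' {
		end++
	}
	n, _ := strconv.Atoi(s[:end]) // only fails on "", which maps to 0
	return n
}
```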
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/issue.go new/gosec-2.12.0/issue.go
--- old/gosec-2.11.0/issue.go   2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/issue.go   2022-06-13 19:48:12.000000000 +0200
@@ -64,6 +64,8 @@
        "G109": "190",
        "G110": "409",
        "G111": "22",
+       "G112": "400",
+       "G113": "190",
        "G201": "89",
        "G202": "89",
        "G203": "79",
@@ -181,7 +183,7 @@
 
        var code string
        if file, err := os.Open(fobj.Name()); err == nil {
-               defer file.Close() //#nosec
+               defer file.Close() // #nosec
                s := codeSnippetStartLine(node, fobj)
                e := codeSnippetEndLine(node, fobj)
                code, err = codeSnippet(file, s, e, node)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/report/formatter_test.go 
new/gosec-2.12.0/report/formatter_test.go
--- old/gosec-2.11.0/report/formatter_test.go   2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/report/formatter_test.go   2022-06-13 19:48:12.000000000 
+0200
@@ -277,9 +277,10 @@
        Context("When using different report formats", func() {
                grules := []string{
                        "G101", "G102", "G103", "G104", "G106", "G107", "G109",
-                       "G110", "G111", "G201", "G202", "G203", "G204", "G301",
-                       "G302", "G303", "G304", "G305", "G401", "G402", "G403",
-                       "G404", "G501", "G502", "G503", "G504", "G505",
+                       "G110", "G111", "G112", "G113", "G201", "G202", "G203",
+                       "G204", "G301", "G302", "G303", "G304", "G305", "G401",
+                       "G402", "G403", "G404", "G501", "G502", "G503", "G504",
+                       "G505", "G601",
                }
 
                It("csv formatted report should contain the CWE mapping", 
func() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/report/html/template.html 
new/gosec-2.12.0/report/html/template.html
--- old/gosec-2.11.0/report/html/template.html  2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/report/html/template.html  2022-06-13 19:48:12.000000000 
+0200
@@ -4,10 +4,10 @@
   <meta charset="utf-8">
   <title>Golang Security Checker</title>
   <link rel="shortcut icon" type="image/png" 
href="https://securego.io/img/favicon.png";>
-  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.9.3/css/bulma.min.css"; 
integrity="sha512-IgmDkwzs96t4SrChW29No3NXBIBv8baW490zk5aXvhCD8vuZM3yUSkbyTBcXohkySecyzIrUwiF/qV0cuPcL3Q=="
 crossorigin="anonymous"/>
-  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/highlight.min.js";
 
integrity="sha512-BNc7saQYlxCL10lykUYhFBcnzdKMnjx5fp5s5wPucDyZ7rKNwCoqJh1GwEAIhuePEK4WM9askJBRsu7ma0Rzvg=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.0/languages/go.min.js";
 
integrity="sha512-5FrrCMl+OdDp4V0/+Og+q950cGMbPLR0D9o3rE0d9e7VYfGkci4zIrwqTXQOvv5Oo4ZhMaZGwZHXH2uKxfe+iw=="
 crossorigin="anonymous"></script>
+  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.9.4/css/bulma.min.css"; 
integrity="sha512-HqxHUkJM0SYcbvxUw5P60SzdOTy/QVwA1JJrvaXJv4q7lmbDZCmZaqz01UPOaQveoxfYRv1tHozWGPMcuTBuvQ=="
 crossorigin="anonymous"/>
+  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/highlight.min.js";
 
integrity="sha512-yUUc0qWm2rhM7X0EFe82LNnv2moqArj5nro/w1bi05A09hRVeIZbN6jlMoyu0+4I/Bu4Ck/85JQIU82T82M28w=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/languages/go.min.js";
 
integrity="sha512-E39wu3ruoRgZiQ3GXdHGjdbHB3jyiq6zi6VCxT/31VnbIcKMiG0oIissj7E3XHPM8QM4CLHQzsCtiKwJXv99Og=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js"; 
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js"; 
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/6.26.0/babel.min.js";
 
integrity="sha512-kp7YHLxuJDJcOzStgd6vtpxr4ZU9kjn77e6dBsivSz+pUuAuMlE2UTdKB7jjsWT84qbS8kdCWHPETnP/ctrFsA=="
 crossorigin="anonymous"></script>
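Review bot: The highlight.js stylesheet line moves from 11.5.0 to 11.5.1 but keeps the identical `integrity="sha512-hasIneQUHlh06VN…"` value as the old line, while every other bumped asset in this hunk gets a new digest; that is only correct if default.min.css is byte-identical between the two releases, and if it is not the browser will refuse to load the stylesheet and the report renders unstyled. Please confirm the digest against the 11.5.1 file rather than carrying the old one forward. Unrelated but visible in the context lines: react 15.7.0 is paired with react-dom 15.6.1, which is worth aligning in a follow-up.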
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/directory-traversal.go 
new/gosec-2.12.0/rules/directory-traversal.go
--- old/gosec-2.11.0/rules/directory-traversal.go       2022-03-21 
16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/directory-traversal.go       2022-06-13 
19:48:12.000000000 +0200
@@ -43,7 +43,7 @@
 // NewDirectoryTraversal attempts to find the use of http.Dir("/")
 func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, 
[]ast.Node) {
        pattern := `http\.Dir\("\/"\)|http\.Dir\('\/'\)`
-       if val, ok := conf["G101"]; ok {
+       if val, ok := conf[id]; ok {
                conf := val.(map[string]interface{})
                if configPattern, ok := conf["pattern"]; ok {
                        if cfgPattern, ok := configPattern.(string); ok {
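Review bot: The new `conf[id]` lookup is still followed by the unchecked assertion `conf := val.(map[string]interface{})`, so a config entry of the wrong shape under the rule's ID (a string or a list instead of a map) panics the whole scan instead of falling back to the default pattern; the same pattern is in the hardcoded_credentials.go hunk. A checked form, `if cfg, ok := val.(map[string]interface{}); ok {`, keeps the default when the entry is malformed. The inner `conf` also shadows the `conf` parameter, which is easy to misread now that the lookup key is `id` rather than a literal. NewDirectoryTraversal continues outside the hunk.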
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/errors.go 
new/gosec-2.12.0/rules/errors.go
--- old/gosec-2.11.0/rules/errors.go    2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/errors.go    2022-06-13 19:48:12.000000000 +0200
@@ -89,7 +89,7 @@
        whitelist.Add("hash.Hash", "Write")
        whitelist.Add("os", "Unsetenv")
 
-       if configured, ok := conf["G104"]; ok {
+       if configured, ok := conf[id]; ok {
                if whitelisted, ok := configured.(map[string]interface{}); ok {
                        for pkg, funcs := range whitelisted {
                                if funcs, ok := funcs.([]interface{}); ok {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/fileperms.go 
new/gosec-2.12.0/rules/fileperms.go
--- old/gosec-2.11.0/rules/fileperms.go 2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/fileperms.go 2022-06-13 19:48:12.000000000 +0200
@@ -64,7 +64,7 @@
 
 // NewWritePerms creates a rule to detect file Writes with bad permissions.
 func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
-       mode := getConfiguredMode(conf, "G306", 0o600)
+       mode := getConfiguredMode(conf, id, 0o600)
        return &filePermissions{
                mode:  mode,
                pkgs:  []string{"io/ioutil", "os"},
@@ -81,7 +81,7 @@
 // NewFilePerms creates a rule to detect file creation with a more permissive 
than configured
 // permission mask.
 func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
-       mode := getConfiguredMode(conf, "G302", 0o600)
+       mode := getConfiguredMode(conf, id, 0o600)
        return &filePermissions{
                mode:  mode,
                pkgs:  []string{"os"},
@@ -98,7 +98,7 @@
 // NewMkdirPerms creates a rule to detect directory creation with more 
permissive than
 // configured permission mask.
 func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
-       mode := getConfiguredMode(conf, "G301", 0o750)
+       mode := getConfiguredMode(conf, id, 0o750)
        return &filePermissions{
                mode:  mode,
                pkgs:  []string{"os"},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/hardcoded_credentials.go 
new/gosec-2.12.0/rules/hardcoded_credentials.go
--- old/gosec-2.11.0/rules/hardcoded_credentials.go     2022-03-21 
16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/hardcoded_credentials.go     2022-06-13 
19:48:12.000000000 +0200
@@ -122,7 +122,7 @@
        perCharThreshold := 3.0
        ignoreEntropy := false
        truncateString := 16
-       if val, ok := conf["G101"]; ok {
+       if val, ok := conf[id]; ok {
                conf := val.(map[string]interface{})
                if configPattern, ok := conf["pattern"]; ok {
                        if cfgPattern, ok := configPattern.(string); ok {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/math_big_rat.go 
new/gosec-2.12.0/rules/math_big_rat.go
--- old/gosec-2.11.0/rules/math_big_rat.go      1970-01-01 01:00:00.000000000 
+0100
+++ new/gosec-2.12.0/rules/math_big_rat.go      2022-06-13 19:48:12.000000000 
+0200
@@ -0,0 +1,44 @@
+package rules
+
+import (
+       "go/ast"
+
+       "github.com/securego/gosec/v2"
+)
+
+type usingOldMathBig struct {
+       gosec.MetaData
+       calls gosec.CallList
+}
+
+func (r *usingOldMathBig) ID() string {
+       return r.MetaData.ID
+}
+
+func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi 
*gosec.Issue, err error) {
+       if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr 
== nil {
+               return nil, nil
+       }
+
+       confidence := gosec.Low
+       major, minor, build := gosec.GoVersion()
+       if major == 1 && (minor == 16 && build < 14 || minor == 17 && build < 
7) {
+               confidence = gosec.Medium
+       }
+
+       return gosec.NewIssue(ctx, node, r.ID(), r.What, r.Severity, 
confidence), nil
+}
+
+// NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
+func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
+       calls := gosec.NewCallList()
+       calls.Add("math/big.Rat", "SetString")
+       return &usingOldMathBig{
+               calls: calls,
+               MetaData: gosec.MetaData{
+                       ID:       id,
+                       What:     "Potential uncontrolled memory consumption in 
Rat.SetString (CVE-2022-23772)",
+                       Severity: gosec.High,
+               },
+       }, []ast.Node{(*ast.CallExpr)(nil)}
+}
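Review bot: The version gate in Match raises confidence only for 1.16.x below 14 and 1.17.x below 7, so a toolchain older than 1.16, which as far as the advisory for CVE-2022-23772 is worded never received the fix, stays at Low confidence although it appears to be affected; `if major == 1 && (minor < 16 || (minor == 16 && build < 14) || (minor == 17 && build < 7)) {` covers it and also makes the precedence explicit, which the current unparenthesised `&&`/`||` mix leaves to the reader. A comment above the gate, `// fixed in go1.16.14 and go1.17.7`, would tell the next maintainer where the numbers come from. The named results `gi` and `err` are never assigned and can be dropped to a plain `(*gosec.Issue, error)`.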
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/rulelist.go 
new/gosec-2.12.0/rules/rulelist.go
--- old/gosec-2.11.0/rules/rulelist.go  2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/rulelist.go  2022-06-13 19:48:12.000000000 +0200
@@ -74,6 +74,8 @@
                {"G109", "Converting strconv.Atoi result to int32/int16", 
NewIntegerOverflowCheck},
                {"G110", "Detect io.Copy instead of io.CopyN when 
decompression", NewDecompressionBombCheck},
                {"G111", "Detect http.Dir('/') as a potential risk", 
NewDirectoryTraversal},
+               {"G112", "Detect ReadHeaderTimeout not configured as a 
potential risk", NewSlowloris},
+               {"G113", "Usage of Rat.SetString in math/big with an overflow", 
NewUsingOldMathBig},
 
                // injection
                {"G201", "SQL query construction using format string", 
NewSQLStrFormat},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/rules_test.go 
new/gosec-2.12.0/rules/rules_test.go
--- old/gosec-2.11.0/rules/rules_test.go        2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/rules/rules_test.go        2022-06-13 19:48:12.000000000 
+0200
@@ -94,6 +94,14 @@
                        runner("G111", testutils.SampleCodeG111)
                })
 
+               It("should detect potential slowloris attack", func() {
+                       runner("G112", testutils.SampleCodeG112)
+               })
+
+               It("should detect potential uncontrolled memory consumption in 
Rat.SetString", func() {
+                       runner("G113", testutils.SampleCodeG113)
+               })
+
                It("should detect sql injection via format strings", func() {
                        runner("G201", testutils.SampleCodeG201)
                })
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/slowloris.go 
new/gosec-2.12.0/rules/slowloris.go
--- old/gosec-2.11.0/rules/slowloris.go 1970-01-01 01:00:00.000000000 +0100
+++ new/gosec-2.12.0/rules/slowloris.go 2022-06-13 19:48:12.000000000 +0200
@@ -0,0 +1,70 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+       "go/ast"
+
+       "github.com/securego/gosec/v2"
+)
+
+type slowloris struct {
+       gosec.MetaData
+}
+
+func (r *slowloris) ID() string {
+       return r.MetaData.ID
+}
+
+func containsReadHeaderTimeout(node *ast.CompositeLit) bool {
+       if node == nil {
+               return false
+       }
+       for _, elt := range node.Elts {
+               if kv, ok := elt.(*ast.KeyValueExpr); ok {
+                       if ident, ok := kv.Key.(*ast.Ident); ok {
+                               if ident.Name == "ReadHeaderTimeout" {
+                                       return true
+                               }
+                       }
+               }
+       }
+       return false
+}
+
+func (r *slowloris) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, 
error) {
+       switch node := n.(type) {
+       case *ast.CompositeLit:
+               actualType := ctx.Info.TypeOf(node.Type)
+               if actualType != nil && actualType.String() == 
"net/http.Server" {
+                       if !containsReadHeaderTimeout(node) {
+                               return gosec.NewIssue(ctx, node, r.ID(), 
r.What, r.Severity, r.Confidence), nil
+                       }
+               }
+       }
+       return nil, nil
+}
+
+// NewSlowloris attempts to find the http.Server struct and check if the 
ReadHeaderTimeout is configured.
+func NewSlowloris(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
+       return &slowloris{
+               MetaData: gosec.MetaData{
+                       ID:         id,
+                       What:       "Potential Slowloris Attack because 
ReadHeaderTimeout is not configured in the http.Server",
+                       Confidence: gosec.Low,
+                       Severity:   gosec.Medium,
+               },
+       }, []ast.Node{(*ast.CompositeLit)(nil)}
+}
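Review bot: Match reports any http.Server literal that lacks a `ReadHeaderTimeout` key, but net/http falls back to `ReadTimeout` when `ReadHeaderTimeout` is zero, so a server that sets only `ReadTimeout` is a false positive; `if ident.Name == "ReadHeaderTimeout" || ident.Name == "ReadTimeout" {` in containsReadHeaderTimeout would honour that fallback. The check also sees only the composite literal, so a timeout assigned afterwards (`srv.ReadHeaderTimeout = …`) still triggers, while a server that never appears as a literal is not examined at all; the NewSlowloris doc comment should state both limits so users can read the finding as "not configured in this literal". The unused `conf` parameter can be written as `_`, and the single-case type switch reads more simply as `node, ok := n.(*ast.CompositeLit)`.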
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/rules/templates.go 
new/gosec-2.12.0/rules/templates.go
--- old/gosec-2.11.0/rules/templates.go 2022-03-21 16:53:22.000000000 +0100
+++ new/gosec-2.12.0/rules/templates.go 2022-06-13 19:48:12.000000000 +0200
@@ -54,7 +54,7 @@
                        ID:         id,
                        Severity:   gosec.Medium,
                        Confidence: gosec.Low,
-                       What:       "this method will not auto-escape HTML. 
Verify data is well formed.",
+                       What:       "The used method does not auto-escape HTML. 
This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case 
the attacker controls the input.",
                },
        }, []ast.Node{(*ast.CallExpr)(nil)}
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.11.0/testutils/source.go 
new/gosec-2.12.0/testutils/source.go
--- old/gosec-2.11.0/testutils/source.go        2022-03-21 16:53:22.000000000 
+0100
+++ new/gosec-2.12.0/testutils/source.go        2022-06-13 19:48:12.000000000 
+0200
@@ -1005,6 +1005,73 @@
 }`}, 1, gosec.NewConfig()},
        }
 
+       // SampleCodeG112 - potential slowloris attack
+       SampleCodeG112 = []CodeSample{
+               {[]string{`
+               package main
+
+               import (
+                       "fmt"
+                       "net/http"
+               )
+               
+               func main() {
+                       http.HandleFunc("/", func(w http.ResponseWriter, r 
*http.Request) {
+                               fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
+                       })
+                       err := (&http.Server{
+                               Addr: ":1234",
+                       }).ListenAndServe()
+                       if err != nil {
+                               panic(err)
+                       }
+               }
+               `}, 1, gosec.NewConfig()},
+               {[]string{`
+               package main
+
+               import (
+                       "fmt"
+                       "time"
+                       "net/http"
+               )
+               
+               func main() {
+                       http.HandleFunc("/", func(w http.ResponseWriter, r 
*http.Request) {
+                               fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
+                       })
+                       server := &http.Server{
+                               Addr:              ":1234",
+                               ReadHeaderTimeout: 3 * time.Second,
+                       }
+                       err := server.ListenAndServe()
+                       if err != nil {
+                               panic(err)
+                       }
+               }
+               `}, 0, gosec.NewConfig()},
+       }
+
+       // SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
+       SampleCodeG113 = []CodeSample{
+               {[]string{
+                       `
+package main
+
+import (
+       "math/big"
+       "fmt"
+)
+
+func main() {
+       r := big.Rat{}
+       r.SetString("13e-9223372036854775808")
+
+       fmt.Println(r)
+}`,
+               }, 1, gosec.NewConfig()},
+       }
+
        // SampleCodeG201 - SQL injection via format string
        SampleCodeG201 = []CodeSample{
                {[]string{`
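Review bot: The two G112 samples exercise only the keyed-literal case, so the rule's behaviour on a Server that sets `ReadTimeout` without `ReadHeaderTimeout`, or that assigns the timeout after construction, is not pinned by any sample; adding one of each with the count the rule currently produces would document that behaviour and catch regressions when it changes. The single G113 sample is adequate for the call-list match it tests.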

++++++ vendor.tar.gz ++++++
++++ 10270 lines of diff (skipped)
