Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gosec for openSUSE:Factory checked in at 2023-02-07 18:48:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gosec (Old) and /work/SRC/openSUSE:Factory/.gosec.new.4462 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gosec" Tue Feb 7 18:48:54 2023 rev:8 rq:1063471 version:2.15.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gosec/gosec.changes 2022-12-20 20:21:34.730237243 +0100 +++ /work/SRC/openSUSE:Factory/.gosec.new.4462/gosec.changes 2023-02-07 18:49:01.943114679 +0100 
@@ -1,0 +2,35 @@ +Mon Feb 6 15:09:19 UTC 2023 - Felix Niederwanger <felix.niederwan...@suse.com> + +* Update to version 2.15.0 + +- Fix dependencies after renovate update +- chore(deps): update all dependencies (#922) +- Update to Go 1.20 and fix unit tests (#923) +- Update Go to latest version (#920) +- Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) +- Fix github latest URL (#918) +- Fix github release url (#916) +- chore(deps): update module github.com/onsi/ginkgo/v2 to v2.7.0 (#914) +- Update Go version in CI script (#913) +- Track back when a file path was sanitized with filepath.Clean (#912) +- Fix the TLS config rule when parsing the settings from a variable (#911) +- Fix build after updating the dependencies (#910) +- chore(deps): update all dependencies (#909) +- Fix dependencies after renovate update (#907) +- chore(deps): update all dependencies (#906) +- Update slack badge and link (#905) +- Auto-detect TLS MinVersion integer base (#903) +- Adding s390x support (#902) +- chore(deps): update all dependencies (#904) +- chore(deps): update all dependencies (#898) +- Additional types for bad defer check (#897) +- chore(deps): update all dependencies (#894) +- chore(deps): update all dependencies (#892) +- Update Go version in CI scripts (#889) +- chore(deps): update all dependencies (#888) +- Allow to override build date with SOURCE_DATE_EPOCH (#887) +- chore(deps): update all dependencies (#886) +- chore(deps): update all dependencies (#884) +- fileperms: bitwise permission comparison (#883) + +------------------------------------------------------------------- Old: ---- gosec-2.14.0.obscpio New: ---- gosec-2.15.0.obscpio gosec-2.15.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gosec.spec ++++++ --- /var/tmp/diff_new_pack.u2SjCk/_old 2023-02-07 18:49:02.723118871 +0100 +++ /var/tmp/diff_new_pack.u2SjCk/_new 2023-02-07 18:49:02.731118914 
+0100 @@ -17,7 +17,7 @@ Name: gosec -Version: 2.14.0 +Version: 2.15.0 Release: 0 Summary: Golang security checker License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.u2SjCk/_old 2023-02-07 18:49:02.775119151 +0100 +++ /var/tmp/diff_new_pack.u2SjCk/_new 2023-02-07 18:49:02.779119172 +0100 @@ -3,7 +3,7 @@ <param name="filename">gosec</param> <param name="url">https://github.com/securego/gosec.git</param> <param name="scm">git</param> - <param name="version">v2.14.0</param> + <param name="version">v2.15.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> ++++++ gosec-2.14.0.obscpio -> gosec-2.15.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/.github/workflows/ci.yml new/gosec-2.15.0/.github/workflows/ci.yml --- old/gosec-2.14.0/.github/workflows/ci.yml 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/.github/workflows/ci.yml 2023-02-06 14:39:25.000000000 +0100 @@ -10,17 +10,15 @@ test: strategy: matrix: - go_version: - - '1.18.8' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 - - '1.19.3' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 + version: [{go: '1.19.5', golangci: 'v1.50.1'}, {go: '1.20', golangci: 'latest'}] runs-on: ubuntu-latest env: GO111MODULE: on steps: - - name: Setup go ${{ matrix.go_version }} + - name: Setup go ${{ matrix.version.go }} uses: actions/setup-go@v3 with: - go-version: ${{ matrix.go_version }} + go-version: ${{ matrix.version.go }} - name: Checkout Source uses: actions/checkout@v3 - uses: actions/cache@v3 @@ -32,7 +30,7 @@ - name: lint uses: golangci/golangci-lint-action@v3 with: - version: latest + version: ${{ matrix.version.golangci }} - name: Run Tests run: make test coverage: 
@@ -44,7 +42,7 @@ - name: Setup go uses: actions/setup-go@v3 with: - go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 + go-version: '1.20' - name: Checkout Source uses: actions/checkout@v3 - uses: actions/cache@v3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/.github/workflows/release.yml new/gosec-2.15.0/.github/workflows/release.yml --- old/gosec-2.14.0/.github/workflows/release.yml 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/.github/workflows/release.yml 2023-02-06 14:39:25.000000000 +0100 @@ -17,11 +17,11 @@ - name: Set up Go uses: actions/setup-go@v3 with: - go-version: '1.19.3' + go-version: '1.20' - name: Install Cosign uses: sigstore/cosign-installer@v2 with: - cosign-release: 'v1.6.0' + cosign-release: 'v1.13.1' - name: Store Cosign private key in a file run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' shell: bash @@ -52,21 +52,21 @@ type=sha,format=long type=semver,pattern={{version}} - name: Release Binaries - uses: goreleaser/goreleaser-action@v3 + uses: goreleaser/goreleaser-action@v4 with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Release Docker Image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v4 with: platforms: linux/amd64,linux/arm/v7,linux/arm64 tags: ${{steps.meta.outputs.tags}} labels: ${{steps.meta.outputs.labels}} push: true - build-args: GO_VERSION=1.19 + build-args: GO_VERSION=1.20 - name: Sign Docker Image run: cosign sign -key /tmp/cosign.key ${TAGS} env: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/Makefile new/gosec-2.15.0/Makefile --- old/gosec-2.14.0/Makefile 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/Makefile 2023-02-06 14:39:25.000000000 +0100 
@@ -14,12 +14,11 @@ GO_NOMOD :=GO111MODULE=off go GOPATH ?= $(shell $(GO) env GOPATH) GOBIN ?= $(GOPATH)/bin -GOLINT ?= $(GOBIN)/golint GOSEC ?= $(GOBIN)/gosec GINKGO ?= $(GOBIN)/ginkgo GO_MINOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f2) GOVULN_MIN_VERSION = 17 -GO_VERSION = 1.19 +GO_VERSION = 1.20 default: $(MAKE) build @@ -34,7 +33,7 @@ go install golang.org/x/vuln/cmd/govulncheck@latest; \ fi -test: install-test-deps build fmt lint sec govulncheck +test: install-test-deps build fmt vet sec govulncheck $(GINKGO) -v --fail-fast fmt: @@ -42,10 +41,7 @@ @FORMATTED=`$(GO) fmt ./...` @([ ! -z "$(FORMATTED)" ] && printf "Fixed unformatted files:\n$(FORMATTED)") || true -lint: - @echo "LINTING: golint" - $(GO_NOMOD) get -u golang.org/x/lint/golint - $(GOLINT) -set_exit_status ./... +vet: @echo "VETTING" $(GO) vet ./... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/analyzer_test.go new/gosec-2.15.0/analyzer_test.go --- old/gosec-2.14.0/analyzer_test.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/analyzer_test.go 2023-02-06 14:39:25.000000000 +0100 @@ -4,6 +4,7 @@ "errors" "log" "os" + "regexp" "strings" . "github.com/onsi/ginkgo/v2" 
@@ -152,13 +153,19 @@ err = analyzer.Process(buildTags, pkg.Path) Expect(err).ShouldNot(HaveOccurred()) _, _, errors := analyzer.Report() - Expect(len(errors)).To(Equal(1)) + foundErr := false for _, ferr := range errors { Expect(len(ferr)).To(Equal(1)) + match, err := regexp.MatchString(ferr[0].Err, `expected declaration, found '}'`) + if !match || err != nil { + continue + } + foundErr = true Expect(ferr[0].Line).To(Equal(4)) Expect(ferr[0].Column).To(Equal(5)) Expect(ferr[0].Err).Should(MatchRegexp(`expected declaration, found '}'`)) } + Expect(foundErr).To(BeTrue()) }) It("should not report errors when a nosec line comment is present", func() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/cmd/tlsconfig/rule_template.go new/gosec-2.15.0/cmd/tlsconfig/rule_template.go --- old/gosec-2.14.0/cmd/tlsconfig/rule_template.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/cmd/tlsconfig/rule_template.go 2023-02-06 14:39:25.000000000 +0100 @@ -15,6 +15,6 @@ {{range $cipherName := .Ciphers }} "{{$cipherName}}", {{end}} }, - }, []ast.Node{(*ast.CompositeLit)(nil)} + }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } `)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/go.mod new/gosec-2.15.0/go.mod --- old/gosec-2.14.0/go.mod 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/go.mod 2023-02-06 14:39:25.000000000 +0100 
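Review bot: The arguments of `regexp.MatchString(ferr[0].Err, `expected declaration, found '}'`)` are reversed: the signature is MatchString(pattern, s), so the parser's error text is compiled as the pattern and the literal is the subject, and the test only passes because this particular message happens to contain no metacharacter that changes its meaning. Swap them, `match, err := regexp.MatchString(`expected declaration, found '}'`, ferr[0].Err)`, or keep using gomega's MatchRegexp as the assertion a few lines below already does. The `err` introduced with `:=` inside the loop also shadows the outer `err` checked just above; a distinct name such as `merr` avoids that confusion. The enclosing It closure starts outside the hunk.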
@@ -6,13 +6,13 @@ github.com/lib/pq v1.10.7 github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 - github.com/onsi/ginkgo/v2 v2.6.0 - github.com/onsi/gomega v1.24.1 - golang.org/x/crypto v0.4.0 + github.com/onsi/ginkgo/v2 v2.8.0 + github.com/onsi/gomega v1.26.0 + golang.org/x/crypto v0.5.0 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 - golang.org/x/text v0.5.0 - golang.org/x/tools v0.4.0 - gopkg.in/yaml.v2 v2.4.0 + golang.org/x/text v0.6.0 + golang.org/x/tools v0.5.0 + gopkg.in/yaml.v3 v3.0.1 ) require ( @@ -20,9 +20,8 @@ github.com/google/go-cmp v0.5.9 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect golang.org/x/mod v0.7.0 // indirect - golang.org/x/net v0.3.0 // indirect - golang.org/x/sys v0.3.0 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect + golang.org/x/net v0.5.0 // indirect + golang.org/x/sys v0.4.0 // indirect ) go 1.19 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/go.sum new/gosec-2.15.0/go.sum --- old/gosec-2.14.0/go.sum 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/go.sum 2023-02-06 14:39:25.000000000 +0100 
@@ -258,11 +258,11 @@ github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc= -github.com/onsi/ginkgo/v2 v2.6.0/go.mod h1:63DOGlLAH8+REH8jUGdL3YpCpu7JODesutUjdENfUAc= +github.com/onsi/ginkgo/v2 v2.8.0 h1:pAM+oBNPrpXRs+E/8spkeGx9QgekbRVyr74EUvRVOUI= +github.com/onsi/ginkgo/v2 v2.8.0/go.mod h1:6JsQiECmxCa3V5st74AL/AmsV482EDdVrGaVW6z3oYU= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= -github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= +github.com/onsi/gomega v1.26.0 h1:03cDLK28U6hWvCAns6NeydX3zIm4SF3ci69ulidS32Q= +github.com/onsi/gomega v1.26.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= 
@@ -364,8 +364,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= -golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= +golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= +golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -433,8 +433,8 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.3.0 h1:VWL6FNY2bEEmsGVKabSlHu5Irp34xmMRoqb/9lF9lxk= -golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw= +golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -491,17 +491,17 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= -golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18= +golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= -golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= +golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k= +golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -553,8 +553,8 @@ golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= -golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4= +golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -658,7 +658,6 @@ gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/install.sh new/gosec-2.15.0/install.sh --- old/gosec-2.14.0/install.sh 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/install.sh 2023-02-06 14:39:25.000000000 +0100 
@@ -280,11 +280,13 @@ github_release() { owner_repo=$1 version=$2 - test -z "$version" && version="latest" - giturl="https://github.com/${owner_repo}/releases/${version}" + giturl="https://api.github.com/repos/${owner_repo}/releases/tags/${version}" + if [ -z "${version}" ]; then + giturl="https://api.github.com/repos/${owner_repo}/releases/latest" + fi json=$(http_copy "$giturl" "Accept:application/json") test -z "$json" && return 1 - version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//') + version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name": *"//' | sed 's/".*//') test -z "$version" && return 1 echo "$version" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/report/formatter_test.go new/gosec-2.15.0/report/formatter_test.go --- old/gosec-2.14.0/report/formatter_test.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/report/formatter_test.go 2023-02-06 14:39:25.000000000 +0100 @@ -12,7 +12,7 @@ "github.com/securego/gosec/v2/cwe" "github.com/securego/gosec/v2/report/junit" "github.com/securego/gosec/v2/report/sonar" - "gopkg.in/yaml.v2" + "gopkg.in/yaml.v3" ) func createIssueWithFileWhat(file, what string) *gosec.Issue { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/report/html/template.html new/gosec-2.15.0/report/html/template.html --- old/gosec-2.14.0/report/html/template.html 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/report/html/template.html 2023-02-06 14:39:25.000000000 +0100 
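Review bot: When the API answers with a JSON body that has no `tag_name` (api.github.com reports not-found and rate-limit conditions as a JSON object with a `message` field), the first sed leaves the text untouched and the second strips everything from the first quote onward, so `version` becomes `{` and github_release returns garbage instead of failing. Guard before parsing, e.g. `echo "$json" | grep -q '"tag_name"' || return 1`. Since the unauthenticated api.github.com endpoint is rate-limited, it may also be worth forwarding an authorization header through http_copy when a token is available; whether http_copy accepts additional headers is not visible in this hunk.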
@@ -10,7 +10,7 @@ <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/languages/go.min.js" integrity="sha512-AzBQVo6m0++RbnY/eU9VbedSeokh6wzxEOTc6XGGjcxdFeKxT43bFyo5sHYEIZe8sf5VfiewyNtwOrhu/Mo55g==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js" integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js" integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw==" crossorigin="anonymous"></script> - <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.20.6/babel.min.js" integrity="sha512-hBXPfNiOYaPUeKTCOcEXWa1pe3l2Yz7nEolIA7lXkvwu+wgEU6OIJFz1+h3NAiaF1qmWu8dTPmXBY0A0qQTaGw==" crossorigin="anonymous"></script> + <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.20.15/babel.min.js" integrity="sha512-Oy8gM3nNZgwbgd81x/VCtGpolDzgHK2Hpbn9nq4YhzDvxI4/ipCnoUeSHozXvTjOkzuZ1qqlUYjroqmclLhknA==" crossorigin="anonymous"></script> <style> .field-label { min-width: 80px; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/report/html/writer.go new/gosec-2.15.0/report/html/writer.go --- old/gosec-2.14.0/report/html/writer.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/report/html/writer.go 2023-02-06 14:39:25.000000000 +0100 
@@ -1,7 +1,6 @@ package html import ( - // use go embed to import template _ "embed" "html/template" "io" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/report/yaml/writer.go new/gosec-2.15.0/report/yaml/writer.go --- old/gosec-2.14.0/report/yaml/writer.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/report/yaml/writer.go 2023-02-06 14:39:25.000000000 +0100 @@ -4,7 +4,7 @@ "io" "github.com/securego/gosec/v2" - "gopkg.in/yaml.v2" + "gopkg.in/yaml.v3" ) // WriteReport write a report in yaml format to the output writer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/rules/hardcoded_credentials.go new/gosec-2.15.0/rules/hardcoded_credentials.go --- old/gosec-2.14.0/rules/hardcoded_credentials.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/rules/hardcoded_credentials.go 2023-02-06 14:39:25.000000000 +0100 
@@ -101,12 +101,19 @@ func (r *credentials) matchEqualityCheck(binaryExpr *ast.BinaryExpr, ctx *gosec.Context) (*gosec.Issue, error) { if binaryExpr.Op == token.EQL || binaryExpr.Op == token.NEQ { - if ident, ok := binaryExpr.X.(*ast.Ident); ok { - if r.pattern.MatchString(ident.Name) { - if val, err := gosec.GetString(binaryExpr.Y); err == nil { - if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) { - return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil - } + ident, ok := binaryExpr.X.(*ast.Ident) + if !ok { + ident, _ = binaryExpr.Y.(*ast.Ident) + } + + if ident != nil && r.pattern.MatchString(ident.Name) { + valueNode := binaryExpr.Y + if !ok { + valueNode = binaryExpr.X + } + if val, err := gosec.GetString(valueNode); err == nil { + if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) { + return gosec.NewIssue(ctx, binaryExpr, r.ID(), r.What, r.Severity, r.Confidence), nil } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/rules/readfile.go new/gosec-2.15.0/rules/readfile.go --- old/gosec-2.14.0/rules/readfile.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/rules/readfile.go 2023-02-06 14:39:25.000000000 +0100 @@ -24,8 +24,9 @@ type readfile struct { gosec.MetaData gosec.CallList - pathJoin gosec.CallList - clean gosec.CallList + pathJoin gosec.CallList + clean gosec.CallList + cleanedVar map[any]ast.Node } // ID returns the identifier for this rule @@ -57,8 +58,11 @@ return false } -// isFilepathClean checks if there is a filepath.Clean before assigning to a variable +// isFilepathClean checks if there is a filepath.Clean for given variable func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool { + if _, ok := r.cleanedVar[n.Obj.Decl]; ok { + return true + } if n.Obj.Kind != ast.Var { return false } 
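Review bot: The condition kept at `if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val))` is redundant — the inner `!r.ignoreEntropy` is always true when it is evaluated — and reads more clearly as `if r.ignoreEntropy || r.isHighEntropyString(val) {`. The side swap itself looks correct: `ok` records whether X was the identifier and valueNode takes the opposite side. A short comment on `ident, _ = binaryExpr.Y.(*ast.Ident)` such as `// credential identifier may be on the right-hand side, e.g. "..." == password` would explain why `ok` is reused further down. The closing braces of matchEqualityCheck lie outside the hunk.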
@@ -72,9 +76,21 @@ return false } +// trackFilepathClean tracks back the declaration of variable from filepath.Clean argument +func (r *readfile) trackFilepathClean(n ast.Node) { + if clean, ok := n.(*ast.CallExpr); ok && len(clean.Args) > 0 { + if ident, ok := clean.Args[0].(*ast.Ident); ok { + r.cleanedVar[ident.Obj.Decl] = n + } + } +} + // Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile` func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) { - if node := r.ContainsPkgCallExpr(n, c, false); node != nil { + if node := r.clean.ContainsPkgCallExpr(n, c, false); node != nil { + r.trackFilepathClean(n) + return nil, nil + } else if node := r.ContainsPkgCallExpr(n, c, false); node != nil { for _, arg := range node.Args { // handles path joining functions in Arg // eg. os.Open(filepath.Join("/tmp/", file)) @@ -116,6 +132,7 @@ Severity: gosec.Medium, Confidence: gosec.High, }, + cleanedVar: map[any]ast.Node{}, } rule.pathJoin.Add("path/filepath", "Join") rule.pathJoin.Add("path", "Join") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/rules/tls.go new/gosec-2.15.0/rules/tls.go --- old/gosec-2.14.0/rules/tls.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/rules/tls.go 2023-02-06 14:39:25.000000000 +0100 
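Review bot: `r.cleanedVar[ident.Obj.Decl] = n` in trackFilepathClean dereferences `ident.Obj` without a nil check; go/parser leaves Obj nil for identifiers it cannot resolve within the file (a package-level variable declared in another file, for instance), so `filepath.Clean(thatVar)` would panic the whole scan. Guard it with `if ident, ok := clean.Args[0].(*ast.Ident); ok && ident.Obj != nil {`. Two smaller points: the map is keyed by the declaration, so a variable that is cleaned and later reassigned before the os.Open call still counts as sanitized in isFilepathClean — worth a comment or a fixture — and nothing in the hunk ever clears cleanedVar, so it grows for the lifetime of the rule across all files scanned.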
@@ -63,31 +63,51 @@ return nil } -func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Context) *gosec.Issue { - if ident, ok := n.Key.(*ast.Ident); ok { +func (t *insecureConfigTLS) processTLSConf(n ast.Node, c *gosec.Context) *gosec.Issue { + if kve, ok := n.(*ast.KeyValueExpr); ok { + issue := t.processTLSConfVal(kve.Key, kve.Value, c) + if issue != nil { + return issue + } + } else if assign, ok := n.(*ast.AssignStmt); ok { + if len(assign.Lhs) < 1 || len(assign.Rhs) < 1 { + return nil + } + if selector, ok := assign.Lhs[0].(*ast.SelectorExpr); ok { + issue := t.processTLSConfVal(selector.Sel, assign.Rhs[0], c) + if issue != nil { + return issue + } + } + } + return nil +} + +func (t *insecureConfigTLS) processTLSConfVal(key ast.Expr, value ast.Expr, c *gosec.Context) *gosec.Issue { + if ident, ok := key.(*ast.Ident); ok { switch ident.Name { case "InsecureSkipVerify": - if node, ok := n.Value.(*ast.Ident); ok { + if node, ok := value.(*ast.Ident); ok { if node.Name != "false" { - return gosec.NewIssue(c, n, t.ID(), "TLS InsecureSkipVerify set true.", gosec.High, gosec.High) + return gosec.NewIssue(c, value, t.ID(), "TLS InsecureSkipVerify set true.", gosec.High, gosec.High) } } else { // TODO(tk): symbol tab look up to get the actual value - return gosec.NewIssue(c, n, t.ID(), "TLS InsecureSkipVerify may be true.", gosec.High, gosec.Low) + return gosec.NewIssue(c, value, t.ID(), "TLS InsecureSkipVerify may be true.", gosec.High, gosec.Low) } case "PreferServerCipherSuites": - if node, ok := n.Value.(*ast.Ident); ok { + if node, ok := value.(*ast.Ident); ok { if node.Name == "false" { - return gosec.NewIssue(c, n, t.ID(), "TLS PreferServerCipherSuites set false.", gosec.Medium, gosec.High) + return gosec.NewIssue(c, value, t.ID(), "TLS PreferServerCipherSuites set false.", gosec.Medium, gosec.High) } } else { // TODO(tk): symbol tab look up to get the actual value - return gosec.NewIssue(c, n, t.ID(), "TLS PreferServerCipherSuites may be 
false.", gosec.Medium, gosec.Low) + return gosec.NewIssue(c, value, t.ID(), "TLS PreferServerCipherSuites may be false.", gosec.Medium, gosec.Low) } case "MinVersion": - if d, ok := n.Value.(*ast.Ident); ok { + if d, ok := value.(*ast.Ident); ok { obj := d.Obj if obj == nil { for _, f := range c.PkgFiles { @@ -118,10 +138,10 @@ t.actualMinVersion = ival } } - } else if ival, ierr := gosec.GetInt(n.Value); ierr == nil { + } else if ival, ierr := gosec.GetInt(value); ierr == nil { t.actualMinVersion = ival } else { - if se, ok := n.Value.(*ast.SelectorExpr); ok { + if se, ok := value.(*ast.SelectorExpr); ok { if pkg, ok := se.X.(*ast.Ident); ok { if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" { t.actualMinVersion = t.mapVersion(se.Sel.Name) @@ -131,10 +151,10 @@ } case "MaxVersion": - if ival, ierr := gosec.GetInt(n.Value); ierr == nil { + if ival, ierr := gosec.GetInt(value); ierr == nil { t.actualMaxVersion = ival } else { - if se, ok := n.Value.(*ast.SelectorExpr); ok { + if se, ok := value.(*ast.SelectorExpr); ok { if pkg, ok := se.X.(*ast.Ident); ok { if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" { t.actualMaxVersion = t.mapVersion(se.Sel.Name) @@ -144,7 +164,7 @@ } case "CipherSuites": - if ret := t.processTLSCipherSuites(n.Value, c); ret != nil { + if ret := t.processTLSCipherSuites(value, c); ret != nil { return ret } 
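Review bot: processTLSConf's assignment branch inspects only `assign.Lhs[0]` and `assign.Rhs[0]`, so a tuple assignment such as `cfg.MinVersion, cfg.InsecureSkipVerify = v, true` is checked for its first pair only. Iterating the pairs when the two sides have equal length closes that gap; an assignment whose right side is a single multi-value call has no per-field value to inspect and can still be skipped. The new function would also benefit from a doc comment, e.g. `// processTLSConf checks a tls.Config field set either as a composite-literal key/value or as a field assignment.`.
```go
} else if assign, ok := n.(*ast.AssignStmt); ok {
	// Check every lhs/rhs pair; a multi-value call on the right has no
	// per-field value to inspect, so it is skipped.
	if len(assign.Lhs) != len(assign.Rhs) {
		return nil
	}
	for i, lhs := range assign.Lhs {
		if selector, ok := lhs.(*ast.SelectorExpr); ok {
			if issue := t.processTLSConfVal(selector.Sel, assign.Rhs[i], c); issue != nil {
				return issue
			}
		}
	}
}
// … unchanged: final return nil and processTLSConfVal …
```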
@@ -192,17 +212,27 @@ actualType := c.Info.TypeOf(complit.Type) if actualType != nil && actualType.String() == t.requiredType { for _, elt := range complit.Elts { - if kve, ok := elt.(*ast.KeyValueExpr); ok { - issue := t.processTLSConfVal(kve, c) - if issue != nil { - return issue, nil - } + issue := t.processTLSConf(elt, c) + if issue != nil { + return issue, nil } } issue := t.checkVersion(complit, c) t.resetVersion() return issue, nil } + } else { + if assign, ok := n.(*ast.AssignStmt); ok && len(assign.Lhs) > 0 { + if selector, ok := assign.Lhs[0].(*ast.SelectorExpr); ok { + actualType := c.Info.TypeOf(selector.X) + if actualType != nil && actualType.String() == t.requiredType { + issue := t.processTLSConf(assign, c) + if issue != nil { + return issue, nil + } + } + } + } } return nil, nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/rules/tls_config.go new/gosec-2.15.0/rules/tls_config.go --- old/gosec-2.14.0/rules/tls_config.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/rules/tls_config.go 2023-02-06 14:39:25.000000000 +0100 @@ -19,7 +19,7 @@ "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", }, - }, []ast.Node{(*ast.CompositeLit)(nil)} + }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } // NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers @@ -45,7 +45,7 @@ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", }, - }, []ast.Node{(*ast.CompositeLit)(nil)} + }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } // NewOldTLSCheck creates a check for Old TLS ciphers 
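Review bot: The new assignment branch calls processTLSConf but never `t.checkVersion` or `t.resetVersion`, which the composite-literal branch above runs after processing its elements. A field assignment such as `conf.MinVersion = tls.VersionTLS10` therefore updates `t.actualMinVersion` (set in processTLSConfVal's MinVersion case) without ever being judged, and the value persists into the next composite literal the rule visits, where checkVersion may attribute it to an unrelated config; at minimum call `t.resetVersion()` after processing the assignment so state cannot leak, and note in a comment that judging a MinVersion set by assignment needs more than this per-node state. Separately, `c.Info.TypeOf(selector.X)` is compared with `t.requiredType` as a string; if requiredType names the non-pointer type, assignments through a `*tls.Config` (the `cfg := &tls.Config{}` shape) would not match — worth confirming against how requiredType is set, since the added fixture only uses `var conf tls.Config`.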
@@ -88,5 +88,5 @@ "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", }, - }, []ast.Node{(*ast.CompositeLit)(nil)} + }, []ast.Node{(*ast.CompositeLit)(nil), (*ast.AssignStmt)(nil)} } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.14.0/testutils/source.go new/gosec-2.15.0/testutils/source.go --- old/gosec-2.14.0/testutils/source.go 2022-12-12 12:20:22.000000000 +0100 +++ new/gosec-2.15.0/testutils/source.go 2023-02-06 14:39:25.000000000 +0100 @@ -115,6 +115,17 @@ func main() { var password string + if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" == password { + fmt.Println("password equality") + } +}`}, 1, gosec.NewConfig()}, + {[]string{` +package main + +import "fmt" + +func main() { + var password string if password != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") } @@ -125,6 +136,17 @@ import "fmt" func main() { + var password string + if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != password { + fmt.Println("password equality") + } +}`}, 1, gosec.NewConfig()}, + {[]string{` +package main + +import "fmt" + +func main() { var p string if p != "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" { fmt.Println("password equality") @@ -135,6 +157,17 @@ import "fmt" +func main() { + var p string + if "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" != p { + fmt.Println("password equality") + } +}`}, 0, gosec.NewConfig()}, + {[]string{` +package main + +import "fmt" + const ( pw = "KjasdlkjapoIKLlka98098sdf012U/rL2sLdBqOHQUlt5Z6kCgKGDyCFA==" ) 
@@ -2463,6 +2496,28 @@ "path/filepath" ) +func openFile(dir string, filePath string) { + fp := filepath.Join(dir, filePath) + fp = filepath.Clean(fp) + _, err := os.OpenFile(fp, os.O_RDONLY, 0600) + if err != nil { + panic(err) + } +} + +func main() { + repoFile := "path_of_file" + dir := "path_of_dir" + openFile(dir, repoFile) +} +`}, 0, gosec.NewConfig()}, {[]string{` +package main + +import ( + "os" + "path/filepath" +) + func main() { repoFile := "path_of_file" relFile, err := filepath.Rel("./", repoFile) @@ -2860,6 +2915,18 @@ fmt.Println(err) } }`}, 1, gosec.NewConfig()}, + {[]string{` +// InsecureSkipVerify from variable +package main + +import ( + "crypto/tls" +) + +func main() { + var conf tls.Config + conf.InsecureSkipVerify = true +}`}, 1, gosec.NewConfig()}, {[]string{ ` // Insecure minimum version ++++++ gosec.obsinfo ++++++ --- /var/tmp/diff_new_pack.u2SjCk/_old 2023-02-07 18:49:02.995120333 +0100 +++ /var/tmp/diff_new_pack.u2SjCk/_new 2023-02-07 18:49:02.999120355 +0100 @@ -1,5 +1,5 @@ name: gosec -version: 2.14.0 -mtime: 1670844022 -commit: f9a8bf0152af9f9bda93de373ddb3762f0d12f14 +version: 2.15.0 +mtime: 1675690765 +commit: 2d6b0a5b0f61dd6eb5e34b8b2d38c267fa06ae62 ++++++ vendor.tar.gz ++++++ ++++ 25171 lines of diff (skipped)
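Review bot: The new readfile fixture only covers the case where the cleaned variable is never touched again; because isFilepathClean keys on the variable's declaration, a sibling fixture with `fp = filepath.Clean(fp)` followed by `fp = filepath.Join(dir, filePath)` and then the `os.OpenFile(fp, ...)` call would document whether a re-assignment after Clean is still treated as sanitized. Likewise the new TLS fixture sets the field on a value-typed `var conf tls.Config`; a second case using `conf := &tls.Config{}` would pin the pointer-receiver behaviour either way.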