rules

package
v0.0.0-...-d055baf Latest Latest
Published: Jun 29, 2021 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewArchive

func NewArchive(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewArchive creates a new rule which detects file path traversal when extracting zip/tar archives.

func NewBadTempFile

func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBadTempFile detects direct writes to a predictable path in the temporary directory.

func NewBindsToAllNetworkInterfaces

func NewBindsToAllNetworkInterfaces(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBindsToAllNetworkInterfaces detects socket connections that are set up to listen on all network interfaces.

func NewBlocklistedImportCGI

func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportCGI fails if CGI is imported

func NewBlocklistedImportDES

func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportDES fails if DES is imported

func NewBlocklistedImportMD5

func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportMD5 fails if MD5 is imported

func NewBlocklistedImportRC4

func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportRC4 fails if RC4 is imported

func NewBlocklistedImportSHA1

func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportSHA1 fails if SHA1 is imported

func NewBlocklistedImports

func NewBlocklistedImports(id string, conf gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node)

NewBlocklistedImports reports when a blocklisted import is being used, typically a deprecated technology.

func NewDecompressionBombCheck

func NewDecompressionBombCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDecompressionBombCheck detects a potential denial-of-service (DoS) vulnerability via a decompression bomb.

func NewDeferredClosing

func NewDeferredClosing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDeferredClosing detects unsafe deferred calls to error-returning methods.

func NewFilePerms

func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewFilePerms creates a rule to detect file creation with a permission mask more permissive than the configured one.

func NewHardcodedCredentials

func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewHardcodedCredentials attempts to find high entropy string constants being assigned to variables that appear to be related to credentials.

func NewImplicitAliasing

func NewImplicitAliasing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewImplicitAliasing detects implicit memory aliasing of the form: for blah := SomeCall() {... SomeOtherCall(&blah) ...}

func NewIntegerOverflowCheck

func NewIntegerOverflowCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewIntegerOverflowCheck detects potential integer overflow.

func NewIntermediateTLSCheck

func NewIntermediateTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewMkdirPerms

func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewMkdirPerms creates a rule to detect directory creation with a permission mask more permissive than the configured one.

func NewModernTLSCheck

func NewModernTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewModernTLSCheck creates a check for Modern TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewNoErrorCheck

func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewNoErrorCheck detects when a returned error is left unchecked.

func NewOldTLSCheck

func NewOldTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewOldTLSCheck creates a check for Old TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewPprofCheck

func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewPprofCheck detects when the profiling endpoint is automatically exposed

func NewReadFile

func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewReadFile detects cases where we read files

func NewSQLStrConcat

func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrConcat looks for cases where we are building SQL strings via concatenation

func NewSQLStrFormat

func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrFormat looks for cases where we're building SQL query strings using format strings

func NewSSHHostKey

func NewSSHHostKey(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSSHHostKey rule detects the use of an insecure SSH HostKeyCallback.

func NewSSRFCheck

func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSSRFCheck detects cases where HTTP requests are sent

func NewSubproc

func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSubproc detects cases where we are forking out to an external process

func NewTemplateCheck

func NewTemplateCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewTemplateCheck constructs the template check rule. This rule finds uses of templates where HTML/JS escaping is not applied.

func NewUsesWeakCryptography

func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewUsesWeakCryptography detects uses of des.*, md5.*, or rc4.*

func NewUsingUnsafe

func NewUsingUnsafe(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewUsingUnsafe rule detects the use of the unsafe package. This is only really useful for auditing purposes.

func NewWeakKeyStrength

func NewWeakKeyStrength(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits

func NewWeakRandCheck

func NewWeakRandCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWeakRandCheck detects the use of a random number generator that is not cryptographically secure.

func NewWritePerms

func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWritePerms creates a rule to detect file writes with bad permissions.

Types

type DynamicRule

type DynamicRule struct {
	// contains filtered or unexported fields
}

func (*DynamicRule) ID

func (d *DynamicRule) ID() string

func (*DynamicRule) Init

func (d *DynamicRule) Init(id string, match func(ast.Node, *gosec.Context) (*gosec.Issue, error))

func (*DynamicRule) Match

func (d *DynamicRule) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)

type RuleDefinition

type RuleDefinition struct {
	// ID is the rule identifier; it is also the key under which the rule is stored in a RuleList.
	ID string
	// Description is a human-readable summary of what the rule detects.
	Description string
	// Create is the builder used to instantiate the rule.
	Create gosec.RuleBuilder
}

RuleDefinition contains the description of a rule and a mechanism to create it.

type RuleFilter

type RuleFilter func(string) bool

RuleFilter can be used to include or exclude a rule depending on the function's return value.

func NewRuleFilter

func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter

NewRuleFilter returns a closure that includes or excludes the given rule IDs based on the supplied boolean value.

type RuleList

type RuleList map[string]RuleDefinition

RuleList is a mapping of rule IDs to rule definitions.

func Generate

func Generate(filters ...RuleFilter) RuleList

func (RuleList) Builders

func (rl RuleList) Builders() map[string]gosec.RuleBuilder

Builders returns the Create builders of every rule in the given rule list.
