Documentation ¶
Index ¶
- func NewArchive(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBindsToAllNetworkInterfaces(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewBlocklistedImports(id string, conf gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node)
- func NewDecompressionBombCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewDeferredClosing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewHTTPServeWithoutTimeouts(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewImplicitAliasing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewIntegerOverflowCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewIntermediateTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewModernTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewOldTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSSHHostKey(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSlowloris(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewTemplateCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node)
- func NewUsingUnsafe(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewWeakKeyStrength(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewWeakRandCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)
- type RuleDefinition
- type RuleFilter
- type RuleList
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewArchive ¶
NewArchive creates a new rule which detects the file traversal when extracting zip/tar archives
func NewBadTempFile ¶
NewBadTempFile detects direct writes to predictable path in temporary directory
func NewBindsToAllNetworkInterfaces ¶
NewBindsToAllNetworkInterfaces detects socket connections that are setup to listen on all network interfaces.
func NewBlocklistedImportCGI ¶
NewBlocklistedImportCGI fails if CGI is imported
func NewBlocklistedImportDES ¶
NewBlocklistedImportDES fails if DES is imported
func NewBlocklistedImportMD5 ¶
NewBlocklistedImportMD5 fails if MD5 is imported
func NewBlocklistedImportRC4 ¶
NewBlocklistedImportRC4 fails if DES is imported
func NewBlocklistedImportSHA1 ¶
NewBlocklistedImportSHA1 fails if SHA1 is imported
func NewBlocklistedImports ¶
func NewBlocklistedImports(id string, conf gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node)
NewBlocklistedImports reports when a blocklisted import is being used. Typically when a deprecated technology is being used.
func NewDecompressionBombCheck ¶
NewDecompressionBombCheck detects if there is potential DoS vulnerability via decompression bomb
func NewDeferredClosing ¶
NewDeferredClosing detects unsafe defer of error returning methods
func NewDirectoryTraversal ¶
NewDirectoryTraversal attempts to find the use of http.Dir("/")
func NewFilePerms ¶
NewFilePerms creates a rule to detect file creation with a more permissive than configured permission mask.
func NewHTTPServeWithoutTimeouts ¶
NewHTTPServeWithoutTimeouts detects use of net/http serve functions that have no support for setting timeouts.
func NewHardcodedCredentials ¶
NewHardcodedCredentials attempts to find high entropy string constants being assigned to variables that appear to be related to credentials.
func NewImplicitAliasing ¶
NewImplicitAliasing detects implicit memory aliasing of type: for blah := SomeCall() {... SomeOtherCall(&blah) ...}
func NewIntegerOverflowCheck ¶
NewIntegerOverflowCheck detects if there is potential Integer OverFlow
func NewIntermediateTLSCheck ¶
NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers DO NOT EDIT - generated by tlsconfig tool
func NewMkdirPerms ¶
NewMkdirPerms creates a rule to detect directory creation with more permissive than configured permission mask.
func NewModernTLSCheck ¶
NewModernTLSCheck creates a check for Modern TLS ciphers DO NOT EDIT - generated by tlsconfig tool
func NewNoErrorCheck ¶
NewNoErrorCheck detects if the returned error is unchecked
func NewOldTLSCheck ¶
NewOldTLSCheck creates a check for Old TLS ciphers DO NOT EDIT - generated by tlsconfig tool
func NewPprofCheck ¶
NewPprofCheck detects when the profiling endpoint is automatically exposed
func NewReadFile ¶
NewReadFile detects cases where we read files
func NewSQLStrConcat ¶
NewSQLStrConcat looks for cases where we are building SQL strings via concatenation
func NewSQLStrFormat ¶
NewSQLStrFormat looks for cases where we're building SQL query strings using format strings
func NewSSHHostKey ¶
NewSSHHostKey rule detects the use of insecure ssh HostKeyCallback.
func NewSSRFCheck ¶
NewSSRFCheck detects cases where HTTP requests are sent
func NewSlowloris ¶
NewSlowloris attempts to find the http.Server struct and check if the ReadHeaderTimeout is configured.
func NewSubproc ¶
NewSubproc detects cases where we are forking out to an external process
func NewTemplateCheck ¶
NewTemplateCheck constructs the template check rule. This rule is used to find use of templates where HTML/JS escaping is not being used
func NewUsesWeakCryptography ¶
NewUsesWeakCryptography detects uses of des.* md5.* or rc4.*
func NewUsingOldMathBig ¶
NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
func NewUsingUnsafe ¶
NewUsingUnsafe rule detects the use of the unsafe package. This is only really useful for auditing purposes.
func NewWeakKeyStrength ¶
NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits
func NewWeakRandCheck ¶
NewWeakRandCheck detects the use of random number generator that isn't cryptographically secure
func NewWritePerms ¶
NewWritePerms creates a rule to detect file Writes with bad permissions.
Types ¶
type RuleDefinition ¶
RuleDefinition contains the description of a rule and a mechanism to create it.
type RuleFilter ¶
RuleFilter can be used to include or exclude a rule depending on the return value of the function
func NewRuleFilter ¶
func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter
NewRuleFilter is a closure that will include/exclude the rule ID's based on the supplied boolean value.
type RuleList ¶
type RuleList struct { Rules map[string]RuleDefinition RuleSuppressed map[string]bool }
RuleList contains a mapping of rule ID's to rule definitions and a mapping of rule ID's to whether rules are suppressed.
func Generate ¶
func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList
Generate the list of rules to use
Source Files ¶
- archive.go
- bad_defer.go
- bind.go
- blocklist.go
- decompression-bomb.go
- directory-traversal.go
- errors.go
- fileperms.go
- hardcoded_credentials.go
- http_serve.go
- implicit_aliasing.go
- integer_overflow.go
- math_big_rat.go
- pprof.go
- rand.go
- readfile.go
- rsa.go
- rulelist.go
- slowloris.go
- sql.go
- ssh.go
- ssrf.go
- subproc.go
- tempfiles.go
- templates.go
- tls.go
- tls_config.go
- unsafe.go
- weakcrypto.go