rules

package
Published: Feb 5, 2023 License: Apache-2.0 Imports: 10 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func NewArchive

func NewArchive(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewArchive creates a new rule which detects file path traversal when extracting zip/tar archives

func NewBadTempFile

func NewBadTempFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBadTempFile detects direct writes to predictable paths in the temporary directory

func NewBindsToAllNetworkInterfaces

func NewBindsToAllNetworkInterfaces(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBindsToAllNetworkInterfaces detects socket connections that are setup to listen on all network interfaces.

func NewBlocklistedImportCGI

func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportCGI fails if CGI is imported

func NewBlocklistedImportDES

func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportDES fails if DES is imported

func NewBlocklistedImportMD5

func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportMD5 fails if MD5 is imported

func NewBlocklistedImportRC4

func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportRC4 fails if RC4 is imported

func NewBlocklistedImportSHA1

func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportSHA1 fails if SHA1 is imported

func NewBlocklistedImports

func NewBlocklistedImports(id string, conf gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node)

NewBlocklistedImports reports when a blocklisted import is being used. Typically when a deprecated technology is being used.

func NewDecompressionBombCheck

func NewDecompressionBombCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDecompressionBombCheck detects a potential DoS vulnerability via a decompression bomb

func NewDeferredClosing

func NewDeferredClosing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDeferredClosing detects unsafe defer of error returning methods

func NewDirectoryTraversal

func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDirectoryTraversal attempts to find the use of http.Dir("/")

func NewFilePerms

func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewFilePerms creates a rule to detect file creation with a more permissive than configured permission mask.

func NewHTTPServeWithoutTimeouts

func NewHTTPServeWithoutTimeouts(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewHTTPServeWithoutTimeouts detects use of net/http serve functions that have no support for setting timeouts.

func NewHardcodedCredentials

func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewHardcodedCredentials attempts to find high entropy string constants being assigned to variables that appear to be related to credentials.

func NewImplicitAliasing

func NewImplicitAliasing(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewImplicitAliasing detects implicit memory aliasing of the form: for blah := SomeCall() {... SomeOtherCall(&blah) ...}

func NewIntegerOverflowCheck

func NewIntegerOverflowCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewIntegerOverflowCheck detects a potential integer overflow

func NewIntermediateTLSCheck

func NewIntermediateTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers. DO NOT EDIT - generated by tlsconfig tool

func NewMkdirPerms

func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewMkdirPerms creates a rule to detect directory creation with more permissive than configured permission mask.

func NewModernTLSCheck

func NewModernTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewModernTLSCheck creates a check for Modern TLS ciphers. DO NOT EDIT - generated by tlsconfig tool

func NewNoErrorCheck

func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewNoErrorCheck detects if the returned error is unchecked

func NewOldTLSCheck

func NewOldTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewOldTLSCheck creates a check for Old TLS ciphers. DO NOT EDIT - generated by tlsconfig tool

func NewPprofCheck

func NewPprofCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewPprofCheck detects when the profiling endpoint is automatically exposed

func NewReadFile

func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewReadFile detects cases where we read files

func NewSQLStrConcat

func NewSQLStrConcat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrConcat looks for cases where we are building SQL strings via concatenation

func NewSQLStrFormat

func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrFormat looks for cases where we're building SQL query strings using format strings

func NewSSHHostKey

func NewSSHHostKey(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSSHHostKey rule detects the use of insecure ssh HostKeyCallback.

func NewSSRFCheck

func NewSSRFCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSSRFCheck detects cases where HTTP requests are sent

func NewSlowloris

func NewSlowloris(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSlowloris attempts to find the http.Server struct and check if the ReadHeaderTimeout is configured.

func NewSubproc

func NewSubproc(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewSubproc detects cases where we are forking out to an external process

func NewTemplateCheck

func NewTemplateCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewTemplateCheck constructs the template check rule. This rule is used to find use of templates where HTML/JS escaping is not being used

func NewUsesWeakCryptography

func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewUsesWeakCryptography detects uses of des.*, md5.*, or rc4.*

func NewUsingOldMathBig

func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.

func NewUsingUnsafe

func NewUsingUnsafe(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewUsingUnsafe rule detects the use of the unsafe package. This is only really useful for auditing purposes.

func NewWeakKeyStrength

func NewWeakKeyStrength(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits

func NewWeakRandCheck

func NewWeakRandCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWeakRandCheck detects the use of a random number generator that isn't cryptographically secure

func NewWritePerms

func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWritePerms creates a rule to detect file writes with bad permissions.

Types

type RuleDefinition

// RuleDefinition contains the description of a rule and a mechanism to create it.
type RuleDefinition struct {
	// ID is the rule identifier (the key under which the rule is stored in RuleList.Rules).
	ID          string
	// Description is the human-readable description of the rule.
	Description string
	// Create builds the rule; these builders are what RuleList.RulesInfo collects.
	Create      gosec.RuleBuilder
}

RuleDefinition contains the description of a rule and a mechanism to create it.

type RuleFilter

// RuleFilter can be used to include or exclude a rule depending on the
// return value of the function; its argument is the rule ID (see NewRuleFilter).
type RuleFilter func(string) bool

RuleFilter can be used to include or exclude a rule depending on the return value of the function.

func NewRuleFilter

func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter

NewRuleFilter returns a closure that will include/exclude the rule IDs based on the supplied boolean value.

type RuleList

// RuleList contains a mapping of rule IDs to rule definitions and a mapping of
// rule IDs to whether those rules are suppressed.
type RuleList struct {
	// Rules maps a rule ID to its definition.
	Rules          map[string]RuleDefinition
	// RuleSuppressed maps a rule ID to whether that rule is suppressed.
	RuleSuppressed map[string]bool
}

RuleList contains a mapping of rule IDs to rule definitions and a mapping of rule IDs to whether rules are suppressed.

func Generate

func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList

Generate returns the list of rules to use.

func (RuleList) RulesInfo

func (rl RuleList) RulesInfo() (map[string]gosec.RuleBuilder, map[string]bool)

RulesInfo returns all the create methods and the rule-suppressed map for a given list.
