package rules

This package is not in the latest version of its module.

Published: Nov 2, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewArchive

func NewArchive(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewArchive creates a new rule which detects path traversal when extracting zip/tar archives.

func NewBadTempFile

func NewBadTempFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewBadTempFile detects direct writes to a predictable path in the temporary directory.

func NewBindsToAllNetworkInterfaces

func NewBindsToAllNetworkInterfaces(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewBindsToAllNetworkInterfaces detects socket connections that are setup to listen on all network interfaces.

func NewBlocklistedImportCGI

func NewBlocklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportCGI fails if CGI is imported

func NewBlocklistedImportDES

func NewBlocklistedImportDES(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportDES fails if DES is imported

func NewBlocklistedImportMD4

func NewBlocklistedImportMD4(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportMD4 fails if MD4 is imported

func NewBlocklistedImportMD5

func NewBlocklistedImportMD5(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportMD5 fails if MD5 is imported

func NewBlocklistedImportRC4

func NewBlocklistedImportRC4(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportRC4 fails if RC4 is imported

func NewBlocklistedImportRIPEMD160

func NewBlocklistedImportRIPEMD160(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportRIPEMD160 fails if RIPEMD160 is imported

func NewBlocklistedImportSHA1

func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewBlocklistedImportSHA1 fails if SHA1 is imported

func NewBlocklistedImports

func NewBlocklistedImports(id string, _ gosec.Config, blocklist map[string]string) (gosec.Rule, []ast.Node)

NewBlocklistedImports reports when a blocklisted import is being used, typically because the import is a deprecated technology.

func NewDecompressionBombCheck

func NewDecompressionBombCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewDecompressionBombCheck detects a potential DoS vulnerability via a decompression bomb.

func NewDirectoryTraversal

func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewDirectoryTraversal attempts to find the use of http.Dir("/")

func NewFilePerms

func NewFilePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewFilePerms creates a rule to detect file creation with a more permissive than configured permission mask.

func NewHTTPServeWithoutTimeouts

func NewHTTPServeWithoutTimeouts(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewHTTPServeWithoutTimeouts detects use of net/http serve functions that have no support for setting timeouts.

func NewHardcodedCredentials

func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewHardcodedCredentials attempts to find high entropy string constants being assigned to variables that appear to be related to credentials.

func NewImplicitAliasing

func NewImplicitAliasing(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewImplicitAliasing detects implicit memory aliasing of type: for blah := SomeCall() {... SomeOtherCall(&blah) ...}

func NewIntegerOverflowCheck

func NewIntegerOverflowCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewIntegerOverflowCheck detects a potential integer overflow.

func NewIntermediateTLSCheck

func NewIntermediateTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewMkdirPerms

func NewMkdirPerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewMkdirPerms creates a rule to detect directory creation with more permissive than configured permission mask.

func NewModernTLSCheck

func NewModernTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewModernTLSCheck creates a check for Modern TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewNoErrorCheck

func NewNoErrorCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewNoErrorCheck detects if the returned error is unchecked

func NewOldTLSCheck

func NewOldTLSCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewOldTLSCheck creates a check for Old TLS ciphers. DO NOT EDIT - generated by the tlsconfig tool.

func NewOsCreatePerms

func NewOsCreatePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewOsCreatePerms creates a rule to detect file creation with a more permissive than configured permission mask.

func NewPprofCheck

func NewPprofCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewPprofCheck detects when the profiling endpoint is automatically exposed

func NewReadFile

func NewReadFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewReadFile detects cases where we read files

func NewSQLStrConcat

func NewSQLStrConcat(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrConcat looks for cases where we are building SQL strings via concatenation

func NewSQLStrFormat

func NewSQLStrFormat(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSQLStrFormat looks for cases where we're building SQL query strings using format strings

func NewSSHHostKey

func NewSSHHostKey(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSSHHostKey rule detects the use of insecure ssh HostKeyCallback.

func NewSSRFCheck

func NewSSRFCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSSRFCheck detects cases where HTTP requests are sent

func NewSlowloris

func NewSlowloris(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSlowloris attempts to find the http.Server struct and check if the ReadHeaderTimeout is configured.

func NewSubproc

func NewSubproc(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewSubproc detects cases where we are forking out to an external process

func NewTemplateCheck

func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewTemplateCheck constructs the template check rule. This rule is used to find use of templates where HTML/JS escaping is not being used

func NewUsesWeakCryptographyEncryption

func NewUsesWeakCryptographyEncryption(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsesWeakCryptographyEncryption detects uses of des.*, rc4.*

func NewUsesWeakCryptographyHash

func NewUsesWeakCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsesWeakCryptographyHash detects uses of md5.*, sha1.*

func NewUsesWeakDeprecatedCryptographyHash

func NewUsesWeakDeprecatedCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsesWeakDeprecatedCryptographyHash detects uses of md4.New, ripemd160.New

func NewUsingOldMathBig

func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.

func NewUsingUnsafe

func NewUsingUnsafe(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewUsingUnsafe rule detects the use of the unsafe package. This is only really useful for auditing purposes.

func NewWeakKeyStrength

func NewWeakKeyStrength(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits

func NewWeakRandCheck

func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node)

NewWeakRandCheck detects the use of a random number generator that isn't cryptographically secure.

func NewWritePerms

func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node)

NewWritePerms creates a rule to detect file Writes with bad permissions.

Types

type RuleDefinition

// RuleDefinition contains the description of a rule and a mechanism to create it.
type RuleDefinition struct {
	// ID is the rule identifier; RuleList.Rules is keyed by it.
	ID          string
	// Description is the human-readable description of the rule.
	Description string
	// Create builds the rule (see the New* constructors in this package).
	Create      gosec.RuleBuilder
}

RuleDefinition contains the description of a rule and a mechanism to create it.

type RuleFilter

type RuleFilter func(string) bool

RuleFilter can be used to include or exclude a rule depending on the return value of the function.

func NewRuleFilter

func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter

NewRuleFilter returns a closure that includes or excludes the given rule IDs based on the supplied boolean value.

type RuleList

// RuleList contains a mapping of rule IDs to rule definitions and a mapping of
// rule IDs to whether the rule is suppressed.
type RuleList struct {
	// Rules maps rule IDs to their definitions.
	Rules          map[string]RuleDefinition
	// RuleSuppressed maps rule IDs to whether the rule is suppressed.
	RuleSuppressed map[string]bool
}

RuleList contains a mapping of rule IDs to rule definitions and a mapping of rule IDs to whether the rules are suppressed.

func Generate

func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList

Generate builds the list of rules to use, applying the supplied filters.

func (RuleList) RulesInfo

func (rl RuleList) RulesInfo() (map[string]gosec.RuleBuilder, map[string]bool)

RulesInfo returns the rule builders and the suppressed-rule map for the given list.
