build(deps): bump github.com/securego/gosec/v2 from 5f0084eb01a9 to 8…
…1cda2f91fbe (#4927)
ldez authored Aug 20, 2024
1 parent 741df1f commit f338f3e
Showing 7 changed files with 84 additions and 29 deletions.
16 changes: 14 additions & 2 deletions .golangci.next.reference.yml
Expand Up @@ -853,6 +853,7 @@ linters-settings:
- G112 # Potential slowloris attack
- G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
- G114 # Use of net/http serve function that has no support for setting timeouts
- G115 # Potential integer overflow when converting between integer types
- G201 # SQL query construction using format string
- G202 # SQL query construction using string concatenation
- G203 # Use of unescaped data in HTML templates
Expand All @@ -864,16 +865,21 @@ linters-settings:
- G305 # File traversal when extracting zip/tar archive
- G306 # Poor file permissions used when writing to a new file
- G307 # Poor file permissions used when creating a file with os.Create
- G401 # Detect the usage of DES, RC4, MD5 or SHA1
- G401 # Detect the usage of MD5 or SHA1
- G402 # Look for bad TLS connection settings
- G403 # Ensure minimum RSA key length of 2048 bits
- G404 # Insecure random number source (rand)
- G405 # Detect the usage of DES or RC4
- G406 # Detect the usage of MD4 or RIPEMD160
- G501 # Import blocklist: crypto/md5
- G502 # Import blocklist: crypto/des
- G503 # Import blocklist: crypto/rc4
- G504 # Import blocklist: net/http/cgi
- G505 # Import blocklist: crypto/sha1
- G506 # Import blocklist: golang.org/x/crypto/md4
- G507 #Import blocklist: golang.org/x/crypto/ripemd160
- G601 # Implicit memory aliasing of items from a range statement
- G602 # Slice access out of bounds

# To specify a set of rules to explicitly exclude.
# Available rules: https://github.com/securego/gosec#available-rules
Expand All @@ -892,6 +898,7 @@ linters-settings:
- G112 # Potential slowloris attack
- G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
- G114 # Use of net/http serve function that has no support for setting timeouts
- G115 # Potential integer overflow when converting between integer types
- G201 # SQL query construction using format string
- G202 # SQL query construction using string concatenation
- G203 # Use of unescaped data in HTML templates
Expand All @@ -903,16 +910,21 @@ linters-settings:
- G305 # File traversal when extracting zip/tar archive
- G306 # Poor file permissions used when writing to a new file
- G307 # Poor file permissions used when creating a file with os.Create
- G401 # Detect the usage of DES, RC4, MD5 or SHA1
- G401 # Detect the usage of MD5 or SHA1
- G402 # Look for bad TLS connection settings
- G403 # Ensure minimum RSA key length of 2048 bits
- G404 # Insecure random number source (rand)
- G405 # Detect the usage of DES or RC4
- G406 # Detect the usage of MD4 or RIPEMD160
- G501 # Import blocklist: crypto/md5
- G502 # Import blocklist: crypto/des
- G503 # Import blocklist: crypto/rc4
- G504 # Import blocklist: net/http/cgi
- G505 # Import blocklist: crypto/sha1
- G506 # Import blocklist: golang.org/x/crypto/md4
- G507 #Import blocklist: golang.org/x/crypto/ripemd160
- G601 # Implicit memory aliasing of items from a range statement
- G602 # Slice access out of bounds

# Exclude generated files
# Default: false
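Review bot: The two new G507 lines drop the space after `#` that every sibling entry in both hunks carries (`- G507 #Import blocklist: golang.org/x/crypto/ripemd160`); in a reference file that users copy from, keep the comment form uniform: `- G507 # Import blocklist: golang.org/x/crypto/ripemd160`. The same fix applies to the second occurrence of the line in the later hunk of this file (the exclude-rules list).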
15 changes: 15 additions & 0 deletions .golangci.yml
Expand Up @@ -204,6 +204,21 @@ issues:
linters: [gocritic]
text: "rangeValCopy: each iteration copies 160 bytes \\(consider pointers or indexing\\)"

# Related to file sizes.
- path: pkg/goanalysis/runner_loadingpackage.go
linters: [gosec]
text: "G115: integer overflow conversion uintptr -> int"

# Related to PID.
- path: test/bench/bench_test.go
linters: [gosec]
text: "G115: integer overflow conversion int -> int32"

# Related to the result of computation but divided multiple times by 1024.
- path: test/bench/bench_test.go
linters: [gosec]
text: "G115: integer overflow conversion uint64 -> int"

exclude-dirs:
- test/testdata_etc # test files
- internal/cache # extracted from Go code
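Review bot: The three new `text:` patterns are unanchored regular expressions, so they match as substrings of gosec's message rather than the exact finding: `G115: integer overflow conversion uint64 -> int` also matches a future `uint64 -> int32` or `uint64 -> int8` conversion in bench_test.go, and `int -> int32` is a substring of `uint -> int32`. Anchoring them pins the suppression to the reviewed conversion, e.g. `text: "^G115: integer overflow conversion uint64 -> int$"` (likewise for the other two). Alternatively a `//nolint:gosec // <reason>` directive at the conversion site would tie the exemption to the exact line and survive any rewording of the message in a later gosec release; the config-level form is fine if keeping call sites clean is preferred, but then the anchors matter.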
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -92,7 +92,7 @@ require (
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
github.com/sashamelentyev/interfacebloat v1.1.0
github.com/sashamelentyev/usestdlibvars v1.27.0
github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9
github.com/securego/gosec/v2 v2.20.1-0.20240820084340-81cda2f91fbe
github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c
github.com/shirou/gopsutil/v3 v3.24.5
github.com/sirupsen/logrus v1.9.3
Expand Down Expand Up @@ -124,7 +124,7 @@ require (
go-simpler.org/musttag v0.12.2
go-simpler.org/sloglint v0.7.2
go.uber.org/automaxprocs v1.5.3
golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
golang.org/x/tools v0.24.0
gopkg.in/yaml.v3 v3.0.1
honnef.co/go/tools v0.5.1
Expand Down Expand Up @@ -192,8 +192,8 @@ require (
golang.org/x/mod v0.20.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/text v0.15.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
golang.org/x/text v0.17.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)
32 changes: 16 additions & 16 deletions go.sum


8 changes: 7 additions & 1 deletion jsonschema/golangci.next.jsonschema.json
Expand Up @@ -137,6 +137,7 @@
"G112",
"G113",
"G114",
"G115",
"G201",
"G202",
"G203",
Expand All @@ -152,12 +153,17 @@
"G402",
"G403",
"G404",
"G405",
"G406",
"G501",
"G502",
"G503",
"G504",
"G505",
"G601"
"G506",
"G507",
"G601",
"G602"
]
},
"govet-analyzers": {
4 changes: 2 additions & 2 deletions pkg/goanalysis/runners.go
Expand Up @@ -134,7 +134,7 @@ func saveIssuesToCache(allPkgs []*packages.Package, pkgsFromCache map[*packages.
perPkgIssues[i.Pkg] = append(perPkgIssues[i.Pkg], *i)
}

savedIssuesCount := int32(0)
var savedIssuesCount int64 = 0
lintResKey := getIssuesCacheKey(analyzers)

workerCount := runtime.GOMAXPROCS(-1)
Expand Down Expand Up @@ -162,7 +162,7 @@ func saveIssuesToCache(allPkgs []*packages.Package, pkgsFromCache map[*packages.
})
}

atomic.AddInt32(&savedIssuesCount, int32(len(encodedIssues)))
atomic.AddInt64(&savedIssuesCount, int64(len(encodedIssues)))
if err := lintCtx.PkgCache.Put(pkg, pkgcache.HashModeNeedAllDeps, lintResKey, encodedIssues); err != nil {
lintCtx.Log.Infof("Failed to save package %s issues (%d) to cache: %s", pkg, len(pkgIssues), err)
} else {
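Review bot: `var savedIssuesCount int64 = 0` spells out the zero value; the idiomatic form is `var savedIssuesCount int64`, and since the counter is only ever touched through `atomic` calls here, `var savedIssuesCount atomic.Int64` with `savedIssuesCount.Add(int64(len(encodedIssues)))` would make atomic-only access a property of the type rather than of discipline (needs Go 1.19+, which this module presumably satisfies given its dependency versions; confirm against go.mod). The widening to int64 does remove the lossy `int32(len(...))` conversion that G115 flags, so the change itself is sound. saveIssuesToCache starts and ends outside the hunks, so the sites that read the counter after the workers finish are not visible here; they would need the matching `.Load()` if the type changes.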
30 changes: 26 additions & 4 deletions pkg/golinters/gosec/gosec.go
Expand Up @@ -10,6 +10,7 @@ import (
"sync"

"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/analyzers"
"github.com/securego/gosec/v2/issue"
"github.com/securego/gosec/v2/rules"
"golang.org/x/tools/go/analysis"
Expand All @@ -27,16 +28,20 @@ func New(settings *config.GoSecSettings) *goanalysis.Linter {
var mu sync.Mutex
var resIssues []goanalysis.Issue

var filters []rules.RuleFilter
conf := gosec.NewConfig()

var ruleFilters []rules.RuleFilter
var analyzerFilters []analyzers.AnalyzerFilter
if settings != nil {
filters = gosecRuleFilters(settings.Includes, settings.Excludes)
ruleFilters = createRuleFilters(settings.Includes, settings.Excludes)
analyzerFilters = createAnalyzerFilters(settings.Includes, settings.Excludes)
conf = toGosecConfig(settings)
}

logger := log.New(io.Discard, "", 0)

ruleDefinitions := rules.Generate(false, filters...)
ruleDefinitions := rules.Generate(false, ruleFilters...)
analyzerDefinitions := analyzers.Generate(false, analyzerFilters...)

analyzer := &analysis.Analyzer{
Name: linterName,
Expand All @@ -53,7 +58,9 @@ func New(settings *config.GoSecSettings) *goanalysis.Linter {
analyzer.Run = func(pass *analysis.Pass) (any, error) {
// The `gosecAnalyzer` is here because of concurrency issue.
gosecAnalyzer := gosec.NewAnalyzer(conf, true, settings.ExcludeGenerated, false, settings.Concurrency, logger)

gosecAnalyzer.LoadRules(ruleDefinitions.RulesInfo())
gosecAnalyzer.LoadAnalyzers(analyzerDefinitions.AnalyzersInfo())

issues := runGoSec(lintCtx, pass, settings, gosecAnalyzer)

Expand Down Expand Up @@ -176,8 +183,23 @@ func convertGosecGlobals(globalOptionFromConfig any, conf gosec.Config) {
}
}

// based on https://github.com/securego/gosec/blob/81cda2f91fbe1bf4735feb55febcae03e697a92b/cmd/gosec/main.go#L258-L275
func createAnalyzerFilters(includes, excludes []string) []analyzers.AnalyzerFilter {
var filters []analyzers.AnalyzerFilter

if len(includes) > 0 {
filters = append(filters, analyzers.NewAnalyzerFilter(false, includes...))
}

if len(excludes) > 0 {
filters = append(filters, analyzers.NewAnalyzerFilter(true, excludes...))
}

return filters
}

// based on https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/cmd/gosec/main.go#L170-L188
func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
func createRuleFilters(includes, excludes []string) []rules.RuleFilter {
var filters []rules.RuleFilter

if len(includes) > 0 {
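Review bot: createAnalyzerFilters carries only a provenance link as its comment, while the non-obvious part is in New: the same `settings.Includes`/`settings.Excludes` lists are passed to both createRuleFilters and createAnalyzerFilters, so each user-supplied ID is matched against two separate check sets and an ID that exists only as an analyzer (G115 appears to be one, since it arrives together with the analyzers API) is a no-op for the rule filter, and vice versa. A comment on the function would spare the next reader from re-deriving that, e.g. `// createAnalyzerFilters builds include/exclude filters for gosec's analyzer-based checks; it receives the same ID lists as createRuleFilters because gosec keeps AST rules and analyzers as separate sets, each ignoring IDs it does not own.` On a context line, `settings.ExcludeGenerated` at the top of analyzer.Run is read without the `settings != nil` guard that the filter setup above it has; that is pre-existing, but worth a look while this code is being touched. The body of New and the tail of createRuleFilters lie outside the hunks.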
