// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import "github.com/securego/gosec/v2"

// RuleDefinition describes a single rule: its stable identifier (e.g. "G101"),
// a one-line human-readable description, and the builder that instantiates it.
type RuleDefinition struct {
	ID          string
	Description string
	Create      gosec.RuleBuilder
}

// RuleList maps a rule ID to the definition registered under that ID.
type RuleList map[string]RuleDefinition

// Builders returns the builder of every rule in rl, keyed by each definition's
// ID field rather than by the RuleList key. Lists produced by Generate use the
// same value for both, so the distinction only matters for hand-built lists.
func (rl RuleList) Builders() map[string]gosec.RuleBuilder {
	byID := make(map[string]gosec.RuleBuilder, len(rl))
	for _, definition := range rl {
		byID[definition.ID] = definition.Create
	}
	return byID
}

// RuleFilter is a predicate over a rule ID. Generate drops a rule as soon as
// any filter returns true for its ID, so "true" means "reject this rule".
type RuleFilter func(string) bool

// NewRuleFilter builds a RuleFilter over the given rule IDs. The returned
// filter reports action for every ID in ruleIDs and !action for any other ID.
// Because Generate rejects a rule whenever a filter reports true, action=true
// turns ruleIDs into an exclude list and action=false into an include list.
// Beware: an include list (action=false) with no IDs rejects every rule, which
// yields an empty RuleList and therefore a scan that checks nothing. IDs are
// compared as exact strings and are never validated against the rule table, so
// a mistyped ID in an include list silently leaves that rule out, while one in
// an exclude list silently has no effect.
func NewRuleFilter(action bool, ruleIDs ...string) RuleFilter {
	// Membership set of the IDs this filter is concerned with. Matching is by
	// exact string; nothing here checks that an ID names a known rule.
	listed := make(map[string]struct{}, len(ruleIDs))
	for _, id := range ruleIDs {
		listed[id] = struct{}{}
	}
	return func(id string) bool {
		_, isListed := listed[id]
		// Listed IDs yield action; every other ID yields the opposite value.
		// With action=false and an empty ruleIDs this rejects every rule.
		return isListed == action
	}
}

// Generate assembles the table of known rules and returns, keyed by ID, those
// that no filter rejects. A rule is dropped as soon as any filter returns true
// for its ID; with no filters the whole table is returned. Filters are only
// consulted for IDs present in the table, so an ID that matches nothing is
// silently ignored: a mistyped exclude keeps the rule enabled, and a mistyped
// include silently drops the intended rule from the scan.
func Generate(filters ...RuleFilter) RuleList {
	catalogue := []RuleDefinition{
		// G1xx: miscellaneous checks
		{"G101", "Look for hardcoded credentials", NewHardcodedCredentials},
		{"G102", "Bind to all interfaces", NewBindsToAllNetworkInterfaces},
		{"G103", "Audit the use of unsafe block", NewUsingUnsafe},
		{"G104", "Audit errors not checked", NewNoErrorCheck},
		{"G106", "Audit the use of ssh.InsecureIgnoreHostKey function", NewSSHHostKey},
		{"G107", "Url provided to HTTP request as taint input", NewSSRFCheck},
		{"G108", "Profiling endpoint is automatically exposed", NewPprofCheck},
		{"G109", "Converting strconv.Atoi result to int32/int16", NewIntegerOverflowCheck},
		{"G110", "Detect io.Copy instead of io.CopyN when decompression", NewDecompressionBombCheck},

		// G2xx: injection
		{"G201", "SQL query construction using format string", NewSQLStrFormat},
		{"G202", "SQL query construction using string concatenation", NewSQLStrConcat},
		{"G203", "Use of unescaped data in HTML templates", NewTemplateCheck},
		{"G204", "Audit use of command execution", NewSubproc},

		// G3xx: filesystem
		{"G301", "Poor file permissions used when creating a directory", NewMkdirPerms},
		{"G302", "Poor file permissions used when creation file or using chmod", NewFilePerms},
		{"G303", "Creating tempfile using a predictable path", NewBadTempFile},
		{"G304", "File path provided as taint input", NewReadFile},
		{"G305", "File path traversal when extracting zip archive", NewArchive},
		{"G306", "Poor file permissions used when writing to a file", NewWritePerms},
		{"G307", "Unsafe defer call of a method returning an error", NewDeferredClosing},

		// G4xx: cryptography
		{"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography},
		{"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck},
		{"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength},
		{"G404", "Insecure random number source (rand)", NewWeakRandCheck},

		// G5xx: import blocklist
		{"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5},
		{"G502", "Import blocklist: crypto/des", NewBlocklistedImportDES},
		{"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4},
		{"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI},
		{"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1},

		// G6xx: memory safety
		{"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing},
	}

	selected := make(RuleList, len(catalogue))
	for _, def := range catalogue {
		if anyFilterRejects(filters, def.ID) {
			continue
		}
		selected[def.ID] = def
	}
	return selected
}

// anyFilterRejects reports whether at least one filter returns true for id.
// It returns false for an empty filter slice.
func anyFilterRejects(filters []RuleFilter, id string) bool {
	for _, reject := range filters {
		if reject(id) {
			return true
		}
	}
	return false
}