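package rules_test

import (
	"fmt"
	"log"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"

	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/rules"
	"github.com/securego/gosec/v2/testutils"
)

// Each It below feeds one rule's code samples through a freshly configured
// analyzer and asserts that the number of reported issues matches what the
// sample declares.
var _ = Describe("gosec rules", func() {

	var (
		logger    *log.Logger
		config    gosec.Config
		analyzer  *gosec.Analyzer
		runner    func(string, []testutils.CodeSample)
		buildTags []string
		// tests is never assigned in this file, so the analyzer is always
		// created with its zero value (false).
		tests bool
	)

	BeforeEach(func() {
		logger, _ = testutils.NewLogger()
		config = gosec.NewConfig()
		analyzer = gosec.NewAnalyzer(config, tests, logger)

		// runSample builds a single code sample into a throwaway package,
		// runs the analyzer with only the rule under test loaded, and
		// asserts that the issue count matches sample.Errors.
		//
		// It is a separate function so that the deferred pkg.Close() fires
		// as soon as this sample is done; in a plain loop body the defer
		// would not run until runner returned, keeping every sample's
		// package open until the end of the test.
		runSample := func(rule string, n int, sample testutils.CodeSample) {
			analyzer.Reset()
			analyzer.SetConfig(sample.Config)
			// Load only the rule under test so issues from other rules
			// cannot inflate the count.
			analyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, rule)).Builders())

			pkg := testutils.NewTestPackage()
			defer pkg.Close()
			for i, code := range sample.Code {
				pkg.AddFile(fmt.Sprintf("sample_%d_%d.go", n, i), code)
			}
			err := pkg.Build()
			Expect(err).ShouldNot(HaveOccurred())
			Expect(pkg.PrintErrors()).Should(BeZero())

			err = analyzer.Process(buildTags, pkg.Path)
			Expect(err).ShouldNot(HaveOccurred())
			issues, _, _ := analyzer.Report()
			if len(issues) != sample.Errors {
				// Print the offending source so a count mismatch can be
				// diagnosed from the test output alone.
				fmt.Println(sample.Code)
			}
			Expect(issues).Should(HaveLen(sample.Errors))
		}

		// runner runs every sample of the given rule; n is used to give each
		// sample's files a distinct name.
		runner = func(rule string, samples []testutils.CodeSample) {
			for n, sample := range samples {
				runSample(rule, n, sample)
			}
		}
	})

	Context("report correct errors for all samples", func() {
		It("should detect hardcoded credentials", func() {
			runner("G101", testutils.SampleCodeG101)
		})

		It("should detect binding to all network interfaces", func() {
			runner("G102", testutils.SampleCodeG102)
		})

		It("should use of unsafe block", func() {
			runner("G103", testutils.SampleCodeG103)
		})

		It("should detect errors not being checked", func() {
			runner("G104", testutils.SampleCodeG104)
		})

		It("should detect errors not being checked in audit mode", func() {
			runner("G104", testutils.SampleCodeG104Audit)
		})

		It("should detect of ssh.InsecureIgnoreHostKey function", func() {
			runner("G106", testutils.SampleCodeG106)
		})

		It("should detect ssrf via http requests with variable url", func() {
			runner("G107", testutils.SampleCodeG107)
		})

		It("should detect pprof endpoint", func() {
			runner("G108", testutils.SampleCodeG108)
		})

		It("should detect integer overflow", func() {
			runner("G109", testutils.SampleCodeG109)
		})

		It("should detect DoS vulnerability via decompression bomb", func() {
			runner("G110", testutils.SampleCodeG110)
		})

		It("should detect sql injection via format strings", func() {
			runner("G201", testutils.SampleCodeG201)
		})

		It("should detect sql injection via string concatenation", func() {
			runner("G202", testutils.SampleCodeG202)
		})

		It("should detect unescaped html in templates", func() {
			runner("G203", testutils.SampleCodeG203)
		})

		It("should detect command execution", func() {
			runner("G204", testutils.SampleCodeG204)
		})

		It("should detect poor file permissions on mkdir", func() {
			runner("G301", testutils.SampleCodeG301)
		})

		It("should detect poor permissions when creating or chmod a file", func() {
			runner("G302", testutils.SampleCodeG302)
		})

		It("should detect insecure temp file creation", func() {
			runner("G303", testutils.SampleCodeG303)
		})

		It("should detect file path provided as taint input", func() {
			runner("G304", testutils.SampleCodeG304)
		})

		It("should detect file path traversal when extracting zip archive", func() {
			runner("G305", testutils.SampleCodeG305)
		})

		It("should detect poor permissions when writing to a file", func() {
			runner("G306", testutils.SampleCodeG306)
		})

		It("should detect unsafe defer of os.Close", func() {
			runner("G307", testutils.SampleCodeG307)
		})

		It("should detect weak crypto algorithms", func() {
			runner("G401", testutils.SampleCodeG401)
		})

		// Second G401 sample set; same rule, different code samples.
		It("should detect weak crypto algorithms", func() {
			runner("G401", testutils.SampleCodeG401b)
		})

		It("should find insecure tls settings", func() {
			runner("G402", testutils.SampleCodeG402)
		})

		It("should detect weak creation of weak rsa keys", func() {
			runner("G403", testutils.SampleCodeG403)
		})

		It("should find non cryptographically secure random number sources", func() {
			runner("G404", testutils.SampleCodeG404)
		})

		It("should detect blocklisted imports - MD5", func() {
			runner("G501", testutils.SampleCodeG501)
		})

		It("should detect blocklisted imports - DES", func() {
			runner("G502", testutils.SampleCodeG502)
		})

		It("should detect blocklisted imports - RC4", func() {
			runner("G503", testutils.SampleCodeG503)
		})

		It("should detect blocklisted imports - CGI (httpoxy)", func() {
			runner("G504", testutils.SampleCodeG504)
		})

		It("should detect blocklisted imports - SHA1", func() {
			runner("G505", testutils.SampleCodeG505)
		})

		It("should detect implicit aliasing in ForRange", func() {
			runner("G601", testutils.SampleCodeG601)
		})

	})

})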