1// (c) Copyright 2016 Hewlett Packard Enterprise Development LP 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15package rules 16 17import ( 18 "go/ast" 19 20 "github.com/securego/gosec/v2" 21) 22 23type usingUnsafe struct { 24 gosec.MetaData 25 pkg string 26 calls []string 27} 28 29func (r *usingUnsafe) ID() string { 30 return r.MetaData.ID 31} 32 33func (r *usingUnsafe) Match(n ast.Node, c *gosec.Context) (gi *gosec.Issue, err error) { 34 if _, matches := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); matches { 35 return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil 36 } 37 return nil, nil 38} 39 40// NewUsingUnsafe rule detects the use of the unsafe package. This is only 41// really useful for auditing purposes. 42func NewUsingUnsafe(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { 43 return &usingUnsafe{ 44 pkg: "unsafe", 45 calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"}, 46 MetaData: gosec.MetaData{ 47 ID: id, 48 What: "Use of unsafe calls should be audited", 49 Severity: gosec.Low, 50 Confidence: gosec.High, 51 }, 52 }, []ast.Node{(*ast.CallExpr)(nil)} 53} 54