forked from securego/gosec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rules_test.go
157 lines (124 loc) · 4.09 KB
/
rules_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
package rules_test
import (
"fmt"
"log"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/securego/gosec"
"github.com/securego/gosec/rules"
"github.com/securego/gosec/testutils"
)
var _ = Describe("gosec rules", func() {
var (
logger *log.Logger
config gosec.Config
analyzer *gosec.Analyzer
runner func(string, []testutils.CodeSample)
buildTags []string
)
BeforeEach(func() {
logger, _ = testutils.NewLogger()
config = gosec.NewConfig()
analyzer = gosec.NewAnalyzer(config, logger)
runner = func(rule string, samples []testutils.CodeSample) {
analyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, rule)).Builders())
for n, sample := range samples {
analyzer.Reset()
pkg := testutils.NewTestPackage()
defer pkg.Close()
for i, code := range sample.Code {
pkg.AddFile(fmt.Sprintf("sample_%d_%d.go", n, i), code)
}
err := pkg.Build()
Expect(err).ShouldNot(HaveOccurred())
err = analyzer.Process(buildTags, pkg.Path)
Expect(err).ShouldNot(HaveOccurred())
issues, _ := analyzer.Report()
if len(issues) != sample.Errors {
fmt.Println(sample.Code)
}
Expect(issues).Should(HaveLen(sample.Errors))
}
}
})
Context("report correct errors for all samples", func() {
It("should detect hardcoded credentials", func() {
runner("G101", testutils.SampleCodeG101)
})
It("should detect binding to all network interfaces", func() {
runner("G102", testutils.SampleCodeG102)
})
It("should use of unsafe block", func() {
runner("G103", testutils.SampleCodeG103)
})
It("should errors not being checked", func() {
runner("G104", testutils.SampleCodeG104)
})
It("should detect of big.Exp function", func() {
runner("G105", testutils.SampleCodeG105)
})
It("should detect of ssh.InsecureIgnoreHostKey function", func() {
runner("G106", testutils.SampleCodeG106)
})
It("should detect ssrf via http requests with variable url", func() {
runner("G107", testutils.SampleCodeG107)
})
It("should detect sql injection via format strings", func() {
runner("G201", testutils.SampleCodeG201)
})
It("should detect sql injection via string concatenation", func() {
runner("G202", testutils.SampleCodeG202)
})
It("should detect unescaped html in templates", func() {
runner("G203", testutils.SampleCodeG203)
})
It("should detect command execution", func() {
runner("G204", testutils.SampleCodeG204)
})
It("should detect poor file permissions on mkdir", func() {
runner("G301", testutils.SampleCodeG301)
})
It("should detect poor permissions when creating or chmod a file", func() {
runner("G302", testutils.SampleCodeG302)
})
It("should detect insecure temp file creation", func() {
runner("G303", testutils.SampleCodeG303)
})
It("should detect file path provided as taint input", func() {
runner("G304", testutils.SampleCodeG304)
})
It("should detect file path traversal when extracting zip archive", func() {
runner("G305", testutils.SampleCodeG305)
})
It("should detect weak crypto algorithms", func() {
runner("G401", testutils.SampleCodeG401)
})
It("should detect weak crypto algorithms", func() {
runner("G401", testutils.SampleCodeG401b)
})
It("should find insecure tls settings", func() {
runner("G402", testutils.SampleCodeG402)
})
It("should detect weak creation of weak rsa keys", func() {
runner("G403", testutils.SampleCodeG403)
})
It("should find non cryptographically secure random number sources", func() {
runner("G404", testutils.SampleCodeG404)
})
It("should detect blacklisted imports - MD5", func() {
runner("G501", testutils.SampleCodeG501)
})
It("should detect blacklisted imports - DES", func() {
runner("G502", testutils.SampleCodeG502)
})
It("should detect blacklisted imports - RC4", func() {
runner("G503", testutils.SampleCodeG503)
})
It("should detect blacklisted imports - CGI (httpoxy)", func() {
runner("G504", testutils.SampleCodeG504)
})
It("should detect blacklisted imports - SHA1", func() {
runner("G505", testutils.SampleCodeG505)
})
})
})