Merge remote-tracking branch 'upstream/master'

holyspectral · Mar 2, 2018 · 3713168 · 3713168
2 parents 187a711 + c6183b4
commit 3713168
Show file tree

Hide file tree

Showing 22 changed files with 645 additions and 142 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,14 +1,25 @@
 language: go
-before_script:
-  - go vet $(go list ./... | grep -v /vendor/)
+
 go:
-  - 1.5
+  - 1.7
+  - 1.8
+  - 1.9
   - tip
+
 install:
+  - go get -u github.com/golang/lint/golint
   - go get -v github.com/onsi/ginkgo/ginkgo
   - go get -v github.com/onsi/gomega
+  - go get -v golang.org/x/crypto/ssh
+  - go get github.com/GoASTScanner/gas/cmd/gas/...
   - go get -v -t ./...
   - export PATH=$PATH:$HOME/gopath/bin
 
+before_script:
+  - test -z "$(gofmt -s -l -w $(find . -type f -name '*.go' -not -path './vendor/*') | tee /dev/stderr)"
+  - test -z "$(golint . |  tee /dev/stderr)"
+  - go vet $(go list ./... | grep -v /vendor/)
+  - gas ./...
+
 script: ginkgo -r
 
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/README.md b/README.md
@@ -41,6 +41,7 @@ or to specify a set of rules to explicitly exclude using the '-exclude=' flag.
   - G103: Audit the use of unsafe block
   - G104: Audit errors not checked
   - G105: Audit the use of math/big.Int.Exp
+  - G106: Audit the use of ssh.InsecureIgnoreHostKey
   - G201: SQL query construction using format string
   - G202: SQL query construction using string concatenation
   - G203: Use of unescaped data in HTML templates
@@ -104,7 +105,7 @@ $ gas -nosec=true ./...
 
 ### Output formats
 
-Gas currently supports text, json and csv output formats. By default
+Gas currently supports text, json, csv and JUnit XML output formats. By default
 results will be reported to stdout, but can also be written to an output
 file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
 
@@ -113,3 +114,21 @@ file. The output format is controlled by the '-fmt' flag, and the output file is
 $ gas -fmt=json -out=results.json *.go
 ```
 
+### Generate TLS rule
+
+The configuration of TLS rule can be generated from [Mozilla's TLS ciphers recommendation](https://statics.tls.security.mozilla.org/server-side-tls-conf.json).
+
+
+First you need to install the generator tool:
+
+```
+go get github.com/GoASTScanner/gas/cmd/tlsconfig/...
+```
+
+You can invoke now the `go generate` in the root of the project:
+
+```
+go generate ./...
+```
+
+This will generate the `rules/tls_config.go` file with will contain the current ciphers recommendation from Mozilla.
diff --git a/analyzer.go b/analyzer.go
@@ -102,7 +102,10 @@ func (gas *Analyzer) Process(packagePaths ...string) error {
 		AllowErrors: true,
 	}
 	for _, packagePath := range packagePaths {
-		abspath, _ := filepath.Abs(packagePath)
+		abspath, err := filepath.Abs(packagePath)
+		if err != nil {
+			return err
+		}
 		gas.logger.Println("Searching directory:", abspath)
 
 		basePackage, err := build.Default.ImportDir(packagePath, build.ImportComment)

diff --git a/cmd/gas/main.go b/cmd/gas/main.go
@@ -59,7 +59,7 @@ var (
 	flagIgnoreNoSec = flag.Bool("nosec", false, "Ignores #nosec comments when set")
 
 	// format output
-	flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, csv, html, or text")
+	flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, csv, junit-xml, html, or text")
 
 	// output file
 	flagOutput = flag.String("out", "", "Set output file for results")
@@ -79,6 +79,9 @@ var (
 	// log to file or stderr
 	flagLogfile = flag.String("log", "", "Log messages to file rather than stderr")
 
+	// sort the issues by severity
+	flagSortIssues = flag.Bool("sort", true, "Sort issues by severity")
+
 	logger *log.Logger
 )
 
@@ -149,9 +152,15 @@ func saveOutput(filename, format string, issues []*gas.Issue, metrics *gas.Metri
 			return err
 		}
 		defer outfile.Close()
-		output.CreateReport(outfile, format, issues, metrics)
+		err = output.CreateReport(outfile, format, issues, metrics)
+		if err != nil {
+			return err
+		}
 	} else {
-		output.CreateReport(os.Stdout, format, issues, metrics)
+		err := output.CreateReport(os.Stdout, format, issues, metrics)
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -166,7 +175,7 @@ func main() {
 
 	// Ensure at least one file was specified
 	if flag.NArg() == 0 {
-		fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' expected\n")
+		fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' expected\n") // #nosec
 		flag.Usage()
 		os.Exit(1)
 	}
@@ -225,13 +234,18 @@ func main() {
 		os.Exit(0)
 	}
 
+	// Sort the issue by severity
+	if *flagSortIssues {
+		sortIssues(issues)
+	}
+
 	// Create output report
 	if err := saveOutput(*flagOutput, *flagFormat, issues, metrics); err != nil {
 		logger.Fatal(err)
 	}
 
 	// Finialize logging
-	logWriter.Close()
+	logWriter.Close() // #nosec
 
 	// Do we have an issue? If so exit 1
 	if issuesFound {

diff --git a/cmd/gas/sort_issues.go b/cmd/gas/sort_issues.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+	"sort"
+
+	"github.com/GoASTScanner/gas"
+)
+
+type sortBySeverity []*gas.Issue
+
+func (s sortBySeverity) Len() int { return len(s) }
+
+func (s sortBySeverity) Less(i, j int) bool { return s[i].Severity > s[i].Severity }
+
+func (s sortBySeverity) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+
+// sortIssues sorts the issues by severity in descending order
+func sortIssues(issues []*gas.Issue) {
+	sort.Sort(sortBySeverity(issues))
+}
diff --git a/cmd/tlsconfig/header_template.go b/cmd/tlsconfig/header_template.go
@@ -0,0 +1,13 @@
+package main
+
+import "text/template"
+
+var generatedHeaderTmpl = template.Must(template.New("generated").Parse(`
+package {{.}}
+
+import (
+	"go/ast"
+
+	"github.com/GoASTScanner/gas"
+)
+`))
diff --git a/cmd/tlsconfig/rule_template.go b/cmd/tlsconfig/rule_template.go
@@ -0,0 +1,19 @@
+package main
+
+import "text/template"
+
+var generatedRuleTmpl = template.Must(template.New("generated").Parse(`
+// New{{.Name}}TLSCheck creates a check for {{.Name}} TLS ciphers
+// DO NOT EDIT - generated by tlsconfig tool
+func New{{.Name}}TLSCheck(conf gas.Config) (gas.Rule, []ast.Node) {
+	return &insecureConfigTLS{
+		requiredType: "crypto/tls.Config",
+		MinVersion:   {{ .MinVersion }},
+		MaxVersion:   {{ .MaxVersion }},
+		goodCiphers: []string{
+{{range $cipherName := .Ciphers }} "{{$cipherName}}",
+{{end}}
+		},
+	}, []ast.Node{(*ast.CompositeLit)(nil)}
+}
+`))