From d4367de2e27bfea8989ed7039ca239f2d86efafd Mon Sep 17 00:00:00 2001 From: Tim Kelsey Date: Fri, 29 Jul 2016 11:19:50 +0100 Subject: [PATCH] Adding a config block to the analyzer, parsed from JSON A CLI option can now be given to tell GAS it should parse data from a JSON file. Fatal errors are given if the file is not readable or is not valid JSON. --- core/analyzer.go | 20 ++++++++++++++++++-- main.go | 4 +++- rules/bind_test.go | 7 ++++--- rules/errors_test.go | 6 +++--- rules/fileperms_test.go | 7 ++++--- rules/hardcoded_credentials_test.go | 5 +++-- rules/httpoxy_test.go | 2 +- rules/nosec_test.go | 4 ++-- rules/rand_test.go | 4 ++-- rules/rsa_test.go | 5 +++-- rules/sql_test.go | 12 ++++++------ rules/subproc_test.go | 9 +++++---- rules/tempfiles_test.go | 5 +++-- rules/templates_test.go | 11 ++++++----- rules/tls_test.go | 8 ++++---- rules/unsafe_test.go | 5 +++-- rules/weakcrypto_test.go | 9 +++++---- 17 files changed, 75 insertions(+), 48 deletions(-) diff --git a/core/analyzer.go b/core/analyzer.go index e20bf1c68b..304e0451ff 100644 --- a/core/analyzer.go +++ b/core/analyzer.go @@ -15,11 +15,13 @@ package core import ( + "encoding/json" "go/ast" "go/importer" "go/parser" "go/token" "go/types" + "io/ioutil" "log" "os" "reflect" @@ -53,19 +55,33 @@ type Analyzer struct { logger *log.Logger Issues []Issue `json:"issues"` Stats Metrics `json:"metrics"` + Config map[string]interface{} } -func NewAnalyzer(ignoreNosec bool, logger *log.Logger) Analyzer { +func NewAnalyzer(ignoreNosec bool, conf *string, logger *log.Logger) Analyzer { if logger == nil { logger = log.New(os.Stdout, "[gas]", 0) } - return Analyzer{ + a := Analyzer{ ignoreNosec: ignoreNosec, ruleset: make(RuleSet), Issues: make([]Issue, 0), context: Context{token.NewFileSet(), nil, nil, nil}, logger: logger, + Config: nil, } + + if conf != nil && *conf != "" { // if we have a config + if data, err := ioutil.ReadFile(*conf); err == nil { + if err := json.Unmarshal(data, &(a.Config)); err != nil { + logger.Fatal("Could not parse JSON config: ", *conf, ": ", err) + } + } else { + logger.Fatal("Could not read config file: ", *conf) + } + } + + return a } func (gas *Analyzer) process(filename string, source interface{}) error { diff --git a/main.go b/main.go index e64bf90673..97fd4c23e3 100644 --- a/main.go +++ b/main.go @@ -35,6 +35,8 @@ var flagFormat = flag.String("fmt", "text", "Set output format. Valid options ar // output file var flagOutput = flag.String("out", "", "Set output file for results") +var flagConfig = flag.String("conf", "", "Path to optional config file") + var usageText = ` GAS - Go AST Scanner @@ -99,7 +101,7 @@ func main() { } // Setup analyzer - analyzer := gas.NewAnalyzer(*flagIgnoreNoSec, logger) + analyzer := gas.NewAnalyzer(*flagIgnoreNoSec, flagConfig, logger) if !rules.overwritten { rules.useDefaults() } diff --git a/rules/bind_test.go b/rules/bind_test.go index 13ca4eee18..512e08fee7 100644 --- a/rules/bind_test.go +++ b/rules/bind_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestBind0000(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewBindsToAllNetworkInterfaces()) issues := gasTestRunner(` @@ -41,7 +42,7 @@ func TestBind0000(t *testing.T) { } func TestBindEmptyHost(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewBindsToAllNetworkInterfaces()) issues := gasTestRunner(` diff --git a/rules/errors_test.go b/rules/errors_test.go index f45161f9e5..4689ed47b5 100644 --- a/rules/errors_test.go +++ b/rules/errors_test.go @@ -21,7 +21,7 @@ import ( ) func TestErrorsMulti(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewNoErrorCheck()) issues := gasTestRunner( @@ -43,7 +43,7 @@ func TestErrorsMulti(t *testing.T) { } func TestErrorsSingle(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewNoErrorCheck()) issues := gasTestRunner( @@ -65,7 +65,7 @@ func TestErrorsSingle(t *testing.T) { } func TestErrorsGood(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewNoErrorCheck()) issues := gasTestRunner( diff --git a/rules/fileperms_test.go b/rules/fileperms_test.go index e5e5016e1a..9a5eaa5f6f 100644 --- a/rules/fileperms_test.go +++ b/rules/fileperms_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestChmod(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewChmodPerms()) issues := gasTestRunner(` @@ -35,7 +36,7 @@ func TestChmod(t *testing.T) { } func TestMkdir(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewMkdirPerms()) issues := gasTestRunner(` diff --git a/rules/hardcoded_credentials_test.go b/rules/hardcoded_credentials_test.go index e59fe376e4..bbcf2be598 100644 --- a/rules/hardcoded_credentials_test.go +++ b/rules/hardcoded_credentials_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestHardcoded(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewHardcodedCredentials()) issues := gasTestRunner( diff --git a/rules/httpoxy_test.go b/rules/httpoxy_test.go index d85a5c13d1..0d422603b6 100644 --- a/rules/httpoxy_test.go +++ b/rules/httpoxy_test.go @@ -21,7 +21,7 @@ import ( ) func TestHttpoxy(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewHttpoxyTest()) issues := gasTestRunner(` diff --git a/rules/nosec_test.go b/rules/nosec_test.go index e6616a5fb4..b7bbc10eb0 100644 --- a/rules/nosec_test.go +++ b/rules/nosec_test.go @@ -21,7 +21,7 @@ import ( ) func TestNosec(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSubproc()) issues := gasTestRunner( @@ -39,7 +39,7 @@ func TestNosec(t *testing.T) { } func TestNosecBlock(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSubproc()) issues := gasTestRunner( diff --git a/rules/rand_test.go b/rules/rand_test.go index a65a7239b7..faab03560b 100644 --- a/rules/rand_test.go +++ b/rules/rand_test.go @@ -21,7 +21,7 @@ import ( ) func TestRandOk(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewWeakRandCheck()) issues := gasTestRunner( @@ -38,7 +38,7 @@ func TestRandOk(t *testing.T) { } func TestRandBad(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewWeakRandCheck()) issues := gasTestRunner( diff --git a/rules/rsa_test.go b/rules/rsa_test.go index 64e804ca1a..9ec2a51b46 100644 --- a/rules/rsa_test.go +++ b/rules/rsa_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestRSAKeys(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewWeakKeyStrength()) issues := gasTestRunner( diff --git a/rules/sql_test.go b/rules/sql_test.go index 3dc6171b6d..df8031cb7c 100644 --- a/rules/sql_test.go +++ b/rules/sql_test.go @@ -21,7 +21,7 @@ import ( ) func TestSQLInjectionViaConcatenation(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrConcat()) source := ` @@ -48,7 +48,7 @@ func TestSQLInjectionViaConcatenation(t *testing.T) { } func TestSQLInjectionViaIntepolation(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrFormat()) source := ` @@ -77,7 +77,7 @@ func TestSQLInjectionViaIntepolation(t *testing.T) { } func TestSQLInjectionFalsePositiveA(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrConcat()) analyzer.AddRule(NewSqlStrFormat()) @@ -112,7 +112,7 @@ func TestSQLInjectionFalsePositiveA(t *testing.T) { } func TestSQLInjectionFalsePositiveB(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrConcat()) analyzer.AddRule(NewSqlStrFormat()) @@ -147,7 +147,7 @@ func TestSQLInjectionFalsePositiveB(t *testing.T) { } func TestSQLInjectionFalsePositiveC(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrConcat()) analyzer.AddRule(NewSqlStrFormat()) @@ -182,7 +182,7 @@ func TestSQLInjectionFalsePositiveC(t *testing.T) { } func TestSQLInjectionFalsePositiveD(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSqlStrConcat()) analyzer.AddRule(NewSqlStrFormat()) diff --git a/rules/subproc_test.go b/rules/subproc_test.go index 6ea95d0d64..4f9528c57b 100644 --- a/rules/subproc_test.go +++ b/rules/subproc_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestSubprocess(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSubproc()) issues := gasTestRunner(` @@ -46,7 +47,7 @@ func TestSubprocess(t *testing.T) { } func TestSubprocessVar(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSubproc()) issues := gasTestRunner(` @@ -73,7 +74,7 @@ func TestSubprocessVar(t *testing.T) { } func TestSubprocessPath(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewSubproc()) issues := gasTestRunner(` diff --git a/rules/tempfiles_test.go b/rules/tempfiles_test.go index 911e6445d8..1a5fc68527 100644 --- a/rules/tempfiles_test.go +++ b/rules/tempfiles_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestTempfiles(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewBadTempFile()) source := ` diff --git a/rules/templates_test.go b/rules/templates_test.go index c969182629..e1f84ed2f2 100644 --- a/rules/templates_test.go +++ b/rules/templates_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestTemplateCheckSafe(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewTemplateCheck()) source := ` @@ -47,7 +48,7 @@ func TestTemplateCheckSafe(t *testing.T) { } func TestTemplateCheckBadHTML(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewTemplateCheck()) source := ` @@ -75,7 +76,7 @@ func TestTemplateCheckBadHTML(t *testing.T) { } func TestTemplateCheckBadJS(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewTemplateCheck()) source := ` @@ -103,7 +104,7 @@ func TestTemplateCheckBadJS(t *testing.T) { } func TestTemplateCheckBadURL(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewTemplateCheck()) source := ` diff --git a/rules/tls_test.go b/rules/tls_test.go index 0c103b04e3..6ead5d2c0c 100644 --- a/rules/tls_test.go +++ b/rules/tls_test.go @@ -21,7 +21,7 @@ import ( ) func TestInsecureSkipVerify(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewModernTlsCheck()) issues := gasTestRunner(` @@ -49,7 +49,7 @@ func TestInsecureSkipVerify(t *testing.T) { } func TestInsecureMinVersion(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewModernTlsCheck()) issues := gasTestRunner(` @@ -77,7 +77,7 @@ func TestInsecureMinVersion(t *testing.T) { } func TestInsecureMaxVersion(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewModernTlsCheck()) issues := gasTestRunner(` @@ -105,7 +105,7 @@ func TestInsecureMaxVersion(t *testing.T) { } func TestInsecureCipherSuite(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewModernTlsCheck()) issues := gasTestRunner(` diff --git a/rules/unsafe_test.go b/rules/unsafe_test.go index 326a43045d..2a35649669 100644 --- a/rules/unsafe_test.go +++ b/rules/unsafe_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestUnsafe(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewUsingUnsafe()) issues := gasTestRunner(` diff --git a/rules/weakcrypto_test.go b/rules/weakcrypto_test.go index 774d51b7ea..388aebd031 100644 --- a/rules/weakcrypto_test.go +++ b/rules/weakcrypto_test.go @@ -15,12 +15,13 @@ package rules import ( - gas "github.com/HewlettPackard/gas/core" "testing" + + gas "github.com/HewlettPackard/gas/core" ) func TestMD5(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewImportsWeakCryptography()) analyzer.AddRule(NewUsesWeakCryptography()) @@ -41,7 +42,7 @@ func TestMD5(t *testing.T) { } func TestDES(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewImportsWeakCryptography()) analyzer.AddRule(NewUsesWeakCryptography()) @@ -80,7 +81,7 @@ func TestDES(t *testing.T) { } func TestRC4(t *testing.T) { - analyzer := gas.NewAnalyzer(false, nil) + analyzer := gas.NewAnalyzer(false, nil, nil) analyzer.AddRule(NewImportsWeakCryptography()) analyzer.AddRule(NewUsesWeakCryptography())