Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2022-03-02 18:22:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Wed Mar  2 18:22:36 2022 rev:2 rq:958490 version:2.10.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2022-02-07 
23:38:57.202090161 +0100
+++ /work/SRC/openSUSE:Factory/.gosec.new.1958/gosec.changes    2022-03-02 
18:22:44.668659442 +0100
@@ -1,0 +2,18 @@
+Wed Mar  2 07:35:25 UTC 2022 - Felix Niederwanger <felix.niederwan...@suse.com>
+
+* Update to version 2.10.0:
+
+- Extend the release action to sign the docker image and binary files with 
cosign (#781)
+- feat: add concurrency option to parallelize package loading (#778)
+- chore(deps): update all dependencies
+- Process the code snippet before adding it to the SARIF report
+- Updated sponsor link in README.md
+- chore(deps): update golang.org/x/crypto commit hash to 30dcbda
+- chore(deps): update all dependencies
+- Use the CWE name as a name in the SARIF report
+- chore(deps): update all dependencies (#771)
+- Resolve the TLS min version when is declarted in the same package but in a 
different file
+- Add a test for tls min version defined in a different file
+- chore(deps): update all dependencies (#765)
+
+-------------------------------------------------------------------

Old:
----
  gosec-2.9.6.tar.gz

New:
----
  gosec-2.10.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.lAtp7c/_old  2022-03-02 18:22:45.348659467 +0100
+++ /var/tmp/diff_new_pack.lAtp7c/_new  2022-03-02 18:22:45.360659466 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           gosec
-Version:        2.9.6
+Version:        2.10.0
 Release:        0
 Summary:        Golang security checker
 License:        Apache-2.0

++++++ gosec-2.9.6.tar.gz -> gosec-2.10.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/.github/workflows/release.yml 
new/gosec-2.10.0/.github/workflows/release.yml
--- old/gosec-2.9.6/.github/workflows/release.yml       2022-01-17 
13:50:37.000000000 +0100
+++ new/gosec-2.10.0/.github/workflows/release.yml      2022-02-22 
21:33:42.000000000 +0100
@@ -18,27 +18,57 @@
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name : Get release version
-        id: get_version
-        run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.5.2'
+      - name: Store Cosign private key in a file
+        run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
+        shell: bash
+        env:
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{secrets.DOCKER_USERNAME}}
+          password: ${{secrets.DOCKER_PASSWORD}}
       - name: Generate SBOM
         uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
           version: v1
           args: mod -licenses -json -output bom.json
+      - name: Docker meta
+        uses: docker/metadata-action@v3
+        id: meta
+        with:
+          images: securego/gosec
+          flavor: |
+            latest=true
+          tags: |
+            type=sha,format=long
+            type=semver,pattern={{version}}
       - name: Release Binaries
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
       - name: Release Docker Image
-        uses: elgohr/Publish-Docker-Github-Action@master
+        uses: docker/build-push-action@v2
         with:
-            name: securego/gosec
-            username: ${{ secrets.DOCKER_USERNAME }}
-            password: ${{ secrets.DOCKER_PASSWORD }}
-            buildargs: GO_VERSION=1.17
-            tags: "latest,${{ env.RELEASE_VERSION }}"
-            tag_names: true
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{steps.meta.outputs.tags}}
+          labels: ${{steps.meta.outputs.labels}}
+          push: true
+          build-args: GO_VERSION=1.17
+      - name: Sign Docker Image
+        run: cosign sign -key /tmp/cosign.key ${TAGS}
+        env:
+          TAGS: ${{steps.meta.outputs.tags}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
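Review bot: The step `uses: sigstore/cosign-installer@main` pulls a floating branch, so the tool that signs every release can change under the workflow without review; pin it like the other actions to a release tag or commit SHA (`uses: sigstore/cosign-installer@<RELEASE_TAG_OR_SHA>`) alongside the already pinned `cosign-release: 'v1.5.2'`. The "Sign Docker Image" step signs `${TAGS}`, i.e. the mutable `latest`/semver/sha tags, rather than the pushed image digest; giving the build step an `id: build` and signing `securego/gosec@${{ steps.build.outputs.digest }}` binds the signature to the exact image that was pushed. The private key written to `/tmp/cosign.key` stays on the runner's disk for the rest of the job, so a final cleanup step with `if: always()` and `run: rm -f /tmp/cosign.key` keeps it from outliving the signing steps. This step passes `-key` while the goreleaser `signs` hunk below passes `--key=`; confirm both spellings are accepted by the pinned cosign release rather than relying on the single-dash form.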
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/.goreleaser.yml 
new/gosec-2.10.0/.goreleaser.yml
--- old/gosec-2.9.6/.goreleaser.yml     2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/.goreleaser.yml    2022-02-22 21:33:42.000000000 +0100
@@ -9,7 +9,7 @@
     name: gosec
 
 builds:
-  - main : ./cmd/gosec/
+  - main: ./cmd/gosec/
     binary: gosec
     goos:
       - darwin
@@ -21,3 +21,10 @@
     ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X 
main.BuildDate={{.Date}}
     env:
       - CGO_ENABLED=0
+
+signs:
+- cmd: cosign
+  stdin: '{{ .Env.COSIGN_PASSWORD}}'
+  args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", 
"${artifact}"]
+  artifacts: all
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/README.md new/gosec-2.10.0/README.md
--- old/gosec-2.9.6/README.md   2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/README.md  2022-02-22 21:33:42.000000000 +0100
@@ -407,6 +407,19 @@
 The GitHub [release workflow](.github/workflows/release.yml) triggers 
immediately after the tag is pushed upstream. This flow will
 release the binaries using the [goreleaser](https://goreleaser.com/actions/) 
action and then it will build and publish the docker image into Docker Hub.
 
+The released artifacts are signed using [cosign](https://docs.sigstore.dev/). 
You can use the public key from [cosign.pub](cosign.pub) 
+file to verify the signature of docker image and binaries files.
+
+The docker image signature can be verified with the following command:
+```
+cosign verify --key cosign.pub securego/gosec:<TAG>
+```
+ 
+The binary files signature can be verified with the following command:
+```
+cosign verify-blob --key cosign.pub --signature 
gosec_<VERSION>_darwin_amd64.tar.gz.sig  gosec_<VERSION>_darwin_amd64.tar.gz
+```
+
 ### Docker image
 
 You can also build locally the docker image by using the command:
@@ -450,4 +463,4 @@
 
 Support this project by becoming a sponsor. Your logo will show up here with a 
link to your website
 
-<a href="https://github.com/Daimler"; target="_blank"><img 
src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4";></a>
+<a href="https://github.com/mercedes-benz"; target="_blank"><img 
src="https://avatars.githubusercontent.com/u/34240465?s=80&v=4";></a>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/analyzer.go new/gosec-2.10.0/analyzer.go
--- old/gosec-2.9.6/analyzer.go 2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/analyzer.go        2022-02-22 21:33:42.000000000 +0100
@@ -29,6 +29,7 @@
        "regexp"
        "strconv"
        "strings"
+       "sync"
 
        "golang.org/x/tools/go/packages"
 )
@@ -88,6 +89,7 @@
        excludeGenerated  bool
        showIgnored       bool
        trackSuppressions bool
+       concurrency       int
 }
 
 // SuppressionInfo object is to record the kind and the justification that used
@@ -98,7 +100,7 @@
 }
 
 // NewAnalyzer builds a new analyzer.
-func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, 
trackSuppressions bool, logger *log.Logger) *Analyzer {
+func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, 
trackSuppressions bool, concurrency int, logger *log.Logger) *Analyzer {
        ignoreNoSec := false
        if enabled, err := conf.IsGlobalEnabled(Nosec); err == nil {
                ignoreNoSec = enabled
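Review bot: The new `concurrency` parameter is stored without validation, and the loop in the Process hunk below (`for i := 0; i < gosec.concurrency; i++`) starts no workers for a zero or negative value, so the scan completes with every package silently skipped and no error reported; the `-concurrency` flag in `cmd/gosec/main.go` accepts any int, so this is reachable from the command line. Clamp it here before it is stored, `if concurrency < 1 { concurrency = 1 }`. The doc comment should also describe the parameter, e.g. `// NewAnalyzer builds a new analyzer; concurrency is the number of packages loaded in parallel (values below 1 are treated as 1).` The body of NewAnalyzer continues outside this hunk.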
@@ -121,6 +123,7 @@
                stats:             &Metrics{},
                errors:            make(map[string][]Error),
                tests:             tests,
+               concurrency:       concurrency,
                excludeGenerated:  excludeGenerated,
                trackSuppressions: trackSuppressions,
        }
@@ -153,15 +156,64 @@
                Tests:      gosec.tests,
        }
 
+       type result struct {
+               pkgPath string
+               pkgs    []*packages.Package
+               err     error
+       }
+
+       results := make(chan result)
+       jobs := make(chan string, len(packagePaths))
+       quit := make(chan struct{})
+
+       var wg sync.WaitGroup
+
+       worker := func(j chan string, r chan result, quit chan struct{}) {
+               for {
+                       select {
+                       case s := <-j:
+                               packages, err := gosec.load(s, config)
+                               select {
+                               case r <- result{pkgPath: s, pkgs: packages, 
err: err}:
+                               case <-quit:
+                                       // we've been told to stop, probably an 
error while
+                                       // processing a previous result.
+                                       wg.Done()
+                                       return
+                               }
+                       default:
+                               // j is empty and there are no jobs left
+                               wg.Done()
+                               return
+                       }
+               }
+       }
+
+       // fill the buffer
        for _, pkgPath := range packagePaths {
-               pkgs, err := gosec.load(pkgPath, config)
-               if err != nil {
-                       gosec.AppendError(pkgPath, err)
+               jobs <- pkgPath
+       }
+
+       for i := 0; i < gosec.concurrency; i++ {
+               wg.Add(1)
+               go worker(jobs, results, quit)
+       }
+
+       go func() {
+               wg.Wait()
+               close(results)
+       }()
+
+       for r := range results {
+               if r.err != nil {
+                       gosec.AppendError(r.pkgPath, r.err)
                }
-               for _, pkg := range pkgs {
+               for _, pkg := range r.pkgs {
                        if pkg.Name != "" {
                                err := gosec.ParseErrors(pkg)
                                if err != nil {
+                                       close(quit)
+                                       wg.Wait() // wait for the goroutines to 
stop
                                        return fmt.Errorf("parsing errors in 
pkg %q: %w", pkg.Name, err)
                                }
                                gosec.Check(pkg)
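Review bot: After `close(quit)` on the error path, a worker sitting in the outer `select` can still take the next job from `j` and run a full `gosec.load` before it sees `quit` in the inner `select`, so the `wg.Wait()` that follows can block for one more package load per worker; adding `case <-quit:` with `wg.Done(); return` to the outer `select` makes cancellation immediate. The local `packages, err := gosec.load(s, config)` shadows the imported `packages` package inside the closure; `pkgs, err := gosec.load(s, config)` avoids the confusion. The `default:` branch only means "no work left" because `jobs` is filled to capacity before any worker starts, which deserves a comment on the `// fill the buffer` line, e.g. `// fill the buffer completely before starting workers: a worker treats an empty jobs channel as "no work left"`. Results now arrive in non-deterministic order, so unless issues are sorted elsewhere the report may differ between runs — worth confirming (Process begins and ends outside this hunk).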
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/analyzer_test.go 
new/gosec-2.10.0/analyzer_test.go
--- old/gosec-2.9.6/analyzer_test.go    2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/analyzer_test.go   2022-02-22 21:33:42.000000000 +0100
@@ -24,7 +24,7 @@
        )
        BeforeEach(func() {
                logger, _ = testutils.NewLogger()
-               analyzer = gosec.NewAnalyzer(nil, tests, false, false, logger)
+               analyzer = gosec.NewAnalyzer(nil, tests, false, false, 1, 
logger)
        })
 
        Context("when processing a package", func() {
@@ -77,6 +77,29 @@
                        Expect(metrics.NumFiles).To(Equal(2))
                })
 
+               It("should be able to analyze multiple Go files concurrently", 
func() {
+                       customAnalyzer := gosec.NewAnalyzer(nil, true, true, 
false, 32, logger)
+                       
customAnalyzer.LoadRules(rules.Generate(false).RulesInfo())
+                       pkg := testutils.NewTestPackage()
+                       defer pkg.Close()
+                       pkg.AddFile("foo.go", `
+                               package main
+                               func main(){
+                                       bar()
+                               }`)
+                       pkg.AddFile("bar.go", `
+                               package main
+                               func bar(){
+                                       println("package has two files!")
+                               }`)
+                       err := pkg.Build()
+                       Expect(err).ShouldNot(HaveOccurred())
+                       err = customAnalyzer.Process(buildTags, pkg.Path)
+                       Expect(err).ShouldNot(HaveOccurred())
+                       _, metrics, _ := customAnalyzer.Report()
+                       Expect(metrics.NumFiles).To(Equal(2))
+               })
+
                It("should be able to analyze multiple Go packages", func() {
                        analyzer.LoadRules(rules.Generate(false).RulesInfo())
                        pkg1 := testutils.NewTestPackage()
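Review bot: The new "analyze multiple Go files concurrently" test builds a single package, so only one job enters the pool and the other 31 workers exit immediately on the `default` branch; it exercises the 32-worker constructor argument but not concurrent loading. Building two or more test packages (as the "multiple Go packages" test below does) and passing both paths to `customAnalyzer.Process` with concurrency above 1 would cover the worker path, ideally run under `-race`. A second case that passes `0` for concurrency would pin the behaviour for out-of-range values.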
@@ -262,7 +285,7 @@
                        // overwrite nosec option
                        nosecIgnoreConfig := gosec.NewConfig()
                        nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
-                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, 1, logger)
                        customAnalyzer.LoadRules(rules.Generate(false, 
rules.NewRuleFilter(false, "G401")).RulesInfo())
 
                        nosecPackage := testutils.NewTestPackage()
@@ -286,7 +309,7 @@
                        nosecIgnoreConfig := gosec.NewConfig()
                        nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
                        nosecIgnoreConfig.SetGlobal(gosec.ShowIgnored, "true")
-                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, 1, logger)
                        customAnalyzer.LoadRules(rules.Generate(false, 
rules.NewRuleFilter(false, "G401")).RulesInfo())
 
                        nosecPackage := testutils.NewTestPackage()
@@ -379,7 +402,7 @@
                        // overwrite nosec option
                        nosecIgnoreConfig := gosec.NewConfig()
                        nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, 
"#falsePositive")
-                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, 1, logger)
                        customAnalyzer.LoadRules(rules.Generate(false, 
rules.NewRuleFilter(false, "G401")).RulesInfo())
 
                        nosecPackage := testutils.NewTestPackage()
@@ -402,7 +425,7 @@
                        // overwrite nosec option
                        nosecIgnoreConfig := gosec.NewConfig()
                        nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, 
"#falsePositive")
-                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, 
tests, false, false, 1, logger)
                        customAnalyzer.LoadRules(rules.Generate(false, 
rules.NewRuleFilter(false, "G401")).RulesInfo())
 
                        nosecPackage := testutils.NewTestPackage()
@@ -418,7 +441,7 @@
                })
 
                It("should be able to analyze Go test package", func() {
-                       customAnalyzer := gosec.NewAnalyzer(nil, true, false, 
false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nil, true, false, 
false, 1, logger)
                        
customAnalyzer.LoadRules(rules.Generate(false).RulesInfo())
                        pkg := testutils.NewTestPackage()
                        defer pkg.Close()
@@ -443,7 +466,7 @@
                        Expect(issues).Should(HaveLen(1))
                })
                It("should be able to scan generated files if NOT excluded", 
func() {
-                       customAnalyzer := gosec.NewAnalyzer(nil, true, false, 
false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nil, true, false, 
false, 1, logger)
                        
customAnalyzer.LoadRules(rules.Generate(false).RulesInfo())
                        pkg := testutils.NewTestPackage()
                        defer pkg.Close()
@@ -464,7 +487,7 @@
                        Expect(issues).Should(HaveLen(1))
                })
                It("should be able to skip generated files if excluded", func() 
{
-                       customAnalyzer := gosec.NewAnalyzer(nil, true, true, 
false, logger)
+                       customAnalyzer := gosec.NewAnalyzer(nil, true, true, 
false, 1, logger)
                        
customAnalyzer.LoadRules(rules.Generate(false).RulesInfo())
                        pkg := testutils.NewTestPackage()
                        defer pkg.Close()
@@ -671,7 +694,7 @@
 
        Context("when tracking suppressions", func() {
                BeforeEach(func() {
-                       analyzer = gosec.NewAnalyzer(nil, tests, false, true, 
logger)
+                       analyzer = gosec.NewAnalyzer(nil, tests, false, true, 
1, logger)
                })
 
                It("should not report an error if the violation is suppressed", 
func() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/cmd/gosec/main.go 
new/gosec-2.10.0/cmd/gosec/main.go
--- old/gosec-2.9.6/cmd/gosec/main.go   2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/cmd/gosec/main.go  2022-02-22 21:33:42.000000000 +0100
@@ -20,6 +20,7 @@
        "io/ioutil"
        "log"
        "os"
+       "runtime"
        "sort"
        "strings"
 
@@ -114,6 +115,9 @@
        // fail by confidence
        flagConfidence = flag.String("confidence", "low", "Filter out the 
issues with a lower confidence than the given value. Valid options are: low, 
medium, high")
 
+       // concurrency value
+       flagConcurrency = flag.Int("concurrency", runtime.NumCPU(), 
"Concurrency value")
+
        // do not fail
        flagNoFail = flag.Bool("no-fail", false, "Do not fail the scanning, 
even if issues were found")
 
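Review bot: The help text `"Concurrency value"` does not say what is parallelized or what range is accepted; in the analyzer hunk only package loading runs in the worker pool while `gosec.Check` still runs sequentially, so something like `flagConcurrency = flag.Int("concurrency", runtime.NumCPU(), "Number of packages to load in parallel (minimum 1)")` tells the user what the knob does. The `// concurrency value` comment above it only repeats the name; the same wording there would be more useful.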
@@ -371,7 +375,7 @@
        }
 
        // Create the analyzer
-       analyzer := gosec.NewAnalyzer(config, *flagScanTests, 
*flagExcludeGenerated, *flagTrackSuppressions, logger)
+       analyzer := gosec.NewAnalyzer(config, *flagScanTests, 
*flagExcludeGenerated, *flagTrackSuppressions, *flagConcurrency, logger)
        analyzer.LoadRules(ruleList.RulesInfo())
 
        excludedDirs := gosec.ExcludedDirsRegExp(flagDirsExclude)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/cosign.pub new/gosec-2.10.0/cosign.pub
--- old/gosec-2.9.6/cosign.pub  1970-01-01 01:00:00.000000000 +0100
+++ new/gosec-2.10.0/cosign.pub 2022-02-22 21:33:42.000000000 +0100
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
+O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
+-----END PUBLIC KEY-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/go.mod new/gosec-2.10.0/go.mod
--- old/gosec-2.9.6/go.mod      2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/go.mod     2022-02-22 21:33:42.000000000 +0100
@@ -6,12 +6,12 @@
        github.com/lib/pq v1.10.4
        github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
        github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
-       github.com/onsi/ginkgo/v2 v2.0.0
-       github.com/onsi/gomega v1.17.0
-       golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce
+       github.com/onsi/ginkgo/v2 v2.1.3
+       github.com/onsi/gomega v1.18.1
+       golang.org/x/crypto v0.0.0-20220214200702-86341886e292
        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
        golang.org/x/text v0.3.7
-       golang.org/x/tools v0.1.8
+       golang.org/x/tools v0.1.9
        gopkg.in/yaml.v2 v2.4.0
 )
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/go.sum new/gosec-2.10.0/go.sum
--- old/gosec-2.9.6/go.sum      2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/go.sum     2022-02-22 21:33:42.000000000 +0100
@@ -89,7 +89,6 @@
 github.com/fatih/color v1.7.0/go.mod 
h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.10.0/go.mod 
h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fsnotify/fsnotify v1.4.7/go.mod 
h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 
h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod 
h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod 
h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -258,7 +257,6 @@
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod 
h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8=
 github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod 
h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ=
 github.com/nxadm/tail v1.4.4/go.mod 
h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod 
h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/olekukonko/tablewriter v0.0.1/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -268,12 +266,14 @@
 github.com/onsi/ginkgo v1.12.1/go.mod 
h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
 github.com/onsi/ginkgo v1.16.4/go.mod 
h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo/v2 v2.0.0 
h1:CcuG/HvWNkkaqCUpJifQY8z7qEMBJya6aLPx6ftGyjQ=
 github.com/onsi/ginkgo/v2 v2.0.0/go.mod 
h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
+github.com/onsi/ginkgo/v2 v2.1.3 
h1:e/3Cwtogj0HA+25nMP1jCMDIf8RtRYbGwGGuBIFztkc=
+github.com/onsi/ginkgo/v2 v2.1.3/go.mod 
h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/gomega v1.7.1/go.mod 
h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod 
h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod 
h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
+github.com/onsi/gomega v1.18.1/go.mod 
h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/opentracing/opentracing-go v1.1.0/go.mod 
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.2.0/go.mod 
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod 
h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -376,8 +376,8 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce 
h1:Roh6XWxHFKrPgC/EQhVubSAGQ6Ozk6IdxHSzt1mR0EI=
-golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292 
h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -515,8 +515,9 @@
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 
h1:id054HUawV2/6IGm2IV8KZQjqtwAOo2CYlOToYqa0d0=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e 
h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod 
h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 
h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -580,8 +581,8 @@
 golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
-golang.org/x/tools v0.1.8/go.mod 
h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.9 h1:j9KsMiaP1c3B0OTQGth0/k+miLGTgLsAFUCrF2vLcF8=
+golang.org/x/tools v0.1.9/go.mod 
h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -679,7 +680,6 @@
 gopkg.in/fsnotify.v1 v1.4.7/go.mod 
h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/resty.v1 v1.12.0/go.mod 
h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 
h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod 
h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2/go.mod 
h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod 
h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/report/html/writer.go 
new/gosec-2.10.0/report/html/writer.go
--- old/gosec-2.9.6/report/html/writer.go       2022-01-17 13:50:37.000000000 
+0100
+++ new/gosec-2.10.0/report/html/writer.go      2022-02-22 21:33:42.000000000 
+0100
@@ -1,7 +1,6 @@
 package html
 
 import (
-
        // use go embed to import template
        _ "embed"
        "html/template"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/report/sarif/formatter.go 
new/gosec-2.10.0/report/sarif/formatter.go
--- old/gosec-2.9.6/report/sarif/formatter.go   2022-01-17 13:50:37.000000000 
+0100
+++ new/gosec-2.10.0/report/sarif/formatter.go  2022-02-22 21:33:42.000000000 
+0100
@@ -71,9 +71,14 @@
 
 // parseSarifRule return SARIF rule field struct
 func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
+       cwe := gosec.GetCweByRule(issue.RuleID)
+       name := issue.RuleID
+       if cwe != nil {
+               name = cwe.Name
+       }
        return &ReportingDescriptor{
                ID:               issue.RuleID,
-               Name:             issue.What,
+               Name:             name,
                ShortDescription: NewMultiformatMessageString(issue.What),
                FullDescription:  NewMultiformatMessageString(issue.What),
                Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: 
%s\nConfidence: %s\n",
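Review bot: The CWE name replaces the rule-specific `issue.What` as the SARIF rule `Name`, and rules that map to the same CWE will now share one name, so the intent that `ID` remains the unique key deserves a comment, e.g. `// Use the CWE name as the rule name so SARIF consumers group findings by weakness; fall back to the rule ID when no CWE is mapped.` The issue already carries a `Cwe` field (the sarif_test hunk sets `Cwe: cwe`), so `cwe := issue.Cwe` would avoid a second lookup — assuming every caller populates it, which this hunk does not show.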
@@ -183,7 +188,24 @@
        if err != nil {
                return nil, err
        }
-       snippet := NewArtifactContent(issue.Code)
+       var code string
+       line := startLine
+       codeLines := strings.Split(issue.Code, "\n")
+       for _, codeLine := range codeLines {
+               lineStart := fmt.Sprintf("%d:", line)
+               if strings.HasPrefix(codeLine, lineStart) {
+                       code += strings.TrimSpace(
+                               strings.TrimPrefix(codeLine, lineStart))
+                       if endLine > startLine {
+                               code += "\n"
+                       }
+                       line++
+                       if line > endLine {
+                               break
+                       }
+               }
+       }
+       snippet := NewArtifactContent(code)
        return NewRegion(startLine, endLine, col, col, 
"go").WithSnippet(snippet), nil
 }
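Review bot: When none of the lines in `issue.Code` carry the expected `N:` prefix, `code` stays empty and the region snippet is emitted blank, whereas the old code always passed `issue.Code` through; a fallback after the loop, `if code == "" { code = issue.Code }`, keeps the snippet from silently disappearing on an unexpected format. `code += ...` inside the loop allocates on every iteration; a `strings.Builder` with `WriteString` (`strings` is already in scope here) is the idiomatic form. The loop depends on `startLine`/`endLine` parsed earlier in the function, which begins outside this hunk, so the contract should be stated on the `var code string` line, e.g. `// issue.Code holds one "N: <source>" entry per source line; keep only lines startLine..endLine, stripped of the prefix and surrounding whitespace`.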
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/report/sarif/sarif_test.go 
new/gosec-2.10.0/report/sarif/sarif_test.go
--- old/gosec-2.9.6/report/sarif/sarif_test.go  2022-01-17 13:50:37.000000000 
+0100
+++ new/gosec-2.10.0/report/sarif/sarif_test.go 2022-02-22 21:33:42.000000000 
+0100
@@ -56,5 +56,59 @@
                        hasSuppressions, _ := 
regexp.MatchString(`"suppressions": \[(\s*){`, result)
                        Expect(hasSuppressions).To(BeTrue())
                })
+               It("sarif formatted report should contain the formatted one 
line code snippet", func() {
+                       ruleID := "G101"
+                       cwe := gosec.GetCweByRule(ruleID)
+                       code := "68: \t\t}\n69: \t\tvar data = 
template.HTML(v.TmplFile)\n70: \t\tisTmpl := true\n"
+                       expectedCode := "var data = template.HTML(v.TmplFile)"
+                       issue := gosec.Issue{
+                               File:       "/home/src/project/test.go",
+                               Line:       "69",
+                               Col:        "14",
+                               RuleID:     ruleID,
+                               What:       "test",
+                               Confidence: gosec.High,
+                               Severity:   gosec.High,
+                               Code:       code,
+                               Cwe:        cwe,
+                               Suppressions: []gosec.SuppressionInfo{
+                                       {
+                                               Kind:          "kind",
+                                               Justification: "justification",
+                                       },
+                               },
+                       }
+                       reportInfo := 
gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, 
map[string][]gosec.Error{}).WithVersion("v2.7.0")
+                       sarifReport, err := sarif.GenerateReport([]string{}, 
reportInfo)
+                       Expect(err).ShouldNot(HaveOccurred())
+                       
Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
+               })
+               It("sarif formatted report should contain the formatted 
multiple line code snippet", func() {
+                       ruleID := "G101"
+                       cwe := gosec.GetCweByRule(ruleID)
+                       code := "68: }\n69: var data = 
template.HTML(v.TmplFile)\n70: isTmpl := true\n"
+                       expectedCode := "var data = 
template.HTML(v.TmplFile)\nisTmpl := true\n"
+                       issue := gosec.Issue{
+                               File:       "/home/src/project/test.go",
+                               Line:       "69-70",
+                               Col:        "14",
+                               RuleID:     ruleID,
+                               What:       "test",
+                               Confidence: gosec.High,
+                               Severity:   gosec.High,
+                               Code:       code,
+                               Cwe:        cwe,
+                               Suppressions: []gosec.SuppressionInfo{
+                                       {
+                                               Kind:          "kind",
+                                               Justification: "justification",
+                                       },
+                               },
+                       }
+                       reportInfo := 
gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, 
map[string][]gosec.Error{}).WithVersion("v2.7.0")
+                       sarifReport, err := sarif.GenerateReport([]string{}, 
reportInfo)
+                       Expect(err).ShouldNot(HaveOccurred())
+                       
Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
+               })
        })
 })
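Review bot: The two new `It` blocks repeat the whole gosec.Issue literal and report setup and differ only in `Line`, `Code` and `expectedCode`; a small helper such as `newSnippetIssue(line, code string) gosec.Issue` (constructed name) or a table of (line, code, expected) entries driven by one loop would make what each case checks visible at a glance. The multi-line case also pins a trailing newline on the snippet (`"...\nisTmpl := true\n"`); if that trailing newline is deliberate, a short comment on the expectation would save the next reader from "fixing" it.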
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/report/text/writer.go 
new/gosec-2.10.0/report/text/writer.go
--- old/gosec-2.9.6/report/text/writer.go       2022-01-17 13:50:37.000000000 
+0100
+++ new/gosec-2.10.0/report/text/writer.go      2022-02-22 21:33:42.000000000 
+0100
@@ -3,9 +3,7 @@
 import (
        "bufio"
        "bytes"
-
-       // use go embed to import template
-       _ "embed"
+       _ "embed" // use go embed to import template
        "fmt"
        "io"
        "strconv"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/rules/rules_test.go 
new/gosec-2.10.0/rules/rules_test.go
--- old/gosec-2.9.6/rules/rules_test.go 2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/rules/rules_test.go        2022-02-22 21:33:42.000000000 
+0100
@@ -24,7 +24,7 @@
        BeforeEach(func() {
                logger, _ = testutils.NewLogger()
                config = gosec.NewConfig()
-               analyzer = gosec.NewAnalyzer(config, tests, false, false, 
logger)
+               analyzer = gosec.NewAnalyzer(config, tests, false, false, 1, 
logger)
                runner = func(rule string, samples []testutils.CodeSample) {
                        for n, sample := range samples {
                                analyzer.Reset()
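Review bot: The new positional literal `1` in the NewAnalyzer call gives no hint of what it configures — from the changelog it appears to be the new concurrency option — and a reader of this test cannot tell whether 1 means serial or a worker count. Name it, e.g. `concurrency := 1` above the call, or annotate inline: `analyzer = gosec.NewAnalyzer(config, tests, false, false, 1 /* concurrency */, logger)`.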
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/rules/tls.go 
new/gosec-2.10.0/rules/tls.go
--- old/gosec-2.9.6/rules/tls.go        2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/rules/tls.go       2022-02-22 21:33:42.000000000 +0100
@@ -88,7 +88,16 @@
 
                case "MinVersion":
                        if d, ok := n.Value.(*ast.Ident); ok {
-                               if vs, ok := d.Obj.Decl.(*ast.ValueSpec); ok && 
len(vs.Values) > 0 {
+                               obj := d.Obj
+                               if obj == nil {
+                                       for _, f := range c.PkgFiles {
+                                               obj = f.Scope.Lookup(d.Name)
+                                               if obj != nil {
+                                                       break
+                                               }
+                                       }
+                               }
+                               if vs, ok := obj.Decl.(*ast.ValueSpec); ok && 
len(vs.Values) > 0 {
                                        if s, ok := 
vs.Values[0].(*ast.SelectorExpr); ok {
                                                x := s.X.(*ast.Ident).Name
                                                sel := s.Sel.Name
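Review bot: `obj` can still be nil after the new lookup loop over `c.PkgFiles` — when `d.Obj` is nil and no file scope in the package declares `d.Name` (an identifier reached through a dot-import, or one the parser did not resolve) — and `obj.Decl` on the next line then dereferences a nil pointer, which panics the whole scan instead of skipping this check. Guard before the type assertion, `if obj == nil { break }`, or whichever exit the enclosing function uses; the function starts and ends outside the hunk. `f.Scope` is only populated when the parser performed object resolution, so if files can reach this path without it, `f.Scope.Lookup` fails the same way and deserves a nil check too. The sample added in testutils/source.go covers the declared-in-another-file case but not the not-found case.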
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.9.6/testutils/source.go 
new/gosec-2.10.0/testutils/source.go
--- old/gosec-2.9.6/testutils/source.go 2022-01-17 13:50:37.000000000 +0100
+++ new/gosec-2.10.0/testutils/source.go        2022-02-22 21:33:42.000000000 
+0100
@@ -2838,6 +2838,27 @@
    return &tls.Config{MinVersion: 0x0304}
 }
 `}, 1, gosec.NewConfig()},
+               {[]string{`
+package main
+
+import (
+       "crypto/tls"
+       "fmt"
+)
+
+func main() {
+       cfg := tls.Config{
+               MinVersion: MinVer,
+       }
+       fmt.Println("tls min version", cfg.MinVersion)
+}
+`, `
+package main
+
+import "crypto/tls"
+
+const MinVer = tls.VersionTLS13
+`}, 0, gosec.NewConfig()},
        }
 
        // SampleCodeG403 - weak key strength

++++++ vendor.tar.gz ++++++
++++ 9854 lines of diff (skipped)
