Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2022-08-23 14:29:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Tue Aug 23 14:29:35 2022 rev:5 rq:998691 version:2.13.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2022-06-23 
10:24:00.875723312 +0200
+++ /work/SRC/openSUSE:Factory/.gosec.new.2083/gosec.changes    2022-08-23 
14:29:44.923625388 +0200
@@ -2 +2 @@
-Tue Jun 21 03:00:17 UTC 2022 - Jeff Kowalczyk <jkowalc...@suse.com>
+Mon Aug 22 08:47:01 UTC 2022 - Felix Niederwanger <felix.niederwan...@suse.com>
@@ -4,2 +4 @@
-- Enable _service tar_scm changelog automation
-- Commit _servicedata to support tar_scm changelog automation
+* Update to version 2.13.1
@@ -7,2 +6,44 @@
--------------------------------------------------------------------
-Wed Jun 15 06:40:28 UTC 2022 - Felix Niederwanger <felix.niederwan...@suse.com>
+- fix: make sure that nil Cwe pointer is handled when getting the CWE ID
+- test: remove white spaces from template
+- fix: handle nil CWE pointer in text template
+
+* Update to version 2.13.0
+
+- chore(deps): update dependency babel-standalone to v7
+- chore: update module go to 1.19
+- chore: fix lint warnings
+- chore: add support for Go 1.19
+- fix: parsing of the Go version (#844)
+- Detect use of net/http functions that have no support for setting timeouts 
(#842)
+- Refactor SQL rules for better extensibility (#841)
+- chore(deps): update module golang.org/x/tools to v0.1.12 (#840)
+- Fix lint warning
+- Check the suppressed issues when generating the exit code
+- Fix for G402. Check package path instead of package name (#838)
+- fix G204 bugs (#835)
+- Phase out support for Go 1.16 since is not supported anymore by Go team 
(#837)
+- chore(deps): update all dependencies (#836)
+- chore(deps): update dependency highlight.js to v11.6.0 (#830)
+- fix: filepaths with git anywhere in them being erroneously excluded (#828)
+- Fix wrong location for G109 (#829)
+- chore(deps): update golang.org/x/crypto digest to 0559593 (#826)
+- fix ReadTimeout for G112 rule
+- Pin cosign-installer to v2 (#824)
+
+* Update to version 2.12.0
+
+- chore(deps): update all dependencies (#822)
+- Add check for usage of Rat.SetString in math/big with an overflow error 
(#819)
+- Remove additional --update for apk in Dockerfile (#818)
+- Update x/tools to pick up fix for golang/go#51629 (#817)
+- chore(deps): update all dependencies (#816)
+- chore(deps): update all dependencies (#812)
+- chore(deps): update all dependencies (#811)
+- Add new rule for Slowloris Attack
+- Fix the dependencies after renovate upate (#806)
+- chore(deps): update all dependencies (#805)
+- Update the description message of template rule (#803)
+- Fix typo in ReadMe (#802)
+- Fix build after renovate update (#800)
+- Fix use rule IDs to retrieve the rule config
+- chore(deps): update all dependencies (#796)
@@ -10,16 +50,0 @@
-- Update to version 2.12.0:
-  * chore(deps): update all dependencies (#822)
-  * Add check for usage of Rat.SetString in math/big with an overflow error 
(#819)
-  * Remove additional `--update` for apk in Dockerfile (#818)
-  * Update x/tools to pick up fix for golang/go#51629 (#817)
-  * chore(deps): update all dependencies (#816)
-  * chore(deps): update all dependencies (#812)
-  * chore(deps): update all dependencies (#811)
-  * Add new rule for Slowloris Attack
-  * Fix the dependencies after renovate upate (#806)
-  * chore(deps): update all dependencies (#805)
-  * Update the description message of template rule (#803)
-  * Fix typo in ReadMe (#802)
-  * Fix build after renovate update (#800)
-  * Fix use rule IDs to retrieve the rule config
-  * chore(deps): update all dependencies (#796)

Old:
----
  _servicedata
  gosec-2.12.0.tar.gz

New:
----
  gosec-2.13.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.juGEiC/_old  2022-08-23 14:29:45.663626934 +0200
+++ /var/tmp/diff_new_pack.juGEiC/_new  2022-08-23 14:29:45.671626951 +0200
@@ -17,15 +17,15 @@
 
 
 Name:           gosec
-Version:        2.12.0
+Version:        2.13.1
 Release:        0
 Summary:        Golang security checker
 License:        Apache-2.0
 URL:            https://github.com/securego/gosec
 Source:         gosec-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  go >= 1.16
 BuildRequires:  golang-packaging
+BuildRequires:  go >= 1.16
 %{go_nostrip}
 
 %description
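Review bot: `BuildRequires:  go >= 1.16` is carried over unchanged (only moved below `golang-packaging`), although this same update drops 1.16 from the upstream CI matrix and moves `go.mod` to `go 1.19`. The spec therefore still permits a build with a toolchain that upstream no longer tests. Raising it to `BuildRequires:  go >= 1.19`, or at least to 1.17 as the oldest entry left in the CI matrix, would keep the package build in line with what upstream verifies.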

++++++ _service ++++++
--- /var/tmp/diff_new_pack.juGEiC/_old  2022-08-23 14:29:45.715627043 +0200
+++ /var/tmp/diff_new_pack.juGEiC/_new  2022-08-23 14:29:45.719627052 +0200
@@ -2,10 +2,9 @@
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/securego/gosec.git</param>
     <param name="scm">git</param>
-    <param name="exclude">.git</param>
-    <param name="revision">v2.12.0</param>
+    <param name="revision">master</param>
+    <param name="version">v2.13.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">enable</param>
        <param name="versionrewrite-pattern">v(.*)</param>
   </service>
   <service name="set_version" mode="disabled"/>
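Review bot: `<param name="revision">master</param>` makes the fetch follow a moving branch while `version` and the tarball name claim `v2.13.1`, so re-running the service later can yield a source archive that is not the tagged release. The service is `mode="disabled"`, so this only applies to a manual run, but the packaged source should be reproducible from the file alone. Pinning the tag again, `<param name="revision">v2.13.1</param>`, keeps the fetched commit and the declared version tied together. The same hunk drops `<param name="exclude">.git</param>`; whether the generated tarball then carries repository metadata is not visible here and is worth checking.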

++++++ gosec-2.12.0.tar.gz -> gosec-2.13.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/.github/workflows/ci.yml 
new/gosec-2.13.1/.github/workflows/ci.yml
--- old/gosec-2.12.0/.github/workflows/ci.yml   2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/.github/workflows/ci.yml   2022-08-22 10:23:10.000000000 
+0200
@@ -11,9 +11,9 @@
     strategy:
       matrix:
         go_version:
-          - '1.16'
           - '1.17'
           - '1.18'
+          - '1.19'
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
@@ -45,7 +45,7 @@
       - name: Setup go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.18'
+          go-version: '1.19'
       - name: Checkout Source 
         uses: actions/checkout@v3
       - uses: actions/cache@v3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/.github/workflows/release.yml 
new/gosec-2.13.1/.github/workflows/release.yml
--- old/gosec-2.12.0/.github/workflows/release.yml      2022-06-13 
19:48:12.000000000 +0200
+++ new/gosec-2.13.1/.github/workflows/release.yml      2022-08-22 
10:23:10.000000000 +0200
@@ -10,16 +10,16 @@
       GO111MODULE: on
       ACTIONS_ALLOW_UNSECURE_COMMANDS: true
     steps:
-      - name: Checkout Source 
+      - name: Checkout Source
         uses: actions/checkout@v3
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Install Cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@v2
         with:
           cosign-release: 'v1.6.0'
       - name: Store Cosign private key in a file
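Review bot: `sigstore/cosign-installer@v2` is still a movable tag: it narrows the exposure compared with `@main`, but the action runs in the same job that next writes the Cosign private key to a file, so whatever the tag points at executes next to the signing key. Pinning to a full commit SHA with the tag kept as a comment, `uses: sigstore/cosign-installer@<full-commit-sha> # v2`, removes that dependency on the tag; the other `uses:` lines in this workflow deserve the same treatment. `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` in the context lines is also worth revisiting. The rest of the job lies outside this hunk.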
@@ -66,7 +66,7 @@
           tags: ${{steps.meta.outputs.tags}}
           labels: ${{steps.meta.outputs.labels}}
           push: true
-          build-args: GO_VERSION=1.18
+          build-args: GO_VERSION=1.19
       - name: Sign Docker Image
         run: cosign sign -key /tmp/cosign.key ${TAGS}
         env:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/README.md new/gosec-2.13.1/README.md
--- old/gosec-2.12.0/README.md  2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/README.md  2022-08-22 10:23:10.000000000 +0200
@@ -146,6 +146,7 @@
 - G111: Potential directory traversal
 - G112: Potential slowloris attack
 - G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
+- G114: Use of net/http serve function that has no support for setting timeouts
 - G201: SQL query construction using format string
 - G202: SQL query construction using string concatenation
 - G203: Use of unescaped data in HTML templates
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/analyzer_test.go 
new/gosec-2.13.1/analyzer_test.go
--- old/gosec-2.12.0/analyzer_test.go   2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/analyzer_test.go   2022-08-22 10:23:10.000000000 +0200
@@ -2,7 +2,6 @@
 
 import (
        "errors"
-       "io/ioutil"
        "log"
        "os"
        "strings"
@@ -30,7 +29,7 @@
        Context("when processing a package", func() {
                It("should not report an error if the package contains no Go 
files", func() {
                        analyzer.LoadRules(rules.Generate(false).RulesInfo())
-                       dir, err := ioutil.TempDir("", "empty")
+                       dir, err := os.MkdirTemp("", "empty")
                        defer os.RemoveAll(dir)
                        Expect(err).ShouldNot(HaveOccurred())
                        err = analyzer.Process(buildTags, dir)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/cmd/gosec/main.go 
new/gosec-2.13.1/cmd/gosec/main.go
--- old/gosec-2.12.0/cmd/gosec/main.go  2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/cmd/gosec/main.go  2022-08-22 10:23:10.000000000 +0200
@@ -17,7 +17,7 @@
 import (
        "flag"
        "fmt"
-       "io/ioutil"
+       "io"
        "log"
        "os"
        "runtime"
@@ -71,7 +71,7 @@
 }
 
 var (
-       //#nosec flag
+       // #nosec flag
        flagIgnoreNoSec = flag.Bool("nosec", false, "Ignores #nosec comments 
when set")
 
        // show ignored
@@ -80,7 +80,7 @@
        // format output
        flagFormat = flag.String("fmt", "text", "Set output format. Valid 
options are: json, yaml, csv, junit-xml, html, sonarqube, golint, sarif or 
text")
 
-       //#nosec alternative tag
+       // #nosec alternative tag
        flagAlternativeNoSec = flag.String("nosec-tag", "", "Set an alternative 
string for #nosec. Some examples: #dontanalyze, #falsepositive")
 
        // output file
@@ -148,7 +148,7 @@
        logger *log.Logger
 )
 
-//#nosec
+// #nosec
 func usage() {
        usageText := fmt.Sprintf(usageText, Version, GitTag, BuildDate)
        fmt.Fprintln(os.Stderr, usageText)
@@ -173,12 +173,12 @@
 func loadConfig(configFile string) (gosec.Config, error) {
        config := gosec.NewConfig()
        if configFile != "" {
-               //#nosec
+               // #nosec
                file, err := os.Open(configFile)
                if err != nil {
                        return nil, err
                }
-               defer file.Close() //#nosec G307
+               defer file.Close() // #nosec G307
                if _, err := config.ReadFrom(file); err != nil {
                        return nil, err
                }
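Review bot: The bare `// #nosec` above `os.Open(configFile)` names no rule, unlike the `// #nosec G307` two lines below it, so it suppresses every check on that statement rather than the one that was reviewed. Since these comments are being touched anyway, give each a rule ID and a reason, for example `// #nosec G304 -- configFile is supplied by the operator on the command line`. The same applies to the bare `// #nosec` on `usage()`, on the `fmt.Fprintf(os.Stderr, ...)` usage error and on `logWriter.Close()` in the other hunks of this file. `loadConfig` continues past the end of this hunk.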
@@ -253,11 +253,11 @@
 }
 
 func saveReport(filename, format string, rootPaths []string, reportInfo 
*gosec.ReportInfo) error {
-       outfile, err := os.Create(filename) //#nosec G304
+       outfile, err := os.Create(filename) // #nosec G304
        if err != nil {
                return err
        }
-       defer outfile.Close() //#nosec G307
+       defer outfile.Close() // #nosec G307
        err = report.CreateReport(outfile, format, false, rootPaths, reportInfo)
        if err != nil {
                return err
@@ -293,6 +293,19 @@
        return result, trueIssues
 }
 
+func exit(issues []*gosec.Issue, errors map[string][]gosec.Error, noFail bool) 
{
+       nsi := 0
+       for _, issue := range issues {
+               if len(issue.Suppressions) == 0 {
+                       nsi++
+               }
+       }
+       if (nsi > 0 || len(errors) > 0) && !noFail {
+               os.Exit(1)
+       }
+       os.Exit(0)
+}
+
 func main() {
        // Makes sure some version information is set
        prepareVersionInfo()
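Review bot: The new `exit` helper has no doc comment, although it changes what the exit status means: an issue with a non-empty `Suppressions` list no longer counts, so the status now depends on suppressions carried by the scanned code. A comment such as `// exit ends the process with status 1 if any issue without suppressions or any error remains and noFail is false, and with status 0 otherwise.` would record that. The helper also always ends in `os.Exit(0)`, where the replaced code let `main` return, so any deferred calls in `main` (not visible in this diff) are skipped on the success path; dropping the final `os.Exit(0)` keeps the old behaviour. The counter `nsi` would read better as `unsuppressed`.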
@@ -306,9 +319,9 @@
        if err != nil {
                fmt.Fprintf(os.Stderr, "\nError: failed to exclude the %q 
directory from scan", "vendor")
        }
-       err = flag.Set("exclude-dir", ".git")
+       err = flag.Set("exclude-dir", "\\.git/")
        if err != nil {
-               fmt.Fprintf(os.Stderr, "\nError: failed to exclude the %q 
directory from scan", ".git")
+               fmt.Fprintf(os.Stderr, "\nError: failed to exclude the %q 
directory from scan", "\\.git/")
        }
 
        // set for exclude
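Review bot: The default passed to `flag.Set("exclude-dir", ...)` is now a regular-expression fragment (`\\.git/`) rather than a directory name, but nothing at the call says so, and the pattern is bounded only on its right side. If it is applied unanchored (the matching code is outside this diff), a directory such as `vendor.git/` is still skipped, and skipped paths are never scanned. I would add `// exclude-dir takes a regular expression; match only the ".git/" path component` above the call and consider `(^|/)\\.git/` for the literal, after checking how separators are normalised. The error branch only prints and carries on, so a failed exclusion is easy to miss.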
@@ -324,7 +337,7 @@
 
        // Ensure at least one file was specified or that the recursive -r flag 
was set.
        if flag.NArg() == 0 && !*flagRecursive {
-               fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' or 
-r expected\n") //#nosec
+               fmt.Fprintf(os.Stderr, "\nError: FILE [FILE...] or './...' or 
-r expected\n") // #nosec
                flag.Usage()
                os.Exit(1)
        }
@@ -341,7 +354,7 @@
        }
 
        if *flagQuiet {
-               logger = log.New(ioutil.Discard, "", 0)
+               logger = log.New(io.Discard, "", 0)
        } else {
                logger = log.New(logWriter, "[gosec] ", log.LstdFlags)
        }
@@ -447,10 +460,7 @@
        }
 
        // Finalize logging
-       logWriter.Close() //#nosec
+       logWriter.Close() // #nosec
 
-       // Do we have an issue? If so exit 1 unless NoFail is set
-       if (len(issues) > 0 || len(errors) > 0) && !*flagNoFail {
-               os.Exit(1)
-       }
+       exit(issues, errors, *flagNoFail)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/cmd/tlsconfig/tlsconfig.go 
new/gosec-2.13.1/cmd/tlsconfig/tlsconfig.go
--- old/gosec-2.12.0/cmd/tlsconfig/tlsconfig.go 2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/cmd/tlsconfig/tlsconfig.go 2022-08-22 10:23:10.000000000 
+0200
@@ -7,9 +7,9 @@
        "flag"
        "fmt"
        "go/format"
-       "io/ioutil"
        "log"
        "net/http"
+       "os"
        "path/filepath"
 
        "github.com/mozilla/tls-observatory/constants"
@@ -187,7 +187,7 @@
        }
 
        outputPath := filepath.Join(dir, *outputFile)
-       if err := ioutil.WriteFile(outputPath, src, 0o644); err != nil {
+       if err := os.WriteFile(outputPath, src, 0o644); err != nil {
                log.Fatalf("Writing output: %s", err)
        } //#nosec G306
 }
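Review bot: The `//#nosec G306` belonging to the changed `os.WriteFile(outputPath, src, 0o644)` call sits on the closing brace of the `if`, and it keeps the unspaced form that the rest of this update rewrites to `// #nosec`. Whether a comment in that position still suppresses G306 for the call depends on how gosec attaches comments to nodes, which this diff does not show. Moving it onto the call line with a reason, `// #nosec G306 -- generated source file, meant to be world-readable`, makes the intent unambiguous. The enclosing function starts outside the hunk.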
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/config.go new/gosec-2.13.1/config.go
--- old/gosec-2.12.0/config.go  2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/config.go  2022-08-22 10:23:10.000000000 +0200
@@ -5,7 +5,6 @@
        "encoding/json"
        "fmt"
        "io"
-       "io/ioutil"
 )
 
 const (
@@ -64,7 +63,7 @@
 // should be used with io.Reader to load configuration from
 // file or from string etc.
 func (c Config) ReadFrom(r io.Reader) (int64, error) {
-       data, err := ioutil.ReadAll(r)
+       data, err := io.ReadAll(r)
        if err != nil {
                return int64(len(data)), err
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/cwe/types.go 
new/gosec-2.13.1/cwe/types.go
--- old/gosec-2.12.0/cwe/types.go       2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/cwe/types.go       2022-08-22 10:23:10.000000000 +0200
@@ -19,7 +19,11 @@
 
 // SprintID format the CWE ID
 func (w *Weakness) SprintID() string {
-       return fmt.Sprintf("%s-%s", Acronym, w.ID)
+       id := "0000"
+       if w != nil {
+               id = w.ID
+       }
+       return fmt.Sprintf("%s-%s", Acronym, id)
 }
 
 // MarshalJSON print only id and URL
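Review bot: For a nil receiver `SprintID` now builds the result from the literal `"0000"`, which reads like a real weakness ID once it reaches a report or a downstream tool. The doc comment should state this, for example `// SprintID formats the CWE ID as "<Acronym>-<ID>"; a nil receiver yields the placeholder ID "0000".`, and the literal is better held in a named constant so report consumers can recognise it. `MarshalJSON` begins right after this hunk, and whether it guards a nil `*Weakness` in the same way is not visible here.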
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/go.mod new/gosec-2.13.1/go.mod
--- old/gosec-2.12.0/go.mod     2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/go.mod     2022-08-22 10:23:10.000000000 +0200
@@ -7,12 +7,21 @@
        github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
        github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
        github.com/onsi/ginkgo/v2 v2.1.4
-       github.com/onsi/gomega v1.19.0
-       golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
+       github.com/onsi/gomega v1.20.0
+       golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8
        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
        golang.org/x/text v0.3.7
-       golang.org/x/tools v0.1.11
+       golang.org/x/tools v0.1.12
        gopkg.in/yaml.v2 v2.4.0
 )
 
-go 1.16
+require (
+       github.com/google/go-cmp v0.5.8 // indirect
+       github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
+       golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+       golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+       golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+       gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+go 1.19
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/go.sum new/gosec-2.13.1/go.sum
--- old/gosec-2.12.0/go.sum     2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/go.sum     2022-08-22 10:23:10.000000000 +0200
@@ -89,7 +89,6 @@
 github.com/fatih/color v1.7.0/go.mod 
h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.10.0/go.mod 
h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fsnotify/fsnotify v1.4.7/go.mod 
h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod 
h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod 
h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -102,7 +101,6 @@
 github.com/go-redis/redis v6.15.8+incompatible/go.mod 
h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.5.0/go.mod 
h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod 
h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod 
h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gogo/protobuf v1.1.1/go.mod 
h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod 
h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.0/go.mod 
h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
@@ -133,9 +131,7 @@
 github.com/golang/protobuf v1.4.0/go.mod 
h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod 
h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod 
h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod 
h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2 
h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod 
h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/certificate-transparency-go v1.0.21/go.mod 
h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
@@ -146,7 +142,8 @@
 github.com/google/go-cmp v0.4.0/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod 
h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod 
h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod 
h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod 
h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -156,7 +153,6 @@
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200507031123-427632fa3b1c/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod 
h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/trillian v1.3.11/go.mod 
h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw=
 github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -187,7 +183,6 @@
 github.com/huandu/xstrings v1.0.0/go.mod 
h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
 github.com/huandu/xstrings v1.2.0/go.mod 
h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod 
h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod 
h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.4/go.mod 
h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod 
h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod 
h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -256,24 +251,16 @@
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 
h1:4kuARK6Y6FxaNu/BnU2OAaLF86eTVhP2hjTB6iMvItA=
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod 
h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8=
 github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod 
h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ=
-github.com/nxadm/tail v1.4.4/go.mod 
h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8/go.mod 
h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/olekukonko/tablewriter v0.0.1/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/olekukonko/tablewriter v0.0.2/go.mod 
h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
 github.com/onsi/ginkgo v1.6.0/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod 
h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
-github.com/onsi/ginkgo v1.16.4/go.mod 
h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo/v2 v2.1.3/go.mod 
h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/ginkgo/v2 v2.1.4 
h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
 github.com/onsi/ginkgo/v2 v2.1.4/go.mod 
h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU=
 github.com/onsi/gomega v1.7.1/go.mod 
h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod 
h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.17.0/go.mod 
h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
-github.com/onsi/gomega v1.19.0/go.mod 
h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
+github.com/onsi/gomega v1.20.0 h1:8W0cWlwFkflGPLltQvLRB7ZVD5HuP6ng320w2IS245Q=
+github.com/onsi/gomega v1.20.0/go.mod 
h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
 github.com/opentracing/opentracing-go v1.1.0/go.mod 
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.2.0/go.mod 
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod 
h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -325,7 +312,6 @@
 github.com/stretchr/testify v1.2.2/go.mod 
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod 
h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod 
h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod 
h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2 
h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
 github.com/stretchr/testify v1.7.2/go.mod 
h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
@@ -347,8 +333,6 @@
 github.com/yuin/goldmark v1.1.25/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.1/go.mod 
h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod 
h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k=
@@ -376,9 +360,8 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e 
h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 
h1:GIAS/yBem/gq2MUqgNIzUHW7cJMmx3TGZOrnyYaNQ6c=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -412,7 +395,6 @@
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod 
h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 
h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod 
h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -444,17 +426,11 @@
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod 
h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod 
h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f 
h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b 
h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod 
h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -469,8 +445,6 @@
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -488,13 +462,10 @@
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -514,25 +485,16 @@
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 
h1:OH54vjqzRWmbJ62fjuhxy7AxFFgoHN0/DPc/UrL8cAs=
-golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f 
h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod 
h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 
h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod 
h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -586,14 +548,11 @@
 golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.10/go.mod 
h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
-golang.org/x/tools v0.1.11 h1:loJ25fNOEhSXfHrpoGj91eCUThwdNX6u24rO1xnNteY=
-golang.org/x/tools v0.1.11/go.mod 
h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod 
h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod 
h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod 
h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod 
h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -672,9 +631,7 @@
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod 
h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod 
h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod 
h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod 
h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0 
h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
-google.golang.org/protobuf v1.26.0/go.mod 
h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 
h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod 
h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -696,7 +653,6 @@
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/helpers.go new/gosec-2.13.1/helpers.go
--- old/gosec-2.12.0/helpers.go 2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/helpers.go 2022-08-22 10:23:10.000000000 +0200
@@ -34,12 +34,15 @@
 // initialization only imports.
 //
 // Usage:
-//     node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read")
 //
+//     node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read")
 func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) 
(*ast.CallExpr, bool) {
        importedName, found := GetImportedName(pkg, c)
        if !found {
-               return nil, false
+               importedName, found = GetAliasedName(pkg, c)
+               if !found {
+                       return nil, false
+               }
        }
 
        if callExpr, ok := n.(*ast.CallExpr); ok {
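Review bot: The alias fallback in `MatchCallByPackage` runs only when `GetImportedName` reports the path as not found, so an aliased import is matched only if the import tracker leaves aliased paths out of `ctx.Imports.Imported`. The tracker is not visible in this diff; if it records every import in `Imported`, `importedName` stays the default package name and a call made through the alias goes unreported, a false negative for every rule built on this helper. Consider consulting the alias first, `importedName, found := GetAliasedName(pkg, c)` followed by `if !found { importedName, found = GetImportedName(pkg, c) }`, and add a test sample that uses an aliased import. The function body continues past the end of the hunk.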
@@ -245,7 +248,7 @@
 }
 
 // GetImportedName returns the name used for the package within the
-// code. It will resolve aliases and ignores initialization only imports.
+// code. It will ignore initialization only imports.
 func GetImportedName(path string, ctx *Context) (string, bool) {
        importName, imported := ctx.Imports.Imported[path]
        if !imported {
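Review bot: The doc comment on `GetImportedName` drops the alias sentence but does not say what now happens for aliased imports. The function is exported and its result changed (the alias lookup moves to `GetAliasedName` in the next hunk), so callers need that stated, e.g. `// It does not resolve aliases; see GetAliasedName.` In the next hunk the `GetImportPath` comment reads `context(including aliases)` and is missing a space. The function body continues outside this hunk.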
@@ -256,20 +259,39 @@
                return "", false
        }
 
-       if alias, ok := ctx.Imports.Aliased[path]; ok {
-               importName = alias
+       return importName, true
+}
+
+// GetAliasedName returns the aliased name used for the package within the
+// code. It will ignore initialization only imports.
+func GetAliasedName(path string, ctx *Context) (string, bool) {
+       importName, imported := ctx.Imports.Aliased[path]
+       if !imported {
+               return "", false
+       }
+
+       if _, initonly := ctx.Imports.InitOnly[path]; initonly {
+               return "", false
        }
+
        return importName, true
 }
 
 // GetImportPath resolves the full import path of an identifier based on
-// the imports in the current context.
+// the imports in the current context(including aliases).
 func GetImportPath(name string, ctx *Context) (string, bool) {
        for path := range ctx.Imports.Imported {
                if imported, ok := GetImportedName(path, ctx); ok && imported 
== name {
                        return path, true
                }
        }
+
+       for path := range ctx.Imports.Aliased {
+               if imported, ok := GetAliasedName(path, ctx); ok && imported == 
name {
+                       return path, true
+               }
+       }
+
        return "", false
 }
 
@@ -452,9 +474,25 @@
 
 // GoVersion returns parsed version of Go from runtime
 func GoVersion() (int, int, int) {
-       versionParts := strings.Split(runtime.Version(), ".")
-       major, _ := strconv.Atoi(versionParts[0][2:])
-       minor, _ := strconv.Atoi(versionParts[1])
-       build, _ := strconv.Atoi(versionParts[2])
+       return parseGoVersion(runtime.Version())
+}
+
+// parseGoVersion parses Go version.
+// example:
+// - go1.19rc2
+// - go1.19beta2
+// - go1.19.4
+// - go1.19
+func parseGoVersion(version string) (int, int, int) {
+       exp := regexp.MustCompile(`go(\d+).(\d+)(?:.(\d+))?.*`)
+       parts := exp.FindStringSubmatch(version)
+       if len(parts) <= 1 {
+               return 0, 0, 0
+       }
+
+       major, _ := strconv.Atoi(parts[1])
+       minor, _ := strconv.Atoi(parts[2])
+       build, _ := strconv.Atoi(parts[3])
+
        return major, minor, build
 }
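Review bot: The dots in the pattern given to `regexp.MustCompile` in `parseGoVersion` are unescaped, so each one matches any character and a string such as `go1x19` is accepted as version 1.19. Write them as `\.`, and drop the trailing `.*`, which adds nothing to an unanchored match. The pattern is also recompiled on every call; a package-level `var` compiled once is the usual form. The `len(parts) <= 1` guard works because `FindStringSubmatch` returns nil when nothing matches, but `parts == nil` would say that directly.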
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/helpers_test.go 
new/gosec-2.13.1/helpers_test.go
--- old/gosec-2.12.0/helpers_test.go    2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/helpers_test.go    2022-08-22 10:23:10.000000000 +0200
@@ -2,7 +2,6 @@
 
 import (
        "go/ast"
-       "io/ioutil"
        "os"
        "path/filepath"
        "regexp"
@@ -18,9 +17,9 @@
                var dir string
                JustBeforeEach(func() {
                        var err error
-                       dir, err = ioutil.TempDir("", "gosec")
+                       dir, err = os.MkdirTemp("", "gosec")
                        Expect(err).ShouldNot(HaveOccurred())
-                       _, err = ioutil.TempFile(dir, "test*.go")
+                       _, err = os.MkdirTemp(dir, "test*.go")
                        Expect(err).ShouldNot(HaveOccurred())
                })
                AfterEach(func() {
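Review bot: The second replacement swaps `ioutil.TempFile` for `os.MkdirTemp`, so the setup now creates a sub-directory named like `test*.go` instead of a file. The direct replacement for `ioutil.TempFile` is `os.CreateTemp`, i.e. `_, err = os.CreateTemp(dir, "test*.go")`. Whether the specs that follow still exercise what they intend with a directory in place of a Go file cannot be seen from this hunk. The returned handle is discarded without `Close`, which was already the case before this change.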
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/issue.go new/gosec-2.13.1/issue.go
--- old/gosec-2.12.0/issue.go   2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/issue.go   2022-08-22 10:23:10.000000000 +0200
@@ -66,6 +66,7 @@
        "G111": "22",
        "G112": "400",
        "G113": "190",
+       "G114": "676",
        "G201": "89",
        "G202": "89",
        "G203": "79",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/report/golint/writer.go 
new/gosec-2.13.1/report/golint/writer.go
--- old/gosec-2.12.0/report/golint/writer.go    2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/report/golint/writer.go    2022-08-22 10:23:10.000000000 
+0200
@@ -15,7 +15,7 @@
 
        for _, issue := range data.Issues {
                what := issue.What
-               if issue.Cwe.ID != "" {
+               if issue.Cwe != nil && issue.Cwe.ID != "" {
                        what = fmt.Sprintf("[%s] %s", issue.Cwe.SprintID(), 
issue.What)
                }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/report/html/template.html 
new/gosec-2.13.1/report/html/template.html
--- old/gosec-2.12.0/report/html/template.html  2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/report/html/template.html  2022-08-22 10:23:10.000000000 
+0200
@@ -5,12 +5,12 @@
   <title>Golang Security Checker</title>
   <link rel="shortcut icon" type="image/png" 
href="https://securego.io/img/favicon.png";>
   <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.9.4/css/bulma.min.css"; 
integrity="sha512-HqxHUkJM0SYcbvxUw5P60SzdOTy/QVwA1JJrvaXJv4q7lmbDZCmZaqz01UPOaQveoxfYRv1tHozWGPMcuTBuvQ=="
 crossorigin="anonymous"/>
-  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/highlight.min.js";
 
integrity="sha512-yUUc0qWm2rhM7X0EFe82LNnv2moqArj5nro/w1bi05A09hRVeIZbN6jlMoyu0+4I/Bu4Ck/85JQIU82T82M28w=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.5.1/languages/go.min.js";
 
integrity="sha512-E39wu3ruoRgZiQ3GXdHGjdbHB3jyiq6zi6VCxT/31VnbIcKMiG0oIissj7E3XHPM8QM4CLHQzsCtiKwJXv99Og=="
 crossorigin="anonymous"></script>
+  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/highlight.min.js";
 
integrity="sha512-gU7kztaQEl7SHJyraPfZLQCNnrKdaQi5ndOyt4L4UPL/FHDd/uB9Je6KDARIqwnNNE27hnqoWLBq+Kpe4iHfeQ=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/languages/go.min.js";
 
integrity="sha512-6m7H6Bk2KM24+q+jB5KGHNS/qjz2+9E3DCJiDPHRUzqkMT6myjxX6ZG3poLVNIBn31lPhufOZcLHfYwsl53aHQ=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js"; 
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js"; 
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/6.26.0/babel.min.js";
 
integrity="sha512-kp7YHLxuJDJcOzStgd6vtpxr4ZU9kjn77e6dBsivSz+pUuAuMlE2UTdKB7jjsWT84qbS8kdCWHPETnP/ctrFsA=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.18.12/babel.min.js";
 
integrity="sha512-AiVzbSxXraEL1ZC5MTLFal3rPCl56WrCIoXdur5U31SQ1byUZzgOnhqGeCFqwD6Owv9Q1DhS82Cpz+Tdym8hjQ=="
 crossorigin="anonymous"></script>
   <style>
   .field-label {
     min-width: 80px;
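Review bot: The `integrity` value on the highlight.js `styles/default.min.css` link is identical for 11.5.1 and 11.6.0, while both highlight.js script tags received new digests. That is correct only if the stylesheet bytes did not change between the two releases. If they did, browsers will refuse to load it and the report renders unstyled, so the digest is worth recomputing against the 11.6.0 file. Separately, the context lines pin `react` at 15.7.0 and `react-dom` at 15.6.1, which this bump leaves mismatched.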
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/report/junit/formatter.go 
new/gosec-2.13.1/report/junit/formatter.go
--- old/gosec-2.12.0/report/junit/formatter.go  2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/report/junit/formatter.go  2022-08-22 10:23:10.000000000 
+0200
@@ -8,11 +8,15 @@
 )
 
 func generatePlaintext(issue *gosec.Issue) string {
+       cweID := "CWE"
+       if issue.Cwe != nil {
+               cweID = issue.Cwe.ID
+       }
        return "Results:\n" +
                "[" + issue.File + ":" + issue.Line + "] - " +
                issue.What + " (Confidence: " + 
strconv.Itoa(int(issue.Confidence)) +
                ", Severity: " + strconv.Itoa(int(issue.Severity)) +
-               ", CWE: " + issue.Cwe.ID + ")\n" + "> " + 
html.EscapeString(issue.Code)
+               ", CWE: " + cweID + ")\n" + "> " + html.EscapeString(issue.Code)
 }
 
 // GenerateReport Convert a gosec report to a JUnit Report
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/report/sarif/formatter.go 
new/gosec-2.13.1/report/sarif/formatter.go
--- old/gosec-2.12.0/report/sarif/formatter.go  2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/report/sarif/formatter.go  2022-08-22 10:23:10.000000000 
+0200
@@ -27,12 +27,14 @@
        weaknesses := make(map[string]*cwe.Weakness)
 
        for _, issue := range data.Issues {
-               _, ok := weaknesses[issue.Cwe.ID]
-               if !ok {
-                       weakness := cwe.Get(issue.Cwe.ID)
-                       weaknesses[issue.Cwe.ID] = weakness
-                       cweTaxon := parseSarifTaxon(weakness)
-                       cweTaxa = append(cweTaxa, cweTaxon)
+               if issue.Cwe != nil {
+                       _, ok := weaknesses[issue.Cwe.ID]
+                       if !ok {
+                               weakness := cwe.Get(issue.Cwe.ID)
+                               weaknesses[issue.Cwe.ID] = weakness
+                               cweTaxon := parseSarifTaxon(weakness)
+                               cweTaxa = append(cweTaxa, cweTaxon)
+                       }
                }
 
                r, ok := rulesIndices[issue.RuleID]
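Review bot: The new `issue.Cwe != nil` guard covers the issue side, but the result of `cwe.Get(issue.Cwe.ID)` is still stored in `weaknesses` and passed to `parseSarifTaxon` unchecked. The nil check added to `buildSarifReportingDescriptorRelationship` in the next hunk suggests a nil `*cwe.Weakness` can occur. If `cwe.Get` can return nil for an unknown ID, wrap the store and the taxon append as `if weakness := cwe.Get(issue.Cwe.ID); weakness != nil {`. `parseSarifTaxon` is not visible here, so this depends on whether it already tolerates nil. The loop body continues outside the hunk.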
@@ -97,6 +99,9 @@
 }
 
 func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) 
*ReportingDescriptorRelationship {
+       if weakness == nil {
+               return nil
+       }
        return &ReportingDescriptorRelationship{
                Target: &ReportingDescriptorReference{
                        ID:            weakness.ID,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/report/text/template.txt 
new/gosec-2.13.1/report/text/template.txt
--- old/gosec-2.12.0/report/text/template.txt   2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/report/text/template.txt   2022-08-22 10:23:10.000000000 
+0200
@@ -6,7 +6,7 @@
 {{end}}
 {{end}}
 {{ range $index, $issue := .Issues }}
-[{{ highlight $issue.FileLocation $issue.Severity $issue.NoSec }}] - {{ 
$issue.RuleID }}{{ if $issue.NoSec }} ({{- success "NoSec" -}}){{ end }} ({{ 
$issue.Cwe.SprintID }}): {{ $issue.What }} (Confidence: {{ $issue.Confidence}}, 
Severity: {{ $issue.Severity }})
+[{{ highlight $issue.FileLocation $issue.Severity $issue.NoSec }}] - {{ 
$issue.RuleID }}{{ if $issue.NoSec }} ({{- success "NoSec" -}}){{ end }} ({{ if 
$issue.Cwe }}{{$issue.Cwe.SprintID}}{{ else }}{{"CWE"}}{{ end }}): {{ 
$issue.What }} (Confidence: {{ $issue.Confidence}}, Severity: {{ 
$issue.Severity }})
 {{ printCode $issue }}
 
 {{ end }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/http_serve.go 
new/gosec-2.13.1/rules/http_serve.go
--- old/gosec-2.12.0/rules/http_serve.go        1970-01-01 01:00:00.000000000 
+0100
+++ new/gosec-2.13.1/rules/http_serve.go        2022-08-22 10:23:10.000000000 
+0200
@@ -0,0 +1,38 @@
+package rules
+
+import (
+       "go/ast"
+
+       "github.com/securego/gosec/v2"
+)
+
+type httpServeWithoutTimeouts struct {
+       gosec.MetaData
+       pkg   string
+       calls []string
+}
+
+func (r *httpServeWithoutTimeouts) ID() string {
+       return r.MetaData.ID
+}
+
+func (r *httpServeWithoutTimeouts) Match(n ast.Node, c *gosec.Context) (gi 
*gosec.Issue, err error) {
+       if _, matches := gosec.MatchCallByPackage(n, c, r.pkg, r.calls...); 
matches {
+               return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, 
r.Confidence), nil
+       }
+       return nil, nil
+}
+
+// NewHTTPServeWithoutTimeouts detects use of net/http serve functions that 
have no support for setting timeouts.
+func NewHTTPServeWithoutTimeouts(id string, conf gosec.Config) (gosec.Rule, 
[]ast.Node) {
+       return &httpServeWithoutTimeouts{
+               pkg:   "net/http",
+               calls: []string{"ListenAndServe", "ListenAndServeTLS", "Serve", 
"ServeTLS"},
+               MetaData: gosec.MetaData{
+                       ID:         id,
+                       What:       "Use of net/http serve function that has no 
support for setting timeouts",
+                       Severity:   gosec.Medium,
+                       Confidence: gosec.High,
+               },
+       }, []ast.Node{(*ast.CallExpr)(nil)}
+}
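Review bot: `Match` declares named results `gi` and `err` but never assigns them and returns explicit values on both paths; a plain `(*gosec.Issue, error)` result list reads more clearly. The type and `Match` have no doc comments, and the `What` text names the finding without pointing to the remedy. A comment on the type would help maintainers, e.g. `// httpServeWithoutTimeouts flags the package-level net/http serve helpers, which start a server with no timeouts; the fix is an explicit http.Server with timeouts set.` The `conf` parameter is unused, presumably because the rule-constructor signature requires it.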
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/integer_overflow.go 
new/gosec-2.13.1/rules/integer_overflow.go
--- old/gosec-2.12.0/rules/integer_overflow.go  2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/rules/integer_overflow.go  2022-08-22 10:23:10.000000000 
+0200
@@ -61,7 +61,7 @@
                if fun, ok := n.Fun.(*ast.Ident); ok {
                        if fun.Name == "int32" || fun.Name == "int16" {
                                if idt, ok := n.Args[0].(*ast.Ident); ok {
-                                       if n, ok := atoiVarObj[idt.Obj]; ok {
+                                       if _, ok := atoiVarObj[idt.Obj]; ok {
                                                // Detect int32(v) and int16(v)
                                                return gosec.NewIssue(ctx, n, 
i.ID(), i.What, i.Severity, i.Confidence), nil
                                        }
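Review bot: `n.Args[0]` in the context line above the changed one is indexed without a length check, and the only precondition visible is that the callee identifier is named `int32` or `int16`. Scanned source that declares its own zero-argument function under one of those names would, as far as this hunk shows, make the analyzer panic instead of reporting; `if len(n.Args) == 1 {` before the index avoids that. With the shadowing removed, `gosec.NewIssue` now receives the outer `n`, so the reported position presumably moves to the conversion call, which is worth confirming against the rule's test sample. The enclosing function starts and ends outside the hunk.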
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/rulelist.go 
new/gosec-2.13.1/rules/rulelist.go
--- old/gosec-2.12.0/rules/rulelist.go  2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/rules/rulelist.go  2022-08-22 10:23:10.000000000 +0200
@@ -76,6 +76,7 @@
                {"G111", "Detect http.Dir('/') as a potential risk", 
NewDirectoryTraversal},
                {"G112", "Detect ReadHeaderTimeout not configured as a 
potential risk", NewSlowloris},
                {"G113", "Usage of Rat.SetString in math/big with an overflow", 
NewUsingOldMathBig},
+               {"G114", "Use of net/http serve function that has no support 
for setting timeouts", NewHTTPServeWithoutTimeouts},
 
                // injection
                {"G201", "SQL query construction using format string", 
NewSQLStrFormat},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/rules_test.go 
new/gosec-2.13.1/rules/rules_test.go
--- old/gosec-2.12.0/rules/rules_test.go        2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/rules/rules_test.go        2022-08-22 10:23:10.000000000 
+0200
@@ -102,6 +102,10 @@
                        runner("G113", testutils.SampleCodeG113)
                })
 
+               It("should detect uses of net/http serve functions that have no 
support for setting timeouts", func() {
+                       runner("G114", testutils.SampleCodeG114)
+               })
+
                It("should detect sql injection via format strings", func() {
                        runner("G201", testutils.SampleCodeG201)
                })
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/slowloris.go 
new/gosec-2.13.1/rules/slowloris.go
--- old/gosec-2.12.0/rules/slowloris.go 2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/rules/slowloris.go 2022-08-22 10:23:10.000000000 +0200
@@ -35,7 +35,7 @@
        for _, elt := range node.Elts {
                if kv, ok := elt.(*ast.KeyValueExpr); ok {
                        if ident, ok := kv.Key.(*ast.Ident); ok {
-                               if ident.Name == "ReadHeaderTimeout" {
+                               if ident.Name == "ReadHeaderTimeout" || 
ident.Name == "ReadTimeout" {
                                        return true
                                }
                        }
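Review bot: The check accepts a server literal as soon as a key named `ReadHeaderTimeout` or `ReadTimeout` is present and never inspects `kv.Value`, so `ReadTimeout: 0`, which means no timeout, also suppresses the finding. Accepting a second key widens that gap slightly; consider treating a literal zero value as not configured. A short comment on why `ReadTimeout` counts (it bounds reading the whole request, headers included) would also help the next reader. The enclosing function starts and ends outside the hunk.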
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/sql.go 
new/gosec-2.13.1/rules/sql.go
--- old/gosec-2.12.0/rules/sql.go       2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/rules/sql.go       2022-08-22 10:23:10.000000000 +0200
@@ -15,9 +15,9 @@
 package rules
 
 import (
+       "fmt"
        "go/ast"
        "regexp"
-       "strings"
 
        "github.com/securego/gosec/v2"
 )
@@ -30,6 +30,51 @@
        patterns []*regexp.Regexp
 }
 
+var sqlCallIdents = map[string]map[string]int{
+       "*database/sql.DB": {
+               "Exec":            0,
+               "ExecContext":     1,
+               "Query":           0,
+               "QueryContext":    1,
+               "QueryRow":        0,
+               "QueryRowContext": 1,
+               "Prepare":         0,
+               "PrepareContext":  1,
+       },
+       "*database/sql.Tx": {
+               "Exec":            0,
+               "ExecContext":     1,
+               "Query":           0,
+               "QueryContext":    1,
+               "QueryRow":        0,
+               "QueryRowContext": 1,
+               "Prepare":         0,
+               "PrepareContext":  1,
+       },
+}
+
+// findQueryArg locates the argument taking raw SQL
+func findQueryArg(call *ast.CallExpr, ctx *gosec.Context) (ast.Expr, error) {
+       typeName, fnName, err := gosec.GetCallInfo(call, ctx)
+       if err != nil {
+               return nil, err
+       }
+       i := -1
+       if ni, ok := sqlCallIdents[typeName]; ok {
+               if i, ok = ni[fnName]; !ok {
+                       i = -1
+               }
+       }
+       if i == -1 {
+               return nil, fmt.Errorf("SQL argument index not found for 
%s.%s", typeName, fnName)
+       }
+       if i >= len(call.Args) {
+               return nil, nil
+       }
+       query := call.Args[i]
+       return query, nil
+}
+
 func (s *sqlStatement) ID() string {
        return s.MetaData.ID
 }
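Review bot: `sqlCallIdents` lists only `*database/sql.DB` and `*database/sql.Tx`, so raw-SQL calls made through `*sql.Conn` (`ExecContext`, `QueryContext`, `QueryRowContext`, `PrepareContext`) are not registered and string-built queries there go unreported. Both rule constructors now iterate this map, so adding an entry is enough. The key below follows the format of the existing ones and should be checked against what `gosec.GetCallInfo` returns for a `*sql.Conn` receiver. In `findQueryArg`, the `i := -1` sentinel with the nested reassignment is harder to follow than two direct lookups that return the error as soon as either misses.

```go
var sqlCallIdents = map[string]map[string]int{
	// … unchanged: "*database/sql.DB" and "*database/sql.Tx" entries …
	"*database/sql.Conn": {
		"ExecContext":     1,
		"QueryContext":    1,
		"QueryRowContext": 1,
		"PrepareContext":  1,
	},
}
```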
@@ -69,16 +114,10 @@
 
 // checkQuery verifies if the query parameters is a string concatenation
 func (s *sqlStrConcat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) 
(*gosec.Issue, error) {
-       _, fnName, err := gosec.GetCallInfo(call, ctx)
+       query, err := findQueryArg(call, ctx)
        if err != nil {
                return nil, err
        }
-       var query ast.Node
-       if strings.HasSuffix(fnName, "Context") {
-               query = call.Args[1]
-       } else {
-               query = call.Args[0]
-       }
 
        if be, ok := query.(*ast.BinaryExpr); ok {
                operands := gosec.GetBinaryExprOperands(be)
@@ -137,8 +176,11 @@
                },
        }
 
-       rule.AddAll("*database/sql.DB", "Query", "QueryContext", "QueryRow", 
"QueryRowContext", "Exec", "ExecContext", "Prepare", "PrepareContext")
-       rule.AddAll("*database/sql.Tx", "Query", "QueryContext", "QueryRow", 
"QueryRowContext", "Exec", "ExecContext", "Prepare", "PrepareContext")
+       for s, si := range sqlCallIdents {
+               for i := range si {
+                       rule.Add(s, i)
+               }
+       }
        return rule, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ExprStmt)(nil)}
 }
 
@@ -171,16 +213,10 @@
 }
 
 func (s *sqlStrFormat) checkQuery(call *ast.CallExpr, ctx *gosec.Context) 
(*gosec.Issue, error) {
-       _, fnName, err := gosec.GetCallInfo(call, ctx)
+       query, err := findQueryArg(call, ctx)
        if err != nil {
                return nil, err
        }
-       var query ast.Node
-       if strings.HasSuffix(fnName, "Context") {
-               query = call.Args[1]
-       } else {
-               query = call.Args[0]
-       }
 
        if ident, ok := query.(*ast.Ident); ok && ident.Obj != nil {
                decl := ident.Obj.Decl
@@ -306,8 +342,11 @@
                        },
                },
        }
-       rule.AddAll("*database/sql.DB", "Query", "QueryContext", "QueryRow", 
"QueryRowContext", "Exec", "ExecContext", "Prepare", "PrepareContext")
-       rule.AddAll("*database/sql.Tx", "Query", "QueryContext", "QueryRow", 
"QueryRowContext", "Exec", "ExecContext", "Prepare", "PrepareContext")
+       for s, si := range sqlCallIdents {
+               for i := range si {
+                       rule.Add(s, i)
+               }
+       }
        rule.fmtCalls.AddAll("fmt", "Sprint", "Sprintf", "Sprintln", "Fprintf")
        rule.noIssue.AddAll("os", "Stdout", "Stderr")
        rule.noIssueQuoted.Add("github.com/lib/pq", "QuoteIdentifier")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/subproc.go 
new/gosec-2.13.1/rules/subproc.go
--- old/gosec-2.12.0/rules/subproc.go   2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/rules/subproc.go   2022-08-22 10:23:10.000000000 +0200
@@ -77,6 +77,13 @@
                                                                return 
gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, 
gosec.High), nil
                                                        }
                                                }
+                                       case *ast.ValueSpec:
+                                               _, valueSpec := 
ident.Obj.Decl.(*ast.ValueSpec)
+                                               if variable && valueSpec {
+                                                       if 
!gosec.TryResolve(ident, c) {
+                                                               return 
gosec.NewIssue(c, n, r.ID(), "Subprocess launched with variable", gosec.Medium, 
gosec.High), nil
+                                                       }
+                                               }
                                        }
                                }
                        } else if !gosec.TryResolve(arg, c) {
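Review bot: Inside `case *ast.ValueSpec:` the added `_, valueSpec := ident.Obj.Decl.(*ast.ValueSpec)` looks redundant. If the enclosing type switch, whose header is outside the hunk, is on `ident.Obj.Decl`, the assertion is always true in this arm and the condition reduces to `if variable && !gosec.TryResolve(ident, c) {`. The arm also repeats the `gosec.NewIssue` return of the arm above it; sharing that return between the two arms would keep the message and severity from drifting apart.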
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/rules/tls.go 
new/gosec-2.13.1/rules/tls.go
--- old/gosec-2.12.0/rules/tls.go       2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/rules/tls.go       2022-08-22 10:23:10.000000000 +0200
@@ -122,8 +122,10 @@
                                t.actualMinVersion = ival
                        } else {
                                if se, ok := n.Value.(*ast.SelectorExpr); ok {
-                                       if pkg, ok := se.X.(*ast.Ident); ok && 
pkg.Name == "tls" {
-                                               t.actualMinVersion = 
t.mapVersion(se.Sel.Name)
+                                       if pkg, ok := se.X.(*ast.Ident); ok {
+                                               if ip, ok := 
gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
+                                                       t.actualMinVersion = 
t.mapVersion(se.Sel.Name)
+                                               }
                                        }
                                }
                        }
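Review bot: The same import-path check is added twice, here for `MinVersion` and in the next hunk for `MaxVersion`; a small helper that takes the `*ast.SelectorExpr` and the context and returns the mapped version would keep the two branches in step. When the identifier does not resolve to `crypto/tls`, `t.actualMinVersion` is left at its previous value with no else branch. A short comment saying that this is intended, and what value the later comparison then sees, would help, since a silently unset version decides whether the rule fires. The enclosing function starts and ends outside the hunk.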
@@ -133,8 +135,10 @@
                                t.actualMaxVersion = ival
                        } else {
                                if se, ok := n.Value.(*ast.SelectorExpr); ok {
-                                       if pkg, ok := se.X.(*ast.Ident); ok && 
pkg.Name == "tls" {
-                                               t.actualMaxVersion = 
t.mapVersion(se.Sel.Name)
+                                       if pkg, ok := se.X.(*ast.Ident); ok {
+                                               if ip, ok := 
gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
+                                                       t.actualMaxVersion = 
t.mapVersion(se.Sel.Name)
+                                               }
                                        }
                                }
                        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/testutils/pkg.go 
new/gosec-2.13.1/testutils/pkg.go
--- old/gosec-2.12.0/testutils/pkg.go   2022-06-13 19:48:12.000000000 +0200
+++ new/gosec-2.13.1/testutils/pkg.go   2022-08-22 10:23:10.000000000 +0200
@@ -3,7 +3,6 @@
 import (
        "fmt"
        "go/build"
-       "io/ioutil"
        "log"
        "os"
        "path"
@@ -30,7 +29,7 @@
 // NewTestPackage will create a new and empty package. Must call Close() to 
cleanup
 // auxiliary files
 func NewTestPackage() *TestPackage {
-       workingDir, err := ioutil.TempDir("", "gosecs_test")
+       workingDir, err := os.MkdirTemp("", "gosecs_test")
        if err != nil {
                return nil
        }
@@ -53,7 +52,7 @@
                return nil
        }
        for filename, content := range p.Files {
-               if e := ioutil.WriteFile(filename, []byte(content), 0o644); e 
!= nil {
+               if e := os.WriteFile(filename, []byte(content), 0o644); e != 
nil {
                        return e
                } //#nosec G306
        }
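Review bot: The `//#nosec G306` suppression on the closing brace after the `os.WriteFile` call carries no justification, and it sits a line away from the call it excuses. If only the test process reads these fixture files (presumably so, but the callers are not visible here), writing them with owner-only permissions would make the suppression unnecessary: `if e := os.WriteFile(filename, []byte(content), 0o600); e != nil {`. Otherwise a short reason after the directive would tell the next reader why the wider mode is acceptable. The enclosing function starts outside the hunk.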
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.12.0/testutils/source.go 
new/gosec-2.13.1/testutils/source.go
--- old/gosec-2.12.0/testutils/source.go        2022-06-13 19:48:12.000000000 
+0200
+++ new/gosec-2.13.1/testutils/source.go        2022-08-22 10:23:10.000000000 
+0200
@@ -795,7 +795,8 @@
        }
        value := int32(bigValue)
        fmt.Println(value)
-}`}, 1, gosec.NewConfig()}, {[]string{`
+}`}, 1, gosec.NewConfig()},
+               {[]string{`
 package main
 
 import (
@@ -811,7 +812,8 @@
        if int16(bigValue) < 0 {
                fmt.Println(bigValue)
        }
-}`}, 1, gosec.NewConfig()}, {[]string{`
+}`}, 1, gosec.NewConfig()},
+               {[]string{`
 package main
 
 import (
@@ -825,7 +827,8 @@
                panic(err)
        }
        fmt.Println(bigValue)
-}`}, 0, gosec.NewConfig()}, {[]string{`
+}`}, 0, gosec.NewConfig()},
+               {[]string{`
 package main
 
 import (
@@ -846,7 +849,8 @@
        bigValue := 30
        value := int32(bigValue)
        fmt.Println(value)
-}`}, 0, gosec.NewConfig()}, {[]string{`
+}`}, 0, gosec.NewConfig()},
+               {[]string{`
 package main
 
 import (
@@ -863,6 +867,17 @@
        v := int32(value)
        fmt.Println(v)
 }`}, 0, gosec.NewConfig()},
+               {[]string{`
+package main
+import (
+    "fmt"
+    "strconv"
+)
+func main() {
+    a, err := strconv.Atoi("a")
+    b := int32(a) //#nosec G109
+    fmt.Println(b, err)
+}`}, 0, gosec.NewConfig()},
        }
 
        // SampleCodeG110 - potential DoS vulnerability via decompression bomb
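Review bot: The added sample appears to expect 0 issues only because of the `//#nosec G109` directive on the `int32(a)` line, but nothing in the entry says so, and it reads like the safe-conversion cases above it. A leading comment inside the sample, for example `// the conversion below would presumably be reported; #nosec G109 suppresses it`, would make clear that this entry exercises suppression rather than a safe conversion. The enclosing sample list starts outside the hunk.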
@@ -1050,6 +1065,29 @@
                        }
                }
                `}, 0, gosec.NewConfig()},
+               {[]string{`
+               package main
+
+               import (
+                       "fmt"
+                       "time"
+                       "net/http"
+               )
+               
+               func main() {
+                       http.HandleFunc("/", func(w http.ResponseWriter, r 
*http.Request) {
+                               fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
+                       })
+                       server := &http.Server{
+                               Addr:              ":1234",
+                               ReadTimeout:       1 * time.Second,
+                       }
+                       err := server.ListenAndServe()
+                       if err != nil {
+                               panic(err)
+                       }
+               }
+               `}, 0, gosec.NewConfig()},
        }
 
        // SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
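Review bot: The new entry sets only `ReadTimeout` on the `http.Server` and expects 0 issues, with no comment stating that this is the case being asserted. net/http falls back to `ReadTimeout` for header reads when `ReadHeaderTimeout` is zero, so a line such as `// ReadTimeout alone also bounds the header read` inside the sample would explain the expectation. The sample list this entry joins is declared outside the hunk.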
@@ -1072,6 +1110,84 @@
                }, 1, gosec.NewConfig()},
        }
 
+       // SampleCodeG114 - Use of net/http serve functions that have no 
support for setting timeouts
+       SampleCodeG114 = []CodeSample{
+               {[]string{
+                       `
+package main
+
+import (
+       "log"
+       "net/http"
+)
+
+func main() {
+       err := http.ListenAndServe(":8080", nil)
+       log.Fatal(err)
+}`,
+               }, 1, gosec.NewConfig()},
+               {
+                       []string{
+                               `
+package main
+
+import (
+       "log"
+       "net/http"
+)
+
+func main() {
+       err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil)
+       log.Fatal(err)
+}`,
+                       }, 1, gosec.NewConfig(),
+               },
+               {
+                       []string{
+                               `
+package main
+
+import (
+       "log"
+       "net"
+       "net/http"
+)
+
+func main() {
+       l, err := net.Listen("tcp", ":8080")
+       if err != nil {
+               log.Fatal(err)
+       }
+       defer l.Close()
+       err = http.Serve(l, nil)
+       log.Fatal(err)
+}`,
+                       }, 1, gosec.NewConfig(),
+               },
+               {
+                       []string{
+                               `
+package main
+
+import (
+       "log"
+       "net"
+       "net/http"
+)
+
+func main() {
+       l, err := net.Listen("tcp", ":8443")
+       if err != nil {
+               log.Fatal(err)
+       }
+       defer l.Close()
+       err = http.ServeTLS(l, nil, "cert.pem", "key.pem")
+       log.Fatal(err)
+}`,
+                       }, 1, gosec.NewConfig(),
+               },
+       }
+
        // SampleCodeG201 - SQL injection via format string
        SampleCodeG201 = []CodeSample{
                {[]string{`
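Review bot: All four SampleCodeG114 entries expect 1 issue, so nothing pins the zero-issue side of the rule. A sample that serves through an `http.Server` value with a timeout set, expecting 0, would guard against the rule later matching the `ListenAndServe` method as well as the package-level functions; a constructed example follows, and its expected count should be confirmed against the rule implementation, which is not in this hunk. The first entry also opens with `{[]string{` while the other three use the expanded form, which is worth making uniform.

```go
// … unchanged: the four entries expecting 1 issue …
		{
			[]string{
				`
package main

import (
	"log"
	"net/http"
	"time"
)

func main() {
	srv := &http.Server{
		Addr:              ":8080",
		ReadHeaderTimeout: 3 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}`,
			}, 0, gosec.NewConfig(),
		},
```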
@@ -1980,6 +2096,28 @@
        log.Printf("Command finished with error: %v", err)
 }
 `}, 1, gosec.NewConfig()},
+               {[]string{`
+// Initializing a local variable using a environmental
+// variable is consider as a dangerous user input
+package main
+
+import (
+       "log"
+       "os"
+       "os/exec"
+)
+
+func main() {
+       var run = "sleep" + os.Getenv("SOMETHING")
+       cmd := exec.Command(run, "5")
+       err := cmd.Start()
+       if err != nil {
+               log.Fatal(err)
+       }
+       log.Printf("Waiting for command to finish...")
+       err = cmd.Wait()
+       log.Printf("Command finished with error: %v", err)
+}`}, 1, gosec.NewConfig()},
        }
 
        // SampleCodeG301 - mkdir permission check
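Review bot: The comment that opens the new sample is hard to read: `a environmental variable is consider as`. Suggested wording for the two lines: `// Initializing a local variable from an environment variable` and `// is considered dangerous user input`. The enclosing sample list starts outside the hunk.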
@@ -2949,6 +3087,19 @@
 
 const MinVer = tls.VersionTLS13
 `}, 0, gosec.NewConfig()},
+               {[]string{`
+package main
+
+import (
+       "crypto/tls"
+       cryptotls "crypto/tls"
+)
+
+func main() {
+       _ = tls.Config{MinVersion: tls.VersionTLS12}
+       _ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12}
+}
+`}, 0, gosec.NewConfig()},
        }
 
        // SampleCodeG403 - weak key strength
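Review bot: The added sample covers only the accepted case, `VersionTLS12` through both the plain and the aliased import with 0 issues. A companion entry that differs in one line, `_ = cryptotls.Config{MinVersion: cryptotls.VersionTLS10}`, and expects an issue would show that a weak version is still reported when crypto/tls is imported under an alias, which is the detection side of the rules/tls.go change. The sample list starts outside the hunk.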

++++++ vendor.tar.gz ++++++
++++ 37176 lines of diff (skipped)
