Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2022-10-18 12:45:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Tue Oct 18 12:45:07 2022 rev:6 rq:1026508 version:2.14.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2022-08-23 
14:29:44.923625388 +0200
+++ /work/SRC/openSUSE:Factory/.gosec.new.2275/gosec.changes    2022-10-18 
12:45:33.177799287 +0200
@@ -1,0 +2,25 @@
+Mon Oct 17 13:45:23 UTC 2022 - Felix Niederwanger <felix.niederwan...@suse.com>
+
+* Update to versin 2.14.0
+
+- Pin release build to Go version 1.19.2 (#882)
+- Refactor to support duplicate imports with different aliases (#865)
+- chore(deps): update all dependencies (#881)
+- go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880)
+- Update Go version to 1.19 in the makefile (#876)
+- chore(deps): update all dependencies (#875)
+- Add CWE-676 to cwe mapping (#874)
+- chore(deps): update all dependencies (#872)
+- Add a way to use private repositories on GitHub (#869)
+- chore(deps): update all dependencies (#868)
+- Check go version when installing govulncheck
+- Check go version when running govulncheck
+- Add vulncheck to the test steps
+- chore(deps): update all dependencies
+- Fix false positives for G404 with aliased packages
+- chore(deps): update all dependencies
+- chore(deps): update all dependencies
+- fix: add a CWE ID mapping to rule G114
+- chore(deps): update golang.org/x/crypto digest to bc19a97
+
+-------------------------------------------------------------------

Old:
----
  gosec-2.13.1.tar.gz

New:
----
  gosec-2.14.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.DCdRS9/_old  2022-10-18 12:45:33.933801009 +0200
+++ /var/tmp/diff_new_pack.DCdRS9/_new  2022-10-18 12:45:33.937801018 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           gosec
-Version:        2.13.1
+Version:        2.14.0
 Release:        0
 Summary:        Golang security checker
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.DCdRS9/_old  2022-10-18 12:45:33.981801118 +0200
+++ /var/tmp/diff_new_pack.DCdRS9/_new  2022-10-18 12:45:33.985801127 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/securego/gosec.git</param>
     <param name="scm">git</param>
     <param name="revision">master</param>
-    <param name="version">v2.13.1</param>
+    <param name="version">v2.14.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
        <param name="versionrewrite-pattern">v(.*)</param>
   </service>

++++++ gosec-2.13.1.tar.gz -> gosec-2.14.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/.github/workflows/ci.yml 
new/gosec-2.14.0/.github/workflows/ci.yml
--- old/gosec-2.13.1/.github/workflows/ci.yml   2022-08-22 10:23:10.000000000 
+0200
+++ new/gosec-2.14.0/.github/workflows/ci.yml   2022-10-17 11:06:43.000000000 
+0200
@@ -11,9 +11,8 @@
     strategy:
       matrix:
         go_version:
-          - '1.17'
-          - '1.18'
-          - '1.19'
+          - '1.18.7' # TODO: remove this once actions/setup-go@v3 uses latest 
as latest; see https://github.com/securego/gosec/pull/880
+          - '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest 
as latest; see https://github.com/securego/gosec/pull/880
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
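Review bot: The matrix now pins exact patch releases (`'1.18.7'`, `'1.19.2'`), so later Go point releases — which are frequently security fixes — stop being exercised until someone edits this file, and the TODO carries no owner or tracking beyond the PR link. The hunk also drops 1.17 from the matrix; if go.mod's `go` directive or the README still advertise 1.17 support (not visible here) they should be updated in the same change. If the setup-go release in use supports it, `go-version: '1.19'` together with `check-latest: true` would do what the TODO asks for without the hard pin; otherwise these pins want a dependabot/renovate rule so they do not rot.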
@@ -45,7 +44,7 @@
       - name: Setup go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19'
+          go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 
uses latest as latest; see https://github.com/securego/gosec/pull/880
       - name: Checkout Source 
         uses: actions/checkout@v3
       - uses: actions/cache@v3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/.github/workflows/release.yml 
new/gosec-2.14.0/.github/workflows/release.yml
--- old/gosec-2.13.1/.github/workflows/release.yml      2022-08-22 
10:23:10.000000000 +0200
+++ new/gosec-2.14.0/.github/workflows/release.yml      2022-10-17 
11:06:43.000000000 +0200
@@ -17,7 +17,7 @@
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: '1.19.2'
       - name: Install Cosign
         uses: sigstore/cosign-installer@v2
         with:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/Makefile new/gosec-2.14.0/Makefile
--- old/gosec-2.13.1/Makefile   2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/Makefile   2022-10-17 11:06:43.000000000 +0200
@@ -12,7 +12,9 @@
 GOLINT ?= $(GOBIN)/golint
 GOSEC ?= $(GOBIN)/gosec
 GINKGO ?= $(GOBIN)/ginkgo
-GO_VERSION = 1.18
+GO_MINOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut 
-d'.' -f2)
+GOVULN_MIN_VERSION = 17
+GO_VERSION = 1.19
 
 default:
        $(MAKE) build
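Review bot: `GO_MINOR_VERSION = $(shell …)` uses recursive assignment, so the four-process pipeline re-runs at every reference, and `cut -c 14-` depends on the output starting with exactly `go version go`; a `devel` toolchain or any prefix change yields an empty value, which the `-gt` comparisons in the later targets turn into a shell syntax error rather than a clean skip. Prefer a simple assignment based on the structured output, e.g. `GO_MINOR_VERSION := $(shell $(GO) env GOVERSION | sed -E 's/^go[0-9]+\.([0-9]+).*/\1/')`; `$(GO)` is assumed to be defined above this hunk. `GOVULN_MIN_VERSION = 17` paired with `-gt` encodes "1.18 or newer", so a comment such as `# govulncheck needs Go >= 1.18 (the targets compare with -gt)` would save the next reader the arithmetic.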
@@ -22,7 +24,12 @@
        $(GO_NOMOD) get -u golang.org/x/crypto/ssh
        $(GO_NOMOD) get -u github.com/lib/pq
 
-test: install-test-deps build fmt lint sec
+install-govulncheck:
+       @if [ $(GO_MINOR_VERSION) -gt $(GOVULN_MIN_VERSION) ]; then \
+               go install golang.org/x/vuln/cmd/govulncheck@latest; \
+       fi
+
+test: install-test-deps build fmt lint sec govulncheck
        $(GINKGO) -v --fail-fast
 
 fmt:
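Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` pulls an unpinned, floating version of a tool onto the build host every time `make test` runs, which is exactly the supply-chain drift a security scanner's own build should avoid, and it makes `test` depend on network access. Pin it through an overridable variable — `GOVULNCHECK_VERSION ?= latest` beside the other tool variables and `$(GO) install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION); \` here — so release builds can fix a known-good version, and use `$(GO)` rather than bare `go` as the rest of the file does. `install-govulncheck` and `govulncheck` are not file targets, so they belong in the `.PHONY` list if the file has one (not visible in this hunk).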
@@ -45,6 +52,12 @@
        @echo "SECURITY SCANNING"
        ./$(BIN) ./...
 
+govulncheck: install-govulncheck
+       @echo "CHECKING VULNERABILITIES"
+       @if [ $(GO_MINOR_VERSION) -gt $(GOVULN_MIN_VERSION) ]; then \
+               govulncheck ./...; \
+       fi
+
 test-coverage: install-test-deps
        go test -race -v -count=1 -coverprofile=coverage.out ./...
 
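Review bot: The recipe invokes bare `govulncheck` from `PATH` while every other tool in this file is referenced through `$(GOBIN)` (`GOLINT ?= $(GOBIN)/golint`, `GOSEC ?= $(GOBIN)/gosec`), so on a host where `$(GOBIN)` is not on `PATH` the install step succeeds and the check still fails. Add `GOVULNCHECK ?= $(GOBIN)/govulncheck` next to the other tool variables and run `$(GOVULNCHECK) ./...;`. When the Go version is too old the target also passes silently, so `make test` reports success with no vulnerability scan having happened; an `else echo "skipping govulncheck: needs Go >= 1.18"; \` branch makes the skip visible in CI logs.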
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/analyzer.go new/gosec-2.14.0/analyzer.go
--- old/gosec-2.13.1/analyzer.go        2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/analyzer.go        2022-10-17 11:06:43.000000000 +0200
@@ -172,9 +172,9 @@
                for {
                        select {
                        case s := <-j:
-                               packages, err := gosec.load(s, config)
+                               pkgs, err := gosec.load(s, config)
                                select {
-                               case r <- result{pkgPath: s, pkgs: packages, 
err: err}:
+                               case r <- result{pkgPath: s, pkgs: pkgs, err: 
err}:
                                case <-quit:
                                        // we've been told to stop, probably an 
error while
                                        // processing a previous result.
@@ -296,7 +296,6 @@
                gosec.context.Pkg = pkg.Types
                gosec.context.PkgFiles = pkg.Syntax
                gosec.context.Imports = NewImportTracker()
-               gosec.context.Imports.TrackFile(file)
                gosec.context.PassedValues = make(map[string]interface{})
                ast.Walk(gosec, file)
                gosec.stats.NumFiles++
@@ -434,6 +433,12 @@
                }
                return gosec
        }
+       switch i := n.(type) {
+       case *ast.File:
+               // Using ast.File instead of ast.ImportSpec, so that we can 
track
+               // all imports at once.
+               gosec.context.Imports.TrackFile(i)
+       }
 
        // Get any new rule exclusions.
        ignoredRules := gosec.ignore(n)
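Review bot: A single-case type switch that binds `i` only to call one method reads more naturally as a type assertion: `if file, ok := n.(*ast.File); ok { gosec.context.Imports.TrackFile(file) }`. The comment is also slightly off — `TrackFile` is what walks all the imports; the reason to hook `*ast.File` is that it is the first node `ast.Walk` hands to `Visit`, so the tracker is populated before any rule runs on the file, which is what the removed per-file `TrackFile` call used to guarantee. That guarantee only holds if the early `return gosec` just above this hunk cannot fire for the file node; the start of `Visit` is outside the hunk, so that is worth confirming.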
@@ -453,9 +458,6 @@
        // Push the new set onto the stack.
        gosec.context.Ignores = append([]map[string][]SuppressionInfo{ignores}, 
gosec.context.Ignores...)
 
-       // Track aliased and initialization imports
-       gosec.context.Imports.TrackImport(n)
-
        for _, rule := range gosec.ruleset.RegisteredFor(n) {
                // Check if all rules are ignored.
                generalSuppressions, generalIgnored := ignores[aliasOfAllRules]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/cwe/data.go new/gosec-2.14.0/cwe/data.go
--- old/gosec-2.13.1/cwe/data.go        2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/cwe/data.go        2022-10-17 11:06:43.000000000 +0200
@@ -129,6 +129,11 @@
                        Description: "The software constructs all or part of an 
SQL command using externally-influenced input from an upstream component, but 
it does not neutralize or incorrectly neutralizes special elements that could 
modify the intended SQL command when it is sent to a downstream component.",
                        Name:        "Improper Neutralization of Special 
Elements used in an SQL Command ('SQL Injection')",
                },
+               {
+                       ID:          "676",
+                       Description: "The program invokes a potentially 
dangerous function that could introduce a vulnerability if it is used 
incorrectly, but the function can also be used safely.",
+                       Name:        "Use of Potentially Dangerous Function",
+               },
        }
 )
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/entrypoint.sh 
new/gosec-2.14.0/entrypoint.sh
--- old/gosec-2.13.1/entrypoint.sh      2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/entrypoint.sh      2022-10-17 11:06:43.000000000 +0200
@@ -4,4 +4,8 @@
 # provides all arguments concatenated as a single string.
 ARGS=("$@")
 
+if [[ ! -z "${GITHUB_AUTHENTICATION_TOKEN}" ]]; then
+  git config --global --add 
url."https://x-access-token:${GITHUB_AUTHENTICATION_TOKEN}@github.com/".insteadOf
 "https://github.com/";
+fi
+
 /bin/gosec ${ARGS[*]}
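Review bot: The added `git config --global --add url.…insteadOf` writes the GitHub token in clear text into the container's `~/.gitconfig`, where it persists for the life of the job and is readable by every later step or tool that runs in the image, not only the module fetch; the token is also embedded in a URL, which can surface in verbose git or `go` diagnostics. If the image's git is recent enough, the same rewrite can be supplied without touching disk by exporting `GIT_CONFIG_COUNT=1`, `GIT_CONFIG_KEY_0="url.https://x-access-token:${GITHUB_AUTHENTICATION_TOKEN}@github.com/.insteadOf"` and `GIT_CONFIG_VALUE_0="https://github.com/"` for the `gosec` invocation only. The rewrite alone is unlikely to make private modules resolve, because the `go` tool consults the default module proxy and checksum database first, so `GOPRIVATE` (or `GONOSUMDB`/`GONOPROXY`) for the private repositories needs to be set as well unless that happens somewhere outside this file. As a style point `[[ ! -z … ]]` is clearer as `[[ -n "${GITHUB_AUTHENTICATION_TOKEN}" ]]`, and the pre-existing unquoted `${ARGS[*]}` on the last line word-splits any argument containing spaces.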
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/go.mod new/gosec-2.14.0/go.mod
--- old/gosec-2.13.1/go.mod     2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/go.mod     2022-10-17 11:06:43.000000000 +0200
@@ -2,15 +2,15 @@
 
 require (
        github.com/google/uuid v1.3.0
-       github.com/gookit/color v1.5.1
-       github.com/lib/pq v1.10.6
+       github.com/gookit/color v1.5.2
+       github.com/lib/pq v1.10.7
        github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
        github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
-       github.com/onsi/ginkgo/v2 v2.1.4
-       github.com/onsi/gomega v1.20.0
-       golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8
+       github.com/onsi/ginkgo/v2 v2.3.1
+       github.com/onsi/gomega v1.22.1
+       golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
-       golang.org/x/text v0.3.7
+       golang.org/x/text v0.3.8
        golang.org/x/tools v0.1.12
        gopkg.in/yaml.v2 v2.4.0
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/go.sum new/gosec-2.14.0/go.sum
--- old/gosec-2.13.1/go.sum     2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/go.sum     2022-10-17 11:06:43.000000000 +0200
@@ -162,8 +162,8 @@
 github.com/google/uuid v1.3.0/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod 
h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod 
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gookit/color v1.5.1 h1:Vjg2VEcdHpwq+oY63s/ksHrgJYCTo0bwWvmmYWdE9fQ=
-github.com/gookit/color v1.5.1/go.mod 
h1:wZFzea4X8qN6vHOSP2apMb4/+w/orMznEzYsIHPaqKM=
+github.com/gookit/color v1.5.2 h1:uLnfXcaFjlrDnQDT+NCBcfhrXqYTx/rcCa6xn01Y8yI=
+github.com/gookit/color v1.5.2/go.mod 
h1:w8h4bGiHeeBpvQVePTutdbERIUf3oJE5lZ8HM0UgXyg=
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod 
h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod 
h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
 github.com/gorilla/mux v1.8.0/go.mod 
h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
@@ -215,8 +215,8 @@
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod 
h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
-github.com/lib/pq v1.10.6/go.mod 
h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod 
h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod 
h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod 
h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod 
h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -256,11 +256,11 @@
 github.com/olekukonko/tablewriter v0.0.2/go.mod 
h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
 github.com/onsi/ginkgo v1.6.0/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo/v2 v2.1.4 
h1:GNapqRSid3zijZ9H77KrgVG4/8KqiyRsxcSxe+7ApXY=
-github.com/onsi/ginkgo/v2 v2.1.4/go.mod 
h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU=
+github.com/onsi/ginkgo/v2 v2.3.1 
h1:8SbseP7qM32WcvE6VaN6vfXxv698izmsJ1UQX9ve7T8=
+github.com/onsi/ginkgo/v2 v2.3.1/go.mod 
h1:Sv4yQXwG5VmF7tm3Q5Z+RWUpPo24LF1mpnz2crUb8Ys=
 github.com/onsi/gomega v1.7.1/go.mod 
h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.20.0 h1:8W0cWlwFkflGPLltQvLRB7ZVD5HuP6ng320w2IS245Q=
-github.com/onsi/gomega v1.20.0/go.mod 
h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
+github.com/onsi/gomega v1.22.1 h1:pY8O4lBfsHKZHM/6nrxkhVPUznOlIu3quZcKP/M20KI=
+github.com/onsi/gomega v1.22.1/go.mod 
h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM=
 github.com/opentracing/opentracing-go v1.1.0/go.mod 
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.2.0/go.mod 
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod 
h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -307,14 +307,16 @@
 github.com/spf13/viper v1.3.2/go.mod 
h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/stretchr/objx v0.1.0/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod 
h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod 
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.1.4/go.mod 
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod 
h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod 
h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod 
h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2 
h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
-github.com/stretchr/testify v1.7.2/go.mod 
h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/stretchr/testify v1.7.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 
h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod 
h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod 
h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -360,8 +362,8 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 
h1:GIAS/yBem/gq2MUqgNIzUHW7cJMmx3TGZOrnyYaNQ6c=
-golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20221012134737-56aed061732a 
h1:NmSIgad6KjE6VvHciPZuNRTKxGhlPfD6OA87W/PLkqg=
+golang.org/x/crypto v0.0.0-20221012134737-56aed061732a/go.mod 
h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -495,8 +497,8 @@
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/helpers.go new/gosec-2.14.0/helpers.go
--- old/gosec-2.13.1/helpers.go 2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/helpers.go 2022-10-17 11:06:43.000000000 +0200
@@ -37,12 +37,9 @@
 //
 //     node, matched := MatchCallByPackage(n, ctx, "math/rand", "Read")
 func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) 
(*ast.CallExpr, bool) {
-       importedName, found := GetImportedName(pkg, c)
+       importedNames, found := GetImportedNames(pkg, c)
        if !found {
-               importedName, found = GetAliasedName(pkg, c)
-               if !found {
-                       return nil, false
-               }
+               return nil, false
        }
 
        if callExpr, ok := n.(*ast.CallExpr); ok {
@@ -50,7 +47,10 @@
                if err != nil {
                        return nil, false
                }
-               if packageName == importedName {
+               for _, in := range importedNames {
+                       if packageName != in {
+                               continue
+                       }
                        for _, name := range names {
                                if callName == name {
                                        return callExpr, true
@@ -247,48 +247,23 @@
        return result
 }
 
-// GetImportedName returns the name used for the package within the
-// code. It will ignore initialization only imports.
-func GetImportedName(path string, ctx *Context) (string, bool) {
-       importName, imported := ctx.Imports.Imported[path]
-       if !imported {
-               return "", false
-       }
-
-       if _, initonly := ctx.Imports.InitOnly[path]; initonly {
-               return "", false
-       }
-
-       return importName, true
-}
-
-// GetAliasedName returns the aliased name used for the package within the
-// code. It will ignore initialization only imports.
-func GetAliasedName(path string, ctx *Context) (string, bool) {
-       importName, imported := ctx.Imports.Aliased[path]
-       if !imported {
-               return "", false
-       }
-
-       if _, initonly := ctx.Imports.InitOnly[path]; initonly {
-               return "", false
-       }
-
-       return importName, true
+// GetImportedNames returns the name(s)/alias(es) used for the package within
+// the code. It ignores initialization-only imports.
+func GetImportedNames(path string, ctx *Context) (names []string, found bool) {
+       importNames, imported := ctx.Imports.Imported[path]
+       return importNames, imported
 }
 
 // GetImportPath resolves the full import path of an identifier based on
 // the imports in the current context(including aliases).
 func GetImportPath(name string, ctx *Context) (string, bool) {
        for path := range ctx.Imports.Imported {
-               if imported, ok := GetImportedName(path, ctx); ok && imported 
== name {
-                       return path, true
-               }
-       }
-
-       for path := range ctx.Imports.Aliased {
-               if imported, ok := GetAliasedName(path, ctx); ok && imported == 
name {
-                       return path, true
+               if imported, ok := GetImportedNames(path, ctx); ok {
+                       for _, n := range imported {
+                               if n == name {
+                                       return path, true
+                               }
+                       }
                }
        }
 
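Review bot: Deleting the exported `GetImportedName` and `GetAliasedName` is an API break for anything that imports gosec as a library, and nothing in the hunk marks it as intentional; thin `Deprecated:` wrappers over `GetImportedNames` cost a few lines and let importers migrate. The named results on `GetImportedNames` (`names`, `found`) are never used — the function just forwards the map lookup — so drop them for `([]string, bool)`. In `GetImportPath` the `ok` check is redundant: the loop iterates over the keys of `ctx.Imports.Imported`, so the lookup always succeeds and the body can range over the map values directly; the end of that function lies outside the hunk.
```go
// GetImportedNames returns every name (package name or alias) under which the
// given import path is referenced in the current file. Initialization-only
// ("_") imports are never recorded by the tracker, so they report false.
func GetImportedNames(path string, ctx *Context) ([]string, bool) {
	names, ok := ctx.Imports.Imported[path]
	return names, ok
}

// GetImportedName returns the first name the package is imported under.
//
// Deprecated: use GetImportedNames, which reports every alias.
func GetImportedName(path string, ctx *Context) (string, bool) {
	names, ok := GetImportedNames(path, ctx)
	if !ok || len(names) == 0 {
		return "", false
	}
	return names[0], true
}

// GetAliasedName is kept for API compatibility; aliases and plain names are
// no longer tracked separately.
//
// Deprecated: use GetImportedNames.
func GetAliasedName(path string, ctx *Context) (string, bool) {
	return GetImportedName(path, ctx)
}

// GetImportPath resolves the full import path of an identifier based on
// the imports in the current context(including aliases).
func GetImportPath(name string, ctx *Context) (string, bool) {
	for path, names := range ctx.Imports.Imported {
		for _, n := range names {
			if n == name {
				return path, true
			}
		}
	}
	// … unchanged: not-found return …
```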
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/import_tracker.go 
new/gosec-2.14.0/import_tracker.go
--- old/gosec-2.13.1/import_tracker.go  2022-08-22 10:23:10.000000000 +0200
+++ new/gosec-2.14.0/import_tracker.go  2022-10-17 11:06:43.000000000 +0200
@@ -22,54 +22,51 @@
 // by a source file. It is able to differentiate between plain imports, aliased
 // imports and init only imports.
 type ImportTracker struct {
-       Imported map[string]string
-       Aliased  map[string]string
-       InitOnly map[string]bool
+       // Imported is a map of Imported with their associated names/aliases.
+       Imported map[string][]string
 }
 
 // NewImportTracker creates an empty Import tracker instance
 func NewImportTracker() *ImportTracker {
        return &ImportTracker{
-               make(map[string]string),
-               make(map[string]string),
-               make(map[string]bool),
+               Imported: make(map[string][]string),
        }
 }
 
 // TrackFile track all the imports used by the supplied file
 func (t *ImportTracker) TrackFile(file *ast.File) {
        for _, imp := range file.Imports {
-               path := strings.Trim(imp.Path.Value, `"`)
-               parts := strings.Split(path, "/")
-               if len(parts) > 0 {
-                       name := parts[len(parts)-1]
-                       t.Imported[path] = name
-               }
+               t.TrackImport(imp)
        }
 }
 
 // TrackPackages tracks all the imports used by the supplied packages
 func (t *ImportTracker) TrackPackages(pkgs ...*types.Package) {
        for _, pkg := range pkgs {
-               t.Imported[pkg.Path()] = pkg.Name()
+               t.Imported[pkg.Path()] = []string{pkg.Name()}
        }
 }
 
-// TrackImport tracks imports and handles the 'unsafe' import
-func (t *ImportTracker) TrackImport(n ast.Node) {
-       if imported, ok := n.(*ast.ImportSpec); ok {
-               path := strings.Trim(imported.Path.Value, `"`)
-               if imported.Name != nil {
-                       if imported.Name.Name == "_" {
-                               // Initialization only import
-                               t.InitOnly[path] = true
-                       } else {
-                               // Aliased import
-                               t.Aliased[path] = imported.Name.Name
-                       }
-               }
-               if path == "unsafe" {
-                       t.Imported[path] = path
+// TrackImport tracks imports.
+func (t *ImportTracker) TrackImport(imported *ast.ImportSpec) {
+       importPath := strings.Trim(imported.Path.Value, `"`)
+       if imported.Name != nil {
+               if imported.Name.Name == "_" {
+                       // Initialization only import
+               } else {
+                       // Aliased import
+                       t.Imported[importPath] = append(t.Imported[importPath], 
imported.Name.String())
                }
+       } else {
+               t.Imported[importPath] = append(t.Imported[importPath], 
importName(importPath))
+       }
+}
+
+func importName(importPath string) string {
+       parts := strings.Split(importPath, "/")
+       name := importPath
+       if len(parts) > 0 {
+               name = parts[len(parts)-1]
        }
+       return name
 }
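Review bot: The type comment kept as context at the top of the hunk still says the tracker "is able to differentiate between plain imports, aliased imports and init only imports", but the new struct has a single map and `TrackImport` discards `_` imports, so the doc now contradicts the code; the field comment "a map of Imported with their associated names/aliases" is also circular. Suggested wording for the field: `// Imported maps an import path to every name the file binds it to (the package name or an explicit alias); blank ("_") imports are not recorded.` In `TrackImport` the empty `if` branch that exists only to hold a comment, plus the duplicated `append`, reads more easily as an early return with a single append at the end (below). Note that `importName` still takes the last path element as the package name, so a plain `import "gopkg.in/yaml.v2"` or a `/v2`-suffixed module path is recorded under a name the code never uses; that heuristic predates this change, but `TrackPackages` (which uses `pkg.Name()`) shows the accurate source where type information is available.
```go
// TrackImport records the name a file binds an import path to. Blank ("_")
// imports are skipped: they can never be referenced by name, so rules treat
// the package as not imported.
func (t *ImportTracker) TrackImport(imported *ast.ImportSpec) {
	importPath := strings.Trim(imported.Path.Value, `"`)
	name := importName(importPath)
	if imported.Name != nil {
		if imported.Name.Name == "_" {
			return
		}
		name = imported.Name.Name
	}
	t.Imported[importPath] = append(t.Imported[importPath], name)
}
```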
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/import_tracker_test.go 
new/gosec-2.14.0/import_tracker_test.go
--- old/gosec-2.13.1/import_tracker_test.go     2022-08-22 10:23:10.000000000 
+0200
+++ new/gosec-2.14.0/import_tracker_test.go     2022-10-17 11:06:43.000000000 
+0200
@@ -27,7 +27,7 @@
                        files := pkgs[0].Syntax
                        Expect(files).Should(HaveLen(1))
                        tracker.TrackFile(files[0])
-                       
Expect(tracker.Imported).Should(Equal(map[string]string{"fmt": "fmt"}))
+                       
Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fmt"}}))
                })
                It("should parse the named imports from file", func() {
                        tracker := gosec.NewImportTracker()
@@ -47,7 +47,7 @@
                        files := pkgs[0].Syntax
                        Expect(files).Should(HaveLen(1))
                        tracker.TrackFile(files[0])
-                       
Expect(tracker.Imported).Should(Equal(map[string]string{"fmt": "fmt"}))
+                       
Expect(tracker.Imported).Should(Equal(map[string][]string{"fmt": {"fm"}}))
                })
        })
 })
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/report/html/template.html 
new/gosec-2.14.0/report/html/template.html
--- old/gosec-2.13.1/report/html/template.html  2022-08-22 10:23:10.000000000 
+0200
+++ new/gosec-2.14.0/report/html/template.html  2022-10-17 11:06:43.000000000 
+0200
@@ -10,7 +10,7 @@
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/languages/go.min.js";
 
integrity="sha512-6m7H6Bk2KM24+q+jB5KGHNS/qjz2+9E3DCJiDPHRUzqkMT6myjxX6ZG3poLVNIBn31lPhufOZcLHfYwsl53aHQ=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js"; 
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js"; 
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.18.12/babel.min.js";
 
integrity="sha512-AiVzbSxXraEL1ZC5MTLFal3rPCl56WrCIoXdur5U31SQ1byUZzgOnhqGeCFqwD6Owv9Q1DhS82Cpz+Tdym8hjQ=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.19.5/babel.min.js";
 
integrity="sha512-bjGBAZIb0gEGD2ZwID09UEhmDpwhDgWPlLXfardtRtGVSkmK3FzzRN+pIq9Gh34qw4CDeOVbvw3L3+nyqnqTHw=="
 crossorigin="anonymous"></script>
   <style>
   .field-label {
     min-width: 80px;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.13.1/testutils/source.go 
new/gosec-2.14.0/testutils/source.go
--- old/gosec-2.13.1/testutils/source.go        2022-08-22 10:23:10.000000000 
+0200
+++ new/gosec-2.14.0/testutils/source.go        2022-10-17 11:06:43.000000000 
+0200
@@ -3180,6 +3180,41 @@
        bad := rand.Intn(10)
        println(bad)
 }`}, 1, gosec.NewConfig()},
+               {[]string{`
+package main
+
+import (
+       "crypto/rand"
+       "math/big"
+       rnd "math/rand"
+)
+
+func main() {
+       good, _ := rand.Int(rand.Reader, big.NewInt(int64(2)))
+       println(good)
+       bad := rnd.Intn(2)
+       println(bad)
+}
+`}, 1, gosec.NewConfig()},
+               {[]string{`
+package main
+
+import (
+       crand "crypto/rand"
+       "math/big"
+       "math/rand"
+       rand2 "math/rand"
+       rand3 "math/rand"
+)
+
+func main() {
+       _, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good
+
+       _ = rand.Intn(2) // bad
+       _ = rand2.Intn(2)  // bad
+       _ = rand3.Intn(2)  // bad
+}
+`}, 3, gosec.NewConfig()},
        }
 
        // SampleCodeG501 - Blocklisted import MD5

++++++ vendor.tar.gz ++++++
++++ 10168 lines of diff (skipped)
