-
Notifications
You must be signed in to change notification settings - Fork 0
/
common.go
234 lines (201 loc) · 6.66 KB
/
common.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
package common
import (
"path/filepath"
"strings"
"sync"
"github.com/adedayo/checkmate-core/pkg/diagnostics"
"github.com/adedayo/checkmate-core/pkg/util"
)
//IsConfidentialFile indicates whether a file is potentially confidential based on its name or extension, with a narrative indicating
//what sort of file it may be if it is potentially confidential
func IsConfidentialFile(path string) (bool, string) {
extension := filepath.Ext(path)
baseName := strings.TrimSuffix(filepath.Base(path), extension)
if narrative, present := DangerousFileNames[baseName]; present {
return present, narrative
}
if narrative, present := CertsAndKeyStores[extension]; present {
return present, narrative
}
if narrative, present := DangerousExtensions[extension]; present {
return present, narrative
}
if narrative, present := FinancialAndAccountingExtensions[extension]; present && !excludeName(baseName) {
return present, narrative
}
return false, ""
}
func excludeName(basname string) bool {
switch strings.ToLower(basname) {
case "readme", "changelog":
return true
}
return false
}
//GetSensitiveFilesDescriptors gets all registered sensitive file descriptions
func GetSensitiveFilesDescriptors() (files []SensitiveFile) {
for file, description := range DangerousFileNames {
files = append(files, SensitiveFile{
Extension: file,
Description: description,
})
}
for ext, description := range CertsAndKeyStores {
files = append(files, SensitiveFile{
Extension: ext,
Description: description,
})
}
for ext, description := range DangerousExtensions {
files = append(files, SensitiveFile{
Extension: ext,
Description: description,
})
}
for ext, description := range FinancialAndAccountingExtensions {
files = append(files, SensitiveFile{
Extension: ext,
Description: description,
})
}
files = append(files, SensitiveFile{
Extension: "readme[.].*",
Description: "Readme files are usually non-sensitive",
Excluded: true,
})
files = append(files, SensitiveFile{
Extension: "changelog[.].*",
Description: "Changelog files are usually non-sensitive",
Excluded: true,
})
return
}
//SensitiveFile is a description of a potentially sensitive file based on its name or extension
type SensitiveFile struct {
//if the value does not start with a . then filename is intended
Extension string
Description string
Excluded bool //flag to indicate that this extension or filename should be ignored as non-sensitive
}
func appendMaps(maps ...map[string]string) map[string]string {
result := make(map[string]string)
for _, m := range maps {
for k := range m {
if v, present := result[k]; present {
data := []string{}
if strings.TrimSpace(m[k]) != "" {
data = append(data, m[k])
}
if strings.TrimSpace(v) != "" {
data = append(data, v)
}
result[k] = strings.Join(data, " or ")
} else {
result[k] = m[k]
}
}
}
return result
}
func makeMap(elements string) map[string]string {
result := make(map[string]string)
var nothing string
for _, s := range strings.Split(elements, ",") {
result["."+s] = nothing
}
return result
}
//SourceToSecurityDiagnostics is an interface that describes an object that can consume source and generates security diagnostics
type SourceToSecurityDiagnostics interface {
util.ResourceConsumer
diagnostics.SecurityDiagnosticsProvider
}
//PathToSecurityDiagnostics is an interface that describes an object that can consume a file path or URI and generates security diagnostics
type PathToSecurityDiagnostics interface {
util.PathConsumer
diagnostics.SecurityDiagnosticsProvider
}
//ResourceToSecurityDiagnostics is an interface that describes an object that consumes arbitrary resource and generates security diagnostics
type ResourceToSecurityDiagnostics interface {
util.ResourceConsumer
util.PathConsumer
diagnostics.SecurityDiagnosticsProvider
}
//RegisterDiagnosticsConsumer registers a callback to consume diagnostics
func RegisterDiagnosticsConsumer(callback func(d *diagnostics.SecurityDiagnostic), providers ...diagnostics.SecurityDiagnosticsProvider) {
consumer := c{
callback: callback,
}
for _, p := range providers {
p.AddConsumers(consumer)
}
}
type c struct {
callback func(d *diagnostics.SecurityDiagnostic)
}
func (n c) ReceiveDiagnostic(diagnostic *diagnostics.SecurityDiagnostic) {
n.callback(diagnostic)
}
//DiagnosticsAggregator implements a strategy for aggregating diagnostics, e.g. removing duplicates, overlap, less sever issues etc.
type DiagnosticsAggregator interface {
AddDiagnostic(diagnostic *diagnostics.SecurityDiagnostic)
Aggregate() []*diagnostics.SecurityDiagnostic //Called when aggregation strategy is required to be run
}
type simpleDiagnosticAggregator struct {
// input chan diagnostics.SecurityDiagnostic
// diagnostics []*diagnostics.SecurityDiagnostic
mutex sync.RWMutex
fileIndexedDiagnostics map[string][]*diagnostics.SecurityDiagnostic
}
func (sda *simpleDiagnosticAggregator) AddDiagnostic(diagnostic *diagnostics.SecurityDiagnostic) {
// sda.diagnostics = append(sda.diagnostics, diagnostic)
file := ""
if diagnostic.Location != nil {
file = *diagnostic.Location
}
sda.mutex.Lock()
if diags, present := sda.fileIndexedDiagnostics[file]; present {
sda.fileIndexedDiagnostics[file] = append(diags, diagnostic)
} else {
sda.fileIndexedDiagnostics[file] = []*diagnostics.SecurityDiagnostic{diagnostic}
}
sda.mutex.Unlock()
}
func (sda *simpleDiagnosticAggregator) Aggregate() (agg []*diagnostics.SecurityDiagnostic) {
for _, issues := range sda.fileIndexedDiagnostics {
agg = append(agg, removeOverlappingIssues(issues)...)
}
return
}
func removeOverlappingIssues(issues []*diagnostics.SecurityDiagnostic) []*diagnostics.SecurityDiagnostic {
excluded := make([]bool, len(issues))
out := make([]*diagnostics.SecurityDiagnostic, 0)
diagnostics := issues
for i, di := range diagnostics {
for j, dj := range diagnostics {
if j != i {
if dj.RawRange.Contains(&di.RawRange) &&
di.Justification.Headline.Confidence <= dj.Justification.Headline.Confidence &&
!di.RawRange.Contains(&dj.RawRange) {
excluded[i] = true
break
}
}
}
}
for i, di := range diagnostics {
if !excluded[i] {
out = append(out, di)
}
}
return out
}
//MakeSimpleAggregator creates a diagnostics aggregator that removes diagnostics whose range is completely
//overlapped by another diagnostic's range
func MakeSimpleAggregator() DiagnosticsAggregator {
return &simpleDiagnosticAggregator{
// diagnostics: make([]*diagnostics.SecurityDiagnostic, 0),
mutex: sync.RWMutex{},
fileIndexedDiagnostics: make(map[string][]*diagnostics.SecurityDiagnostic),
}
}