feat(gosec): add includes and excludes options.

golangci · Apr 24, 2021 · 4c82143 · 4c82143
1 parent db80e16
commit 4c82143
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 4 deletions.
diff --git a/.golangci.example.yml b/.golangci.example.yml
@@ -334,6 +334,18 @@ linters-settings:
         #     reason: "testing if blocked version constraint works."  # Reason why the version constraint exists. (Optional)
       local_replace_directives: false                                 # Set to true to raise lint issues for packages that are loaded from a local path via replace directive
 
+  gosec:
+    # To select a subset of rules to run.
+    # Available rules: https://github.com/securego/gosec#available-rules
+    includes:
+      - G401
+      - G501
+      - G204
+    # To specify a set of rules to explicitly exclude.
+    # Available rules: https://github.com/securego/gosec#available-rules
+    excludes:
+      - G204
+
   govet:
     # report about shadowed variables
     check-shadowing: true

diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
@@ -103,6 +103,7 @@ type LintersSettings struct {
 	Gomnd            GoMndSettings
 	GoModDirectives  GoModDirectivesSettings
 	Gomodguard       GoModGuardSettings
+	Gosec            GoSecSettings
 	Govet            GovetSettings
 	Ifshort          IfshortSettings
 	ImportAs         ImportAsSettings
@@ -268,6 +269,11 @@ type GoModGuardSettings struct {
 	} `mapstructure:"blocked"`
 }
 
+type GoSecSettings struct {
+	Includes []string
+	Excludes []string
+}
+
 type GovetSettings struct {
 	CheckShadowing bool `mapstructure:"check-shadowing"`
 	Settings       map[string]map[string]interface{}

diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
@@ -13,19 +13,27 @@ import (
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/packages"
 
+	"github.com/golangci/golangci-lint/pkg/config"
 	"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
 	"github.com/golangci/golangci-lint/pkg/lint/linter"
 	"github.com/golangci/golangci-lint/pkg/result"
 )
 
 const gosecName = "gosec"
 
-func NewGosec() *goanalysis.Linter {
+func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 	var mu sync.Mutex
 	var resIssues []goanalysis.Issue
 
 	gasConfig := gosec.NewConfig()
-	enabledRules := rules.Generate()
+
+	var filters []rules.RuleFilter
+	if settings != nil {
+		filters = gosecRuleFilters(settings.Includes, settings.Excludes)
+	}
+
+	ruleDefinitions := rules.Generate(filters...)
+
 	logger := log.New(ioutil.Discard, "", 0)
 
 	analyzer := &analysis.Analyzer{
@@ -40,7 +48,8 @@ func NewGosec() *goanalysis.Linter {
 	).WithContextSetter(func(lintCtx *linter.Context) {
 		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
 			gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, logger)
-			gosecAnalyzer.LoadRules(enabledRules.Builders())
+			gosecAnalyzer.LoadRules(ruleDefinitions.Builders())
+
 			pkg := &packages.Package{
 				Fset:      pass.Fset,
 				Syntax:    pass.Files,
@@ -95,3 +104,18 @@ func NewGosec() *goanalysis.Linter {
 		return resIssues
 	}).WithLoadMode(goanalysis.LoadModeTypesInfo)
 }
+
+// based on https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/cmd/gosec/main.go#L170-L188
+func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
+	var filters []rules.RuleFilter
+
+	if len(includes) > 0 {
+		filters = append(filters, rules.NewRuleFilter(false, includes...))
+	}
+
+	if len(excludes) > 0 {
+		filters = append(filters, rules.NewRuleFilter(true, excludes...))
+	}
+
+	return filters
+}
diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go
@@ -112,6 +112,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 	var importAsCfg *config.ImportAsSettings
 	var goModDirectivesCfg *config.GoModDirectivesSettings
 	var tagliatelleCfg *config.TagliatelleSettings
+	var gosecCfg *config.GoSecSettings
 
 	if m.cfg != nil {
 		govetCfg = &m.cfg.LintersSettings.Govet
@@ -127,6 +128,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		importAsCfg = &m.cfg.LintersSettings.ImportAs
 		goModDirectivesCfg = &m.cfg.LintersSettings.GoModDirectives
 		tagliatelleCfg = &m.cfg.LintersSettings.Tagliatelle
+		gosecCfg = &m.cfg.LintersSettings.Gosec
 	}
 
 	const megacheckName = "megacheck"
@@ -190,7 +192,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithLoadForGoAnalysis().
 			WithPresets(linter.PresetStyle).
 			WithURL("https://github.com/dominikh/go-tools/tree/master/stylecheck"),
-		linter.NewConfig(golinters.NewGosec()).
+		linter.NewConfig(golinters.NewGosec(gosecCfg)).
 			WithSince("v1.0.0").
 			WithLoadForGoAnalysis().
 			WithPresets(linter.PresetBugs).