feat: add tls.SignatureScheme

sashamelentyev · Sep 2, 2022 · 48078cb · 48078cb
1 parent 1b365e2
commit 48078cb
Show file tree

Hide file tree

Showing 5 changed files with 165 additions and 21 deletions.
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
@@ -23,6 +23,7 @@ const (
 	RPCDefaultPathFlag    = "rpc-default-path"
 	OSDevNullFlag         = "os-dev-null"
 	SQLIsolationLevelFlag = "sql-isolation-level"
+	TLSSignatureScheme    = "tls-signature-scheme"
 )
 
 // New returns new usestdlibvars analyzer.
@@ -47,6 +48,7 @@ func flags() flag.FlagSet {
 	flags.Bool(RPCDefaultPathFlag, false, "suggest the use of rpc.DefaultXXPath")
 	flags.Bool(OSDevNullFlag, false, "suggest the use of os.DevNull")
 	flags.Bool(SQLIsolationLevelFlag, false, "suggest the use of sql.LevelXX.String()")
+	flags.Bool(TLSSignatureScheme, false, "suggest the use of tls.SignatureScheme.String()")
 	return *flags
 }
 
@@ -105,6 +107,10 @@ func run(pass *analysis.Pass) (interface{}, error) {
 				checkSQLIsolationLevel(pass, n)
 			}
 
+			if lookupFlag(pass, TLSSignatureScheme) {
+				checkTLSSignatureScheme(pass, n)
+			}
+
 		case *ast.CompositeLit:
 			typ, ok := n.Type.(*ast.SelectorExpr)
 			if !ok {
@@ -417,6 +423,14 @@ func checkSQLIsolationLevel(pass *analysis.Pass, basicLit *ast.BasicLit) {
 	}
 }
 
+func checkTLSSignatureScheme(pass *analysis.Pass, basicLit *ast.BasicLit) {
+	currentVal := getBasicLitValue(basicLit)
+
+	if newVal, ok := mapping.TLSSignatureScheme[currentVal]; ok {
+		report(pass, basicLit.Pos(), currentVal, newVal)
+	}
+}
+
 // getBasicLitFromArgs gets the *ast.BasicLit of a function argument.
 //
 // Arguments:

diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go
@@ -16,31 +16,26 @@ func TestUseStdlibVars(t *testing.T) {
 		"a/time",
 		"a/os",
 		"a/sql",
+		"a/tls",
 	}
 
 	a := analyzer.New()
 
-	if err := a.Flags.Set(analyzer.TimeWeekdayFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.TimeMonthFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.TimeLayoutFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.CryptoHashFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.RPCDefaultPathFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.OSDevNullFlag, "true"); err != nil {
-		t.Error(err)
-	}
-	if err := a.Flags.Set(analyzer.SQLIsolationLevelFlag, "true"); err != nil {
-		t.Error(err)
-	}
+	mustNil(t, a.Flags.Set(analyzer.TimeWeekdayFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.TimeMonthFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.TimeLayoutFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.CryptoHashFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.RPCDefaultPathFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.OSDevNullFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.SQLIsolationLevelFlag, "true"))
+	mustNil(t, a.Flags.Set(analyzer.TLSSignatureScheme, "true"))
 
 	analysistest.Run(t, analysistest.TestData(), a, pkgs...)
 }
+
+func mustNil(t *testing.T, err error) {
+	t.Helper()
+	if err != nil {
+		t.Error(err)
+	}
+}
diff --git a/pkg/analyzer/internal/gen.go b/pkg/analyzer/internal/gen.go
@@ -95,6 +95,12 @@ func main() {
 			templateName: "test-template.go.tmpl",
 			fileName:     "pkg/analyzer/testdata/src/a/sql/isolationlevel.go",
 		},
+		{
+			mapping:      mapping.TLSSignatureScheme,
+			packageName:  "sql_test",
+			templateName: "test-template.go.tmpl",
+			fileName:     "pkg/analyzer/testdata/src/a/tls/signaturescheme.go",
+		},
 	}
 
 	for _, operation := range operations {

diff --git a/pkg/analyzer/internal/mapping/mapping.go b/pkg/analyzer/internal/mapping/mapping.go
@@ -2,6 +2,7 @@ package mapping
 
 import (
 	"crypto"
+	"crypto/tls"
 	"database/sql"
 	"net/http"
 	"net/rpc"
@@ -176,3 +177,18 @@ var SQLIsolationLevel = map[string]string{
 	// sql.LevelSerializable.String():    "sql.LevelSerializable.String()",
 	// sql.LevelLinearizable.String():    "sql.LevelLinearizable.String()",
 }
+
+var TLSSignatureScheme = map[string]string{
+	tls.PSSWithSHA256.String():          "tls.PSSWithSHA256.String()",
+	tls.ECDSAWithP256AndSHA256.String(): "tls.ECDSAWithP256AndSHA256.String()",
+	tls.Ed25519.String():                "tls.Ed25519.String()",
+	tls.PSSWithSHA384.String():          "tls.PSSWithSHA384.String()",
+	tls.PSSWithSHA512.String():          "tls.PSSWithSHA512.String()",
+	tls.PKCS1WithSHA256.String():        "tls.PKCS1WithSHA256.String()",
+	tls.PKCS1WithSHA384.String():        "tls.PKCS1WithSHA384.String()",
+	tls.PKCS1WithSHA512.String():        "tls.PKCS1WithSHA512.String()",
+	tls.ECDSAWithP384AndSHA384.String(): "tls.ECDSAWithP384AndSHA384.String()",
+	tls.ECDSAWithP521AndSHA512.String(): "tls.ECDSAWithP521AndSHA512.String()",
+	tls.PKCS1WithSHA1.String():          "tls.PKCS1WithSHA1.String()",
+	tls.ECDSAWithSHA1.String():          "tls.ECDSAWithSHA1.String()",
+}
diff --git a/pkg/analyzer/testdata/src/a/tls/signaturescheme.go b/pkg/analyzer/testdata/src/a/tls/signaturescheme.go