Enable golangcli and improve testing for formatters

.github/workflows/ci.yml

@@ -7,6 +7,16 @@ on:
     branches:
       - master
 jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v2
+        continue-on-error: true
+        with:
+          version: latest
   tests-go-1-16:
     runs-on: ubuntu-latest
     env:

.golangci.yml

@@ -0,0 +1,13 @@
+linters:
+  enable:
+  - megacheck
+  - govet
+  - unparam
+  - unconvert
+  - misspell
+  - gofmt
+  - golint
+  - gosec
+  - nakedret
+  - dogsled
+  - depguard

cwe/cwe_suite_test.go

@@ -0,0 +1,13 @@
+package cwe_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestCwe(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Cwe Suite")
+}

cwe/data.go

@@ -1,106 +1,129 @@
 package cwe
 
-var data = map[string]*Weakness{
-	"118": {
-		ID:          "118",
-		Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
-		Name:        "Incorrect Access of Indexable Resource ('Range Error')",
-	},
-	"190": {
-		ID:          "190",
-		Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.",
-		Name:        "Integer Overflow or Wraparound",
-	},
-	"200": {
-		ID:          "200",
-		Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
-		Name:        "Exposure of Sensitive Information to an Unauthorized Actor",
-	},
-	"22": {
-		ID:          "22",
-		Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
-		Name:        "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
-	},
-	"242": {
-		ID:          "242",
-		Description: "The program calls a function that can never be guaranteed to work safely.",
-		Name:        "Use of Inherently Dangerous Function",
-	},
-	"276": {
-		ID:          "276",
-		Description: "During installation, installed file permissions are set to allow anyone to modify those files.",
-		Name:        "Incorrect Default Permissions",
-	},
-	"295": {
-		ID:          "295",
-		Description: "The software does not validate, or incorrectly validates, a certificate.",
-		Name:        "Improper Certificate Validation",
-	},
-	"310": {
-		ID:          "310",
-		Description: "Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.",
-		Name:        "Cryptographic Issues",
-	},
-	"322": {
-		ID:          "322",
-		Description: "The software performs a key exchange with an actor without verifying the identity of that actor.",
-		Name:        "Key Exchange without Entity Authentication",
-	},
-	"326": {
-		ID:          "326",
-		Description: "The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.",
-		Name:        "Inadequate Encryption Strength",
-	},
-	"327": {
-		ID:          "327",
-		Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.",
-		Name:        "Use of a Broken or Risky Cryptographic Algorithm",
-	},
-	"338": {
-		ID:          "338",
-		Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
-		Name:        "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
-	},
-	"377": {
-		ID:          "377",
-		Description: "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
-		Name:        "Insecure Temporary File",
-	},
-	"409": {
-		ID:          "409",
-		Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
-		Name:        "Improper Handling of Highly Compressed Data (Data Amplification)",
-	},
-	"703": {
-		ID:          "703",
-		Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
-		Name:        "Improper Check or Handling of Exceptional Conditions",
-	},
-	"78": {
-		ID:          "78",
-		Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
-		Name:        "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
-	},
-	"79": {
-		ID:          "79",
-		Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
-		Name:        "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
-	},
-	"798": {
-		ID:          "798",
-		Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
-		Name:        "Use of Hard-coded Credentials",
-	},
-	"88": {
-		ID:          "88",
-		Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
-		Name:        "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
-	},
-	"89": {
-		ID:          "89",
-		Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
-		Name:        "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
-	},
+const (
+	//Acronym is the acronym of CWE
+	Acronym = "CWE"
+	//Version the CWE version
+	Version = "4.4"
+	//ReleaseDateUtc the release Date of CWE Version
+	ReleaseDateUtc = "2021-03-15"
+	//Organization MITRE
+	Organization = "MITRE"
+	//Description the description of CWE
+	Description = "The MITRE Common Weakness Enumeration"
+)
+
+var (
+	data = map[string]*Weakness{}
+
+	weaknesses = []*Weakness{
+		{
+			ID:          "118",
+			Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
+			Name:        "Incorrect Access of Indexable Resource ('Range Error')",
+		},
+		{
+			ID:          "190",
+			Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.",
+			Name:        "Integer Overflow or Wraparound",
+		},
+		{
+			ID:          "200",
+			Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
+			Name:        "Exposure of Sensitive Information to an Unauthorized Actor",
+		},
+		{
+			ID:          "22",
+			Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
+			Name:        "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+		},
+		{
+			ID:          "242",
+			Description: "The program calls a function that can never be guaranteed to work safely.",
+			Name:        "Use of Inherently Dangerous Function",
+		},
+		{
+			ID:          "276",
+			Description: "During installation, installed file permissions are set to allow anyone to modify those files.",
+			Name:        "Incorrect Default Permissions",
+		},
+		{
+			ID:          "295",
+			Description: "The software does not validate, or incorrectly validates, a certificate.",
+			Name:        "Improper Certificate Validation",
+		},
+		{
+			ID:          "310",
+			Description: "Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.",
+			Name:        "Cryptographic Issues",
+		},
+		{
+			ID:          "322",
+			Description: "The software performs a key exchange with an actor without verifying the identity of that actor.",
+			Name:        "Key Exchange without Entity Authentication",
+		},
+		{
+			ID:          "326",
+			Description: "The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.",
+			Name:        "Inadequate Encryption Strength",
+		},
+		{
+			ID:          "327",
+			Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.",
+			Name:        "Use of a Broken or Risky Cryptographic Algorithm",
+		},
+		{
+			ID:          "338",
+			Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
+			Name:        "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
+		},
+		{
+			ID:          "377",
+			Description: "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
+			Name:        "Insecure Temporary File",
+		},
+		{
+			ID:          "409",
+			Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
+			Name:        "Improper Handling of Highly Compressed Data (Data Amplification)",
+		},
+		{
+			ID:          "703",
+			Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
+			Name:        "Improper Check or Handling of Exceptional Conditions",
+		},
+		{
+			ID:          "78",
+			Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
+			Name:        "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
+		},
+		{
+			ID:          "79",
+			Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
+			Name:        "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+		},
+		{
+			ID:          "798",
+			Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
+			Name:        "Use of Hard-coded Credentials",
+		},
+		{
+			ID:          "88",
+			Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
+			Name:        "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
+		},
+		{
+			ID:          "89",
+			Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
+			Name:        "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+		},
+	}
+)
+
+func init() {
+	for _, weakness := range weaknesses {
+		data[weakness.ID] = weakness
+	}
 }
 
 //Get Retrieves a CWE weakness by it's id

cwe/data_test.go

@@ -0,0 +1,22 @@
+package cwe_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/securego/gosec/v2/cwe"
+)
+
+var _ = Describe("CWE data", func() {
+	BeforeEach(func() {
+	})
+	Context("when consulting cwe data", func() {
+		It("it should retrieves the weakness", func() {
+			weakness := cwe.Get("798")
+			Expect(weakness).ShouldNot(BeNil())
+			Expect(weakness.ID).ShouldNot(BeNil())
+			Expect(weakness.Name).ShouldNot(BeNil())
+			Expect(weakness.Description).ShouldNot(BeNil())
+		})
+
+	})
+})

cwe/types.go

@@ -5,13 +5,6 @@ import (
 	"fmt"
 )
 
-const (
-	//URL is the base URL for CWE definitions
-	URL = "https://cwe.mitre.org/data/definitions/"
-	//Acronym is the acronym of CWE
-	Acronym = "CWE"
-)
-
 // Weakness defines a CWE weakness based on http://cwe.mitre.org/data/xsd/cwe_schema_v6.4.xsd
 type Weakness struct {
 	ID          string
@@ -21,7 +14,7 @@ type Weakness struct {
 
 //SprintURL format the CWE URL
 func (w *Weakness) SprintURL() string {
-	return fmt.Sprintf("%s%s.html", URL, w.ID)
+	return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", w.ID)
 }
 
 //SprintID format the CWE ID
@@ -39,3 +32,13 @@ func (w *Weakness) MarshalJSON() ([]byte, error) {
 		URL: w.SprintURL(),
 	})
 }
+
+//InformationURI link to the published CWE PDF
+func InformationURI() string {
+	return fmt.Sprintf("https://cwe.mitre.org/data/published/cwe_v%s.pdf/", Version)
+}
+
+//DownloadURI link to the zipped XML of the CWE list
+func DownloadURI() string {
+	return fmt.Sprintf("https://cwe.mitre.org/data/xml/cwec_v%s.xml.zip", Version)
+}

cwe/types_test.go

@@ -0,0 +1,25 @@
+package cwe_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/securego/gosec/v2/cwe"
+)
+
+var _ = Describe("CWE Types", func() {
+	BeforeEach(func() {
+	})
+	Context("when consulting cwe types", func() {
+		It("it should retrieves the information and download URIs", func() {
+			Expect(cwe.InformationURI()).To(Equal("https://cwe.mitre.org/data/published/cwe_v4.4.pdf/"))
+			Expect(cwe.DownloadURI()).To(Equal("https://cwe.mitre.org/data/xml/cwec_v4.4.xml.zip"))
+		})
+
+		It("it should retrieves the weakness ID and URL", func() {
+			weakness := &cwe.Weakness{ID: "798"}
+			Expect(weakness).ShouldNot(BeNil())
+			Expect(weakness.SprintID()).To(Equal("CWE-798"))
+			Expect(weakness.SprintURL()).To(Equal("https://cwe.mitre.org/data/definitions/798.html"))
+		})
+	})
+})

report/formatter_test.go

@@ -294,7 +294,7 @@ var _ = Describe("Formatter", func() {
 				Expect(err).ShouldNot(HaveOccurred())
 				pattern := "/home/src/project/test.go,1,test,HIGH,HIGH,1: testcode,CWE-%s\n"
 				expect := fmt.Sprintf(pattern, cwe.ID)
-				Expect(string(buf.String())).To(Equal(expect))
+				Expect(buf.String()).To(Equal(expect))
 			}
 		})
 		It("xml formatted report should contain the CWE mapping", func() {
@@ -308,7 +308,7 @@ var _ = Describe("Formatter", func() {
 				Expect(err).ShouldNot(HaveOccurred())
 				pattern := "Results:\n\n\n[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)\n  > 1: testcode\n\n\n\nSummary:\n   Files: 0\n   Lines: 0\n   Nosec: 0\n  Issues: 0\n\n"
 				expect := fmt.Sprintf(pattern, rule, cwe.ID)
-				Expect(string(buf.String())).To(Equal(expect))
+				Expect(buf.String()).To(Equal(expect))
 			}
 		})
 		It("json formatted report should contain the CWE mapping", func() {
@@ -442,7 +442,7 @@ var _ = Describe("Formatter", func() {
 				Expect(err).ShouldNot(HaveOccurred())
 				pattern := "/home/src/project/test.go:1:1: [CWE-%s] test (Rule:%s, Severity:HIGH, Confidence:HIGH)\n"
 				expect := fmt.Sprintf(pattern, cwe.ID, rule)
-				Expect(string(buf.String())).To(Equal(expect))
+				Expect(buf.String()).To(Equal(expect))
 			}
 		})
 		It("sarif formatted report should contain the CWE mapping", func() {