Releases: securego/gosec
v2.7.0
Changelog
27a5ffb Quiet warnings about integer truncation (#586)
bf2cd23 Update all dependencies (#585)
01ee764 Fix typo in USERS.md (#583)
9c047e3 Add support for Go 1.16 in the CI and release workflows (#581)
1fce461 fix: WriteParams rule to work also with golang 1.16 (#577)
dcbcc4d Use a more generic path for sonarqube import path (#573)
2777e50 Update README with a note which describes how to import a SonarQube report (#572)
897c203 Reset the state of TLS rule after each version check (#570)
6c57ae1 Fix sarif formatting issues (#565)
b6524ce Update all dependencies
v2.6.1
v2.5.0
Changelog
a4746e1 Update all dependencies (#533)
6bd6e4b Use $(go env GOPATH) that works even when GOPATH is not set
aef335a Fix typo in README.md
0ce48a5 Reproducible junit report (#529)
868556b Update README with the correct path to tlsconfig command
13519fd Update the tls configuration generate to handle also the NSS alternative names
e351067 Update all dependencies
166e4f5 Update README file with some more details required to run successfully a scan with the docker image
f5cc32a Update the Go version to 1.15 in the Makefile
ea0fa28 Update the Github go action version to 1.6.0
feea8bb Fix the action tag
6688a97 Fix the github action for Go 1.15
7234349 Add Go 1.15 to the supported version and phase out the Go 1.12
a3895d5 Fix typo in README file
17c9555 Incorrect local installation instructions for v2
f13b8bc Add also filepath.Rel as a sanitization method for input argument in the G304 rule
047729a Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
b60ddc2 feat: adds support for path.Join and for tar archives in G305
673a139 Update all dependencies
110b62b Add io.CopyBuffer function to rule G110
6bcd89a Mark all lines of a multi-line finding
4d4e594 Add some comments
d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
37d1af0 Expand the arguments to a list of strings when they are provided as a single string
59cbe00 Update all dependencies
ade81d3 Rename file for consistency
03f12f3 Change naming rule from blacklist to blocklist
3784ffe Fix panic when reading the version from debug info in Go 1.13
55d368f Improve the TLS version checking
ad1cb7e Make sure some version information is set when no version was injected into the binary
1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
0c1a71b Add more tests samples to increase coverage
fe07fcf Fix unit test when checking a mix of good and bad random functions
6bbf8f9 Extend the insecure random rule with more insecure random functions
af699f6 Exclude .git directory from scan (#485)
6202b38 Update all dependencies (#484)
6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
826db1c Fix the build tags propagation
7da9248 Change the issue test to verify that a multi-line finding contains a line range
7aedcc5 Remove print line from tests
30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
32be4a5 Make sure all rules are mapped to CWE numbers
8630c43 Add null pointer check in G601
1418b85 ondisk -> onDisk
b2cfc5d USERS.md typo in the title fixed.
425b8f9 Display a sponsor button in the repository
0714a1e Update the users file with some more projects and companies
1b915dd Set up a gosec's users list
668512f Update bad_defer.go
ee3146e Rule which detects aliasing of values in RangeStmt
8662624 Update the build badge to get the status from GitHub workflow
a5db4e1 Run mod tidy to clean up the dependencies
fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
a2a40de Update the README with an example to configure the hard-coded credentials rule
802292c Fix the configuration parsing for hardcoded credentials
c58f356 Set the default color on only for text format
1a113d6 Turn the color always on when the text format is set
c4417de Use the latest color package to get the color working with tmux
656691b feature(formatter/text): Add color option on text format (#460)
51e4317 Automate the release process using a GitHub workflow
341059e Update the GitHub action name to be more descriptive
3b6c3f1 Update README with some instructions on how to run gosec as a GitHub action
08202fe Add a GitHub action to run gosec
c6e10af Handle properly the gosec module version v2
e946c8c Update all dependencies
e030aa4 Remove the go 1.14 version from github action
ee176ff Fix the job names in the Github workflow
cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
a111777 Change the GitHub workflow to use only the latest Go version
722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
5284f34 Change the GitHub workflow to use an action which installs Go using a Go version from the matrix
8de5fb6 Migrate the build to GitHub Actions
7da9f46 Fix the call list info to handle selector expressions
cf25904 Fix the subproc rule to handle correctly the CommandContext check
f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
c998389 re-generate install.sh with latest godownloader (#446)
7525fe4 Rule for deferring methods which return errors (#441)
a2ac0bf Update all dependencies (#445)
a305f10 Fileperms (#442)
00363ed remove support for go 1.11 (#444)
d13bb6d Update all dependencies
17df5b3 Fix typos
3e069e7 Fix the errors rule whitelist to work on types methods
459e2d3 Modify rule for integer overflow to have more accurate results (#434)
a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
3d5c97b Add a test sample for Cgo files
81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
a1969e2 Handle all errors in the formatter tests (#431)
9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
f43a957 Check for both default and alternative nosec tags (#426)
79fbf3a Add golint format to output format (#428)
57c3788 Update all dependencies (#427)
5d61373 fix(docker) gcc and libc-dev required bindings
cb4f343 Update all dependencies (#417)
df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
b4c76d4 Update all dependencies (#410)
99170e0 Update the README with some details about the CWE mapping (#407)
53be8dd Add CWE rule mappings (#405)
28c1128 Add more tests to improve the coverage of resolve
d78f026 Format import to make codecov happy
50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
07770ae Add a test for composite literals when trying to resolve an AST tree node
f413f14 Handle the ValueSpec when trying to resolve an AST tree node
c1970ff Handle the ValueSpec when trying to resolve an AST tree node
ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
186dec7 Convert the global settings to correct type when reading them from file (#399)
e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
607f240 reconfigure renovate bot (#395)
832d7bb Update README with CII Best Practices badge
29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
b504783 Change unit tests to check for one thing (#381)
7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
c6ac709 Update golang.org/x/net commit hash to aa69164
7a6460d Update golang.org/x/crypto commit hash to 9ee001b
d8f249a Update README with rule G108
9cee24c Add a rule which detects when pprof endpoint is automatically exposed
73fbc9b Update golang.org/x/net commit hash to 1a5e07d
124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
90e9759 Update golang.org/x/net commit hash to c858923 (#373)
709ed1b Change rule G204 to be less restrictive (#339)
98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
140048b Update golang.org/x/sys commit hash to 7ad0cfa
a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
b9c4c66 Expose analyzer API (#366)
29fddff turn on automerge for renovate bot
bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
a1c9c76 Remove the unused code to increase the test coverage
338b50d Remove rule G105 which detects the use of math/big#Int.Exp
43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
76ce9f0 Update the config struct to unmarshal the mozilla server-side TLS conf version 5
e050355 Update the TLS config generator to handle TLS version 1.3
c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
7851918 Add support to exclude arbitrary folders from scanning (#353)
1c35be8 Add renovate.json (#354)
fde1f82 Update the tag format in the release steps (#348)
992f173 Update README file with a note on dependencies (#351)
e442cf3 Add Go 1.13 to the tested versions in the travis build file (#350)
4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
8932f70 Add flag to handle '#nosec' alternative (#346)
4b59c94 Prevent null pointer exception in Sonarqube (#334)
39f7e7b Display filtered number of issues instead of total in stats
e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
63b44b6 Add some more tests to make codecov happy
1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar cosmin.cojocar@gmx.ch
f344524 Fix the whitelist on G104 rule and add a test
78a4949 Load rules on each code sample in order to reconfigure them
ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
020479a Support multiple root paths when generating th...
v2.4.0
Changelog
6bcd89a Mark all lines of a multi-line finding
4d4e594 Add some comments
d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
37d1af0 Expand the arguments to a list of strings when they are provided as a single string
59cbe00 Update all dependencies
ade81d3 Rename file for consistency
03f12f3 Change naming rule from blacklist to blocklist
3784ffe Fix panic when reading the version from debug info in Go 1.13
55d368f Improve the TLS version checking
ad1cb7e Make sure some version information is set when no version was injected into the binary
1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
0c1a71b Add more tests samples to increase coverage
fe07fcf Fix unit test when checking a mix of good and bad random functions
6bbf8f9 Extend the insecure random rule with more insecure random functions
af699f6 Exclude .git directory from scan (#485)
6202b38 Update all dependencies (#484)
6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
826db1c Fix the build tags propagation
7da9248 Change the issue test to verify that a multi-line finding contains a line range
7aedcc5 Remove print line from tests
30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
32be4a5 Make sure all rules are mapped to CWE numbers
8630c43 Add null pointer check in G601
1418b85 ondisk -> onDisk
b2cfc5d USERS.md typo in the title fixed.
425b8f9 Display a sponsor button in the repository
0714a1e Update the users file with some more projects and companies
1b915dd Set up a gosec's users list
668512f Update bad_defer.go
v2.3.0
Changelog
ee3146e Rule which detects aliasing of values in RangeStmt
8662624 Update the build badge to get the status from GitHub workflow
a5db4e1 Run mod tidy to clean up the dependencies
fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
a2a40de Update the README with an example to configure the hard-coded credentials rule
802292c Fix the configuration parsing for hardcoded credentials
c58f356 Set the default color on only for text format
1a113d6 Turn the color always on when the text format is set
c4417de Use the latest color package to get the color working with tmux
656691b feature(formatter/text): Add color option on text format (#460)
51e4317 Automate the release process using a GitHub workflow
341059e Update the GitHub action name to be more descriptive
3b6c3f1 Update README with some instructions on how to run gosec as a GitHub action
08202fe Add a GitHub action to run gosec
c6e10af Handle properly the gosec module version v2
e946c8c Update all dependencies
e030aa4 Remove the go 1.14 version from github action
ee176ff Fix the job names in the Github workflow
cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
a111777 Change the GitHub workflow to use only the latest Go version
722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
5284f34 Change the GitHub workflow to use an action which installs Go using a Go version from the matrix
8de5fb6 Migrate the build to GitHub Actions
7da9f46 Fix the call list info to handle selector expressions
cf25904 Fix the subproc rule to handle correctly the CommandContext check
f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
c998389 re-generate install.sh with latest godownloader (#446)
7525fe4 Rule for deferring methods which return errors (#441)
a2ac0bf Update all dependencies (#445)
a305f10 Fileperms (#442)
00363ed remove support for go 1.11 (#444)
d13bb6d Update all dependencies
v2.2.0
Changelog
17df5b3 Fix typos
3e069e7 Fix the errors rule whitelist to work on types methods
459e2d3 Modify rule for integer overflow to have more accurate results (#434)
a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
3d5c97b Add a test sample for Cgo files
81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
a1969e2 Handle all errors in the formatter tests (#431)
9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
f43a957 Check for both default and alternative nosec tags (#426)
79fbf3a Add golint format to output format (#428)
57c3788 Update all dependencies (#427)
5d61373 fix(docker) gcc and libc-dev required bindings
cb4f343 Update all dependencies (#417)
df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
b4c76d4 Update all dependencies (#410)
99170e0 Update the README with some details about the CWE mapping (#407)
53be8dd Add CWE rule mappings (#405)
v2.1.0
Changelog
28c1128 Add more tests to improve the coverage of resolve
d78f026 Format import to make codecov happy
50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
07770ae Add a test for composite literals when trying to resolve an AST tree node
f413f14 Handle the ValueSpec when trying to resolve an AST tree node
c1970ff Handle the ValueSpec when trying to resolve an AST tree node
ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
186dec7 Convert the global settings to correct type when reading them from file (#399)
e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
607f240 reconfigure renovate bot (#395)
832d7bb Update README with CII Best Practices badge
29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
b504783 Change unit tests to check for one thing (#381)
7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
c6ac709 Update golang.org/x/net commit hash to aa69164
7a6460d Update golang.org/x/crypto commit hash to 9ee001b
d8f249a Update README with rule G108
9cee24c Add a rule which detects when pprof endpoint is automatically exposed
73fbc9b Update golang.org/x/net commit hash to 1a5e07d
124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
90e9759 Update golang.org/x/net commit hash to c858923 (#373)
709ed1b Change rule G204 to be less restrictive (#339)
98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
140048b Update golang.org/x/sys commit hash to 7ad0cfa
a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
b9c4c66 Expose analyzer API (#366)
29fddff turn on automerge for renovate bot
bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
a1c9c76 Remove the unused code to increase the test coverage
338b50d Remove rule G105 which detects the use of math/big#Int.Exp
43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
76ce9f0 Update the config struct to unmarshal the mozilla server-side TLS conf version 5
e050355 Update the TLS config generator to handle TLS version 1.3
c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
7851918 Add support to exclude arbitrary folders from scanning (#353)
1c35be8 Add renovate.json (#354)
fde1f82 Update the tag format in the release steps (#348)
992f173 Update README file with a note on dependencies (#351)
e442cf3 Add Go 1.13 to the tested versions in the travis build file (#350)
4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
8932f70 Add flag to handle '#nosec' alternative (#346)
4b59c94 Prevent null pointer exception in Sonarqube (#334)
39f7e7b Display filtered number of issues instead of total in stats
e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
63b44b6 Add some more tests to make codecov happy
1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar cosmin.cojocar@gmx.ch
f344524 Fix the whitelist on G104 rule and add a test
78a4949 Load rules on each code sample in order to reconfigure them
ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
020479a Support multiple root paths when generating the Sonarqube report
46e55b9 Fix the file path in the Sonarqube report
04dc713 One approach for fixing the false positive identified in #325.
196edd3 Add checksum clarification in README
0ebfa2f Rework analyzer unit test to pass the go tip version (#318)
9d9098f print version string (#317)
ee80733 Add a flag to filter issues by confidence (#316)
2.0.0
Changelog
29cec13 Fix formatting in README, remove prerequisite and reworked the Makefile tests goals (#313)
b68ac76 Fix formatting
3e69a8c Append the package load errors to analyser's errors
aac9b00 Refactor properly the package error parsing and cover all test cases
625718d Refactor the test for Go build errors
3af4ae9 Fix some lint warnings
bac6f0f Add tests for an empty package without any test file
76b2c12 Add a test to cover the processing of empty packages
b04c1ce Fix error parsing from package
92b3644 Fix error parsing when the loaded package is empty
48e3932 Remove tests case from import tracker
25b5a1a Add tests to cover the import tracker from file
5ef2bee Track only the import from the file which is checked
f1ea7f6 Add tests for analyser test package check
6e5135f Update README with some instructions to enable the tests and vendor folder scanning
b49c953 Add a flag which allows to scan also the tests files
f1d49a6 Remove unused code
ed2e0aa Update local install command in README file
4dfaf0a Refactor the analyzer to process one package at the time
adcfe94 Fix test for helpers
5ae5266 Add some tests that covers the helper function which list the package paths
e419eb8 Exclude correctly the vendor folder from the scanned packages
85eb8a5 Scan the go packages path recursively starting from a root folder
8522199 Improve logging in the analyser
ea16ff1 Remove GOPATH check to allow running gosec outside of GOPATH
6c174a6 Update README file
7935fd8 Rework the Dockerfile for Go modules
806908a Remove the dep tool installation from travis CI
950e84c Handle errors to fix lint warnings
ee73b9e Remove dep and Use only Go modules to manage dependencies
85d1808 Go modules support for 1.12 (#297)
eaba99d fix comment.
4cd14f9 remove panic
66e7c8d Extract to a constant
1b28d32 fix sonarIssues struct
8eab50e update README.md to add support of sonarqube.
989eb3f Update Hound errors
ddfe54d Add sonarqube output
c5e6c4a fix no-fail flag logic
2bd007e Update README
8b27d1c Update go version to 1.11.5 in the docker file
9cd538f Fix README typo
1.3.0
Changelog
62b5195 Report for Golang errors (#284)
9cdfec4 Change test
8048b15 Add more badges in the README file
e2752bc revert to default GOPATH if necessary (#279)
04ce7ba add a no-fail flag
a966ff7 Fix -conf example in README.md
b662615 Fix typo
5d33e6e Update the README with some details about the configuration file
f87af5f Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
14ed63d Do not flag the unhandled errors which are explicitly ignored
12400f9 Update README with the code coverage batch
72e95e8 Generate and upload the test coverage report to codecove.io
24e3094 Extend the bind rule to handle the case when the net.Listen address is provided from a const
9b32fca Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call
f14f17f Add a helper function which extracts the string parameters values of a call expression
1.2.0
Changelog
2695567 Build the code sample for string builder only from Go 1.10 onwards
ae82798 Fix the WriteString test by handling the error
adb4222 whitelist strings.Builder method in rule G104
9b966a4 add test case for strings.Builder G104 whitelist inclusion
4180994 Make G201 ignore CallExpr with no args (#262)
443f84f Fix golint link (#263)
3116b07 Fix typos in comments and rulelist (#256)
e0a150b Merge pull request #254 from kishaningithub/253
97bc137 Add CI Installation steps and correct markdown lint errors
8c09a83 Add install.sh script
d032909 Merge pull request #251 from NeverOddOrEven/fix-html-template
027dc2b This fixes the html template when using '-fmt=html' - resolves HTML escaping issues within the template - resolves reference issues to reportInfo struct i.e. issues -> Issues, metrics -> Stats
f9b4187 Merge pull request #249 from andrewhsu/go
1ecd47e bump Dockerfile golang from 1.10 to 1.11
2cc6838 Merge pull request #248 from ccojocar/code-samples-multiple-files
64d58c2 Refactor the test code sample to support multiple files per sample
d3f1980 Fix false positives for SQL string concatenation with constants from another file (#247)
5f98926 Refactor Dockerfile (#245)
7f6509a Update README.md (#246)
762ff3a Allow quoted strings to be used to format SQL queries (#240)
ec32ce6 Support Go 1.11 (#239)
145f1a0 Removed wrapping feature (#238)
419c929 G107 - SSRF (#236)
63b25c1 Fix typo in README (#235)
7fd9446 update to G304 which adds binary expressions and file joining (#233)