
Could not find the documentation on "How to write the config file"

Open NishikaDeSilva opened this issue 4 years ago • 7 comments

Summary

I want to exclude false-positives using the config file in GoSec. I understand that this can be done by giving the option -config. However, there is no proper detailed documentation on the syntax of writing this file.

Is there any documentation other than readme on this? If not can you please make a detailed document?

NishikaDeSilva avatar Oct 28 '20 07:10 NishikaDeSilva

We have some documentation on this website https://securego.io/docs/rules/rule-intro.html, which is stored in this repository https://github.com/securego/securego.github.io but the config part is not covered.

Happy to accept a pull request if you are willing to contribute. Please just reach out to me on slack if you need any help.

ccojocar avatar Nov 02 '20 08:11 ccojocar

@ccojocar, what needs to be done for the documentation? Keen to help out with this ticket.

nanikjava avatar Aug 20 '21 12:08 nanikjava

@nanikjava You can try to add some documentation for configuration keys in https://github.com/securego/securego.github.io. These are some places to check in the code where the configuration is parsed:

  • https://github.com/securego/gosec/blob/fd5472caaf3f10ec3991466caf593456771cf059/cmd/gosec/main.go#L163
  • https://github.com/securego/gosec/blob/master/config.go
  • https://github.com/securego/gosec/blob/master/config_test.go

It would be also nice to add in the docs a sample file for configuration.

ccojocar avatar Aug 20 '21 15:08 ccojocar

@ccojocar Going through the above-mentioned code, I found that the complete JSON file will look like this:

{
  "global": {
    "nosec": true,
    "audit" : "enabled",
    "show-ignored" : true,
    "#nosec" : "#falsePositive"
  }
}

Is this correct?

nanikjava avatar Aug 21 '21 13:08 nanikjava

I think there are a few more config flags. For instance each rule can be enabled/disabled.

You can search through the code to find all invocations of

func (c Config) Get(section string) (interface{}, error)

and

func (c Config) GetGlobal(option GlobalOption) (string, error)

ccojocar avatar Aug 22 '21 16:08 ccojocar

Went through the code as you suggested and found the following for Set(..) and Get(..) (both inside config_test.go):

		It("should be possible to save configuration to file", func() {
			configuration.Set("G101", map[string]string{
				"mode": "strict",
			})

			buffer := bytes.NewBuffer([]byte{})
			nbytes, err := configuration.WriteTo(buffer)
			Expect(int(nbytes)).ShouldNot(BeZero())
			Expect(err).ShouldNot(HaveOccurred())
			Expect(buffer.String()).Should(Equal(`{"G101":{"mode":"strict"},"global":{}}`))
		})
	})
	Context("when configuring rules", func() {
		It("should be possible to get configuration for a rule", func() {
			settings := map[string]string{
				"ciphers": "AES256-GCM",
			}
			configuration.Set("G101", settings)

			retrieved, err := configuration.Get("G101")
			Expect(err).ShouldNot(HaveOccurred())
			Expect(retrieved).Should(HaveKeyWithValue("ciphers", "AES256-GCM"))
			Expect(retrieved).ShouldNot(HaveKey("foobar"))
		})
	})

Is this what you are referring to?

nanikjava avatar Aug 24 '21 12:08 nanikjava

Yeah, some rules have specific settings (e.g. hardcoded credentials).

ccojocar avatar Aug 25 '21 15:08 ccojocar
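The thread establishes the shape of the file but never shows a complete one with both a "global" block and a per-rule block. Below is an added example (not part of the issue and not gosec's own code): a small stand-alone Go program that embeds a constructed config file and re-implements, in simplified form, the Get/GetGlobal lookups the thread points at, so you can see how the top-level keys are dispatched. The "global" keys are the four from the sample posted above; the G101 keys "pattern" and "ignore_entropy" are the hardcoded-credentials rule's settings as the author of this example understands them, and the Config type, ReadConfig and RuleIDs are this example's own, not gosec's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// GlobalOption names a key under the top-level "global" object.
// These are the four keys used in the sample config posted in the thread.
type GlobalOption string

const (
	Nosec            GlobalOption = "nosec"        // honour #nosec comments
	Audit            GlobalOption = "audit"        // audit mode
	NoSecAlternative GlobalOption = "#nosec"       // alternative tag for #nosec
	ShowIgnored      GlobalOption = "show-ignored" // report suppressed issues too
)

// Config is a simplified stand-in (example code, not gosec's) for the file
// shape: every top-level key is a section. "global" holds analyzer-wide
// options; any other key is a rule ID such as "G101" whose value is an
// object of that rule's settings.
type Config map[string]interface{}

// sampleConfig is a constructed example file. The "global" block is the one
// from the thread; the G101 keys are assumed to be that rule's settings.
const sampleConfig = `{
  "global": {
    "nosec": true,
    "audit": "enabled",
    "show-ignored": true,
    "#nosec": "#falsePositive"
  },
  "G101": {
    "pattern": "(?i)passwd|password|secret|token|apiKey",
    "ignore_entropy": false
  }
}`

// ReadConfig parses a config file, rejects sections that are not JSON
// objects, and guarantees a "global" section exists so GetGlobal never
// fails merely because the file omitted the block.
func ReadConfig(r io.Reader) (Config, error) {
	c := Config{}
	if err := json.NewDecoder(r).Decode(&c); err != nil {
		return nil, fmt.Errorf("config: %w", err)
	}
	if _, ok := c["global"]; !ok {
		c["global"] = map[string]interface{}{}
	}
	for name, v := range c {
		if _, ok := v.(map[string]interface{}); !ok {
			return nil, fmt.Errorf("config: section %q must be a JSON object", name)
		}
	}
	return c, nil
}

// Get returns the settings object for a section (a rule ID or "global").
func (c Config) Get(section string) (map[string]interface{}, error) {
	v, ok := c[section]
	if !ok {
		return nil, fmt.Errorf("config: section %q not found", section)
	}
	m, ok := v.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("config: section %q is not a JSON object", section)
	}
	return m, nil
}

// GetGlobal returns a global option rendered as a string, so the JSON
// boolean true and the string "true" are read the same way by callers.
func (c Config) GetGlobal(opt GlobalOption) (string, error) {
	g, err := c.Get("global")
	if err != nil {
		return "", err
	}
	v, ok := g[string(opt)]
	if !ok {
		return "", fmt.Errorf("config: global option %q not set", opt)
	}
	return fmt.Sprint(v), nil
}

// RuleIDs lists every non-global section, i.e. the rules the file configures.
func (c Config) RuleIDs() []string {
	var ids []string
	for k := range c {
		if k != "global" {
			ids = append(ids, k)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	c, err := ReadConfig(strings.NewReader(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, opt := range []GlobalOption{Nosec, Audit, ShowIgnored, NoSecAlternative} {
		v, _ := c.GetGlobal(opt)
		fmt.Printf("global %-13s = %s\n", opt, v)
	}
	for _, id := range c.RuleIDs() {
		settings, _ := c.Get(id)
		fmt.Printf("rule %s settings: %v\n", id, settings)
	}
	if _, err := c.Get("G999"); err != nil {
		fmt.Println("unconfigured rule:", err)
	}
}
```

The point to take away for writing your own file: there is exactly one reserved section name, "global", and every other top-level key is matched against a rule ID, so a typo such as "G0101" is silently ignored rather than rejected. Save the JSON as, for example, gosec-config.json and pass it with `gosec -conf gosec-config.json ./...`.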