gosec
gosec copied to clipboard
securego
Refactor to support duplicate imports with different aliases
The existing code assumed imports to be either imported, or imported with an alias. Badly formatted files may have duplicate imports for a package, using different aliases.
This patch refactors the code, and;
Introduces a new GetImportedNames function, which returns all name(s) and
aliase(s) for a package, which effectively combines GetAliasedName and
GetImportedName, but adding support for duplicate imports.
The old GetAliasedName and GetImportedName functions have been rewritten to
use the new function and marked deprecated, but could be removed if there are no
external consumers.
With this patch, the linter is able to detect issues in files such as;
package main
import (
crand "crypto/rand"
"math/big"
"math/rand"
rand2 "math/rand"
rand3 "math/rand"
)
func main() {
_, _ = crand.Int(crand.Reader, big.NewInt(int64(2))) // good
_ = rand.Intn(2) // bad
_ = rand2.Intn(2) // bad
_ = rand3.Intn(2) // bad
}
Before this patch, only a single issue would be detected:
gosec --quiet .
[main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
13:
> 14: _ = rand.Intn(2) // bad
15: _ = rand2.Intn(2) // bad
With this patch, all issues are identified:
gosec --quiet .
[main.go:16] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
15: _ = rand2.Intn(2) // bad
> 16: _ = rand3.Intn(2) // bad
17: }
[main.go:15] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
14: _ = rand.Intn(2) // bad
> 15: _ = rand2.Intn(2) // bad
16: _ = rand3.Intn(2) // bad
[main.go:14] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
13:
> 14: _ = rand.Intn(2) // bad
15: _ = rand2.Intn(2) // bad
Alright, this needs some work; have a false positive on
package main
import (
"crypto/rand"
mrand "math/rand"
)
func main() {
good, _ := rand.Read(nil)
println(good)
bad := mrand.Int31()
println(bad)
}
@ccojocar I think I fixed it, but looks like CI is failing due to older Go versions being installed, and an outdated module; I opened https://github.com/securego/gosec/pull/880 to fix / work around that, and temporarily rebased this PR on top of that (will rebase once the other PR is merged)
Codecov Report
Base: 73.89% // Head: 74.19% // Increases project coverage by +0.30% :tada:
Coverage data is based on head (
98158f4) compared to base (6cd9e62). Patch coverage: 88.88% of modified lines in pull request are covered.
Additional details and impacted files
@@ Coverage Diff @@
## master #865 +/- ##
==========================================
+ Coverage 73.89% 74.19% +0.30%
==========================================
Files 51 51
Lines 3195 3186 -9
==========================================
+ Hits 2361 2364 +3
+ Misses 763 752 -11
+ Partials 71 70 -1
| Impacted Files | Coverage Ξ | |
|---|---|---|
| analyzer.go | 89.40% <ΓΈ> (-0.04%) |
:arrow_down: |
| import_tracker.go | 75.60% <82.60%> (+9.98%) |
:arrow_up: |
| helpers.go | 43.18% <100.00%> (+0.42%) |
:arrow_up: |
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
:umbrella: View full report at Codecov.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.
Working on some last changes; perhaps it's better after all to handle imports at the File level, otherwise we're calling it for every Node; let me push those changes π