From 0905b54329291add508f4d195e9035e7ab875800 Mon Sep 17 00:00:00 2001
From: Ryan Leung
Date: Mon, 18 Oct 2021 16:49:58 +0800
Subject: [PATCH 1/3] filter issues according to the severity and confidence
Signed-off-by: Ryan Leung
---
 .golangci.example.yml | 4 ++++
 pkg/config/linters_settings.go | 2 ++
 pkg/golinters/gosec.go | 34 +++++++++++++++++++++++++++++++++
 test/testdata/configs/gosec.yml | 2 ++
 4 files changed, 42 insertions(+)
diff --git a/.golangci.example.yml b/.golangci.example.yml
index 836947d5631a..80518f72a95a 100644
--- a/.golangci.example.yml
+++ b/.golangci.example.yml
@@ -371,6 +371,10 @@ linters-settings: - G204
 # Exclude generated files
 exclude-generated: true
+ # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
+ serveity: "high"
+ # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
+ confidence: "medium"
 # To specify the configuration of rules.
 # The configuration of rules is not fully documented by gosec:
 # https://github.com/securego/gosec#configuration
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index 04ddb054521e..7ce6f8c969ce 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -296,6 +296,8 @@ type GoModGuardSettings struct {
 type GoSecSettings struct {
 Includes []string
 Excludes []string
+ Severity string
+ Confidence string
 ExcludeGenerated bool `mapstructure:"exclude-generated"`
 Config map[string]interface{} `mapstructure:"config"`
 }
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
index 32d73847994c..cbb2acc7e169 100644
--- a/pkg/golinters/gosec.go
+++ b/pkg/golinters/gosec.go
@@ -9,6 +9,7 @@ import (
 "strings"
 "sync"
+ "github.com/pkg/errors"
 "github.com/securego/gosec/v2"
 "github.com/securego/gosec/v2/rules"
 "golang.org/x/tools/go/analysis"
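Review bot: The new `Severity` and `Confidence` fields of `GoSecSettings` have no doc comment, so a reader of the settings struct cannot tell which values are accepted or that leaving them empty keeps every finding (`convertToScore` in the gosec.go hunks maps the empty string to `gosec.Low`, which, assuming Low is the lowest gosec score, disables the filter). Suggest `Severity string // lowest severity to report: low (default), medium or high` and the matching line for `Confidence`. They rely on mapstructure's default key matching like `Includes`/`Excludes` beside them, which is consistent, though an explicit tag in the style of `ExcludeGenerated` would make the YAML key greppable.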
@@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 if len(issues) == 0 {
 return nil, nil
 }
+ severity, err := convertToScore(settings.Severity)
+ if err != nil {
+ lintCtx.Log.Warnf("Provided severity %s, use low instead. Valid options: low, medium, high", err)
+ }
+ confidence, err := convertToScore(settings.Confidence)
+ if err != nil {
+ lintCtx.Log.Warnf("Provided string %s, use low instead. Valid options: low, medium, high", err)
+ }
+ issues = filterIssues(issues, severity, confidence)
 res := make([]goanalysis.Issue, 0, len(issues))
 for _, i := range issues {
 text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
@@ -126,3 +136,27 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 return filters
 }
+
+func convertToScore(str string) (gosec.Score, error) {
+ str = strings.ToLower(str)
+ switch str {
+ case "", "low":
+ return gosec.Low, nil
+ case "medium":
+ return gosec.Medium, nil
+ case "high":
+ return gosec.High, nil
+ default:
+ return gosec.Low, errors.Errorf("'%s' not valid", str)
+ }
+}
+
+func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
+ res := make([]*gosec.Issue, 0)
+ for _, issue := range issues {
+ if issue.Severity >= severity && issue.Confidence >= confidence {
+ res = append(res, issue)
+ }
+ }
+ return res
+}
diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
index 41ea1cea5a51..a634559bbc2c 100644
--- a/test/testdata/configs/gosec.yml
+++ b/test/testdata/configs/gosec.yml
@@ -3,6 +3,8 @@ linters-settings:
 includes: - G306 - G101
+ serveity: "low"
+ confidence: "low"
 config:
 G306: "0666"
 G101:
From de31a37c19d960b535e9b8d16ea204ec36aa5104 Mon Sep 17 00:00:00 2001
From: Ryan Leung
Date: Tue, 19 Oct 2021 10:16:02 +0800
Subject: [PATCH 2/3] address comments
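Review bot: The two `convertToScore` calls and their `lintCtx.Log.Warnf` warnings are placed beside `if len(issues) == 0 { return nil, nil }`, which reads as the per-package analyzer callback rather than the body of `NewGosec`, so an invalid `severity` or `confidence` value is re-parsed and re-warned for every package the linter visits; resolving both scores once, before the callback is built, and leaving only `issues = filterIssues(issues, severity, confidence)` inside it would warn a single time. The patch 2 and patch 3 hunks on this function keep the same placement. The `// TODO: use severity and confidence` on the `text := fmt.Sprintf(...)` context line is now stale since both values are consumed here; drop it or reword it to say they filter but are not yet shown in the issue text. Falling back to `low` on a bad value is the right direction for a security linter, since it widens rather than narrows what gets reported. `NewGosec` continues outside the hunk.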
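Review bot: `convertToScore` builds a plain formatted error with `errors.Errorf` from `github.com/pkg/errors`, and that call is the only reason the import hunk earlier in this patch pulls the package in; `fmt` is already imported in this file (see the `fmt.Sprintf` context line in the previous hunk), so `fmt.Errorf("%q is not valid", str)` does the same without a new dependency, and `%q` also makes an empty or whitespace-only value visible in the log. The patch 3 hunk on this function keeps `errors.Errorf`. Since the value comes from YAML, `str = strings.ToLower(strings.TrimSpace(str))` would tolerate stray whitespace that is otherwise reported as invalid. In `filterIssues`, `res := make([]*gosec.Issue, 0)` can be `make([]*gosec.Issue, 0, len(issues))`, as the result is never longer than the input.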
Signed-off-by: Ryan Leung
---
 .golangci.example.yml | 2 +-
 pkg/golinters/gosec.go | 6 ++++--
 test/testdata/configs/gosec.yml | 2 --
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.golangci.example.yml b/.golangci.example.yml
index 80518f72a95a..597c235b5703 100644
--- a/.golangci.example.yml
+++ b/.golangci.example.yml
@@ -372,7 +372,7 @@ linters-settings:
 # Exclude generated files
 exclude-generated: true
 # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
- serveity: "high"
+ severity: "high"
 # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
 confidence: "medium"
 # To specify the configuration of rules.
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
index cbb2acc7e169..6b535217f62c 100644
--- a/pkg/golinters/gosec.go
+++ b/pkg/golinters/gosec.go
@@ -71,12 +71,12 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 }
 severity, err := convertToScore(settings.Severity)
 if err != nil {
- lintCtx.Log.Warnf("Provided severity %s, use low instead. Valid options: low, medium, high", err)
+ lintCtx.Log.Warnf("The provided severity %q is invalid, use low instead. Valid options: low, medium, high", err)
 }
 confidence, err := convertToScore(settings.Confidence)
 if err != nil {
- lintCtx.Log.Warnf("Provided string %s, use low instead. Valid options: low, medium, high", err)
+ lintCtx.Log.Warnf("The provided confidence %q is invalid, use low instead. Valid options: low, medium, high", err)
 }
 issues = filterIssues(issues, severity, confidence)
 res := make([]goanalysis.Issue, 0, len(issues))
@@ -137,6 +137,7 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 return filters
 }
+// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L250-L262
 func convertToScore(str string) (gosec.Score, error) {
 str = strings.ToLower(str)
 switch str {
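Review bot: The added `// code borrowed from ...` line sits in the doc-comment position of `convertToScore` but does not begin with the function name, so godoc and revive will not treat it as the function's documentation; the comment added above `filterIssues` in the next hunk has the same shape. Suggest leading with the contract and keeping the attribution on a second line, e.g. `// convertToScore maps "low", "medium" or "high" (case-insensitive; empty means low) to a gosec.Score.` followed by the existing borrowed-from line, and for `filterIssues` `// filterIssues keeps the issues whose severity and confidence both reach the given thresholds.`. `convertToScore`'s body continues outside the hunk.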
@@ -151,6 +152,7 @@ func convertToScore(str string) (gosec.Score, error) {
 }
 }
+// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L264-L276
 func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
 res := make([]*gosec.Issue, 0)
 for _, issue := range issues {
diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
index a634559bbc2c..41ea1cea5a51 100644
--- a/test/testdata/configs/gosec.yml
+++ b/test/testdata/configs/gosec.yml
@@ -3,8 +3,6 @@ linters-settings:
 includes: - G306 - G101
- serveity: "low"
- confidence: "low"
 config:
 G306: "0666"
 G101:
From ddad3170d865352b107457275cd9551608c71bfd Mon Sep 17 00:00:00 2001
From: Ryan Leung
Date: Tue, 19 Oct 2021 13:17:13 +0800
Subject: [PATCH 3/3] add tests for severity and confidence
Signed-off-by: Ryan Leung
---
 .golangci.example.yml | 4 +--
 pkg/golinters/gosec.go | 6 ++--
 .../configs/gosec_severity_confidence.yml | 4 +++
 test/testdata/gosec_severity_confidence.go | 31 +++++++++++++++++++
 4 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 test/testdata/configs/gosec_severity_confidence.yml
 create mode 100644 test/testdata/gosec_severity_confidence.go
diff --git a/.golangci.example.yml b/.golangci.example.yml
index 597c235b5703..40de706ce73c 100644
--- a/.golangci.example.yml
+++ b/.golangci.example.yml
@@ -372,9 +372,9 @@ linters-settings:
 # Exclude generated files
 exclude-generated: true
 # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
- severity: "high"
+ severity: "low"
 # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
- confidence: "medium"
+ confidence: "low"
 # To specify the configuration of rules.
 # The configuration of rules is not fully documented by gosec:
 # https://github.com/securego/gosec#configuration
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
index 6b535217f62c..85a2a6e0b878 100644
--- a/pkg/golinters/gosec.go
+++ b/pkg/golinters/gosec.go
@@ -71,12 +71,12 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 }
 severity, err := convertToScore(settings.Severity)
 if err != nil {
- lintCtx.Log.Warnf("The provided severity %q is invalid, use low instead. Valid options: low, medium, high", err)
+ lintCtx.Log.Warnf("The provided severity %v", err)
 }
 confidence, err := convertToScore(settings.Confidence)
 if err != nil {
- lintCtx.Log.Warnf("The provided confidence %q is invalid, use low instead. Valid options: low, medium, high", err)
+ lintCtx.Log.Warnf("The provided confidence %v", err)
 }
 issues = filterIssues(issues, severity, confidence)
 res := make([]goanalysis.Issue, 0, len(issues))
@@ -148,7 +148,7 @@ func convertToScore(str string) (gosec.Score, error) {
 case "high":
 return gosec.High, nil
 default:
- return gosec.Low, errors.Errorf("'%s' not valid", str)
+ return gosec.Low, errors.Errorf("'%s' is invalid, use low instead. Valid options: low, medium, high", str)
 }
 }
diff --git a/test/testdata/configs/gosec_severity_confidence.yml b/test/testdata/configs/gosec_severity_confidence.yml
new file mode 100644
index 000000000000..b813870a17fe
--- /dev/null
+++ b/test/testdata/configs/gosec_severity_confidence.yml
@@ -0,0 +1,4 @@
+linters-settings:
+ gosec:
+ severity: "medium"
+ confidence: "medium"
diff --git a/test/testdata/gosec_severity_confidence.go b/test/testdata/gosec_severity_confidence.go
new file mode 100644
index 000000000000..1bf2bd3a69c8
--- /dev/null
+++ b/test/testdata/gosec_severity_confidence.go
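Review bot: The final wording is split between the caller and the error value: `convertToScore` now returns `'x' is invalid, use low instead. Valid options: low, medium, high` and the `Warnf` calls in the hunk above prefix it with `The provided severity %v`, so the error only reads as a sentence when composed by that exact log line, and is capitalised and punctuated mid-string against the usual lowercase, no-trailing-period error convention. Keeping the error self-contained, `fmt.Errorf("invalid score %q (valid: low, medium, high)", str)`, and moving the remediation into the log call, `lintCtx.Log.Warnf("The provided severity is invalid, using low instead: %v", err)`, leaves both readable on their own. `convertToScore` starts outside the hunk.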
@@ -0,0 +1,31 @@
+//args: -Egosec
+//config_path: testdata/configs/gosec_severity_confidence.yml
+package testdata
+
+import (
+ "fmt"
+ "io/ioutil"
+ "net/http"
+)
+
+var url string = "https://www.abcdefghijk.com"
+
+func gosecVariableURL() {
+ resp, err := http.Get(url) // ERROR "G107: Potential HTTP request made with variable url"
+ if err != nil {
+ panic(err)
+ }
+ defer resp.Body.Close()
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ panic(err)
+ }
+ fmt.Printf("%s", body)
+}
+
+func gosecHardcodedCredentials() {
+ username := "admin"
+ var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
+
+ fmt.Println("Doing something with: ", username, password)
+}
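Review bot: `gosecHardcodedCredentials` has no `// ERROR` annotation and no comment explaining its absence, so it is not clear that being unreported is the point of the function rather than a gap; with the paired config at `severity: "medium"` and `confidence: "medium"`, it presumably exists to show that a finding below one of those thresholds (G101, which gosec reports with low confidence if I recall its rule table correctly) is filtered out. A comment such as `// G101 is expected to be filtered out by the configured confidence: medium` on the function would pin that intent and keep the test from passing for the wrong reason. Separately, `var url string = "..."` repeats a type the initializer already gives, and `ioutil.ReadAll` is deprecated since Go 1.16 in favour of `io.ReadAll`; harmless in a fixture, but cheap to tidy.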