Reset the state of TLS rule after each version check (#570)

ccojocar · web-flow · commit 897c203e6217 · 2021-02-11T10:52:16.000+01:00
Signed-off-by: Cosmin Cojocar &lt;ccojocar@cloudbees.com&gt;
diff --git a/go.sum b/go.sum
@@ -369,6 +369,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
diff --git a/rules/tls.go b/rules/tls.go
@@ -146,6 +146,11 @@ func (t *insecureConfigTLS) checkVersion(n ast.Node, c *gosec.Context) *gosec.Is
 	return nil
 }
 
+func (t *insecureConfigTLS) resetVersion() {
+	t.actualMaxVersion = 0
+	t.actualMinVersion = 0
+}
+
 func (t *insecureConfigTLS) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 	if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil {
 		actualType := c.Info.TypeOf(complit.Type)
@@ -158,7 +163,9 @@ func (t *insecureConfigTLS) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, e
 					}
 				}
 			}
-			return t.checkVersion(complit, c), nil
+			issue := t.checkVersion(complit, c)
+			t.resetVersion()
+			return issue, nil
 		}
 	}
 	return nil, nil
diff --git a/testutils/source.go b/testutils/source.go
@@ -2057,7 +2057,24 @@ func main() {
 	if err != nil {
 		fmt.Println(err)
 	}
-}`}, 0, gosec.NewConfig()}}
+}`}, 0, gosec.NewConfig()}, {[]string{`
+package p0
+
+import "crypto/tls"
+
+func TlsConfig0() *tls.Config {
+	var v uint16 = 0
+	return &tls.Config{MinVersion: v}
+}
+`, `
+package p0
+
+import "crypto/tls"
+
+func TlsConfig1() *tls.Config {
+   return &tls.Config{MinVersion: 0x0304}
+}
+`}, 1, gosec.NewConfig()}}
 
 	// SampleCodeG403 - weak key strength
 	SampleCodeG403 = []CodeSample{

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,11 @@ func (t insecureConfigTLS) checkVersion(n ast.Node, c gosec.Context) *gosec.Is`
`146`	`146`	`return nil`
`147`	`147`	`}`
`148`	`148`
	`149`	`+func (t *insecureConfigTLS) resetVersion() {`
	`150`	`+ t.actualMaxVersion = 0`
	`151`	`+ t.actualMinVersion = 0`
	`152`	`+}`
	`153`	`+`
`149`	`154`	`func (t insecureConfigTLS) Match(n ast.Node, c gosec.Context) (*gosec.Issue, error) {`
`150`	`155`	`if complit, ok := n.(*ast.CompositeLit); ok && complit.Type != nil {`
`151`	`156`	`actualType := c.Info.TypeOf(complit.Type)`
`@@ -158,7 +163,9 @@ func (t insecureConfigTLS) Match(n ast.Node, c gosec.Context) (*gosec.Issue, e`
`158`	`163`	`}`
`159`	`164`	`}`
`160`	`165`	`}`
`161`		`- return t.checkVersion(complit, c), nil`
	`166`	`+ issue := t.checkVersion(complit, c)`
	`167`	`+ t.resetVersion()`
	`168`	`+ return issue, nil`
`162`	`169`	`}`
`163`	`170`	`}`
`164`	`171`	`return nil, nil`