authorDmitry Vyukov <dvyukov@google.com>2021-02-22 20:37:25 +0100
committerDmitry Vyukov <dvyukov@google.com>2021-02-22 21:02:12 +0100
commitfcc6d71be2c3ce7d9305c04fc2e87af554571bac (patch)
treeb01dbb3d1e2988e28ea158d2d543d603ec0b9569 /vendor/github.com/securego/gosec/v2/rules
parent8f23c528ad5a943b9ffec5dcaf332fd0f614006e (diff)
go.mod: update golangci-lint to v1.37
Diffstat (limited to 'vendor/github.com/securego/gosec/v2/rules')
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/archive.go23
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/decompression-bomb.go1
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/readfile.go23
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/tls.go2
-rw-r--r--vendor/github.com/securego/gosec/v2/rules/tls_config.go4
5 files changed, 42 insertions, 11 deletions
diff --git a/vendor/github.com/securego/gosec/v2/rules/archive.go b/vendor/github.com/securego/gosec/v2/rules/archive.go
index ca7a46e0b..92c7e4481 100644
--- a/vendor/github.com/securego/gosec/v2/rules/archive.go
+++ b/vendor/github.com/securego/gosec/v2/rules/archive.go
@@ -9,15 +9,15 @@ import (
type archive struct {
gosec.MetaData
- calls gosec.CallList
- argType string
+ calls gosec.CallList
+ argTypes []string
}
func (a *archive) ID() string {
return a.MetaData.ID
}
-// Match inspects AST nodes to determine if the filepath.Joins uses any argument derived from type zip.File
+// Match inspects AST nodes to determine if the filepath.Joins uses any argument derived from type zip.File or tar.Header
func (a *archive) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if node := a.calls.ContainsPkgCallExpr(n, c, false); node != nil {
for _, arg := range node.Args {
@@ -35,26 +35,31 @@ func (a *archive) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
}
}
- if argType != nil && argType.String() == a.argType {
- return gosec.NewIssue(c, n, a.ID(), a.What, a.Severity, a.Confidence), nil
+ if argType != nil {
+ for _, t := range a.argTypes {
+ if argType.String() == t {
+ return gosec.NewIssue(c, n, a.ID(), a.What, a.Severity, a.Confidence), nil
+ }
+ }
}
}
}
return nil, nil
}
-// NewArchive creates a new rule which detects the file traversal when extracting zip archives
+// NewArchive creates a new rule which detects the file traversal when extracting zip/tar archives
func NewArchive(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
calls := gosec.NewCallList()
calls.Add("path/filepath", "Join")
+ calls.Add("path", "Join")
return &archive{
- calls: calls,
- argType: "*archive/zip.File",
+ calls: calls,
+ argTypes: []string{"*archive/zip.File", "*archive/tar.Header"},
MetaData: gosec.MetaData{
ID: id,
Severity: gosec.Medium,
Confidence: gosec.High,
- What: "File traversal when extracting zip archive",
+ What: "File traversal when extracting zip/tar archive",
},
}, []ast.Node{(*ast.CallExpr)(nil)}
}
diff --git a/vendor/github.com/securego/gosec/v2/rules/decompression-bomb.go b/vendor/github.com/securego/gosec/v2/rules/decompression-bomb.go
index bfc589763..02256faa9 100644
--- a/vendor/github.com/securego/gosec/v2/rules/decompression-bomb.go
+++ b/vendor/github.com/securego/gosec/v2/rules/decompression-bomb.go
@@ -95,6 +95,7 @@ func NewDecompressionBombCheck(id string, conf gosec.Config) (gosec.Rule, []ast.
copyCalls := gosec.NewCallList()
copyCalls.Add("io", "Copy")
+ copyCalls.Add("io", "CopyBuffer")
return &decompressionBombCheck{
MetaData: gosec.MetaData{
diff --git a/vendor/github.com/securego/gosec/v2/rules/readfile.go b/vendor/github.com/securego/gosec/v2/rules/readfile.go
index 459b4ad2f..072b016e2 100644
--- a/vendor/github.com/securego/gosec/v2/rules/readfile.go
+++ b/vendor/github.com/securego/gosec/v2/rules/readfile.go
@@ -25,6 +25,7 @@ type readfile struct {
gosec.MetaData
gosec.CallList
pathJoin gosec.CallList
+ clean gosec.CallList
}
// ID returns the identifier for this rule
@@ -56,6 +57,21 @@ func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool {
return false
}
+// isFilepathClean checks if there is a filepath.Clean before assigning to a variable
+func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
+ if n.Obj.Kind != ast.Var {
+ return false
+ }
+ if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
+ if call, ok := node.Rhs[0].(*ast.CallExpr); ok {
+ if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
+ return true
+ }
+ }
+ }
+ return false
+}
+
// Match inspects AST nodes to determine if the match the methods `os.Open` or `ioutil.ReadFile`
func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if node := r.ContainsPkgCallExpr(n, c, false); node != nil {
@@ -77,7 +93,9 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
if ident, ok := arg.(*ast.Ident); ok {
obj := c.Info.ObjectOf(ident)
- if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) {
+ if _, ok := obj.(*types.Var); ok &&
+ !gosec.TryResolve(ident, c) &&
+ !r.isFilepathClean(ident, c) {
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
}
}
@@ -90,6 +108,7 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
rule := &readfile{
pathJoin: gosec.NewCallList(),
+ clean: gosec.NewCallList(),
CallList: gosec.NewCallList(),
MetaData: gosec.MetaData{
ID: id,
@@ -100,6 +119,8 @@ func NewReadFile(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
}
rule.pathJoin.Add("path/filepath", "Join")
rule.pathJoin.Add("path", "Join")
+ rule.clean.Add("path/filepath", "Clean")
+ rule.clean.Add("path/filepath", "Rel")
rule.Add("io/ioutil", "ReadFile")
rule.Add("os", "Open")
rule.Add("os", "OpenFile")
diff --git a/vendor/github.com/securego/gosec/v2/rules/tls.go b/vendor/github.com/securego/gosec/v2/rules/tls.go
index 554378f42..a013788e0 100644
--- a/vendor/github.com/securego/gosec/v2/rules/tls.go
+++ b/vendor/github.com/securego/gosec/v2/rules/tls.go
@@ -134,7 +134,7 @@ func (t *insecureConfigTLS) mapVersion(version string) int16 {
func (t *insecureConfigTLS) checkVersion(n ast.Node, c *gosec.Context) *gosec.Issue {
if t.actualMaxVersion == 0 && t.actualMinVersion >= t.MinVersion {
- // no warning is generated since the min version is grater than the secure min version
+ // no warning is generated since the min version is greater than the secure min version
return nil
}
if t.actualMinVersion < t.MinVersion {
diff --git a/vendor/github.com/securego/gosec/v2/rules/tls_config.go b/vendor/github.com/securego/gosec/v2/rules/tls_config.go
index ff4f3fe2e..5d68593d8 100644
--- a/vendor/github.com/securego/gosec/v2/rules/tls_config.go
+++ b/vendor/github.com/securego/gosec/v2/rules/tls_config.go
@@ -39,7 +39,9 @@ func NewIntermediateTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.No
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
},
@@ -63,7 +65,9 @@ func NewOldTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",