From c97c816133b42257d0bcf1ee4bd178bb2a7a2b9e Mon Sep 17 00:00:00 2001 From: Taras Madan Date: Tue, 10 Sep 2024 12:16:33 +0200 Subject: vendor: update --- .../securego/gosec/v2/rules/blocklist.go | 14 ++++++ .../securego/gosec/v2/rules/fileperms.go | 14 +++++- .../gosec/v2/rules/hardcoded_credentials.go | 4 -- .../securego/gosec/v2/rules/implicit_aliasing.go | 6 +++ vendor/github.com/securego/gosec/v2/rules/rand.go | 24 +++++---- .../github.com/securego/gosec/v2/rules/readfile.go | 1 + .../github.com/securego/gosec/v2/rules/rulelist.go | 6 ++- .../securego/gosec/v2/rules/templates.go | 3 ++ .../securego/gosec/v2/rules/weakcrypto.go | 14 +++--- .../securego/gosec/v2/rules/weakcryptohash.go | 55 +++++++++++++++++++++ .../gosec/v2/rules/weakdepricatedcryptohash.go | 57 ++++++++++++++++++++++ 11 files changed, 174 insertions(+), 24 deletions(-) create mode 100644 vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go create mode 100644 vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go (limited to 'vendor/github.com/securego/gosec/v2/rules') diff --git a/vendor/github.com/securego/gosec/v2/rules/blocklist.go b/vendor/github.com/securego/gosec/v2/rules/blocklist.go index 5e03cf7a0..a4376b19a 100644 --- a/vendor/github.com/securego/gosec/v2/rules/blocklist.go +++ b/vendor/github.com/securego/gosec/v2/rules/blocklist.go @@ -93,3 +93,17 @@ func NewBlocklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.N "crypto/sha1": "Blocklisted import crypto/sha1: weak cryptographic primitive", }) } + +// NewBlocklistedImportMD4 fails if MD4 is imported +func NewBlocklistedImportMD4(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { + return NewBlocklistedImports(id, conf, map[string]string{ + "golang.org/x/crypto/md4": "Blocklisted import golang.org/x/crypto/md4: deprecated and weak cryptographic primitive", + }) +} + +// NewBlocklistedImportRIPEMD160 fails if RIPEMD160 is imported +func NewBlocklistedImportRIPEMD160(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { + return NewBlocklistedImports(id, conf, map[string]string{ + "golang.org/x/crypto/ripemd160": "Blocklisted import golang.org/x/crypto/ripemd160: deprecated and weak cryptographic primitive", + }) +} diff --git a/vendor/github.com/securego/gosec/v2/rules/fileperms.go b/vendor/github.com/securego/gosec/v2/rules/fileperms.go index 5311f74c6..eb1fa2eee 100644 --- a/vendor/github.com/securego/gosec/v2/rules/fileperms.go +++ b/vendor/github.com/securego/gosec/v2/rules/fileperms.go @@ -61,7 +61,7 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err for _, pkg := range r.pkgs { if callexpr, matched := gosec.MatchCallByPackage(n, c, pkg, r.calls...); matched { modeArg := callexpr.Args[len(callexpr.Args)-1] - if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) { + if mode, err := gosec.GetInt(modeArg); err == nil && !modeIsSubset(mode, r.mode) || isOsPerm(modeArg) { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil } } @@ -69,6 +69,18 @@ func (r *filePermissions) Match(n ast.Node, c *gosec.Context) (*issue.Issue, err return nil, nil } +// isOsPerm check if the provide ast node contains a os.PermMode symbol +func isOsPerm(n ast.Node) bool { + if node, ok := n.(*ast.SelectorExpr); ok { + if identX, ok := node.X.(*ast.Ident); ok { + if identX.Name == "os" && node.Sel != nil && node.Sel.Name == "ModePerm" { + return true + } + } + } + return false +} + // NewWritePerms creates a rule to detect file Writes with bad permissions. func NewWritePerms(id string, conf gosec.Config) (gosec.Rule, []ast.Node) { mode := getConfiguredMode(conf, id, 0o600) diff --git a/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go b/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go index ed1fb947d..c10d18b30 100644 --- a/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go +++ b/vendor/github.com/securego/gosec/v2/rules/hardcoded_credentials.go @@ -153,10 +153,6 @@ var secretsPatterns = [...]secretPattern{ name: "Stripe API Key", regexp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`), }, - { - name: "Stripe API Key", - regexp: regexp.MustCompile(`sk_live_[0-9a-zA-Z]{24}`), - }, { name: "Stripe Restricted API Key", regexp: regexp.MustCompile(`rk_live_[0-9a-zA-Z]{24}`), diff --git a/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go b/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go index a7eabb20b..75de4ed8c 100644 --- a/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go +++ b/vendor/github.com/securego/gosec/v2/rules/implicit_aliasing.go @@ -47,6 +47,12 @@ func doGetIdentExpr(expr ast.Expr, hasSelector bool) (*ast.Ident, bool) { } func (r *implicitAliasing) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { + // This rule does not apply for Go 1.22, see https://tip.golang.org/doc/go1.22#language. + major, minor, _ := gosec.GoVersion() + if major >= 1 && minor >= 22 { + return nil, nil + } + switch node := n.(type) { case *ast.RangeStmt: // When presented with a range statement, get the underlying Object bound to diff --git a/vendor/github.com/securego/gosec/v2/rules/rand.go b/vendor/github.com/securego/gosec/v2/rules/rand.go index 4491fd928..fe34ca9c3 100644 --- a/vendor/github.com/securego/gosec/v2/rules/rand.go +++ b/vendor/github.com/securego/gosec/v2/rules/rand.go @@ -23,8 +23,7 @@ import ( type weakRand struct { issue.MetaData - funcNames []string - packagePath string + blocklist map[string][]string } func (w *weakRand) ID() string { @@ -32,8 +31,8 @@ func (w *weakRand) ID() string { } func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { - for _, funcName := range w.funcNames { - if _, matched := gosec.MatchCallByPackage(n, c, w.packagePath, funcName); matched { + for pkg, funcs := range w.blocklist { + if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, w.ID(), w.What, w.Severity, w.Confidence), nil } } @@ -43,17 +42,22 @@ func (w *weakRand) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { // NewWeakRandCheck detects the use of random number generator that isn't cryptographically secure func NewWeakRandCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { + calls := make(map[string][]string) + calls["math/rand"] = []string{ + "New", "Read", "Float32", "Float64", "Int", "Int31", "Int31n", + "Int63", "Int63n", "Intn", "NormFloat64", "Uint32", "Uint64", + } + calls["math/rand/v2"] = []string{ + "New", "Float32", "Float64", "Int", "Int32", "Int32N", + "Int64", "Int64N", "IntN", "N", "NormFloat64", "Uint32", "Uint32N", "Uint64", "Uint64N", "UintN", + } return &weakRand{ - funcNames: []string{ - "New", "Read", "Float32", "Float64", "Int", "Int31", - "Int31n", "Int63", "Int63n", "Intn", "NormalFloat64", "Uint32", "Uint64", - }, - packagePath: "math/rand", + blocklist: calls, MetaData: issue.MetaData{ ID: id, Severity: issue.High, Confidence: issue.Medium, - What: "Use of weak random number generator (math/rand instead of crypto/rand)", + What: "Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)", }, }, []ast.Node{(*ast.CallExpr)(nil)} } diff --git a/vendor/github.com/securego/gosec/v2/rules/readfile.go b/vendor/github.com/securego/gosec/v2/rules/readfile.go index 7ef4bbad1..da6b9c965 100644 --- a/vendor/github.com/securego/gosec/v2/rules/readfile.go +++ b/vendor/github.com/securego/gosec/v2/rules/readfile.go @@ -143,6 +143,7 @@ func NewReadFile(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { rule.pathJoin.Add("path", "Join") rule.clean.Add("path/filepath", "Clean") rule.clean.Add("path/filepath", "Rel") + rule.clean.Add("path/filepath", "EvalSymlinks") rule.Add("io/ioutil", "ReadFile") rule.Add("os", "ReadFile") rule.Add("os", "Open") diff --git a/vendor/github.com/securego/gosec/v2/rules/rulelist.go b/vendor/github.com/securego/gosec/v2/rules/rulelist.go index f9ca4f52c..13f29f71a 100644 --- a/vendor/github.com/securego/gosec/v2/rules/rulelist.go +++ b/vendor/github.com/securego/gosec/v2/rules/rulelist.go @@ -94,10 +94,12 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList { {"G307", "Poor file permissions used when creating a file with os.Create", NewOsCreatePerms}, // crypto - {"G401", "Detect the usage of DES, RC4, MD5 or SHA1", NewUsesWeakCryptography}, + {"G401", "Detect the usage of MD5 or SHA1", NewUsesWeakCryptographyHash}, {"G402", "Look for bad TLS connection settings", NewIntermediateTLSCheck}, {"G403", "Ensure minimum RSA key length of 2048 bits", NewWeakKeyStrength}, {"G404", "Insecure random number source (rand)", NewWeakRandCheck}, + {"G405", "Detect the usage of DES or RC4", NewUsesWeakCryptographyEncryption}, + {"G406", "Detect the usage of deprecated MD4 or RIPEMD160", NewUsesWeakDeprecatedCryptographyHash}, // blocklist {"G501", "Import blocklist: crypto/md5", NewBlocklistedImportMD5}, @@ -105,6 +107,8 @@ func Generate(trackSuppressions bool, filters ...RuleFilter) RuleList { {"G503", "Import blocklist: crypto/rc4", NewBlocklistedImportRC4}, {"G504", "Import blocklist: net/http/cgi", NewBlocklistedImportCGI}, {"G505", "Import blocklist: crypto/sha1", NewBlocklistedImportSHA1}, + {"G506", "Import blocklist: golang.org/x/crypto/md4", NewBlocklistedImportMD4}, + {"G507", "Import blocklist: golang.org/x/crypto/ripemd160", NewBlocklistedImportRIPEMD160}, // memory safety {"G601", "Implicit memory aliasing in RangeStmt", NewImplicitAliasing}, diff --git a/vendor/github.com/securego/gosec/v2/rules/templates.go b/vendor/github.com/securego/gosec/v2/rules/templates.go index 728766f45..3d5f9a977 100644 --- a/vendor/github.com/securego/gosec/v2/rules/templates.go +++ b/vendor/github.com/securego/gosec/v2/rules/templates.go @@ -45,9 +45,12 @@ func (t *templateCheck) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error // find use of templates where HTML/JS escaping is not being used func NewTemplateCheck(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := gosec.NewCallList() + calls.Add("html/template", "CSS") calls.Add("html/template", "HTML") calls.Add("html/template", "HTMLAttr") calls.Add("html/template", "JS") + calls.Add("html/template", "JSStr") + calls.Add("html/template", "Srcset") calls.Add("html/template", "URL") return &templateCheck{ calls: calls, diff --git a/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go b/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go index 4f2ab11d1..143f67d4e 100644 --- a/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go +++ b/vendor/github.com/securego/gosec/v2/rules/weakcrypto.go @@ -21,16 +21,16 @@ import ( "github.com/securego/gosec/v2/issue" ) -type usesWeakCryptography struct { +type usesWeakCryptographyEncryption struct { issue.MetaData blocklist map[string][]string } -func (r *usesWeakCryptography) ID() string { +func (r *usesWeakCryptographyEncryption) ID() string { return r.MetaData.ID } -func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { +func (r *usesWeakCryptographyEncryption) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { for pkg, funcs := range r.blocklist { if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil @@ -39,14 +39,12 @@ func (r *usesWeakCryptography) Match(n ast.Node, c *gosec.Context) (*issue.Issue return nil, nil } -// NewUsesWeakCryptography detects uses of des.* md5.* or rc4.* -func NewUsesWeakCryptography(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { +// NewUsesWeakCryptographyEncryption detects uses of des.*, rc4.* +func NewUsesWeakCryptographyEncryption(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { calls := make(map[string][]string) calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"} - calls["crypto/md5"] = []string{"New", "Sum"} - calls["crypto/sha1"] = []string{"New", "Sum"} calls["crypto/rc4"] = []string{"NewCipher"} - rule := &usesWeakCryptography{ + rule := &usesWeakCryptographyEncryption{ blocklist: calls, MetaData: issue.MetaData{ ID: id, diff --git a/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go b/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go new file mode 100644 index 000000000..298555de1 --- /dev/null +++ b/vendor/github.com/securego/gosec/v2/rules/weakcryptohash.go @@ -0,0 +1,55 @@ +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package rules + +import ( + "go/ast" + + "github.com/securego/gosec/v2" + "github.com/securego/gosec/v2/issue" +) + +type usesWeakCryptographyHash struct { + issue.MetaData + blocklist map[string][]string +} + +func (r *usesWeakCryptographyHash) ID() string { + return r.MetaData.ID +} + +func (r *usesWeakCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { + for pkg, funcs := range r.blocklist { + if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { + return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil + } + } + return nil, nil +} + +// NewUsesWeakCryptographyHash detects uses of md5.*, sha1.* +func NewUsesWeakCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { + calls := make(map[string][]string) + calls["crypto/md5"] = []string{"New", "Sum"} + calls["crypto/sha1"] = []string{"New", "Sum"} + rule := &usesWeakCryptographyHash{ + blocklist: calls, + MetaData: issue.MetaData{ + ID: id, + Severity: issue.Medium, + Confidence: issue.High, + What: "Use of weak cryptographic primitive", + }, + } + return rule, []ast.Node{(*ast.CallExpr)(nil)} +} diff --git a/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go b/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go new file mode 100644 index 000000000..68297355c --- /dev/null +++ b/vendor/github.com/securego/gosec/v2/rules/weakdepricatedcryptohash.go @@ -0,0 +1,57 @@ +// (c) Copyright 2024 Mercedes-Benz Tech Innovation GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package rules + +import ( + "go/ast" + + "github.com/securego/gosec/v2" + "github.com/securego/gosec/v2/issue" +) + +type usesWeakDeprecatedCryptographyHash struct { + issue.MetaData + blocklist map[string][]string +} + +func (r *usesWeakDeprecatedCryptographyHash) ID() string { + return r.MetaData.ID +} + +func (r *usesWeakDeprecatedCryptographyHash) Match(n ast.Node, c *gosec.Context) (*issue.Issue, error) { + for pkg, funcs := range r.blocklist { + if _, matched := gosec.MatchCallByPackage(n, c, pkg, funcs...); matched { + return c.NewIssue(n, r.ID(), r.What, r.Severity, r.Confidence), nil + } + } + return nil, nil +} + +// NewUsesWeakCryptographyHash detects uses of md4.New, ripemd160.New +func NewUsesWeakDeprecatedCryptographyHash(id string, _ gosec.Config) (gosec.Rule, []ast.Node) { + calls := make(map[string][]string) + calls["golang.org/x/crypto/md4"] = []string{"New"} + calls["golang.org/x/crypto/ripemd160"] = []string{"New"} + rule := &usesWeakDeprecatedCryptographyHash{ + blocklist: calls, + MetaData: issue.MetaData{ + ID: id, + Severity: issue.Medium, + Confidence: issue.High, + What: "Use of deprecated weak cryptographic primitive", + }, + } + return rule, []ast.Node{(*ast.CallExpr)(nil)} +} -- cgit mrf-deployment