Skip to content

Commit

Permalink
gosec: filter issues according to the severity and confidence (#2295)
Browse files Browse the repository at this point in the history
  • Loading branch information
rleungx authored Oct 27, 2021
1 parent f500e4c commit cc262bb
Show file tree
Hide file tree
Showing 5 changed files with 77 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .golangci.example.yml
Original file line number Diff line number Diff line change
Expand Up @@ -371,6 +371,10 @@ linters-settings:
- G204
# Exclude generated files
exclude-generated: true
# Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
severity: "low"
# Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
confidence: "low"
# To specify the configuration of rules.
# The configuration of rules is not fully documented by gosec:
# https://github.com/securego/gosec#configuration
Expand Down
2 changes: 2 additions & 0 deletions pkg/config/linters_settings.go
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,8 @@ type GoModGuardSettings struct {
type GoSecSettings struct {
Includes []string
Excludes []string
Severity string
Confidence string
ExcludeGenerated bool `mapstructure:"exclude-generated"`
Config map[string]interface{} `mapstructure:"config"`
}
Expand Down
36 changes: 36 additions & 0 deletions pkg/golinters/gosec.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"strings"
"sync"

"github.com/pkg/errors"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/rules"
"golang.org/x/tools/go/analysis"
Expand Down Expand Up @@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
if len(issues) == 0 {
return nil, nil
}
severity, err := convertToScore(settings.Severity)
if err != nil {
lintCtx.Log.Warnf("The provided severity %v", err)
}

confidence, err := convertToScore(settings.Confidence)
if err != nil {
lintCtx.Log.Warnf("The provided confidence %v", err)
}
issues = filterIssues(issues, severity, confidence)
res := make([]goanalysis.Issue, 0, len(issues))
for _, i := range issues {
text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
Expand Down Expand Up @@ -126,3 +136,29 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {

return filters
}

// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L250-L262
func convertToScore(str string) (gosec.Score, error) {
str = strings.ToLower(str)
switch str {
case "", "low":
return gosec.Low, nil
case "medium":
return gosec.Medium, nil
case "high":
return gosec.High, nil
default:
return gosec.Low, errors.Errorf("'%s' is invalid, use low instead. Valid options: low, medium, high", str)
}
}

// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L264-L276
func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
res := make([]*gosec.Issue, 0)
for _, issue := range issues {
if issue.Severity >= severity && issue.Confidence >= confidence {
res = append(res, issue)
}
}
return res
}
4 changes: 4 additions & 0 deletions test/testdata/configs/gosec_severity_confidence.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
linters-settings:
gosec:
severity: "medium"
confidence: "medium"
31 changes: 31 additions & 0 deletions test/testdata/gosec_severity_confidence.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
//args: -Egosec
//config_path: testdata/configs/gosec_severity_confidence.yml
package testdata

import (
"fmt"
"io/ioutil"
"net/http"
)

var url string = "https://www.abcdefghijk.com"

func gosecVariableURL() {
resp, err := http.Get(url) // ERROR "G107: Potential HTTP request made with variable url"
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
fmt.Printf("%s", body)
}

func gosecHardcodedCredentials() {
username := "admin"
var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"

fmt.Println("Doing something with: ", username, password)
}

0 comments on commit cc262bb

Please sign in to comment.