From cc262bbac9b3f504fca4b34c3e659d65e3de3515 Mon Sep 17 00:00:00 2001
From: Ryan Leung <rleungx@gmail.com>
Date: Thu, 28 Oct 2021 06:49:02 +0800
Subject: [PATCH] gosec: filter issues according to the severity and confidence
 (#2295)

---
 .golangci.example.yml                         |  4 +++
 pkg/config/linters_settings.go                |  2 ++
 pkg/golinters/gosec.go                        | 36 +++++++++++++++++++
 .../configs/gosec_severity_confidence.yml     |  4 +++
 test/testdata/gosec_severity_confidence.go    | 31 ++++++++++++++++
 5 files changed, 77 insertions(+)
 create mode 100644 test/testdata/configs/gosec_severity_confidence.yml
 create mode 100644 test/testdata/gosec_severity_confidence.go

diff --git a/.golangci.example.yml b/.golangci.example.yml
index 6de50ae8438d..c7023375ea0a 100644
--- a/.golangci.example.yml
+++ b/.golangci.example.yml
@@ -371,6 +371,10 @@ linters-settings:
       - G204
     # Exclude generated files
     exclude-generated: true
+    # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
+    severity: "low"
+    # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
+    confidence: "low"
     # To specify the configuration of rules.
     # The configuration of rules is not fully documented by gosec:
     # https://github.com/securego/gosec#configuration
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index 8950cee4a309..840b283fec13 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -297,6 +297,8 @@ type GoModGuardSettings struct {
 type GoSecSettings struct {
 	Includes         []string
 	Excludes         []string
+	Severity         string
+	Confidence       string
 	ExcludeGenerated bool                   `mapstructure:"exclude-generated"`
 	Config           map[string]interface{} `mapstructure:"config"`
 }
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
index 32d73847994c..85a2a6e0b878 100644
--- a/pkg/golinters/gosec.go
+++ b/pkg/golinters/gosec.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/pkg/errors"
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/rules"
 	"golang.org/x/tools/go/analysis"
@@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 			if len(issues) == 0 {
 				return nil, nil
 			}
+			severity, err := convertToScore(settings.Severity)
+			if err != nil {
+				lintCtx.Log.Warnf("The provided severity %v", err)
+			}
 
+			confidence, err := convertToScore(settings.Confidence)
+			if err != nil {
+				lintCtx.Log.Warnf("The provided confidence %v", err)
+			}
+			issues = filterIssues(issues, severity, confidence)
 			res := make([]goanalysis.Issue, 0, len(issues))
 			for _, i := range issues {
 				text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
@@ -126,3 +136,29 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 
 	return filters
 }
+
+// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L250-L262
+func convertToScore(str string) (gosec.Score, error) {
+	str = strings.ToLower(str)
+	switch str {
+	case "", "low":
+		return gosec.Low, nil
+	case "medium":
+		return gosec.Medium, nil
+	case "high":
+		return gosec.High, nil
+	default:
+		return gosec.Low, errors.Errorf("'%s' is invalid, use low instead. Valid options: low, medium, high", str)
+	}
+}
+
+// code borrowed from https://github.com/securego/gosec/blob/69213955dacfd560562e780f723486ef1ca6d486/cmd/gosec/main.go#L264-L276
+func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
+	res := make([]*gosec.Issue, 0)
+	for _, issue := range issues {
+		if issue.Severity >= severity && issue.Confidence >= confidence {
+			res = append(res, issue)
+		}
+	}
+	return res
+}
diff --git a/test/testdata/configs/gosec_severity_confidence.yml b/test/testdata/configs/gosec_severity_confidence.yml
new file mode 100644
index 000000000000..b813870a17fe
--- /dev/null
+++ b/test/testdata/configs/gosec_severity_confidence.yml
@@ -0,0 +1,4 @@
+linters-settings:
+  gosec:
+    severity: "medium"
+    confidence: "medium"
diff --git a/test/testdata/gosec_severity_confidence.go b/test/testdata/gosec_severity_confidence.go
new file mode 100644
index 000000000000..1bf2bd3a69c8
--- /dev/null
+++ b/test/testdata/gosec_severity_confidence.go
@@ -0,0 +1,31 @@
+//args: -Egosec
+//config_path: testdata/configs/gosec_severity_confidence.yml
+package testdata
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+var url string = "https://www.abcdefghijk.com"
+
+func gosecVariableURL() {
+	resp, err := http.Get(url) // ERROR "G107: Potential HTTP request made with variable url"
+	if err != nil {
+		panic(err)
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("%s", body)
+}
+
+func gosecHardcodedCredentials() {
+	username := "admin"
+	var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
+
+	fmt.Println("Doing something with: ", username, password)
+}