Releases: securego/gosec
v2.9.5
v2.9.4
v2.9.3
v2.9.2
Changelog
e57efa8 Fix a panic in subproc rule when the declaration of the variable is not available in the AST (#728)
ff17c30 Use go embed for templates (#725)
3eba7b8 add openssh to docker image (#719)
55c6cea Fix crash when parsing the TLS min version value (#724)
40fa36d G303: catch with os.WriteFile, add os.Create test case (#718)
873ac24 chore(deps): update all dependencies (#722)
f1f0056 Spelling fixes (#717)
0680c75 chore(deps): update all dependencies (#716)
79c8b79 use a better naming for the variable (#715)
v2.9.1
v2.8.1
Changelog
3f800cc Fix the unit tests (#652)
df10b65 Fix gosimple lint warning (#651)
731d0d5 Results must always be present in the SARIF report (#650)
3c230ac errors.go: add Hash.Write() to the white list. (#648)
e72b1e5 Use of vars instead of func
c81cff0 Update all dependencies (#646)
3ff0a2c Fixes #644 (#645)
e3dffd6 Update renovate configuration
aa35eb5 Delete renovate.json (#642)
3b1b77e add onboarding (#640)
03360ba Update renovate configuration
8a8dbec Tidy up the dependencies (#637)
3a4d09b Update all dependencies (#635)
6cde6b3 Disable cache in golangci job (#636)
1256f16 Fix lint and fail on error in the ci build
dbb9811 Add crypto and lint to the tools modules
244adc6 Update the github ci action to use cache and matrix strategy
df1249d Update install.sh with more installation options
af27673 Update README.md
v2.8.0
Changelog
9fc8e20 Add favicon for HTML template (#628)
91dae7f Update the design of HTML report
e72f54e Fix HTML template and display the gosec version
c3f25b8 fix html report tag styling (#623)
433a674 show nosec in html report summary (#621)
d040f07 Handle gosec version in SARIF report
51f7411 Add arm64 support (#618)
e7ac882 Update go version to 1.16 (#616)
3a9a6ad Sarif provide Snippet with Issue.Code
1325319 Create dependabot.yml (#614)
d8cfcd6 Allow the user to enable/disable colorisation of the text report in the stdout
a8b633f Adding stdout and verbose flags and refactor how the report is saved
103c429 Enable golangcli and improve testing for formatters
4df7f1c Fix typos, Go Report link and Gofmt
f4ea33d Update how the test coverage is generated
c4f5932 Refactor : Replace Cwe with cwe.Weakness
ddfa253 Define a report package with core and per format sub-packages
cc83d4c Generate the SARIF types, handle taxonomies and separate responsibilities
0fa5d0b Fix the go modules after updating to get the tests passing (#605)
3763953 Migrate sonar types in a dedicated package (#604)
b519743 chore(deps): update all dependencies (#599)
569328e Fix typos (#594)
0695fa0 Add -u to local install instructions (#595)
7f2308b Tidy up the modules after updating (#593)
f21b0b8 chore(deps): update all dependencies (#592)
148e608 Adding KICS to USERS.md (#590)
v2.7.0
Changelog
27a5ffb Quiet warnings about integer truncation (#586)
bf2cd23 Update all dependencies (#585)
01ee764 Fix typo in USERS.md (#583)
9c047e3 Add support for Go 1.16 in the CI and release workflows (#581)
1fce461 fix: WriteParams rule to work also with golang 1.16 (#577)
dcbcc4d Use a more generic path for sonarqube import path (#573)
2777e50 Update README with a note which describes how to import a SonarQube report (#572)
897c203 Reset the state of TLS rule after each version check (#570)
6c57ae1 Fix sarif formatting issues (#565)
b6524ce Update all dependencies
v2.6.1
v2.5.0
Changelog
a4746e1 Update all dependencies (#533)
6bd6e4b Use $(go env GOPATH) that works even when GOPATH is not set
aef335a Fix typo in README.md
0ce48a5 Reproducible junit report (#529)
868556b Update README with the correct path to tlsconfig command
13519fd Update the tls configuration generator to handle also the NSS alternative names
e351067 Update all dependencies
166e4f5 Update README file with some more details required to run successfully a scan with the docker image
f5cc32a Update the Go version to 1.15 in the Makefile
ea0fa28 Update the Github go action version to 1.6.0
feea8bb Fix the action tag
6688a97 Fix the github action for Go 1.15
7234349 Add Go 1.15 to the supported version and phase out the Go 1.12
a3895d5 Fix typo in README file
17c9555 Incorrect local installation instructions for v2
f13b8bc Add also filepath.Rel as a sanitization method for input argument in the G304 rule
047729a Fix the rule G304 to handle the case when the input is cleaned as a variable assignment
b60ddc2 feat: adds support for path.Join and for tar archives in G305
673a139 Update all dependencies
110b62b Add io.CopyBuffer function to rule G110
6bcd89a Mark all lines of a multi-line finding
4d4e594 Add some comments
d1467ac Extend the code snippet included in the issue and refactored how the code snippet is printed
37d1af0 Expand the arguments to a list of strings when they are provided as a single string
59cbe00 Update all dependencies
ade81d3 Rename file for consistency
03f12f3 Change naming rule from blacklist to blocklist
3784ffe Fix panic when reading the version from debug info in Go 1.13
55d368f Improve the TLS version checking
ad1cb7e Make sure some version information is set when no version was injected into the binary
1d2c951 Extend the rule G304 with os.OpenFile and add a test to cover it
0c1a71b Add more tests samples to increase coverage
fe07fcf Fix unit test when checking a mix of good and bad random functions
6bbf8f9 Extend the insecure random rule with more insecure random functions
af699f6 Exclude .git directory from scan (#485)
6202b38 Update all dependencies (#484)
6a130d5 Update the link pointing to issues to CWE mapping to use the master version (#483)
826db1c Fix the build tags propagation
7da9248 Change the issue test to verify that a multi-line finding contains a line range
7aedcc5 Remove print line from tests
30e93bf Improve the SQL strings concat rules to handle multiple string concatenation
68bce94 Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context
32be4a5 Make sure all rules are mapped to CWE numbers
8630c43 Add null pointer check in G601
1418b85 ondisk -> onDisk
b2cfc5d USERS.md typo in the title fixed.
425b8f9 Display a sponsor button in the repository
0714a1e Update the users file with some more projects and companies
1b915dd Set up a gosec's users list
668512f Update bad_defer.go
ee3146e Rule which detects aliasing of values in RangeStmt
8662624 Update the build badge to get the status from GitHub workflow
a5db4e1 Run mod tidy to clean up the dependencies
fb44007 Enhance the hardcoded credentials rule to check the equality and non-equality of strings
a2a40de Update the README with an example to configure the hard-coded credentials rule
802292c Fix the configuration parsing for hardcoded credentials
c58f356 Set the default color on only for text format
1a113d6 Turn the color always on when the text format is set
c4417de Use the latest color package to get the color working with tmux
656691b feature(formatter/text): Add color option on text format (#460)
51e4317 Automate the release process using a GitHub workflow
341059e Update the GitHub action name to be more descriptive
3b6c3f1 Update README with some instruction how to run gosec as a GitHub action
08202fe Add a GitHub action to run gosec
c6e10af Handle properly the gosec module version v2
e946c8c Update all dependencies
e030aa4 Remove the go 1.14 version from github action
ee176ff Fix the job names in the Github workflow
cabccc7 Add to GitHub workflow some jobs for go1.13 and go1.12
a111777 Change the GitHub workflow to use only the latest Go version
722acb6 Change the GitHub workflow to run the builds only on ubuntu-latest platform
5284f34 Change the GitHub workflow to use an action which install Go using a Go version from the matrix
8de5fb6 Migrate the build to GitHub Actions
7da9f46 Fix the call list info to handle selector expressions
cf25904 Fix the subproc rule to handle correctly the CommandContext check
f97f861 Update the subproc rule to detect the syscall.ForkExec and syscall.StartProcess calls
c998389 re-generate install.sh with latest godownloader (#446)
7525fe4 Rule for deferring methods which return errors (#441)
a2ac0bf Update all dependencies (#445)
a305f10 Fileperms (#442)
00363ed remove support for go 1.11 (#444)
d13bb6d Update all dependencies
17df5b3 Fix typos
3e069e7 Fix the errors rule whitelist to work on types methods
459e2d3 Modify rule for integer overflow to have more accurate results (#434)
a4d7b36 Add G110(Potential DoS vulnerability via decompression bomb)
3d5c97b Add a test sample for Cgo files
81e8278 Add the Cgo files to the analysed files and ignore all non-Go files
a1969e2 Handle all errors in the formatter tests (#431)
9cb83e1 Add a rule which detects when there is potential integer overflow (#422)
f43a957 Check for both default and alternative nosec tags (#426)
79fbf3a Add golint format to output format (#428)
57c3788 Update all dependencies (#427)
5d61373 fix(docker) gcc and libc-dev required bindings
cb4f343 Update all dependencies (#417)
df484bf cmd/tlsconfig: remove support for deprecated tls.VersionSSL30 (#412)
b4c76d4 Update all dependencies (#410)
99170e0 Update the README with some details about the CWE mapping (#407)
53be8dd Add CWE rule mappings (#405)
28c1128 Add more tests to improve the coverage of resolve
d78f026 Format import to make codecov happy
50e1fe2 Improve the SSRF rule to report an issue for package scoped variables
07770ae Add a test for composite literals when trying to resolve an AST tree node
f413f14 Handle the ValueSpec when trying to resolve an AST tree node
c1970ff Handle the ValueSpec when trying to resolve an AST tree node
ea9faae Update the Go version to 1.13 in the Dockerfile (#403)
186dec7 Convert the global settings to correct type when reading them from file (#399)
e680875 Replace the deprecated load mode with more specific flags as recommended in the packages docs (#400)
ad375d3 Update golang.org/x/tools commit hash to 7c411de (#389)
607f240 reconfigure renovate bot (#395)
832d7bb Update README with CII Best Practices badge
29341f6 Fix the rule G108/pprof to handle the case when the pprof import has no name
b504783 Change unit tests to check for one thing (#381)
7dbc65b Update golang.org/x/tools commit hash to 3ac2a5b (#387)
f3bd9fb Update golang.org/x/tools commit hash to 0f9bb8f
c6ac709 Update golang.org/x/net commit hash to aa69164
7a6460d Update golang.org/x/crypto commit hash to 9ee001b
d8f249a Update README with rule G108
9cee24c Add a rule which detects when pprof endpoint is automatically exposed
73fbc9b Update golang.org/x/net commit hash to 1a5e07d
124da07 Update golang.org/x/tools commit hash to 5eefd05 (#378)
915e9ee Update golang.org/x/sys commit hash to b4ddaad (#374)
e7b3ae9 Clarify and add new unit tests for rule G107 (#376)
f90efff Update golang.org/x/tools commit hash to 2dc213d (#375)
90e9759 Update golang.org/x/net commit hash to c858923 (#373)
709ed1b Change rule G204 to be less restrictive (#339)
98749b7 Update golang.org/x/net commit hash to 24e19bd (#372)
d8f6c4f Update golang.org/x/sys commit hash to c3b328c (#371)
3204194 Update golang.org/x/tools commit hash to 92af9d6 (#370)
140048b Update golang.org/x/sys commit hash to 7ad0cfa
a65402b Update golang.org/x/tools commit hash to 6bfd74c (#365)
b9c4c66 Expose analyzer API (#366)
29fddff turn on automerge for renovate bot
bee7b5a Update golang.org/x/crypto commit hash to 227b76d (#363)
069c31f Update golang.org/x/tools commit hash to 16c5e0f (#362)
3e65f8f Update golang.org/x/sys commit hash to bbd1755 (#361)
f5d5e20 Update golang.org/x/tools commit hash to dd2b5c8 (#360)
a1c9c76 Remove the unused code to increase the test coverage
338b50d Remove rule G105 which detects the use of math/big#Int.Exp
43e3664 Build the tls config generator only with Go versions compatible with Go 1.12
81b6dc8 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
76ce9f0 Update to config struct to unmarshal the mozilla server-side TLS conf version 5
e050355 Update the TLS config generator to handle TLS version 1.3
c0510fc Update golang.org/x/tools commit hash to 0673112 (#359)
a57a033 Update golang.org/x/sys commit hash to f460065 (#356)
8063751 Update golang.org/x/crypto commit hash to 094676d (#355)
7851918 Add support to exclude arbitrary folders from scanning (#353)
1c35be8 Add renovate.json (#354)
fde1f82 Update the tag format in the release steps (#348)
992f173 Update README file with a note on dependencies (#351)
e442cf3 Add Go 1.13 to the tested version in the travis build file (#350)
4ecbe32 Update go modules to latest compatible version and removed unused dependencies (#349)
8932f70 Add flag to handle '#nosec' alternative (#346)
4b59c94 Prevent null pointer exception in Sonarqube (#334)
39f7e7b Display filtered number of issues instead of total in stats
e28a56a Merge pull request #330 from ccojocar/fix-whitelist-G104
63b44b6 Add some more tests to make codecov happy
1412357 Add some documentation for G104 whitelist configuration Signed-off-by: Cosmin Cojocar
f344524 Fix the whitelist on G104 rule and add a test
78a4949 Load rules on each code sample in order to reconfigure them
ed9934f Refactor the rules tests to be able to configure the analyzer config per test sample
36a82ea Merge pull request #328 from ccojocar/fix-sonarqute-report
020479a Support multiple root paths when generating th...