Add support for #excluding specific rules

Author: jonmcclintock

core/analyzer.go

@@ -25,6 +25,7 @@ import (
 	"os"
 	"path"
 	"reflect"
+	"regexp"
 	"strings"
 )
 
@@ -54,10 +55,12 @@ type Context struct {
 	Root     *ast.File
 	Config   map[string]interface{}
 	Imports  *ImportInfo
+	Ignores  []map[string]bool
 }
 
 // The Rule interface used by all rules supported by GAS.
 type Rule interface {
+	ID() string
 	Match(ast.Node, *Context) (*Issue, error)
 }
 
@@ -93,7 +96,7 @@ func NewAnalyzer(conf map[string]interface{}, logger *log.Logger) Analyzer {
 	a := Analyzer{
 		ignoreNosec: conf["ignoreNosec"].(bool),
 		ruleset:     make(RuleSet),
-		context:     &Context{nil, nil, nil, nil, nil, nil, nil},
+		context:     &Context{nil, nil, nil, nil, nil, nil, nil, nil},
 		logger:      logger,
 		Issues:      make([]*Issue, 0, 16),
 		Stats:       &Metrics{0, 0, 0, 0},
@@ -180,56 +183,98 @@ func (gas *Analyzer) ProcessSource(filename string, source string) error {
 }
 
 // ignore a node (and sub-tree) if it is tagged with a "#nosec" comment
-func (gas *Analyzer) ignore(n ast.Node) bool {
+func (gas *Analyzer) ignore(n ast.Node) ([]string, bool) {
 	if groups, ok := gas.context.Comments[n]; ok && !gas.ignoreNosec {
 		for _, group := range groups {
 			if strings.Contains(group.Text(), "#nosec") {
+				return nil, true
+			}
+
+			if strings.Contains(group.Text(), "#exclude") {
 				gas.Stats.NumNosec++
-				return true
+
+				// Pull out the specific rules that are listed to be ignored.
+				re := regexp.MustCompile("!(G\\d{3})")
+				matches := re.FindAllStringSubmatch(group.Text(), -1)
+
+				// Find the rule IDs to ignore.
+				ignores := make([]string, 0)
+				for _, v := range matches {
+					ignores = append(ignores, v[1])
+				}
+				return ignores, false
 			}
 		}
 	}
-	return false
+	return nil, false
 }
 
 // Visit runs the GAS visitor logic over an AST created by parsing go code.
 // Rule methods added with AddRule will be invoked as necessary.
 func (gas *Analyzer) Visit(n ast.Node) ast.Visitor {
-	if !gas.ignore(n) {
-
-		// Track aliased and initialization imports
-		if imported, ok := n.(*ast.ImportSpec); ok {
-			path := strings.Trim(imported.Path.Value, `"`)
-			if imported.Name != nil {
-				if imported.Name.Name == "_" {
-					// Initialization import
-					gas.context.Imports.InitOnly[path] = true
-				} else {
-					// Aliased import
-					gas.context.Imports.Aliased[path] = imported.Name.Name
-				}
-			}
-			// unsafe is not included in Package.Imports()
-			if path == "unsafe" {
-				gas.context.Imports.Imported[path] = path
+	// If we've reached the end of this branch, pop off the ignores stack.
+	if n == nil {
+		if len(gas.context.Ignores) > 0 {
+			gas.context.Ignores = gas.context.Ignores[1:]
+		}
+		return gas
+	}
+
+	// Get any new rule exclusions.
+	ignoredRules, ignoreAll := gas.ignore(n)
+	if ignoreAll {
+		return nil
+	}
+
+	// Now create the union of exclusions.
+	ignores := make(map[string]bool, 0)
+	if len(gas.context.Ignores) > 0 {
+		for k, v := range gas.context.Ignores[0] {
+			ignores[k] = v
+		}
+	}
+
+	for _, v := range ignoredRules {
+		ignores[v] = true
+	}
+
+	// Push the new set onto the stack.
+	gas.context.Ignores = append([]map[string]bool{ignores}, gas.context.Ignores...)
+
+	// Track aliased and initialization imports
+	if imported, ok := n.(*ast.ImportSpec); ok {
+		path := strings.Trim(imported.Path.Value, `"`)
+		if imported.Name != nil {
+			if imported.Name.Name == "_" {
+				// Initialization import
+				gas.context.Imports.InitOnly[path] = true
+			} else {
+				// Aliased import
+				gas.context.Imports.Aliased[path] = imported.Name.Name
 			}
 		}
+		// unsafe is not included in Package.Imports()
+		if path == "unsafe" {
+			gas.context.Imports.Imported[path] = path
+		}
+	}
 
-		if val, ok := gas.ruleset[reflect.TypeOf(n)]; ok {
-			for _, rule := range val {
-				ret, err := rule.Match(n, gas.context)
-				if err != nil {
-					file, line := GetLocation(n, gas.context)
-					file = path.Base(file)
-					gas.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line)
-				}
-				if ret != nil {
-					gas.Issues = append(gas.Issues, ret)
-					gas.Stats.NumFound++
-				}
+	if val, ok := gas.ruleset[reflect.TypeOf(n)]; ok {
+		for _, rule := range val {
+			if _, ok := ignores[rule.ID()]; ok {
+				continue
+			}
+			ret, err := rule.Match(n, gas.context)
+			if err != nil {
+				file, line := GetLocation(n, gas.context)
+				file = path.Base(file)
+				gas.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line)
+			}
+			if ret != nil {
+				gas.Issues = append(gas.Issues, ret)
+				gas.Stats.NumFound++
 			}
 		}
-		return gas
 	}
-	return nil
+	return gas
 }

core/call_list_test.go

@@ -11,6 +11,10 @@ type callListRule struct {
 	matched  int
 }
 
+func (r *callListRule) ID() string {
+	return r.MetaData.ID
+}
+
 func (r *callListRule) Match(n ast.Node, c *Context) (gi *Issue, err error) {
 	if r.callList.ContainsCallExpr(n, c) {
 		r.matched += 1
@@ -25,6 +29,7 @@ func TestCallListContainsCallExpr(t *testing.T) {
 	calls.AddAll("bytes.Buffer", "Write", "WriteTo")
 	rule := &callListRule{
 		MetaData: MetaData{
+			ID:         "TEST",
 			Severity:   Low,
 			Confidence: Low,
 			What:       "A dummy rule",

core/helpers_test.go

@@ -16,6 +16,10 @@ type dummyRule struct {
 	matched        int
 }
 
+func (r *dummyRule) ID() string {
+	return r.MetaData.ID
+}
+
 func (r *dummyRule) Match(n ast.Node, c *Context) (gi *Issue, err error) {
 	if callexpr, matched := r.callback(n, c, r.pkgOrType, r.funcsOrMethods...); matched {
 		r.matched += 1

core/issue.go

@@ -42,6 +42,7 @@ type Issue struct {
 // MetaData is embedded in all GAS rules. The Severity, Confidence and What message
 // will be passed tbhrough to reported issues.
 type MetaData struct {
+	ID         string
 	Severity   Score
 	Confidence Score
 	What       string

rulelist.go

@@ -22,43 +22,49 @@ import (
 )
 
 type RuleInfo struct {
+	id          string
 	description string
-	build       func(map[string]interface{}) (gas.Rule, []ast.Node)
+	build       func(string, map[string]interface{}) (gas.Rule, []ast.Node)
 }
 
 // GetFullRuleList get the full list of all rules available to GAS
 func GetFullRuleList() map[string]RuleInfo {
-	return map[string]RuleInfo{
+	rules := []RuleInfo{
 		// misc
-		"G101": RuleInfo{"Look for hardcoded credentials", rules.NewHardcodedCredentials},
-		"G102": RuleInfo{"Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
-		"G103": RuleInfo{"Audit the use of unsafe block", rules.NewUsingUnsafe},
-		"G104": RuleInfo{"Audit errors not checked", rules.NewNoErrorCheck},
-		"G105": RuleInfo{"Audit the use of big.Exp function", rules.NewUsingBigExp},
+		RuleInfo{"G101", "Look for hardcoded credentials", rules.NewHardcodedCredentials},
+		RuleInfo{"G102", "Bind to all interfaces", rules.NewBindsToAllNetworkInterfaces},
+		RuleInfo{"G103", "Audit the use of unsafe block", rules.NewUsingUnsafe},
+		RuleInfo{"G104", "Audit errors not checked", rules.NewNoErrorCheck},
+		RuleInfo{"G105", "Audit the use of big.Exp function", rules.NewUsingBigExp},
 
 		// injection
-		"G201": RuleInfo{"SQL query construction using format string", rules.NewSqlStrFormat},
-		"G202": RuleInfo{"SQL query construction using string concatenation", rules.NewSqlStrConcat},
-		"G203": RuleInfo{"Use of unescaped data in HTML templates", rules.NewTemplateCheck},
-		"G204": RuleInfo{"Audit use of command execution", rules.NewSubproc},
+		RuleInfo{"G201", "SQL query construction using format string", rules.NewSqlStrFormat},
+		RuleInfo{"G202", "SQL query construction using string concatenation", rules.NewSqlStrConcat},
+		RuleInfo{"G203", "Use of unescaped data in HTML templates", rules.NewTemplateCheck},
+		RuleInfo{"G204", "Audit use of command execution", rules.NewSubproc},
 
 		// filesystem
-		"G301": RuleInfo{"Poor file permissions used when creating a directory", rules.NewMkdirPerms},
-		"G302": RuleInfo{"Poor file permisions used when creation file or using chmod", rules.NewFilePerms},
-		"G303": RuleInfo{"Creating tempfile using a predictable path", rules.NewBadTempFile},
+		RuleInfo{"G301", "Poor file permissions used when creating a directory", rules.NewMkdirPerms},
+		RuleInfo{"G302", "Poor file permisions used when creation file or using chmod", rules.NewFilePerms},
+		RuleInfo{"G303", "Creating tempfile using a predictable path", rules.NewBadTempFile},
 
 		// crypto
-		"G401": RuleInfo{"Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
-		"G402": RuleInfo{"Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
-		"G403": RuleInfo{"Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
-		"G404": RuleInfo{"Insecure random number source (rand)", rules.NewWeakRandCheck},
+		RuleInfo{"G401", "Detect the usage of DES, RC4, or MD5", rules.NewUsesWeakCryptography},
+		RuleInfo{"G402", "Look for bad TLS connection settings", rules.NewIntermediateTlsCheck},
+		RuleInfo{"G403", "Ensure minimum RSA key length of 2048 bits", rules.NewWeakKeyStrength},
+		RuleInfo{"G404", "Insecure random number source (rand)", rules.NewWeakRandCheck},
 
 		// blacklist
-		"G501": RuleInfo{"Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
-		"G502": RuleInfo{"Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
-		"G503": RuleInfo{"Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
-		"G504": RuleInfo{"Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
+		RuleInfo{"G501", "Import blacklist: crypto/md5", rules.NewBlacklist_crypto_md5},
+		RuleInfo{"G502", "Import blacklist: crypto/des", rules.NewBlacklist_crypto_des},
+		RuleInfo{"G503", "Import blacklist: crypto/rc4", rules.NewBlacklist_crypto_rc4},
+		RuleInfo{"G504", "Import blacklist: net/http/cgi", rules.NewBlacklist_net_http_cgi},
 	}
+	ruleMap := make(map[string]RuleInfo)
+	for _, v := range rules {
+		ruleMap[v.id] = v
+	}
+	return ruleMap
 }
 
 func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {
@@ -85,7 +91,7 @@ func AddRules(analyzer *gas.Analyzer, conf map[string]interface{}) {
 		delete(all, v)
 	}
 
-	for _, v := range all {
-		analyzer.AddRule(v.build(conf))
+	for k, v := range all {
+		analyzer.AddRule(v.build(k, conf))
 	}
 }

rules/big.go

@@ -15,8 +15,9 @@
 package rules
 
 import (
-	gas "github.com/GoASTScanner/gas/core"
 	"go/ast"
+
+	gas "github.com/GoASTScanner/gas/core"
 )
 
 type UsingBigExp struct {
@@ -25,17 +26,22 @@ type UsingBigExp struct {
 	calls []string
 }
 
+func (r *UsingBigExp) ID() string {
+	return r.MetaData.ID
+}
+
 func (r *UsingBigExp) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
 	if _, matched := gas.MatchCallByType(n, c, r.pkg, r.calls...); matched {
 		return gas.NewIssue(c, n, r.What, r.Severity, r.Confidence), nil
 	}
 	return nil, nil
 }
-func NewUsingBigExp(conf map[string]interface{}) (gas.Rule, []ast.Node) {
+func NewUsingBigExp(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
 	return &UsingBigExp{
 		pkg:   "*math/big.Int",
 		calls: []string{"Exp"},
 		MetaData: gas.MetaData{
+			ID:         id,
 			What:       "Use of math/big.Int.Exp function should be audited for modulus == 0",
 			Severity:   gas.Low,
 			Confidence: gas.High,

rules/big_test.go

@@ -23,7 +23,7 @@ import (
 func TestBigExp(t *testing.T) {
 	config := map[string]interface{}{"ignoreNosec": false}
 	analyzer := gas.NewAnalyzer(config, nil)
-	analyzer.AddRule(NewUsingBigExp(config))
+	analyzer.AddRule(NewUsingBigExp("TEST", config))
 
 	issues := gasTestRunner(`
         package main

rules/bind.go

@@ -28,6 +28,10 @@ type BindsToAllNetworkInterfaces struct {
 	pattern *regexp.Regexp
 }
 
+func (r *BindsToAllNetworkInterfaces) ID() string {
+	return r.MetaData.ID
+}
+
 func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas.Issue, err error) {
 	if node := gas.MatchCall(n, r.call); node != nil {
 		if arg, err := gas.GetString(node.Args[1]); err == nil {
@@ -39,11 +43,12 @@ func (r *BindsToAllNetworkInterfaces) Match(n ast.Node, c *gas.Context) (gi *gas
 	return
 }
 
-func NewBindsToAllNetworkInterfaces(conf map[string]interface{}) (gas.Rule, []ast.Node) {
+func NewBindsToAllNetworkInterfaces(id string, conf map[string]interface{}) (gas.Rule, []ast.Node) {
 	return &BindsToAllNetworkInterfaces{
 		call:    regexp.MustCompile(`^(net|tls)\.Listen$`),
 		pattern: regexp.MustCompile(`^(0.0.0.0|:).*$`),
 		MetaData: gas.MetaData{
+			ID:         id,
 			Severity:   gas.Medium,
 			Confidence: gas.High,
 			What:       "Binds to all network interfaces",

rules/bind_test.go

@@ -23,7 +23,7 @@ import (
 func TestBind0000(t *testing.T) {
 	config := map[string]interface{}{"ignoreNosec": false}
 	analyzer := gas.NewAnalyzer(config, nil)
-	analyzer.AddRule(NewBindsToAllNetworkInterfaces(config))
+	analyzer.AddRule(NewBindsToAllNetworkInterfaces("TEST", config))
 
 	issues := gasTestRunner(`
 		package main
@@ -45,7 +45,7 @@ func TestBind0000(t *testing.T) {
 func TestBindEmptyHost(t *testing.T) {
 	config := map[string]interface{}{"ignoreNosec": false}
 	analyzer := gas.NewAnalyzer(config, nil)
-	analyzer.AddRule(NewBindsToAllNetworkInterfaces(config))
+	analyzer.AddRule(NewBindsToAllNetworkInterfaces("TEST", config))
 
 	issues := gasTestRunner(`
 		package main