Add flag to handle '#nosec' alternative (#346)

Krlier · ccojocar · commit 8932f702cecb · 2019-09-04T10:20:43.000+02:00
* Add logic to check for a #nosec alternative

* Add NoSecAlternative as a new global variable

* Add nosec-tag flag
diff --git a/analyzer.go b/analyzer.go
@@ -251,8 +251,15 @@ func (gosec *Analyzer) AppendError(file string, err error) {
 // ignore a node (and sub-tree) if it is tagged with a "#nosec" comment
 func (gosec *Analyzer) ignore(n ast.Node) ([]string, bool) {
 	if groups, ok := gosec.context.Comments[n]; ok && !gosec.ignoreNosec {
+
+		// Checks if an alternative for #nosec is set and, if not, uses the default.
+		noSecAlternative, err := gosec.config.GetGlobal(NoSecAlternative)
+		if err != nil {
+			noSecAlternative = "#nosec"
+		}
+
 		for _, group := range groups {
-			if strings.Contains(group.Text(), "#nosec") {
+			if strings.Contains(group.Text(), noSecAlternative) {
 				gosec.stats.NumNosec++
 
 				// Pull out the specific rules that are listed to be ignored.
diff --git a/analyzer_test.go b/analyzer_test.go
@@ -265,6 +265,54 @@ var _ = Describe("Analyzer", func() {
 
 		})
 
+		It("should be possible to change the default #nosec directive to another one", func() {
+			// Rule for MD5 weak crypto usage
+			sample := testutils.SampleCodeG401[0]
+			source := sample.Code[0]
+
+			// overwrite nosec option
+			nosecIgnoreConfig := gosec.NewConfig()
+			nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "#falsePositive")
+			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, logger)
+			customAnalyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, "G401")).Builders())
+
+			nosecPackage := testutils.NewTestPackage()
+			defer nosecPackage.Close()
+			nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() // #falsePositive", 1)
+			nosecPackage.AddFile("md5.go", nosecSource)
+			err := nosecPackage.Build()
+			Expect(err).ShouldNot(HaveOccurred())
+			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
+			Expect(err).ShouldNot(HaveOccurred())
+			nosecIssues, _, _ := customAnalyzer.Report()
+			Expect(nosecIssues).Should(HaveLen(0))
+
+		})
+
+		It("should not ignore vulnerabilities", func() {
+			// Rule for MD5 weak crypto usage
+			sample := testutils.SampleCodeG401[0]
+			source := sample.Code[0]
+
+			// overwrite nosec option
+			nosecIgnoreConfig := gosec.NewConfig()
+			nosecIgnoreConfig.SetGlobal(gosec.NoSecAlternative, "#falsePositive")
+			customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig, tests, logger)
+			customAnalyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, "G401")).Builders())
+
+			nosecPackage := testutils.NewTestPackage()
+			defer nosecPackage.Close()
+			nosecSource := strings.Replace(source, "h := md5.New()", "h := md5.New() // #nosec", 1)
+			nosecPackage.AddFile("md5.go", nosecSource)
+			err := nosecPackage.Build()
+			Expect(err).ShouldNot(HaveOccurred())
+			err = customAnalyzer.Process(buildTags, nosecPackage.Path)
+			Expect(err).ShouldNot(HaveOccurred())
+			nosecIssues, _, _ := customAnalyzer.Report()
+			Expect(nosecIssues).Should(HaveLen(sample.Errors))
+
+		})
+
 		It("should be able to analyze Go test package", func() {
 			customAnalyzer := gosec.NewAnalyzer(nil, true, logger)
 			customAnalyzer.LoadRules(rules.Generate().Builders())
diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
@@ -65,6 +65,9 @@ var (
 	// format output
 	flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, yaml, csv, junit-xml, html, sonarqube, or text")
 
+	// #nosec alternative tag
+	flagAlternativeNoSec = flag.String("nosec-tag", "", "Set an alternative string for #nosec. Some examples: #dontanalyze, #falsepositive")
+
 	// output file
 	flagOutput = flag.String("out", "", "Set output file for results")
 
@@ -148,6 +151,9 @@ func loadConfig(configFile string) (gosec.Config, error) {
 	if *flagIgnoreNoSec {
 		config.SetGlobal(gosec.Nosec, "true")
 	}
+	if *flagAlternativeNoSec != "" {
+		config.SetGlobal(gosec.NoSecAlternative, *flagAlternativeNoSec)
+	}
 	return config, nil
 }
 
diff --git a/config.go b/config.go
@@ -22,6 +22,8 @@ const (
 	Nosec GlobalOption = "nosec"
 	// Audit global option which indicates that gosec runs in audit mode
 	Audit GlobalOption = "audit"
+	// NoSecAlternative global option alternative for #nosec directive
+	NoSecAlternative GlobalOption = "#nosec"
 )
 
 // Config is used to provide configuration and customization to each of the rules.

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ const (`
`22`	`22`	`Nosec GlobalOption = "nosec"`
`23`	`23`	`// Audit global option which indicates that gosec runs in audit mode`
`24`	`24`	`Audit GlobalOption = "audit"`
	`25`	`+ // NoSecAlternative global option alternative for #nosec directive`
	`26`	`+ NoSecAlternative GlobalOption = "#nosec"`
`25`	`27`	`)`
`26`	`28`
`27`	`29`	`// Config is used to provide configuration and customization to each of the rules.`