Fix for G402. Check package path instead of package name (#838)

Author: timonomsk

helpers.go

@@ -39,7 +39,10 @@ import (
 func MatchCallByPackage(n ast.Node, c *Context, pkg string, names ...string) (*ast.CallExpr, bool) {
 	importedName, found := GetImportedName(pkg, c)
 	if !found {
-		return nil, false
+		importedName, found = GetAliasedName(pkg, c)
+		if !found {
+			return nil, false
+		}
 	}
 
 	if callExpr, ok := n.(*ast.CallExpr); ok {
@@ -245,7 +248,7 @@ func GetBinaryExprOperands(be *ast.BinaryExpr) []ast.Node {
 }
 
 // GetImportedName returns the name used for the package within the
-// code. It will resolve aliases and ignores initialization only imports.
+// code. It will ignore initialization only imports.
 func GetImportedName(path string, ctx *Context) (string, bool) {
 	importName, imported := ctx.Imports.Imported[path]
 	if !imported {
@@ -256,20 +259,39 @@ func GetImportedName(path string, ctx *Context) (string, bool) {
 		return "", false
 	}
 
-	if alias, ok := ctx.Imports.Aliased[path]; ok {
-		importName = alias
+	return importName, true
+}
+
+// GetAliasedName returns the aliased name used for the package within the
+// code. It will ignore initialization only imports.
+func GetAliasedName(path string, ctx *Context) (string, bool) {
+	importName, imported := ctx.Imports.Aliased[path]
+	if !imported {
+		return "", false
 	}
+
+	if _, initonly := ctx.Imports.InitOnly[path]; initonly {
+		return "", false
+	}
+
 	return importName, true
 }
 
 // GetImportPath resolves the full import path of an identifier based on
-// the imports in the current context.
+// the imports in the current context(including aliases).
 func GetImportPath(name string, ctx *Context) (string, bool) {
 	for path := range ctx.Imports.Imported {
 		if imported, ok := GetImportedName(path, ctx); ok && imported == name {
 			return path, true
 		}
 	}
+
+	for path := range ctx.Imports.Aliased {
+		if imported, ok := GetAliasedName(path, ctx); ok && imported == name {
+			return path, true
+		}
+	}
+
 	return "", false
 }
 

rules/tls.go

@@ -122,8 +122,10 @@ func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Cont
 				t.actualMinVersion = ival
 			} else {
 				if se, ok := n.Value.(*ast.SelectorExpr); ok {
-					if pkg, ok := se.X.(*ast.Ident); ok && pkg.Name == "tls" {
-						t.actualMinVersion = t.mapVersion(se.Sel.Name)
+					if pkg, ok := se.X.(*ast.Ident); ok {
+						if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
+							t.actualMinVersion = t.mapVersion(se.Sel.Name)
+						}
 					}
 				}
 			}
@@ -133,8 +135,10 @@ func (t *insecureConfigTLS) processTLSConfVal(n *ast.KeyValueExpr, c *gosec.Cont
 				t.actualMaxVersion = ival
 			} else {
 				if se, ok := n.Value.(*ast.SelectorExpr); ok {
-					if pkg, ok := se.X.(*ast.Ident); ok && pkg.Name == "tls" {
-						t.actualMaxVersion = t.mapVersion(se.Sel.Name)
+					if pkg, ok := se.X.(*ast.Ident); ok {
+						if ip, ok := gosec.GetImportPath(pkg.Name, c); ok && ip == "crypto/tls" {
+							t.actualMaxVersion = t.mapVersion(se.Sel.Name)
+						}
 					}
 				}
 			}

testutils/source.go

@@ -3008,6 +3008,19 @@ package main
 import "crypto/tls"
 
 const MinVer = tls.VersionTLS13
+`}, 0, gosec.NewConfig()},
+		{[]string{`
+package main
+
+import (
+	"crypto/tls"
+	cryptotls "crypto/tls"
+)
+
+func main() {
+	_ = tls.Config{MinVersion: tls.VersionTLS12}
+	_ = cryptotls.Config{MinVersion: cryptotls.VersionTLS12}
+}
 `}, 0, gosec.NewConfig()},
 	}