Extract the issue in its own package

Author: ccojocar

Makefile

@@ -87,4 +87,7 @@ image-push: image
 	docker push $(IMAGE_REPO)/$(BIN):$(GIT_TAG)
 	docker push $(IMAGE_REPO)/$(BIN):latest
 
-.PHONY: test build clean release image image-push
+tlsconfig:
+	go generate ./...
+	
+.PHONY: test build clean release image image-push tlsconfig

analyzer.go

@@ -32,6 +32,7 @@ import (
 	"sync"
 
 	"github.com/securego/gosec/v2/analyzers"
+	"github.com/securego/gosec/v2/issue"
 	"golang.org/x/tools/go/analysis"
 	"golang.org/x/tools/go/analysis/passes/buildssa"
 	"golang.org/x/tools/go/packages"
@@ -68,10 +69,21 @@ type Context struct {
 	Root         *ast.File
 	Imports      *ImportTracker
 	Config       Config
-	Ignores      []map[string][]SuppressionInfo
+	Ignores      []map[string][]issue.SuppressionInfo
 	PassedValues map[string]interface{}
 }
 
+// getFileAtNodePos returns the file at the node position in the file set available in the context.
+func (ctx *Context) GetFileAtNodePos(node ast.Node) *token.File {
+	return ctx.FileSet.File(node.Pos())
+}
+
+// NewIssue creates a new issue
+func (ctx *Context) NewIssue(node ast.Node, ruleID, desc string,
+	severity, confidence issue.Score) *issue.Issue {
+	return issue.New(ctx.GetFileAtNodePos(node), node, ruleID, desc, severity, confidence)
+}
+
 // Metrics used when reporting information about a scanning run.
 type Metrics struct {
 	NumFiles int `json:"files"`
@@ -88,7 +100,7 @@ type Analyzer struct {
 	context           *Context
 	config            Config
 	logger            *log.Logger
-	issues            []*Issue
+	issues            []*issue.Issue
 	stats             *Metrics
 	errors            map[string][]Error // keys are file paths; values are the golang errors in those files
 	tests             bool
@@ -99,13 +111,6 @@ type Analyzer struct {
 	analyzerList      []*analysis.Analyzer
 }
 
-// SuppressionInfo object is to record the kind and the justification that used
-// to suppress violations.
-type SuppressionInfo struct {
-	Kind          string `json:"kind"`
-	Justification string `json:"justification"`
-}
-
 // NewAnalyzer builds a new analyzer.
 func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, trackSuppressions bool, concurrency int, logger *log.Logger) *Analyzer {
 	ignoreNoSec := false
@@ -126,7 +131,7 @@ func NewAnalyzer(conf Config, tests bool, excludeGenerated bool, trackSuppressio
 		context:           &Context{},
 		config:            conf,
 		logger:            logger,
-		issues:            make([]*Issue, 0, 16),
+		issues:            make([]*issue.Issue, 0, 16),
 		stats:             &Metrics{},
 		errors:            make(map[string][]Error),
 		tests:             tests,
@@ -371,8 +376,8 @@ func (gosec *Analyzer) CheckAnalyzers(pkg *packages.Package) {
 			continue
 		}
 		if result != nil {
-			if issue, ok := result.(*analyzers.Issue); ok {
-				gosec.updateIssues(toGosecIssue(issue), false, []SuppressionInfo{})
+			if aissue, ok := result.(*analyzers.Issue); ok {
+				gosec.updateIssues(toGosecIssue(aissue), false, []issue.SuppressionInfo{})
 			}
 		}
 	}
@@ -439,7 +444,7 @@ func (gosec *Analyzer) AppendError(file string, err error) {
 }
 
 // ignore a node (and sub-tree) if it is tagged with a nosec tag comment
-func (gosec *Analyzer) ignore(n ast.Node) map[string]SuppressionInfo {
+func (gosec *Analyzer) ignore(n ast.Node) map[string]issue.SuppressionInfo {
 	if groups, ok := gosec.context.Comments[n]; ok && !gosec.ignoreNosec {
 
 		// Checks if an alternative for #nosec is set and, if not, uses the default.
@@ -476,13 +481,13 @@ func (gosec *Analyzer) ignore(n ast.Node) map[string]SuppressionInfo {
 				re := regexp.MustCompile(`(G\d{3})`)
 				matches := re.FindAllStringSubmatch(directive, -1)
 
-				suppression := SuppressionInfo{
+				suppression := issue.SuppressionInfo{
 					Kind:          "inSource",
 					Justification: justification,
 				}
 
 				// Find the rule IDs to ignore.
-				ignores := make(map[string]SuppressionInfo)
+				ignores := make(map[string]issue.SuppressionInfo)
 				for _, v := range matches {
 					ignores[v[1]] = suppression
 				}
@@ -525,7 +530,7 @@ func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {
 	return gosec
 }
 
-func (gosec *Analyzer) updateIgnoredRules(n ast.Node) (map[string][]SuppressionInfo, bool) {
+func (gosec *Analyzer) updateIgnoredRules(n ast.Node) (map[string][]issue.SuppressionInfo, bool) {
 	if n == nil {
 		if len(gosec.context.Ignores) > 0 {
 			gosec.context.Ignores = gosec.context.Ignores[1:]
@@ -536,7 +541,7 @@ func (gosec *Analyzer) updateIgnoredRules(n ast.Node) (map[string][]SuppressionI
 	ignoredRules := gosec.ignore(n)
 
 	// Now create the union of exclusions.
-	ignores := map[string][]SuppressionInfo{}
+	ignores := map[string][]issue.SuppressionInfo{}
 	if len(gosec.context.Ignores) > 0 {
 		for k, v := range gosec.context.Ignores[0] {
 			ignores[k] = v
@@ -548,12 +553,12 @@ func (gosec *Analyzer) updateIgnoredRules(n ast.Node) (map[string][]SuppressionI
 	}
 
 	// Push the new set onto the stack.
-	gosec.context.Ignores = append([]map[string][]SuppressionInfo{ignores}, gosec.context.Ignores...)
+	gosec.context.Ignores = append([]map[string][]issue.SuppressionInfo{ignores}, gosec.context.Ignores...)
 
 	return ignores, true
 }
 
-func (gosec *Analyzer) updateSuppressions(id string, ignores map[string][]SuppressionInfo) ([]SuppressionInfo, bool) {
+func (gosec *Analyzer) updateSuppressions(id string, ignores map[string][]issue.SuppressionInfo) ([]issue.SuppressionInfo, bool) {
 	// Check if all rules are ignored.
 	generalSuppressions, generalIgnored := ignores[aliasOfAllRules]
 	// Check if the specific rule is ignored
@@ -565,15 +570,15 @@ func (gosec *Analyzer) updateSuppressions(id string, ignores map[string][]Suppre
 	// Track external suppressions.
 	if gosec.ruleset.IsRuleSuppressed(id) {
 		ignored = true
-		suppressions = append(suppressions, SuppressionInfo{
+		suppressions = append(suppressions, issue.SuppressionInfo{
 			Kind:          "external",
 			Justification: externalSuppressionJustification,
 		})
 	}
 	return suppressions, ignored
 }
 
-func (gosec *Analyzer) updateIssues(issue *Issue, ignored bool, suppressions []SuppressionInfo) {
+func (gosec *Analyzer) updateIssues(issue *issue.Issue, ignored bool, suppressions []issue.SuppressionInfo) {
 	if issue != nil {
 		if gosec.showIgnored {
 			issue.NoSec = ignored
@@ -590,27 +595,27 @@ func (gosec *Analyzer) updateIssues(issue *Issue, ignored bool, suppressions []S
 	}
 }
 
-func toGosecIssue(issue *analyzers.Issue) *Issue {
-	return &Issue{
-		File:       issue.File,
-		Line:       issue.Line,
-		Col:        issue.Col,
-		RuleID:     issue.AnalyzerID,
-		What:       issue.What,
-		Confidence: Score(issue.Confidence),
-		Severity:   Score(issue.Severity),
+func toGosecIssue(aissue *analyzers.Issue) *issue.Issue {
+	return &issue.Issue{
+		File:       aissue.File,
+		Line:       aissue.Line,
+		Col:        aissue.Col,
+		RuleID:     aissue.AnalyzerID,
+		What:       aissue.What,
+		Confidence: issue.Score(aissue.Confidence),
+		Severity:   issue.Score(aissue.Severity),
 	}
 }
 
 // Report returns the current issues discovered and the metrics about the scan
-func (gosec *Analyzer) Report() ([]*Issue, *Metrics, map[string][]Error) {
+func (gosec *Analyzer) Report() ([]*issue.Issue, *Metrics, map[string][]Error) {
 	return gosec.issues, gosec.stats, gosec.errors
 }
 
 // Reset clears state such as context, issues and metrics from the configured analyzer
 func (gosec *Analyzer) Reset() {
 	gosec.context = &Context{}
-	gosec.issues = make([]*Issue, 0, 16)
+	gosec.issues = make([]*issue.Issue, 0, 16)
 	gosec.stats = &Metrics{}
 	gosec.ruleset = NewRuleSet()
 }

cmd/gosec/main.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/cmd/vflag"
+	"github.com/securego/gosec/v2/issue"
 	"github.com/securego/gosec/v2/report"
 	"github.com/securego/gosec/v2/rules"
 )
@@ -265,22 +266,22 @@ func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.R
 	return nil
 }
 
-func convertToScore(value string) (gosec.Score, error) {
+func convertToScore(value string) (issue.Score, error) {
 	value = strings.ToLower(value)
 	switch value {
 	case "low":
-		return gosec.Low, nil
+		return issue.Low, nil
 	case "medium":
-		return gosec.Medium, nil
+		return issue.Medium, nil
 	case "high":
-		return gosec.High, nil
+		return issue.High, nil
 	default:
-		return gosec.Low, fmt.Errorf("provided value '%s' not valid. Valid options: low, medium, high", value)
+		return issue.Low, fmt.Errorf("provided value '%s' not valid. Valid options: low, medium, high", value)
 	}
 }
 
-func filterIssues(issues []*gosec.Issue, severity gosec.Score, confidence gosec.Score) ([]*gosec.Issue, int) {
-	result := make([]*gosec.Issue, 0)
+func filterIssues(issues []*issue.Issue, severity issue.Score, confidence issue.Score) ([]*issue.Issue, int) {
+	result := make([]*issue.Issue, 0)
 	trueIssues := 0
 	for _, issue := range issues {
 		if issue.Severity >= severity && issue.Confidence >= confidence {
@@ -293,7 +294,7 @@ func filterIssues(issues []*gosec.Issue, severity gosec.Score, confidence gosec.
 	return result, trueIssues
 }
 
-func exit(issues []*gosec.Issue, errors map[string][]gosec.Error, noFail bool) {
+func exit(issues []*issue.Issue, errors map[string][]gosec.Error, noFail bool) {
 	nsi := 0
 	for _, issue := range issues {
 		if len(issue.Suppressions) == 0 {

cmd/gosec/sort_issues.go

@@ -5,7 +5,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/issue"
 )
 
 // handle ranges
@@ -14,7 +14,7 @@ func extractLineNumber(s string) int {
 	return lineNumber
 }
 
-type sortBySeverity []*gosec.Issue
+type sortBySeverity []*issue.Issue
 
 func (s sortBySeverity) Len() int { return len(s) }
 
@@ -34,6 +34,6 @@ func (s sortBySeverity) Less(i, j int) bool {
 func (s sortBySeverity) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
 
 // sortIssues sorts the issues by severity in descending order
-func sortIssues(issues []*gosec.Issue) {
+func sortIssues(issues []*issue.Issue) {
 	sort.Sort(sortBySeverity(issues))
 }

cmd/gosec/sort_issues_test.go

@@ -5,22 +5,22 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/issue"
 )
 
-var defaultIssue = gosec.Issue{
+var defaultIssue = issue.Issue{
 	File:       "/home/src/project/test.go",
 	Line:       "1",
 	Col:        "1",
 	RuleID:     "ruleID",
 	What:       "test",
-	Confidence: gosec.High,
-	Severity:   gosec.High,
+	Confidence: issue.High,
+	Severity:   issue.High,
 	Code:       "1: testcode",
-	Cwe:        gosec.GetCweByRule("G101"),
+	Cwe:        issue.GetCweByRule("G101"),
 }
 
-func createIssue() gosec.Issue {
+func createIssue() issue.Issue {
 	return defaultIssue
 }
 
@@ -29,8 +29,8 @@ func TestRules(t *testing.T) {
 	RunSpecs(t, "Sort issues Suite")
 }
 
-func firstIsGreater(less, greater *gosec.Issue) {
-	slice := []*gosec.Issue{less, greater}
+func firstIsGreater(less, greater *issue.Issue) {
+	slice := []*issue.Issue{less, greater}
 
 	sortIssues(slice)
 
@@ -40,9 +40,9 @@ func firstIsGreater(less, greater *gosec.Issue) {
 var _ = Describe("Sorting by Severity", func() {
 	It("sorts by severity", func() {
 		less := createIssue()
-		less.Severity = gosec.Low
+		less.Severity = issue.Low
 		greater := createIssue()
-		less.Severity = gosec.High
+		less.Severity = issue.High
 		firstIsGreater(&less, &greater)
 	})
 

cmd/tlsconfig/header_template.go

@@ -9,5 +9,6 @@ import (
 	"go/ast"
 
 	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/issue"
 )
 `))

cmd/tlsconfig/rule_template.go

@@ -7,7 +7,7 @@ var generatedRuleTmpl = template.Must(template.New("generated").Parse(`
 // DO NOT EDIT - generated by tlsconfig tool
 func New{{.Name}}TLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 	return &insecureConfigTLS{
-                MetaData: gosec.MetaData{ID: id},
+                MetaData: issue.MetaData{ID: id},
 		requiredType: "crypto/tls.Config",
 		MinVersion:   {{ .MinVersion }},
 		MaxVersion:   {{ .MaxVersion }},

issue.go renamed to issue/issue.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package gosec
+package issue
 
 import (
 	"bufio"
@@ -105,8 +105,15 @@ type Issue struct {
 	Suppressions []SuppressionInfo `json:"suppressions"` // Suppression info of the issue
 }
 
+// SuppressionInfo object is to record the kind and the justification that used
+// to suppress violations.
+type SuppressionInfo struct {
+	Kind          string `json:"kind"`
+	Justification string `json:"justification"`
+}
+
 // FileLocation point out the file path and line number in file
-func (i Issue) FileLocation() string {
+func (i *Issue) FileLocation() string {
 	return fmt.Sprintf("%s:%s", i.File, i.Line)
 }
 
@@ -171,9 +178,8 @@ func codeSnippetEndLine(node ast.Node, fobj *token.File) int64 {
 	return e + SnippetOffset
 }
 
-// NewIssue creates a new Issue
-func NewIssue(ctx *Context, node ast.Node, ruleID, desc string, severity Score, confidence Score) *Issue {
-	fobj := ctx.FileSet.File(node.Pos())
+// New creates a new Issue
+func New(fobj *token.File, node ast.Node, ruleID, desc string, severity, confidence Score) *Issue {
 	name := fobj.Name()
 	start, end := fobj.Line(node.Pos()), fobj.Line(node.End())
 	line := strconv.Itoa(start)