Skip to content

Report for Golang errors #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 26, 2019
Merged

Report for Golang errors #284

merged 4 commits into from
Feb 26, 2019

Conversation

MVrachev
Copy link
Contributor

@MVrachev MVrachev commented Feb 25, 2019
edited
Loading

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

I fix this problem in this patch and I added those Golang errors in the output.
Now when there are Golang errors found Gosec will exit with code 1.

Signed-off-by: Martin Vrachev [email protected]

@MVrachev
Copy link
Contributor Author

MVrachev commented Feb 25, 2019
edited
Loading

Here is how the output when there are Golang issues + other vulnerable looks:

text:
image

JSON:
image

@MVrachev
Report for Golang errors
d92962c 
Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

I fix this problem in this patch and I added those Golang errors in the output.

Signed-off-by: Martin Vrachev <[email protected]>
@codecov-io
Copy link

codecov-io commented Feb 25, 2019
edited
Loading

Codecov Report

Merging #284 into master will increase coverage by 0.45%.
The diff coverage is 65.62%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master    #284      +/-   ##
=========================================
+ Coverage   55.84%   56.3%   +0.45%     
=========================================
  Files           8       9       +1     
  Lines         462     492      +30     
=========================================
+ Hits          258     277      +19     
- Misses        182     188       +6     
- Partials       22      27       +5
Impacted Files Coverage Δ
errors.go 63.63% <63.63%> (ø)
analyzer.go 82.4% <66.66%> (-3.45%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9cdfec4...759baed. Read the comment docs.

@MVrachev
Add comment for the map
9b01bbe 
Signed-off-by: Martin Vrachev <[email protected]>
@MVrachev
Change a little the format
7730404 
Signed-off-by: Martin Vrachev <[email protected]>
houndci-bot
houndci-bot reviewed Feb 25, 2019
View reviewed changes
analyzer_test.go Outdated
_, _, golangErrors := analyzer.Report()
keys := make([]string, len(golangErrors))
i := 0
for key, _ := range golangErrors {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should omit 2nd value from range; this loop is equivalent to for key := range ...

@MVrachev
Add unit test + error struct changes
759baed 
I added unit tests where I give an invalid file to Gosec.

Also, I realized that is more logical if the line and the column attributes in the errors struct are integers.

Signed-off-by: Martin Vrachev <[email protected]>
gcmurphy
gcmurphy approved these changes Feb 26, 2019
View reviewed changes
Copy link
Member

@gcmurphy gcmurphy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great. Thanks!

@gcmurphy gcmurphy merged commit 62b5195 into securego:master Feb 26, 2019
@happypork
Copy link

Great idea! But I wonder I get a bunch of errors from standard library files like:
/usr/local/go/src/runtime/mem_linux.go:21:6: sysAlloc redeclared in this block
/usr/local/go/src/runtime/mem_aix.go:14:6: other declaration of sysAlloc

... and many more lying in GOROOT.

Do I have to exclude them?

@MVrachev
Copy link
Contributor Author

MVrachev commented Mar 5, 2019
edited
Loading

Hi, do you mean that you want to exclude those errors in the red box:
image

or do you mean that you want to ignore our report for Golang errors as shown here in the green box:
image

@happypork
Copy link

Red box :)

@MVrachev
Copy link
Contributor Author

MVrachev commented Mar 5, 2019

Yes, you are right. That's something annoying from the golang parser library.
There is no solution until now how to silence those errors.

I will try to look at this as soon as I can.

@JulesDT JulesDT mentioned this pull request Mar 18, 2019
Merged
@gcmurphy gcmurphy mentioned this pull request Jun 14, 2019
Closed
@MVrachev MVrachev deleted the report-errors branch June 19, 2019 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gcmurphy gcmurphy gcmurphy approved these changes

+1 more reviewer

@houndci-bot houndci-bot houndci-bot left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@MVrachev @codecov-io @happypork @gcmurphy @houndci-bot