Merge pull request #67 from coinbase/2.5.1-patch

2.5.1 patch
coinbase · Jun 10, 2019 · d010b75 · d010b75
2 parents 69273ee + d6ae187
commit d010b75
Show file tree

Hide file tree

Showing 10 changed files with 54 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -65,7 +65,7 @@ Example CircleCI `config.yml`:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.0
+  salus: federacy/salus@2.5.1
 
 workflows:
   main:

diff --git a/docs/scanners/gosec.md b/docs/scanners/gosec.md
@@ -0,0 +1,8 @@
+# [Gosec](https://github.com/securego/gosec)
+
+The [Gosec Scanner](https://github.com/securego/gosec) is a static analysis tool that finds vulnerabilities in Go projects using the Go AST. Gosec supports Go modules as of Gosec 2.0.0.
+
+
+## Configuration
+
+We plan on supporting setting options via a global config file; however, this has not been implemented yet.
diff --git a/integrations/circleci/README.md b/integrations/circleci/README.md
@@ -4,7 +4,7 @@
 
 | attribute | description | default | options |
 | --------- | ----------- | ------- | ------- |
-| salus_executor | CircleCI executor to use that specifies Salus environment | `coinbase/salus:2.5.0` | See [executor reference](https://circleci.com/docs/2.0/configuration-reference/#executors-requires-version-21)|
+| salus_executor | CircleCI executor to use that specifies Salus environment | `coinbase/salus:2.5.1` | See [executor reference](https://circleci.com/docs/2.0/configuration-reference/#executors-requires-version-21)|
 | active_scanners | Scanners to run | all | Brakeman, PatternSearch, BundleAudit, NPMAudit |
 | enforced_scanners | Scanners that block builds | all | Brakeman, PatternSearch, BundleAudit, NPMAudit |
 | report_uri | Where to send Salus reports | file://../salus-report.json | Any URI |
@@ -24,7 +24,7 @@ Note: active_scanners and enforced_scanners must be yaml formatted for Salus con
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.0
+  salus: federacy/salus@2.5.1
 
 workflows:
   main:
@@ -38,7 +38,7 @@ workflows:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.0
+  salus: federacy/salus@2.5.1
 
 workflows:
   main:
@@ -53,7 +53,7 @@ workflows:
 version: 2.1
 
 orbs:
-  salus: federacy/salus@2.5.0
+  salus: federacy/salus@2.5.1
 
 workflows:
   main:
@@ -68,7 +68,7 @@ workflows:
 ```
 version: 2.1
 orbs:
-  salus: federacy/salus@2.5.0
+  salus: federacy/salus@2.5.1
 executors:
   salus_latest:
     docker:

diff --git a/lib/salus.rb b/lib/salus.rb
@@ -19,7 +19,7 @@
 require 'salus/processor'
 
 module Salus
-  VERSION = '2.5.0'.freeze
+  VERSION = '2.5.1'.freeze
   DEFAULT_REPO_PATH = './repo'.freeze # This is inside the docker container at /home/repo.
 
   SafeYAML::OPTIONS[:default_mode] = :safe

diff --git a/lib/salus/scanners/gosec.rb b/lib/salus/scanners/gosec.rb
@@ -9,7 +9,17 @@ def run
       # Shell Instructions:
       #   - -fmt=json for JSON output
       #   - gosec can scan go modules as of 2.0.0.
-      shell_return = run_shell("gosec -fmt=json #{@repository.path_to_repo}")
+      shell_return = Dir.chdir(@repository.path_to_repo) { run_shell("gosec -fmt=json ./...") }
+
+      # This produces no JSON output so must be checked before parsing stdout
+      if shell_return.stdout.blank? && shell_return.stderr.include?('No packages found')
+        report_error(
+          '0 lines of code were scanned',
+          status: shell_return.status
+        )
+        report_stderr(shell_return.stderr)
+        return report_failure
+      end
 
       shell_return_json = JSON.parse(shell_return.stdout)
       lines_scanned = shell_return_json['Stats']['lines']  # number of lines scanned

diff --git a/spec/fixtures/gosec/recursive_vulnerable_goapp/src/hello.go b/spec/fixtures/gosec/recursive_vulnerable_goapp/src/hello.go
@@ -0,0 +1,10 @@
+package main
+
+import (
+	"fmt"
+)
+
+func main() {
+	password := "hhend77dyyydbh&^psNSSZ)JSM--_%"
+	fmt.Println("hello, from the vulnerable app" + password)
+}
diff --git a/spec/fixtures/integration/expected_report.json b/spec/fixtures/integration/expected_report.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.5.0",
+  "version": "2.5.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

diff --git a/spec/fixtures/processor/local_uri/expected_report.json b/spec/fixtures/processor/local_uri/expected_report.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.5.0",
+  "version": "2.5.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

diff --git a/spec/fixtures/processor/remote_uri/expected_report.json b/spec/fixtures/processor/remote_uri/expected_report.json
@@ -1,5 +1,5 @@
 {
-  "version": "2.5.0",
+  "version": "2.5.1",
   "passed": true,
   "running_time": 0.0,
   "scans": {

diff --git a/spec/lib/salus/scanners/gosec_spec.rb b/spec/lib/salus/scanners/gosec_spec.rb
@@ -18,7 +18,7 @@
         expect(
           info[:stderr]
         ).to include(
-          'blank_repository' # debug information
+          'No packages found' # debug information
         )
         expect(
           errors[:message]
@@ -40,6 +40,20 @@
       end
     end
 
+    context 'go project with vulnerabilities in a nested folder' do
+      let(:repo) { Salus::Repo.new('spec/fixtures/gosec/recursive_vulnerable_goapp') }
+
+      it 'should record failure and record the STDOUT from gosec' do
+        expect(scanner.report.passed?).to eq(false)
+
+        info = scanner.report.to_h.fetch(:info)
+        logs = scanner.report.to_h.fetch(:logs)
+        expect(info[:stdout]).not_to be_nil
+        expect(info[:stdout]).not_to be_empty
+        expect(logs).to include('Potential hardcoded credentials')
+      end
+    end
+
     context 'go project with no known vulnerabilities' do
       let(:repo) { Salus::Repo.new('spec/fixtures/gosec/safe_goapp') }