glasgo

command module

v0.9.1 Latest Latest Go to latest Published: Feb 11, 2019 License: BSD-3-Clause Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ttarvis/glasgo

Links

Open Source Insights

README ¶

Glasgo Static Analysis Tool

A static analysis tool intended to check for potential security issues. New tests will be added soon. Special thanks to NCC Group Plc.

Project

This is a static analysis tool written in Go for Go code. It will find security and some correctness issues that may have a security implication. The tool will attempt to complete as many tests as possible even if incomplete or unresolved source is scanned.

Compiling

To compile the tool, be sure to have the Go compiler first. You will need to install dependencies for the time being. Consider downloading a binary release instead.

Use Go build for a local binary
Use Go install to compile and install in Go Path

Using the tool

For now, all tests are run.

Glasgo directory1, directory2

or

Glasgo file1.go, file2.go

or, when source files are outside of the Go path or the tool can't find them:

Glasgo -source directory1

verbose flag prints all warnings and error messages

Glasgo -verbose directory1

Test files, those with suffix _test.go, are not checked by default by GlasGo. To include them use the test flag.

Glasgo -test directory1

Note: The tool does not run on both directories and individual files

Architecture

tbd

Tests

error - errors ignored
closer - no file.Close() method called in function with file.Open()
insecureCrypto - insecure cryptographic primitives
insecureRand - insecurely generated random numbers
intToStr - integer to string conversion without calling strconv
readAll - ioutil.ReadAll called
textTemp - checks if HTTP methods and template/text are in use
hardcoded - looks for hardcoded credentials
bind - checks if listener bound to all interfaces
TLSConfig - checks for insecure TLS configuration
exec - checks for use of os/exec package
unsafe - checks for use of unsafe package
sql - checks for non constant strings used in database query methods.

Design Choices

see the wiki

Updates

Initial wave of tests have been uploaded and checked on test data

More tests to come

to do

add tests
document tests
document design choices

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL