From 594e5d48c9bd1c916b253622596db2002390e783417de33d686a9a2b65d6c42a Mon Sep 17 00:00:00 2001 From: Jeff Kowalczyk Date: Thu, 19 Sep 2024 00:10:02 +0000 Subject: [PATCH] - Update to version 2.21.3: * Update gosec version to v2.21.3 in github action (#1227) * Populate the fixes only when autofix is not empty (#1226) * chore(deps): update all dependencies (#1223) * G115 Struct Attribute Checks (#1221) OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/gosec?expand=0&rev=35 --- .gitattributes | 23 ++ .gitignore | 1 + _service | 22 ++ _servicedata | 4 + gosec-2.20.0.obscpio | 3 + gosec-2.21.2.obscpio | 3 + gosec-2.21.3.obscpio | 3 + gosec.changes | 485 +++++++++++++++++++++++++++++++++++++++++++ gosec.obsinfo | 4 + gosec.spec | 61 ++++++ vendor.tar.gz | 3 + 11 files changed, 612 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _service create mode 100644 _servicedata create mode 100644 gosec-2.20.0.obscpio create mode 100644 gosec-2.21.2.obscpio create mode 100644 gosec-2.21.3.obscpio create mode 100644 gosec.changes create mode 100644 gosec.obsinfo create mode 100644 gosec.spec create mode 100644 vendor.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..2a3568a --- /dev/null +++ b/_service @@ -0,0 +1,22 @@ + + + + gosec + https://github.com/securego/gosec.git + git + v2.21.3 + @PARENT_TAG@ + v(.*) + \1 + enable + + + + + *.tar + xz + + + gz + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..c5f40e8 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/securego/gosec.git + a83689867d8e15cac0f94c1b55979c45df8f69d6 \ No newline at end of file diff --git a/gosec-2.20.0.obscpio b/gosec-2.20.0.obscpio new file mode 100644 index 0000000..dc9ce6b --- /dev/null +++ b/gosec-2.20.0.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7078eb954f6862de1a0777dd13bb05b588d135dea2914a0ca6db1ffeff93fee4 +size 643084 
diff --git a/gosec-2.21.2.obscpio b/gosec-2.21.2.obscpio new file mode 100644 index 0000000..326a955 --- /dev/null +++ b/gosec-2.21.2.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b10defe29bea117bc3aba36079f8354ba7a299a29ec580ffc41af0f3dcb3a1f +size 770572 diff --git a/gosec-2.21.3.obscpio b/gosec-2.21.3.obscpio new file mode 100644 index 0000000..56035e3 --- /dev/null +++ b/gosec-2.21.3.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:16214750aee3054b9ce383a087bf331ae5ab69b2d84d83adb659e0bea7f60410 +size 773132 diff --git a/gosec.changes b/gosec.changes new file mode 100644 index 0000000..4dc1bdf --- /dev/null +++ b/gosec.changes 
@@ -0,0 +1,485 @@ +------------------------------------------------------------------- +Wed Sep 18 18:34:55 UTC 2024 - felix.niederwanger@suse.de + +- Update to version 2.21.3: + * Update gosec version to v2.21.3 in github action (#1227) + * Populate the fixes only when autofix is not empty (#1226) + * chore(deps): update all dependencies (#1223) + * G115 Struct Attribute Checks (#1221) + +------------------------------------------------------------------- +Tue Sep 10 07:42:28 UTC 2024 - felix.niederwanger@suse.de + +- Update to version 2.21.2: + * Update the github action to v2.21.2 (#1218) + * Update the SARIF schema URL (#1217) + * Update go version to 1.23.1 and 1.22.7 (#1216) + * chore(deps): update all dependencies (#1215) + * Update gosec version to v2.21.1 in github action (#1213) + * Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210) + * Update gosec in github action to v2.21.0 (#1208) + * Update cosign version to v2.4.0 in release github workflow (#1207) + * Improvement the int conversion overflow logic to handle bound checks (#1194) + * fix: G602 support for nested conditionals with bounds check (#1201) + * Update go.mod to sue go 1.22.0 toolchain + * chore(deps): update all dependencies + * Make variable name more clear + * Make variable names more explicity and reduce duplications + * Fix formatting + * Refactor to reduce some fuctions and variable names + * Pass the value argument directly since is an interface + * Added suggested changes + * Added another test case in order to increase code coverage + * Removed function parameter which is always the same + * Formatting problems(CI was not passing) + * Updated analyzer to use new way of initialization + * Migrated the rule to the analyzers folder + * Refractored code a little bit + * Added new rule G407(hardcoded IV/nonce) + * Fix conversion overflow false positive when using ParseUint + * Add a build step to measure the scan perfomance + * Fix conversion overflow false 
positives when they are checked or pre-determined + * Update go.mod + * chore(deps): update all dependencies + * Fix false positive in conversion overflow check from uint8/int8 type + * Disable staticcheck SA1019 rule + * Update the golangci linters + * Add more test to cover more use cases for G115 rule + * Allow excluding analyzers globally (#1180) + * Update to Go 1.23.0 (#1183) + * chore(deps): update all dependencies (#1182) + * Read the AI API key also from an environment variable (#1181) + * Add support to generate auto fixes using LLM (AI) (#1177) + * chore(deps): update all dependencies + * chore(deps): update all dependencies + * chore(deps): update all dependencies + * chore(deps): update dependency babel-standalone to v7.24.10 + * Resolve underlying type to detect overflows in type aliases + * chore(deps): update dependency babel-standalone to v7.24.8 + * Fix multifile ignores + * Add -enable-audit cli flag + * Update to go 1.22.5 and 1.21.12 + * chore(deps): update all dependencies + * Added more rules + * Fixed coverage workflow + * Fixed CI workflow + * Minor changes + * Split the G401 rule into two separate ones + * Updated G401 corresponding CWE + * chore(deps): update docker/build-push-action action to v6 + * Update to go versions to 1.21.11 and 1.22.4 + * chore(deps): update all dependencies + * Fix nosec when applied to a block + * Add more types to templates rule + * Map the G115 rule to an CWE ID + * chore(deps): update all dependencies + * Update README with G115 rule description + * Remove deprecated megacheck linter from golangci + * Format imports + * Update .gitignore + * Add a new rule to detect integer overflow on integer types conversion + * feat: add env var to override the Go version detection + * Use the proper logic when disabling the go module version + * Update the README with some details related to Go version used by the rules + * Add an environment varialbe which disables the parsing of Go version from module file + * 
chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3 + +------------------------------------------------------------------- +Thu May 16 08:20:50 UTC 2024 - felix.niederwanger@suse.de + +- Update to version 2.20.0: + * Update docker image in action to v2.20.0 + * Catch os.ModePerm permissions in os.WriteFile + * Add a unit test to detect the false negative in rule G306 for os.ModePerm permissions + * Add filepath.EvalSymlinks to clean functions in rule G304 + * chore(deps): update all dependencies + * Update Go to version 2.22.3 in CI and release + * chore(deps): update module golang.org/x/text to v0.15.0 + * chore(deps): update all dependencies + * chore(deps): update module github.com/onsi/gomega to v1.33.0 + * Update to go 1.22.2 + * chore(deps): update all dependencies + * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1 + * chore(deps): update all dependencies + * fix(helpers/goversion): get from go.mod + * chore: fix function name + * chore(deps): update all dependencies + * Format the imports using the gci tool + * Fixup: delete unused variable + * Fix test: update test to comply with the spec of generated sources + * Refactor: use standard function to check if a file is generated + * Fix lint warnings + * Add support for math/rand/v2 added in Go 1.22 + * Skip the G601 tests for Go version 1.22 + * Update go version to 1.22.1 and 1.21.8 + * Ignore 'implicit memory aliasing' rule for Go 1.22+ + * chore(deps): update all dependencies + * chore(deps): update module golang.org/x/tools to v0.18.0 + * fix(hardcoded): remove duplicated `Stripe API Key` + +------------------------------------------------------------------- +Tue Feb 13 07:48:54 UTC 2024 - felix.niederwanger@suse.de + +- Update to version 2.19.0: + * Update gosec version to v2.19.0 in the Github action + * Update CI to go version 1.22 + * chore(deps): update all dependencies + * chore(deps): update all dependencies + * chore(deps): update all dependencies + * chore(deps): 
update all dependencies + * chore(deps): update all dependencies + * chore(deps): update dependency babel-standalone to v7.23.7 + * chore(deps): update module golang.org/x/crypto to v0.17.0 [security] + * chore(deps): update all dependencies + * chore(deps): update actions/setup-go action to v5 + * Fix lint warnings by properly formatting the files + * chore: Refactor Sample Code to Separate Files + * Update go version to 1.21.5 and 1.20.12 (#1084) + * chore(deps): update all dependencies (#1080) + * Ignore the issues from generated files when using the analysis framework (#1079) + * Update README with upload-sarif v2 (#1078) + * chore(deps): update dependency babel-standalone to v7.23.4 + +------------------------------------------------------------------- +Sat Nov 25 19:22:09 UTC 2023 - Dirk Müller + +- update to 2.18.2: + * Disable dot-imports in revive linter + * Run the gosec with data race detector active during + tests + * Fix data race in the analyzer + * Fix test that checks the overriden nosec directive + * Clean global state in flgs tests + * Format the file + * Update README with details which describe the current + of #nosec + * Ensure the ignores are parsed before analysing the + package + +------------------------------------------------------------------- +Sat Nov 25 19:19:43 UTC 2023 - dmueller@suse.com + +- Update to version 2.18.2: + * Added ppc64le support + * chore(deps): update all dependencies + * Ensure ignores are handled properly for multi-line issues + * Update Go to version 1.21.4 and 1.20.11 + * chore(deps): update module golang.org/x/text to v0.14.0 + * chore(deps): update all dependencies + * Remove the hardcoded GOOS value when building the Linux binary to enable support for container image for ARM + * Avoid allocations with `(*regexp.Regexp).MatchString` + * Fix some typos + * Update local installation instructions by removing the details for Go 1.16 + +------------------------------------------------------------------- +Tue Oct 17 
14:29:50 UTC 2023 - felix.niederwanger@suse.de + +- Update to version 2.18.1: + * chore(deps): update all dependencies + * Update gosec to version 2.18.1 in the action + * Update cosign version to v2.2.0 + * Refactor how ignored issues are tracked + * Restrict the maximum depth when tracking the slice bounds + * Handle empty ssa results + * Handle gracefully any panic that occurs when building the SSA representation of a package + * Fix typo + * Handle new function when getting the call info in case is overriden + * Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037) + * Update to Go 1.21.3 and 1.20.10 (#1035) + * Update the list of unsafe functions detected by the unsafe rule (#1033) + +------------------------------------------------------------------- +Mon Oct 9 13:23:33 UTC 2023 - Jeff Kowalczyk + +- Packaging improvements: + * Summary and Description clarify the purpose of this CLI tool + * Use Group: Development/Languages/Go instead of Other + * Drop BuildRequires: golang-packaging. The recommended Go + toolchain dependency is BuildRequires: golang(API) >= 1.x or + optionally the metapackage BuildRequires: go + * Drop Requires: golang-packaging. The original macros for file + movements into GOPATH are obsolete with Go modules. Macro + go_nostrip is no longer needed with current binutils and Go. 
+ * Remove %%{go_nostrip} macro which is no longer recommended + +------------------------------------------------------------------- +Mon Oct 09 09:02:02 UTC 2023 - felix.niederwanger@suse.com + +- Update to version 2.18.0: + * Update the action to use gosec version v2.18.0 (#1029) + * Use a step ID in github release action to get the digest of the image (#1028) + * Update to go version 1.21.2 and 1.20.9 (#1027) + * chore(deps): update all dependencies (#1026) + * Enable gochecknoinits; fix lint issues; use consts for some vars (#1022) + * Fix typos in struct fields, comments, and docs (#1023) + * chore(deps): update all dependencies + * Fix lint warning + * Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 + * Fix lint warnings + * Update ginkgo to latest version + * Redesign and reimplement the slice out of bounds check using SSA code representation + * docs: add reMarkable to users list + * chore(deps): update all dependencies + * Drop support for go 1.19.x since go team doesn't ship anymore security fixes for it + * Update to latest go version + * chore(deps): update all dependencies (#1011) + * Fix hardcoded_credentials rule to only match on more specific patterns (#1009) + * chore(deps): update all dependencies (#1008) + * Exclude maps from slince bounce check rule (#1006) + * Ignore struct pointers in G601 (#1003) + * Update gosec image version to 2.17.0 in the Github action (#1002) +- Packaging improvements: + * Use BuildRequires: golang(API) >= 1.20 instead of go >= 1.20. + The go metapackage points to a single go version that + increments at a date TBD after each go1.x major release. The + expression golang(API) is available immediately upon each go1.x + major release and is stable for expressing the minimum version + or a temporarily pinned version. 
+ +------------------------------------------------------------------- +Thu Aug 17 12:57:28 UTC 2023 - Felix Niederwanger felix.niederwanger@suse.com + +- Update to version 2.17.0: + * Update cosign to version v2.1.1 (#1000) + * Enable go 1.21.0 in the CI build (#998) + * chore(deps): update all dependencies (#997) + * Update to go version 1.20.7 and 1.19.12 (#993) + * chore(deps): update all dependencies (#992) + * chore(deps): update module github.com/onsi/gomega to v1.27.10 (#991) + * fix: correctly identify infixed concats as potential SQL injections (#987) + * chore(deps): update all dependencies (#989) + * Add a new flag terse to show only the results and summary (#986) + * Switch to a maintained fork of zxcvbn module (#984) + +------------------------------------------------------------------- +Fri Aug 4 08:27:41 UTC 2023 - Felix Niederwanger + +- Require go 1.20 + +------------------------------------------------------------------- +Tue May 23 09:10:04 UTC 2023 - Felix Niederwanger + +- Update to version 2.16.0 + +* Update cosign to latest version in release Github action +* chore(deps): update all dependencies +* Update go version in build and release scripts +* chore(deps): update all dependencies +* Update Go version to 1.20.3 +* chore(deps): update all dependencies +* Fix for Dockerfile smell DL3059 +* README: upgrade GitHub action in examples +* enable ginkgolinter linter +* chore(deps): update all dependencies +* correct gci linter +* remove deprecated linters +* increase timeout to 5m +* chore(deps): update all dependencies +* Use the latest version +* Fix some linting warnings +* Fix lint warning +* Bump the go versions and golanci +* chore(deps): update all dependencies +* Check nil pointer when variable is declared in a different file +* fix dead link to issue.go in README.md +* Remove rule G307 which checks when an error is not handled when a file or socket connection is closed +* Fix rule index reference into sarif report +* Bump 
golang.org/x/net from 0.6.0 to 0.7.0 +* Format file +* Use the gosec issue in the go analysers +* Fix file formatting +* Update Go version in CI builds +* Fix method name in the comment +* Extract the issue in its own package +* Add support for Go analysis framework and SSA code representation +* chore(deps): update all dependencies +* Remove the version form ci github action +* Pin github action to latest release version 2.15.0 +* Revert the image tag in github action until a working solution is found +* Fix version interpolation in github action image +* Add gosec version as an input parameter to GitHub action +* Update release build script + +------------------------------------------------------------------- +Mon Feb 6 15:09:19 UTC 2023 - Felix Niederwanger + +* Update to version 2.15.0 + +- Fix dependencies after renovate update +- chore(deps): update all dependencies (#922) +- Update to Go 1.20 and fix unit tests (#923) +- Update Go to latest version (#920) +- Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) +- Fix github latest URL (#918) +- Fix github release url (#916) +- chore(deps): update module github.com/onsi/ginkgo/v2 to v2.7.0 (#914) +- Update Go version in CI script (#913) +- Track back when a file path was sanitized with filepath.Clean (#912) +- Fix the TLS config rule when parsing the settings from a variable (#911) +- Fix build after updating the dependencies (#910) +- chore(deps): update all dependencies (#909) +- Fix dependencies after renovate update (#907) +- chore(deps): update all dependencies (#906) +- Update slack badge and link (#905) +- Auto-detect TLS MinVersion integer base (#903) +- Adding s390x support (#902) +- chore(deps): update all dependencies (#904) +- chore(deps): update all dependencies (#898) +- Additional types for bad defer check (#897) +- chore(deps): update all dependencies (#894) +- chore(deps): update all dependencies (#892) +- Update Go version in CI scripts (#889) +- 
chore(deps): update all dependencies (#888) +- Allow to override build date with SOURCE_DATE_EPOCH (#887) +- chore(deps): update all dependencies (#886) +- chore(deps): update all dependencies (#884) +- fileperms: bitwise permission comparison (#883) + +------------------------------------------------------------------- +Mon Dec 12 19:31:05 UTC 2022 - Felix Niederwanger + +- Switch OBS source service from tar_scm to obs_scm. + * Embed version info with go build arg GIT_TAG="v%{version}" + * _service obs_scm switch from tar_scm + * _service obs_scm switch param revision (branch) to version (tag) + * _service tar set to buildtime + * _service recompress set to buildtime + * _service recompress change tar compression from gz to xz + +------------------------------------------------------------------- +Mon Oct 17 13:45:23 UTC 2022 - Felix Niederwanger + +* Update to versin 2.14.0 + +- Pin release build to Go version 1.19.2 (#882) +- Refactor to support duplicate imports with different aliases (#865) +- chore(deps): update all dependencies (#881) +- go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) +- Update Go version to 1.19 in the makefile (#876) +- chore(deps): update all dependencies (#875) +- Add CWE-676 to cwe mapping (#874) +- chore(deps): update all dependencies (#872) +- Add a way to use private repositories on GitHub (#869) +- chore(deps): update all dependencies (#868) +- Check go version when installing govulncheck +- Check go version when running govulncheck +- Add vulncheck to the test steps +- chore(deps): update all dependencies +- Fix false positives for G404 with aliased packages +- chore(deps): update all dependencies +- chore(deps): update all dependencies +- fix: add a CWE ID mapping to rule G114 +- chore(deps): update golang.org/x/crypto digest to bc19a97 + +------------------------------------------------------------------- +Mon Aug 22 08:47:01 UTC 2022 - Felix Niederwanger + +* Update to version 2.13.1 + +- fix: make 
sure that nil Cwe pointer is handled when getting the CWE ID +- test: remove white spaces from template +- fix: handle nil CWE pointer in text template + +* Update to version 2.13.0 + +- chore(deps): update dependency babel-standalone to v7 +- chore: update module go to 1.19 +- chore: fix lint warnings +- chore: add support for Go 1.19 +- fix: parsing of the Go version (#844) +- Detect use of net/http functions that have no support for setting timeouts (#842) +- Refactor SQL rules for better extensibility (#841) +- chore(deps): update module golang.org/x/tools to v0.1.12 (#840) +- Fix lint warning +- Check the suppressed issues when generating the exit code +- Fix for G402. Check package path instead of package name (#838) +- fix G204 bugs (#835) +- Phase out support for Go 1.16 since is not supported anymore by Go team (#837) +- chore(deps): update all dependencies (#836) +- chore(deps): update dependency highlight.js to v11.6.0 (#830) +- fix: filepaths with git anywhere in them being erroneously excluded (#828) +- Fix wrong location for G109 (#829) +- chore(deps): update golang.org/x/crypto digest to 0559593 (#826) +- fix ReadTimeout for G112 rule +- Pin cosign-installer to v2 (#824) + +* Update to version 2.12.0 + +- chore(deps): update all dependencies (#822) +- Add check for usage of Rat.SetString in math/big with an overflow error (#819) +- Remove additional --update for apk in Dockerfile (#818) +- Update x/tools to pick up fix for golang/go#51629 (#817) +- chore(deps): update all dependencies (#816) +- chore(deps): update all dependencies (#812) +- chore(deps): update all dependencies (#811) +- Add new rule for Slowloris Attack +- Fix the dependencies after renovate upate (#806) +- chore(deps): update all dependencies (#805) +- Update the description message of template rule (#803) +- Fix typo in ReadMe (#802) +- Fix build after renovate update (#800) +- Fix use rule IDs to retrieve the rule config +- chore(deps): update all dependencies (#796) + + 
+------------------------------------------------------------------- +Tue Mar 22 08:10:13 UTC 2022 - Felix Niederwanger + +* Update to version 2.11.0 + +- Enable Go 1.18 in the ci and release workflows +- Fix the lint action after upgrade (#790) +- chore(deps): update all dependencies (#789) +- Add a recursive flag -r to skip specifying ./... path +- Adds directory traversal for Http.Dir("/") + +------------------------------------------------------------------- +Wed Mar 2 07:35:25 UTC 2022 - Felix Niederwanger + +* Update to version 2.10.0: + +- Extend the release action to sign the docker image and binary files with cosign (#781) +- feat: add concurrency option to parallelize package loading (#778) +- chore(deps): update all dependencies +- Process the code snippet before adding it to the SARIF report +- Updated sponsor link in README.md +- chore(deps): update golang.org/x/crypto commit hash to 30dcbda +- chore(deps): update all dependencies +- Use the CWE name as a name in the SARIF report +- chore(deps): update all dependencies (#771) +- Resolve the TLS min version when is declarted in the same package but in a different file +- Add a test for tls min version defined in a different file +- chore(deps): update all dependencies (#765) + +------------------------------------------------------------------- +Fri Jan 21 07:49:30 UTC 2022 - Felix Niederwanger + +* Update to version 2.9.6: + +- Add db.Exec and db.Prepare to the sql rule (#763) +- chore(deps): update golang.org/x/crypto commit hash to 5e0467b (#764) +- Add os.Create to the readfile rule (#761) +- Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) +- chore(deps): update dependency highlight.js to v11.4.0 (#758) +- Fix false negatives for SQL injection in multi-line queries +- Find G303 with filepath.Join'd temp dirs (#754) +- Find more tempdirs +- build(fmt): use [ instead of [[ (#751) +- Update to ginkgo v2 (#753) +- Fix #743 (#748) +- Handle nil when looking up a file by position 
into a package (#747) +- Add in the config file settings for exclude and include options +- chore(deps): update golang.org/x/crypto commit hash to e495a2d (#745) +- Track both #nosec and #nosec rulelist for one violation (#741) +- Add the sponsors section in the README file (#740) +- Remove space between // and #nosec in examples and internal use + +------------------------------------------------------------------- +Fri Jan 14 09:33:28 UTC 2022 - Felix Niederwanger + +- Add position-independent executable to compiler flags + +------------------------------------------------------------------- +Fri Jan 14 09:15:56 UTC 2022 - Felix Niederwanger + +- Add version 2.9.5 diff --git a/gosec.obsinfo b/gosec.obsinfo new file mode 100644 index 0000000..7b19259 --- /dev/null +++ b/gosec.obsinfo @@ -0,0 +1,4 @@ +name: gosec +version: 2.21.3 +mtime: 1726661447 +commit: a83689867d8e15cac0f94c1b55979c45df8f69d6 diff --git a/gosec.spec b/gosec.spec new file mode 100644 index 0000000..ab0ac91 --- /dev/null +++ b/gosec.spec 
@@ -0,0 +1,61 @@ +# +# spec file for package gosec +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: gosec +Version: 2.21.3 +Release: 0 +Summary: CLI tool to scan the Go AST and SSA code representations for security problems +License: Apache-2.0 +Group: Development/Languages/Go +URL: https://github.com/securego/gosec +Source: gosec-%{version}.tar.xz +Source1: vendor.tar.gz +BuildRequires: golang(API) >= 1.20 + +%description +CLI tool to inspect Go source code for security problems by scanning the +abstract syntax tree (AST) and static single-assignment (SSA) code +representations. + +%prep +%autosetup -D -a 1 + +%build +# Native linux build includes version tags but currently works only on x86_64 +%ifarch x86_64 +GOFLAGS="-buildmode=pie" GIT_TAG="v%{version}" make build-linux +%else +GOFLAGS="-buildmode=pie" GIT_TAG="v%{version}" make build +%endif + +%check +# check if binary is working +./gosec --version +make sec +# Not yet working because it wants to pull the latest ginkgo version from GitHub +#make test + +%install +install -Dm 755 gosec %{buildroot}/%{_bindir}/gosec + +%files +%license LICENSE.txt +%doc README.md +%{_bindir}/gosec + +%changelog diff --git a/vendor.tar.gz b/vendor.tar.gz new file mode 100644 index 0000000..a5ab3d2 --- /dev/null +++ b/vendor.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:672519a7143ddcdd618e3a4d25af9db33a787d44d3e4e7fabff7433ab521399b +size 6787054
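Review bot: the gosec-2.20.0.obscpio and gosec-2.21.2.obscpio hunks add source archives that nothing else in this patch uses. gosec.spec sets "Version: 2.21.3" and gosec.obsinfo names "version: 2.21.3", so only gosec-2.21.3.obscpio corresponds to what is built. Drop the two older LFS pointers so the package carries a single source archive whose sha256 can be checked against the packaged commit.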
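Review bot: the _service hunk selects the source by tag (v2.21.3), and a tag can be moved upstream, so the value to review is the commit a83689867d8e15cac0f94c1b55979c45df8f69d6 recorded in both _servicedata and gosec.obsinfo. Confirm that this commit is what v2.21.3 resolves to at https://github.com/securego/gosec.git before accepting the archive. The _servicedata hunk also ends with "\ No newline at end of file", which is worth fixing while the file is being added.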
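Review bot: in the gosec.changes hunk the two entries dated Sat Nov 25 2023 (19:22:09 and 19:19:43) both announce 2.18.2 with different bullet lists and should be merged into one entry. The entries from 2.16.0 back to 2.9.6 flip the list markers ("* Update to version 2.15.0" followed by "-" items), and one header reads "Update to versin 2.14.0". The 2.21.2 entry also buries rule changes such as "Added new rule G407(hardcoded IV/nonce)" among repeated "chore(deps): update all dependencies" lines; trimming the dependency noise would make the security-relevant changes easier to find.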
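Review bot: in the gosec.spec hunk, "BuildRequires: golang(API) >= 1.20" looks stale against the gosec.changes entry for 2.21.2, which lists "Update go.mod to sue go 1.22.0 toolchain"; check the minimum against upstream's go.mod for v2.21.3 and raise it if needed. In %check, "make test" is commented out, so the build is verified only by "./gosec --version" and "make sec"; since Source1 already ships vendored modules, it is worth checking whether the test suite can run against them instead of staying disabled.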
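Review bot: the vendor.tar.gz hunk adds the vendored dependencies as an LFS pointer (sha256 and size only), and gosec.spec refers to it by the unversioned name "Source1: vendor.tar.gz", so nothing in the patch shows that the tarball was regenerated for 2.21.3. Record in gosec.changes or in a spec comment how the tarball is produced, or give it a versioned file name, so a stale vendor archive cannot go unnoticed on the next update.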