- added gosec workflow

- resolved issues flagged by gosec
Threagile · Jan 31, 2024 · 6e23605 · 6e23605
1 parent ac5b4c4
commit 6e23605
Show file tree

Hide file tree

Showing 16 changed files with 86 additions and 44 deletions.
diff --git a/.github/workflows/gosec-analysis.yml b/.github/workflows/gosec-analysis.yml
@@ -0,0 +1,24 @@
+name: Security Static Analysis
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 0 1 * *'
+
+jobs:
+  analyze:
+    name: GoSec
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Run Gosec
+        uses: securego/gosec@master
+        with:
+          args: ./...
diff --git a/Makefile b/Makefile
@@ -20,21 +20,22 @@ GO		= env GO111MODULE=on go
 MKDIR	= mkdir -p
 CP		= cp -r
 RM		= rm -rf
+GOSEC	= /opt/homebrew/bin/gosec
 
 # Targets
-.phony: all run_tests install clean uninstall
+.phony: all prep run_tests clean tidy install uninstall gosec
 
 default: all
 
+all: prep run_tests $(addprefix bin/,$(BIN))
+
 prep:
 	@# env GO111MODULE=on go mod vendor
 	$(MKDIR) bin
 
 run_tests:
 	$(GO) test ./...
 
-all: prep run_tests $(addprefix bin/,$(BIN))
-
 clean:
 	$(RM) bin vendor
 
@@ -56,6 +57,9 @@ uninstall:
 	$(RM) $(addprefix $(BIN_DIR)/,$(BIN))
 	$(RM) $(ASSET_DIR)
 
+gosec:
+	$(GOSEC) ./...
+
 bin/raa_calc: cmd/raa/main.go
 	$(GO) build $(GOFLAGS) -o $@ $<
 

diff --git a/cmd/raa_dummy/main.go b/cmd/raa_dummy/main.go
@@ -2,12 +2,14 @@ package main
 
 import (
 	"bufio"
+	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"github.com/threagile/threagile/pkg/security/types"
 	"io"
-	"math/rand"
+	"math/big"
 	"os"
+	"time"
 )
 
 // JUST A DUMMY TO HAVE AN ALTERNATIVE PLUGIN TO USE/TEST
@@ -44,7 +46,11 @@ func main() {
 
 func CalculateRAA(input *types.ParsedModel) string {
 	for techAssetID, techAsset := range input.TechnicalAssets {
-		techAsset.RAA = float64(rand.Intn(100))
+		nBig, randError := rand.Int(rand.Reader, big.NewInt(100))
+		if randError != nil {
+			nBig.SetInt64(time.Now().UnixMilli())
+		}
+		techAsset.RAA = float64(nBig.Int64())
 		fmt.Println("Using dummy RAA random calculation (just to test the usage of other shared object files as plugins)")
 		input.TechnicalAssets[techAssetID] = techAsset
 	}

diff --git a/internal/threagile/about.go b/internal/threagile/about.go
@@ -43,7 +43,7 @@ func (what *Threagile) initAbout() *Threagile {
 				cmd.Printf("weird app folder %v", appDir)
 				return errors.New("weird app folder")
 			}
-			content, err := os.ReadFile(filepath.Join(appDir, "LICENSE.txt"))
+			content, err := os.ReadFile(filepath.Clean(filepath.Join(appDir, "LICENSE.txt")))
 			if err != nil {
 				cmd.Printf("Unable to read license file: %v", err)
 				return err

diff --git a/pkg/common/config.go b/pkg/common/config.go
@@ -118,7 +118,7 @@ func (c *Config) Load(configFilename string) error {
 		return nil
 	}
 
-	data, readError := os.ReadFile(configFilename)
+	data, readError := os.ReadFile(filepath.Clean(configFilename))
 	if readError != nil {
 		return readError
 	}

diff --git a/pkg/examples/examples.go b/pkg/examples/examples.go
@@ -59,13 +59,13 @@ func copyFile(src, dst string) (int64, error) {
 		return 0, fmt.Errorf("%s is not a regular file", src)
 	}
 
-	source, err := os.Open(src)
+	source, err := os.Open(filepath.Clean(src))
 	if err != nil {
 		return 0, err
 	}
 	defer func() { _ = source.Close() }()
 
-	destination, err := os.Create(dst)
+	destination, err := os.Create(filepath.Clean(dst))
 	if err != nil {
 		return 0, err
 	}

diff --git a/pkg/input/model.go b/pkg/input/model.go
@@ -67,7 +67,7 @@ func (model *Model) Defaults() *Model {
 }
 
 func (model *Model) Load(inputFilename string) error {
-	modelYaml, readError := os.ReadFile(inputFilename)
+	modelYaml, readError := os.ReadFile(filepath.Clean(inputFilename))
 	if readError != nil {
 		log.Fatal("Unable to read model file: ", readError)
 	}
@@ -88,7 +88,7 @@ func (model *Model) Load(inputFilename string) error {
 }
 
 func (model *Model) Merge(dir string, includeFilename string) error {
-	modelYaml, readError := os.ReadFile(filepath.Join(dir, includeFilename))
+	modelYaml, readError := os.ReadFile(filepath.Clean(filepath.Join(dir, includeFilename)))
 	if readError != nil {
 		return fmt.Errorf("unable to read model file: %v", readError)
 	}

diff --git a/pkg/macros/macros.go b/pkg/macros/macros.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -288,13 +289,13 @@ func copyFile(src, dst string) (int64, error) {
 		return 0, fmt.Errorf("%s is not a regular file", src)
 	}
 
-	source, err := os.Open(src)
+	source, err := os.Open(filepath.Clean(src))
 	if err != nil {
 		return 0, err
 	}
 	defer func() { _ = source.Close() }()
 
-	destination, err := os.Create(dst)
+	destination, err := os.Create(filepath.Clean(dst))
 	if err != nil {
 		return 0, err
 	}

diff --git a/pkg/model/runner.go b/pkg/model/runner.go
@@ -42,7 +42,7 @@ func (p *runner) Run(in any, out any, parameters ...string) error {
 		Out:        out,
 	}
 
-	plugin := exec.Command(p.Filename, p.Parameters...)
+	plugin := exec.Command(p.Filename, p.Parameters...) // #nosec G204
 	stdin, stdinError := plugin.StdinPipe()
 	if stdinError != nil {
 		return stdinError

diff --git a/pkg/report/graphviz.go b/pkg/report/graphviz.go
@@ -259,7 +259,7 @@ func WriteDataFlowDiagramGraphvizDOT(parsedModel *types.ParsedModel,
 	//fmt.Println(dotContent.String())
 
 	// Write the DOT file
-	file, err := os.Create(diagramFilenameDOT)
+	file, err := os.Create(filepath.Clean(diagramFilenameDOT))
 	if err != nil {
 		return nil, fmt.Errorf("Error creating %s: %v", diagramFilenameDOT, err)
 	}
@@ -292,14 +292,14 @@ func GenerateDataFlowDiagramGraphvizImage(dotFile *os.File, targetDir string,
 	if err != nil {
 		return fmt.Errorf("Error reading %s: %v", dotFile.Name(), err)
 	}
-	err = os.WriteFile(tmpFileDOT.Name(), inputDOT, 0644)
+	err = os.WriteFile(tmpFileDOT.Name(), inputDOT, 0600)
 	if err != nil {
 		return fmt.Errorf("Error creating %s: %v", tmpFileDOT.Name(), err)
 	}
 
 	// exec
 
-	cmd := exec.Command("dot", "-Tpng", tmpFileDOT.Name(), "-o", tmpFilePNG.Name())
+	cmd := exec.Command("dot", "-Tpng", tmpFileDOT.Name(), "-o", tmpFilePNG.Name()) // #nosec G204
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err = cmd.Run()
@@ -311,7 +311,7 @@ func GenerateDataFlowDiagramGraphvizImage(dotFile *os.File, targetDir string,
 	if err != nil {
 		return fmt.Errorf("Error copying into resulting file %s: %v", tmpFilePNG.Name(), err)
 	}
-	err = os.WriteFile(filepath.Join(targetDir, dataFlowDiagramFilenamePNG), inputPNG, 0644)
+	err = os.WriteFile(filepath.Join(targetDir, dataFlowDiagramFilenamePNG), inputPNG, 0600)
 	if err != nil {
 		return fmt.Errorf("Error creating %s: %v", filepath.Join(targetDir, dataFlowDiagramFilenamePNG), err)
 	}
@@ -446,7 +446,7 @@ func WriteDataAssetDiagramGraphvizDOT(parsedModel *types.ParsedModel, diagramFil
 	dotContent.WriteString("}")
 
 	// Write the DOT file
-	file, err := os.Create(diagramFilenameDOT)
+	file, err := os.Create(filepath.Clean(diagramFilenameDOT))
 	if err != nil {
 		return nil, fmt.Errorf("Error creating %s: %v", diagramFilenameDOT, err)
 	}
@@ -567,13 +567,13 @@ func GenerateDataAssetDiagramGraphvizImage(dotFile *os.File, targetDir string,
 	if err != nil {
 		return fmt.Errorf("Error reading %s: %v", dotFile.Name(), err)
 	}
-	err = os.WriteFile(tmpFileDOT.Name(), inputDOT, 0644)
+	err = os.WriteFile(tmpFileDOT.Name(), inputDOT, 0600)
 	if err != nil {
 		return fmt.Errorf("Error creating %s: %v", tmpFileDOT.Name(), err)
 	}
 
 	// exec
-	cmd := exec.Command("dot", "-Tpng", tmpFileDOT.Name(), "-o", tmpFilePNG.Name())
+	cmd := exec.Command("dot", "-Tpng", tmpFileDOT.Name(), "-o", tmpFilePNG.Name()) // #nosec G204
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	err = cmd.Run()
@@ -585,7 +585,7 @@ func GenerateDataAssetDiagramGraphvizImage(dotFile *os.File, targetDir string,
 	if err != nil {
 		return fmt.Errorf("Error copying into resulting file %s: %v", tmpFilePNG.Name(), err)
 	}
-	err = os.WriteFile(filepath.Join(targetDir, dataAssetDiagramFilenamePNG), inputPNG, 0644)
+	err = os.WriteFile(filepath.Join(targetDir, dataAssetDiagramFilenamePNG), inputPNG, 0600)
 	if err != nil {
 		return fmt.Errorf("Error creating %s: %v", filepath.Join(targetDir, dataAssetDiagramFilenamePNG), err)
 	}

diff --git a/pkg/report/json.go b/pkg/report/json.go
@@ -22,7 +22,7 @@ func WriteRisksJSON(parsedModel *types.ParsedModel, filename string) error {
 	if err != nil {
 		return fmt.Errorf("failed to marshal risks to JSON: %w", err)
 	}
-	err = os.WriteFile(filename, jsonBytes, 0644)
+	err = os.WriteFile(filename, jsonBytes, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write risks to JSON file: %w", err)
 	}
@@ -36,7 +36,7 @@ func WriteTechnicalAssetsJSON(parsedModel *types.ParsedModel, filename string) e
 	if err != nil {
 		return fmt.Errorf("failed to marshal technical assets to JSON: %w", err)
 	}
-	err = os.WriteFile(filename, jsonBytes, 0644)
+	err = os.WriteFile(filename, jsonBytes, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write technical assets to JSON file: %w", err)
 	}
@@ -48,7 +48,7 @@ func WriteStatsJSON(parsedModel *types.ParsedModel, filename string) error {
 	if err != nil {
 		return fmt.Errorf("failed to marshal stats to JSON: %w", err)
 	}
-	err = os.WriteFile(filename, jsonBytes, 0644)
+	err = os.WriteFile(filename, jsonBytes, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write stats to JSON file: %w", err)
 	}

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -1172,8 +1172,8 @@ func (r *pdfReporter) createRiskMitigationStatus(parsedModel *types.ParsedModel,
 			},
 		}
 
-		r.embedPieChart(pieChartRemainingRiskSeverity, 15.0, 216, tempFolder)
-		r.embedPieChart(pieChartRemainingRisksByFunction, 110.0, 216, tempFolder)
+		_ = r.embedPieChart(pieChartRemainingRiskSeverity, 15.0, 216, tempFolder)
+		_ = r.embedPieChart(pieChartRemainingRisksByFunction, 110.0, 216, tempFolder)
 
 		r.pdf.SetFont("Helvetica", "B", fontSizeBody)
 		r.pdf.Ln(8)

diff --git a/pkg/server/execute.go b/pkg/server/execute.go
@@ -132,7 +132,7 @@ func (s *server) execute(ginContext *gin.Context, dryRun bool) (yamlContent []by
 		s.doItViaRuntimeCall(yamlFile, tmpOutputDir, true, true, true, true, true, true, true, true, dpi)
 	}
 
-	yamlContent, err = os.ReadFile(yamlFile)
+	yamlContent, err = os.ReadFile(filepath.Clean(yamlFile))
 	if err != nil {
 		handleErrorInServiceCall(err, ginContext)
 		return yamlContent, false
@@ -214,7 +214,8 @@ func (s *server) doItViaRuntimeCall(modelFile string, outputDir string,
 	if nameError != nil {
 		panic(nameError)
 	}
-	cmd = exec.Command(self, args...)
+
+	cmd = exec.Command(self, args...) // #nosec G204
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		panic(errors.New(string(out)))

diff --git a/pkg/server/model.go b/pkg/server/model.go
@@ -994,7 +994,7 @@ func (s *server) readModel(ginContext *gin.Context, modelUUID string, key []byte
 		return modelInputResult, yamlText, false
 	}
 
-	fileBytes, err := os.ReadFile(filepath.Join(modelFolder, s.config.InputFile))
+	fileBytes, err := os.ReadFile(filepath.Clean(filepath.Join(modelFolder, s.config.InputFile)))
 	if err != nil {
 		log.Println(err)
 		ginContext.JSON(http.StatusInternalServerError, gin.H{
@@ -1264,7 +1264,7 @@ func (s *server) writeModelYAML(ginContext *gin.Context, yaml string, key []byte
 			return false
 		}
 	}
-	f, err := os.Create(filepath.Join(modelFolder, s.config.InputFile))
+	f, err := os.Create(filepath.Clean(filepath.Join(modelFolder, s.config.InputFile)))
 	if err != nil {
 		log.Println(err)
 		ginContext.JSON(http.StatusInternalServerError, gin.H{
@@ -1303,7 +1303,7 @@ func (s *server) backupModelToHistory(modelFolder string, changeReasonForHistory
 			return err
 		}
 	}
-	inputModel, err := os.ReadFile(filepath.Join(modelFolder, s.config.InputFile))
+	inputModel, err := os.ReadFile(filepath.Clean(filepath.Join(modelFolder, s.config.InputFile)))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/server/report.go b/pkg/server/report.go
@@ -108,42 +108,42 @@ func (s *server) streamResponse(ginContext *gin.Context, responseType responseTy
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		ginContext.File(filepath.Join(tmpOutputDir, s.config.DataFlowDiagramFilenamePNG))
+		ginContext.File(filepath.Clean(filepath.Join(tmpOutputDir, s.config.DataFlowDiagramFilenamePNG)))
 	} else if responseType == dataAssetDiagram {
 		s.doItViaRuntimeCall(tmpModelFile.Name(), tmpOutputDir, false, true, false, false, false, false, false, false, dpi)
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		ginContext.File(filepath.Join(tmpOutputDir, s.config.DataAssetDiagramFilenamePNG))
+		ginContext.File(filepath.Clean(filepath.Join(tmpOutputDir, s.config.DataAssetDiagramFilenamePNG)))
 	} else if responseType == reportPDF {
 		s.doItViaRuntimeCall(tmpModelFile.Name(), tmpOutputDir, false, false, true, false, false, false, false, false, dpi)
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		ginContext.FileAttachment(filepath.Join(tmpOutputDir, s.config.ReportFilename), s.config.ReportFilename)
+		ginContext.FileAttachment(filepath.Clean(filepath.Join(tmpOutputDir, s.config.ReportFilename)), s.config.ReportFilename)
 	} else if responseType == risksExcel {
 		s.doItViaRuntimeCall(tmpModelFile.Name(), tmpOutputDir, false, false, false, true, false, false, false, false, dpi)
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		ginContext.FileAttachment(filepath.Join(tmpOutputDir, s.config.ExcelRisksFilename), s.config.ExcelRisksFilename)
+		ginContext.FileAttachment(filepath.Clean(filepath.Join(tmpOutputDir, s.config.ExcelRisksFilename)), s.config.ExcelRisksFilename)
 	} else if responseType == tagsExcel {
 		s.doItViaRuntimeCall(tmpModelFile.Name(), tmpOutputDir, false, false, false, false, true, false, false, false, dpi)
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		ginContext.FileAttachment(filepath.Join(tmpOutputDir, s.config.ExcelTagsFilename), s.config.ExcelTagsFilename)
+		ginContext.FileAttachment(filepath.Clean(filepath.Join(tmpOutputDir, s.config.ExcelTagsFilename)), s.config.ExcelTagsFilename)
 	} else if responseType == risksJSON {
 		s.doItViaRuntimeCall(tmpModelFile.Name(), tmpOutputDir, false, false, false, false, false, true, false, false, dpi)
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		jsonData, err := os.ReadFile(filepath.Join(tmpOutputDir, s.config.JsonRisksFilename))
+		jsonData, err := os.ReadFile(filepath.Clean(filepath.Join(tmpOutputDir, s.config.JsonRisksFilename)))
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
@@ -155,7 +155,7 @@ func (s *server) streamResponse(ginContext *gin.Context, responseType responseTy
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		jsonData, err := os.ReadFile(filepath.Join(tmpOutputDir, s.config.JsonTechnicalAssetsFilename))
+		jsonData, err := os.ReadFile(filepath.Clean(filepath.Join(tmpOutputDir, s.config.JsonTechnicalAssetsFilename)))
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return
@@ -167,7 +167,7 @@ func (s *server) streamResponse(ginContext *gin.Context, responseType responseTy
 			handleErrorInServiceCall(err, ginContext)
 			return
 		}
-		jsonData, err := os.ReadFile(filepath.Join(tmpOutputDir, s.config.JsonStatsFilename))
+		jsonData, err := os.ReadFile(filepath.Clean(filepath.Join(tmpOutputDir, s.config.JsonStatsFilename)))
 		if err != nil {
 			handleErrorInServiceCall(err, ginContext)
 			return