Release/v2.4.0 #514
Merged
Release/v2.4.0 #514
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
wiliansilvazup
commented
Aug 9, 2021
wiliansilvazup
commented
- Removing some unnecessary paths ignored by horusec (Removing some unnecessary paths ignored by horusec #502)
- Removing duplicated issues (bugfix/yarn-audit #501)
- Feature/output txt (Feature/output txt #496)
- Builds binaries for platforms and draft a GitHub release (Builds binaries for platforms and draft a GitHub release #503)
- Move tfsec formatter to conform to architectural standards (Move HCL formatter folder structure #508)
- Feature/trivy (Feature/trivy #504)
- Tests: refactor end-to-end tests (tests: refactor end-to-end tests #505)
- Javascript rules improve (Javascript rules improve #506)
- Remove unused constant (Remove unused constant #511)
- Tests: fix expected vulnerabities on Javascript (tests: fix expected vulnerabities on Javascript #512)
- Add Checkov as HCL analyzer (Add Checkov as HCL analyzer #510)
- Normalize interfaces to follow Go standards (normalize interfaces to follow Go standards #509)
* Removing some unnecessary paths ignored by horusec Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br> * Fixing unity test Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br> * Fixing error in build workflow Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br> * Fixing error in build workflow Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br>
Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br>
* fix data-races when running analysis (#477) * fix possible wrong path concat on windows * enable data race detection on make test * fix data-races when running analysis Previously when we start an analysis of language/tool we controlled the state of execution using the monitor package, but many objects use the same instance of monitor doing updates and reads concurrent resulting in possible data races. This commit drops the monitor package and replace to use the `sync.WaitGroup` to control the state of go routines. An improvement was also made to control the timeout of analysis using `time.After` function to receive the channel when timeout occurred or close the `done` channel when analysis finish. An mutex was added on Service to avoid data races when adding errors on Analysis. * improvement on Swift rules description (#479) * feature/dependency-check (#478) * Adding owasp dependency check formatter * Adding tests and fixing lint * Adding flag to enable owasp dependency check * Fixing pipeline errors * Fixing some errors * Updating devkit version * Feature/dotnet cli (#480) * Adding dotnet cli dependency check * Fixing lint errors * Adding lisence header * Improving security code scan * Adding validation to not found solution in scs, adding license headers * Adding code in security code scan * Updating csharp example with vulnerable dependencies, adding validation to failed build in security code scan * Fixing some errors * Adding code, line and filepath in dotnet cli. Fixing some errors * Updating horusec json * Fixing commit authors issues * Fixing some issues found during tests * Adding validation to dotnetcli output * Fixing lint error * Fixing lint errors * Fixing lint error * Updating horusec config json * Updating go modules and adding missing unity test * Fixing error to remove .horusec * [skip ci] Update versioning file * avoid time.Sleep to log analysis timeout status (#482) Previously, to warn the user that the analysis is still running, we used time.Sleep to print how much time is left for the timeout, however, if the analysis has already been completed, we still need to wait for the end of time.Sleep to finish the analysis. This change removes time.Sleep and uses time.Tick to print the message, so, if the analysis is finished before the next retry, we do not lock the analysis with time.Sleep. * Feature/nancy (#483) * Adding nancy dependency check for go * Adding nancy unity tests * Adding vulnerable dependencies in go example project * Fixing errors found during tests * Fixing unity tests and pipeline errors * Updating devkit version * Fixing pipeline errors * Updating go dockerfile to use nancy binary from github * Fixing go sum * Updating config json * Adding option to txt output * Adding option to txt output Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br> Co-authored-by: matheusalcantarazup <84723211+matheusalcantarazup@users.noreply.github.com> Co-authored-by: wilian <wilian.silva@zup.com.br> Co-authored-by: Nathan Tavares Nascimento <nathan.nascimento@zup.com.br>
* Adding goreleaser config * Removing goreleaser deprecation * Ignoring dist folder * Customise to follow the current build pattern * Run GoReleaser on new tag * Using ldflags to set version information * Generates SHA-256 checksums * Add the copyright header * Ignoring dist folder Co-authored-by: Nathan Tavares Nascimento <nathan.nascimento@zup.com.br>
* fix data-races when running analysis (#477) * fix possible wrong path concat on windows * enable data race detection on make test * fix data-races when running analysis Previously when we start an analysis of language/tool we controlled the state of execution using the monitor package, but many objects use the same instance of monitor doing updates and reads concurrent resulting in possible data races. This commit drops the monitor package and replace to use the `sync.WaitGroup` to control the state of go routines. An improvement was also made to control the timeout of analysis using `time.After` function to receive the channel when timeout occurred or close the `done` channel when analysis finish. An mutex was added on Service to avoid data races when adding errors on Analysis. * improvement on Swift rules description (#479) * feature/dependency-check (#478) * Adding owasp dependency check formatter * Adding tests and fixing lint * Adding flag to enable owasp dependency check * Fixing pipeline errors * Fixing some errors * Updating devkit version * Feature/dotnet cli (#480) * Adding dotnet cli dependency check * Fixing lint errors * Adding lisence header * Improving security code scan * Adding validation to not found solution in scs, adding license headers * Adding code in security code scan * Updating csharp example with vulnerable dependencies, adding validation to failed build in security code scan * Fixing some errors * Adding code, line and filepath in dotnet cli. Fixing some errors * Updating horusec json * Fixing commit authors issues * Fixing some issues found during tests * Adding validation to dotnetcli output * Fixing lint error * Fixing lint errors * Fixing lint error * Updating horusec config json * Updating go modules and adding missing unity test * Fixing error to remove .horusec * [skip ci] Update versioning file * avoid time.Sleep to log analysis timeout status (#482) Previously, to warn the user that the analysis is still running, we used time.Sleep to print how much time is left for the timeout, however, if the analysis has already been completed, we still need to wait for the end of time.Sleep to finish the analysis. This change removes time.Sleep and uses time.Tick to print the message, so, if the analysis is finished before the next retry, we do not lock the analysis with time.Sleep. * Feature/nancy (#483) * Adding nancy dependency check for go * Adding nancy unity tests * Adding vulnerable dependencies in go example project * Fixing errors found during tests * Fixing unity tests and pipeline errors * Updating devkit version * Fixing pipeline errors * Updating go dockerfile to use nancy binary from github * Add set log file to global command Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Add set log file to global command Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * remove ctrl v error Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * refactor cyclomatic function Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Fixing lint errors Signed-off-by: nathanmartinszup <nathan.martins@zup.com.br> * fix tests Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Add LogOutput Tests Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Fix tests Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * altering fileName creation to use filepath.Join Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * removing comments from tests Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Change logpath flage name to log-file-path and refactor on logSetOutput * Adding more tests and system call interface Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Save work Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * fix viper config Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Add trivy as new tool to generic analyzers Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br> * Att gomod and add setSystemCall * Add license to trivy files * Fix tools to ignore from merge commit error Co-authored-by: matheusalcantarazup <84723211+matheusalcantarazup@users.noreply.github.com> Co-authored-by: nathanmartinszup <63246935+nathanmartinszup@users.noreply.github.com> Co-authored-by: wilian <wilian.silva@zup.com.br> Co-authored-by: nathanmartinszup <nathan.martins@zup.com.br>
* tests: refactor end-to-end tests This commit refactor the end-to-end tests to assert for equal vulnerabilities instead for assert that vulnerabilities is greater than 0. This commit also refactor the tests to use table tests for more readability and avoid duplicated code. Co-authored-by: Matheus Alcantara <matheus.alcantara@zup.com.br> * ci: upgrade Go version of e2e to 1.16 Co-authored-by: Matheus Alcantara <matheus.alcantara@zup.com.br>
* Added .redirect unsafy and improve readFile rule Signed-off-by: lucas.bruno <lucas.bruno@zup.com.br> * Rule: No render content from request * Fixing rule no render content from request descripton * Rule: No write content from request on HTML Signed-off-by: lucas.bruno <lucas.bruno@zup.com.br> * Change severity of content from request rules * Rule: Stack trace exposure * Export rule expose stack trace for using * Rule: Insecure download of executable file * Fixing test
* removes constant MsgInfoConfigFilePath at Info Signed-off-by: Otavio Santana <otaviopolianasantana@gmail.com> * removes MsgWarnToolsToIgnoreDeprecated constant at warn.go Signed-off-by: Otavio Santana <otaviopolianasantana@gmail.com>
* Add Checkov as HCL Scanning tool * Add Checkov to config file * Fix output parsing * Update go mod dependencies * Fix linter errors * Fix go test for single framework
This commit refactor the declarations of interfaces to follow Go standards for good pratices. Interfaces should be declarad on the consumer side, so this commit move all interfaces declared on implementation side to consumer side. For more about interfaces and Go standards read: https://github.com/golang/go/wiki/CodeReviewComments#interfaces Co-authored-by: Matheus Alcantara <matheus.alcantara@zup.com.br> Co-authored-by: wilian <wilian.silva@zup.com.br>
wiliansilvazup
requested review from
lucasbrunozup,
lucasgarciazup,
nathanmartinszup,
nathannascimentozup and
tiagoangelozup
as code owners
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.