analyzers

package
v2.24.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 1, 2026 License: Apache-2.0 Imports: 20 Imported by: 7

Documentation

Index

Constants

View Source 
const MaxDepth = 20

MaxDepth defines the maximum recursion depth for SSA analysis to avoid infinite loops and memory exhaustion.

Variables

View Source 
var (
	SQLInjectionRule = taint.RuleInfo{
		ID:          "G701",
		Description: "SQL injection via string concatenation",
		Severity:    "HIGH",
		CWE:         "CWE-89",
	}

	CommandInjectionRule = taint.RuleInfo{
		ID:          "G702",
		Description: "Command injection via user input",
		Severity:    "CRITICAL",
		CWE:         "CWE-78",
	}

	PathTraversalRule = taint.RuleInfo{
		ID:          "G703",
		Description: "Path traversal via user input",
		Severity:    "HIGH",
		CWE:         "CWE-22",
	}

	SSRFRule = taint.RuleInfo{
		ID:          "G704",
		Description: "SSRF via user-controlled URL",
		Severity:    "HIGH",
		CWE:         "CWE-918",
	}

	XSSRule = taint.RuleInfo{
		ID:          "G705",
		Description: "XSS via unescaped user input",
		Severity:    "MEDIUM",
		CWE:         "CWE-79",
	}

	LogInjectionRule = taint.RuleInfo{
		ID:          "G706",
		Description: "Log injection via user input",
		Severity:    "LOW",
		CWE:         "CWE-117",
	}

	SMTPInjectionRule = taint.RuleInfo{
		ID:          "G707",
		Description: "SMTP command/header injection via user input",
		Severity:    "HIGH",
		CWE:         "CWE-93",
	}
)

Taint analysis rule definitions

View Source 
var (
	ErrNoSSAResult    = ssautil.ErrNoSSAResult
	ErrInvalidSSAType = ssautil.ErrInvalidSSAType
)

Error aliases for backward compatibility

Functions

func BuildCallerMap added in v2.23.0 

func BuildCallerMap(funcs []*ssa.Function, callerMap map[string][]*ssa.Call)

BuildCallerMap builds a map of function names to their call sites BuildCallerMap fills the provided map with all calls found in the given functions.

func BuildDefaultAnalyzers 

func BuildDefaultAnalyzers() []*analysis.Analyzer

BuildDefaultAnalyzers returns the default list of analyzers

func CommandInjection added in v2.23.0 

func CommandInjection() taint.Config

CommandInjection returns a configuration for detecting command injection vulnerabilities.

func ComputeSliceNewCap added in v2.23.0 

func ComputeSliceNewCap(l, h, maxIdx, oldCap int) int

ComputeSliceNewCap determines the new capacity of a slice based on the slicing operation. l, h, maxIdx are the extracted low, high, and max indices. oldCap is the capacity of the original slice. It handles both 2-index ([:]) and 3-index ([: :]) slice expressions.

func DefaultTaintAnalyzers added in v2.23.0 

func DefaultTaintAnalyzers() []*analysis.Analyzer

DefaultTaintAnalyzers returns all predefined taint analysis analyzers.

func ExplicitValsInRange added in v2.23.0 

func ExplicitValsInRange(pos []uint, neg []int, dstInt IntTypeInfo) bool

ExplicitValsInRange checks if any of the explicit positive or negative values are within the range of the destination type.

func GetBufferLen added in v2.23.0 

func GetBufferLen(val ssa.Value) int64

GetBufferLen attempts to find the constant length of a buffer/slice/array

func GetConstantInt64 added in v2.23.0 

func GetConstantInt64(v ssa.Value) (int64, bool)

GetConstantInt64 extracts a constant int64 value from an ssa.Value

func GetConstantUint64 added in v2.23.0 

func GetConstantUint64(v ssa.Value) (uint64, bool)

GetConstantUint64 extracts a constant uint64 value from an ssa.Value

func GetDominators added in v2.23.0 

func GetDominators(block *ssa.BasicBlock) []*ssa.BasicBlock

GetDominators returns a list of dominator blocks for the given block, in order from root to the block.

func GetSliceBounds added in v2.23.0 

func GetSliceBounds(s *ssa.Slice) (int, int, int)

GetSliceBounds extracts low, high, and max indices from a slice instruction

func GetSliceRange added in v2.23.0 

func GetSliceRange(s *ssa.Slice) (int64, int64)

GetSliceRange extracts low and high indices as int64. High is returned as -1 if it's missing (extends to the end).

func IsConstantInTypeRange added in v2.23.0 

func IsConstantInTypeRange(constVal *ssa.Const, dstInt IntTypeInfo) bool

isConstantInRange checks if a constant value fits within the range of the destination type.

func IsFullSlice added in v2.23.0 

func IsFullSlice(sl *ssa.Slice, bufferLen int64) bool

IsFullSlice checks if the slice operation covers the entire buffer.

func IsRangeCheck added in v2.23.0 

func IsRangeCheck(v ssa.Value, x ssa.Value) bool

IsRangeCheck determines if an instruction is part of a range check for a value.

func IsSubSlice added in v2.23.0 

func IsSubSlice(sub, super *ssa.Slice) bool

IsSubSlice checks if the 'sub' slice is contained within the 'super' slice.

func LogInjection added in v2.23.0 

func LogInjection() taint.Config

LogInjection returns a configuration for detecting log injection vulnerabilities.

func PathTraversal added in v2.23.0 

func PathTraversal() taint.Config

PathTraversal returns a configuration for detecting path traversal vulnerabilities.

func SMTPInjection added in v2.24.0 

func SMTPInjection() taint.Config

SMTPInjection returns a configuration for detecting SMTP command/header injection vulnerabilities.

func SQLInjection added in v2.23.0 

func SQLInjection() taint.Config

SQLInjection returns a configuration for detecting SQL injection vulnerabilities.

func SSRF added in v2.23.0 

func SSRF() taint.Config

SSRF returns a configuration for detecting Server-Side Request Forgery vulnerabilities.

func TraverseSSA added in v2.23.0 

func TraverseSSA(funcs []*ssa.Function, visitor func(block *ssa.BasicBlock, instr ssa.Instruction))

TraverseSSA visits every instruction in the provided functions using the visitor callback.

func XSS added in v2.23.0 

func XSS() taint.Config

XSS returns a configuration for detecting Cross-Site Scripting vulnerabilities.

Types

type AnalyzerBuilder added in v2.21.0 

type AnalyzerBuilder func(id string, description string) *analysis.Analyzer

AnalyzerBuilder is used to register an analyzer definition with the analyzer

type AnalyzerDefinition added in v2.21.0 

type AnalyzerDefinition struct {
	ID          string
	Description string
	Create      AnalyzerBuilder
}

AnalyzerDefinition contains the description of an analyzer and a mechanism to create it.

type AnalyzerFilter added in v2.21.0 

type AnalyzerFilter func(string) bool

AnalyzerFilter can be used to include or exclude an analyzer depending on the return value of the function

func NewAnalyzerFilter added in v2.21.0 

func NewAnalyzerFilter(action bool, analyzerIDs ...string) AnalyzerFilter

NewAnalyzerFilter is a closure that will include/exclude the analyzer ID's based on the supplied boolean value (false means don't remove, true means exclude).

type AnalyzerList added in v2.21.0 

type AnalyzerList struct {
	Analyzers          map[string]AnalyzerDefinition
	AnalyzerSuppressed map[string]bool
}

AnalyzerList contains a mapping of analyzer ID's to analyzer definitions and a mapping of analyzer ID's to whether analyzers are suppressed.

func Generate added in v2.21.0 

func Generate(trackSuppressions bool, filters ...AnalyzerFilter) *AnalyzerList

Generate the list of analyzers to use

func (*AnalyzerList) AnalyzersInfo added in v2.21.0 

func (al *AnalyzerList) AnalyzersInfo() (map[string]AnalyzerDefinition, map[string]bool)

AnalyzersInfo returns all the create methods and the analyzer suppressed map for a given list

type AnalyzerSet added in v2.21.0 

type AnalyzerSet struct {
	Analyzers             []*analysis.Analyzer
	AnalyzerSuppressedMap map[string]bool
}

func NewAnalyzerSet added in v2.21.0 

func NewAnalyzerSet() *AnalyzerSet

NewAnalyzerSet constructs a new AnalyzerSet

func (*AnalyzerSet) IsSuppressed added in v2.21.0 

func (a *AnalyzerSet) IsSuppressed(ruleID string) bool

IsSuppressed will return whether the Analyzer is suppressed.

func (*AnalyzerSet) Register added in v2.21.0 

func (a *AnalyzerSet) Register(analyzer *analysis.Analyzer, isSuppressed bool)

Register adds a trigger for the supplied analyzer

type BaseAnalyzerState added in v2.23.0 

type BaseAnalyzerState struct {
	Pass         *analysis.Pass
	Analyzer     *RangeAnalyzer
	Visited      map[ssa.Value]bool
	FuncMap      map[*ssa.Function]bool // General purpose function set
	BlockMap     map[*ssa.BasicBlock]bool
	ClosureCache map[ssa.Value]bool
	Depth        int
}

BaseAnalyzerState provides a shared state for Gosec analyzers, encapsulating common fields and reusable objects to reduce allocations.

func NewBaseState added in v2.23.0 

func NewBaseState(pass *analysis.Pass) *BaseAnalyzerState

NewBaseState creates a new BaseAnalyzerState with pooled maps.

func (*BaseAnalyzerState) Release added in v2.23.0 

func (s *BaseAnalyzerState) Release()

Release returns the pooled maps and analyzer to their pools.

func (*BaseAnalyzerState) Reset added in v2.23.0 

func (s *BaseAnalyzerState) Reset()

Reset clears the caches and maps for reuse within an analyzer run.

func (*BaseAnalyzerState) ResolveFuncs added in v2.23.0 

func (s *BaseAnalyzerState) ResolveFuncs(val ssa.Value, funcs *[]*ssa.Function)

ResolveFuncs resolves a value to a list of possible functions (e.g., closures, phi nodes). It reuses the state's ClosureCache to avoid cycles and redundant work.

type ByteRange added in v2.23.0 

type ByteRange struct {
	Low  int64
	High int64
}

ByteRange represents a range [Low, High)

type IntTypeInfo added in v2.23.0 

type IntTypeInfo struct {
	Signed bool
	Size   int
	Min    int64
	Max    uint64
}

IntTypeInfo represents integer type properties

func GetIntTypeInfo added in v2.23.0 

func GetIntTypeInfo(t types.Type) (IntTypeInfo, error)

GetIntTypeInfo extracts properties of an integer type.

type RangeAction added in v2.23.0 

type RangeAction struct {
	Instr  ssa.Instruction
	Range  ByteRange
	IsSafe bool // true = Read (Dynamic), false = Write/Alloc (Hardcoded)
}

RangeAction represents a read/write action on a byte range.

type RangeAnalyzer added in v2.23.0 

type RangeAnalyzer struct {
	RangeCache     map[rangeCacheKey]*rangeResult
	ResultPool     []*rangeResult
	Depth          int
	BlockMap       map[*ssa.BasicBlock]bool
	ValueMap       map[ssa.Value]bool
	ByteRangeCache map[ssa.Value]ByteRange
	BufferLenCache map[ssa.Value]int64
	// contains filtered or unexported fields
}

func NewRangeAnalyzer added in v2.23.0 

func NewRangeAnalyzer() *RangeAnalyzer

NewRangeAnalyzer acquires a RangeAnalyzer from the pool.

func (*RangeAnalyzer) BufferedLen added in v2.23.0 

func (ra *RangeAnalyzer) BufferedLen(val ssa.Value) int64

BufferedLen attempts to find the constant length of a buffer/slice/array, using cache if available.

func (*RangeAnalyzer) ComputeRange added in v2.23.0 

func (ra *RangeAnalyzer) ComputeRange(v ssa.Value, block *ssa.BasicBlock) *rangeResult

func (*RangeAnalyzer) IsNonNegative added in v2.23.0 

func (ra *RangeAnalyzer) IsNonNegative(v ssa.Value) bool

func (*RangeAnalyzer) IsReachable added in v2.23.0 

func (ra *RangeAnalyzer) IsReachable(start, target *ssa.BasicBlock, exclude ...*ssa.BasicBlock) bool

IsReachable returns true if there is a path from the start block to the target block in the CFG. It uses iterative stack-based traversal and the RangeAnalyzer's BlockMap to avoid allocations. An optional exclude block can be provided to prevent traversal through it (used to avoid loop back edges).

func (*RangeAnalyzer) Precedes added in v2.23.0 

func (ra *RangeAnalyzer) Precedes(a, b ssa.Instruction) bool

Precedes returns true if instruction a is executed before instruction b. It assumes both instructions belong to the same function.

func (*RangeAnalyzer) Release added in v2.23.0 

func (ra *RangeAnalyzer) Release()

Release returns the RangeAnalyzer to the pool after clearing its caches.

func (*RangeAnalyzer) ResetCache added in v2.23.0 

func (ra *RangeAnalyzer) ResetCache()

func (*RangeAnalyzer) ResolveByteRange added in v2.23.0 

func (ra *RangeAnalyzer) ResolveByteRange(val ssa.Value) (ByteRange, bool)

ResolveByteRange determines the absolute byte range of 'val' relative to its underlying root allocation by recursively resolving slice offsets and indices.

func (*RangeAnalyzer) ResolveRange added in v2.23.0 

func (ra *RangeAnalyzer) ResolveRange(v ssa.Value, block *ssa.BasicBlock) *rangeResult

ResolveRange combines definition-based range analysis (computeRange) with dominator-based constraints (If blocks) to determine the full range of a value.

type SSAAnalyzerResult 

type SSAAnalyzerResult = ssautil.SSAAnalyzerResult

SSAAnalyzerResult is a type alias for the shared SSA result type

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.