GoSec analyzer doesn't report multi-line locations
Summary
When running the gosec analyzers on our projects, if multiple lines are reported by the scanner, they seem to be completely ignored by the analyzer. In turn, we don't have the complete location in reported vulnerabilities, which can be an issue with large files (~1K LOC).
Steps to reproduce
- Clone the Gitaly project
- Run the analyzer in the project directory:

```shell
docker run \
  --interactive --tty --rm \
  --volume "$PWD":/tmp/app \
  --env CI_PROJECT_DIR=/tmp/app \
  registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2 /analyze run
```
- Check out the results:

```json
[...]
{
  "id": "da3435544605aae78a0ead51b59ffb4cdf91bb5ada6455aa8087a9149e5d38ee",
  "category": "sast",
  "name": "Improper Certificate Validation",
  "message": "TLS MinVersion too low.",
  "description": "The software does not validate, or incorrectly validates, a certificate.",
  "cve": "internal/testhelper/testserver.go:834-838:833: \t\t}\n834: \t\ttlsCfg = \u0026tls.Config{\n835: \t\t\tClientCAs: certPool,\n836: \t\t\tClientAuth: tls.RequireAndVerifyClientCert,\n837: \t\t\tCertificates: []tls.Certificate{serverCert},\n838: \t\t}\n839: \t}\n:CWE-295",
  "severity": "High",
  "confidence": "High",
  "scanner": {
    "id": "gosec",
    "name": "Gosec"
  },
  "location": {
    "file": "internal/testhelper/testserver.go"
  },
  "identifiers": [
    {
      "type": "gosec_rule_id",
      "name": "Gosec Rule ID G402",
      "value": "G402"
    },
    {
      "type": "CWE",
      "name": "CWE-295",
      "value": "295",
      "url": "https://cwe.mitre.org/data/definitions/295.html"
    }
  ]
},
[...]
```

The location is only:

```json
"location": {
  "file": "internal/testhelper/testserver.go"
},
```
Example Project
See above.
What is the current bug behavior?
Only a file name is reported.
What is the expected correct behavior?
Filename with line of code, or even better, a range of lines.
Possible fixes
The scanner is reporting the right data:

```json
{
  "severity": "HIGH",
  "confidence": "HIGH",
  "cwe": {
    "ID": "295",
    "URL": "https://cwe.mitre.org/data/definitions/295.html"
  },
  "rule_id": "G402",
  "details": "TLS MinVersion too low.",
  "file": "/tmp/app/internal/testhelper/testserver.go",
  "code": "833: \t\t}\n834: \t\ttlsCfg = \u0026tls.Config{\n835: \t\t\tClientCAs: certPool,\n836: \t\t\tClientAuth: tls.RequireAndVerifyClientCert,\n837: \t\t\tCertificates: []tls.Certificate{serverCert},\n838: \t\t}\n839: \t}\n",
  "line": "834-838", <=== HERE
  "column": "13"
},
```

We need to extract this data and fill `start_line` and `end_line` correctly in the report.
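As an added illustration (not the analyzer's own code), the following Go snippet parses gosec's `line` value, which is either a single line such as `834` or a range such as `834-838`, into a location carrying both ends of the range; the `Location` struct, its `start_line`/`end_line` field names and the `CI_PROJECT_DIR` prefix stripping are assumptions based on this issue, not the report schema as implemented.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Location mirrors the report's "location" object. StartLine and EndLine are
// the fields this issue asks to be populated; the JSON names are assumed.
type Location struct {
	File      string `json:"file"`
	StartLine int    `json:"start_line,omitempty"`
	EndLine   int    `json:"end_line,omitempty"`
}

// parseLineRange turns gosec's "line" value into a start/end pair.
// gosec emits either a single line ("834") or a range ("834-838").
func parseLineRange(s string) (start, end int, err error) {
	parts := strings.SplitN(strings.TrimSpace(s), "-", 2)
	start, err = strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("bad start line %q: %w", s, err)
	}
	end = start // single-line finding: the range collapses to one line
	if len(parts) == 2 {
		if end, err = strconv.Atoi(parts[1]); err != nil {
			return 0, 0, fmt.Errorf("bad end line %q: %w", s, err)
		}
	}
	if start <= 0 || end < start {
		return 0, 0, fmt.Errorf("invalid line range %q", s)
	}
	return start, end, nil
}

// locationFromFinding builds the report location from the raw gosec finding
// (only the "file" and "line" keys are used) and strips the project directory
// prefix so the path is relative, as in the report quoted above.
func locationFromFinding(finding map[string]string, projectDir string) (Location, error) {
	start, end, err := parseLineRange(finding["line"])
	if err != nil {
		return Location{}, err
	}
	file := strings.TrimPrefix(finding["file"], strings.TrimSuffix(projectDir, "/")+"/")
	return Location{File: file, StartLine: start, EndLine: end}, nil
}
```

A malformed or reversed range (for example `838-834`) is rejected rather than silently producing an empty location.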
/cc @twoodham @tmccaslin