Merge branch 'master' into patternmatch-additional-options

Dockerfile

@@ -42,20 +42,25 @@ RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-
   && npm install -g npm@$NPM_VERSION                                                        \
   && npm install -g yarn@$YARN_VERSION
 
-### GO - required for sift
-ENV GOLANG_VERSION 1.8.3
+### GO - required for sift and gosec
+ENV GO111MODULE on
+ENV GOLANG_VERSION 1.12.4
 ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
-ENV GOLANG_DOWNLOAD_SHA256 1862f4c3d3907e59b04a757cfda0ea7aa9ef39274af99a784f5be843c80c6772
+ENV GOLANG_DOWNLOAD_SHA256 d7d1f1f88ddfe55840712dc1747f37a790cbcaa448f6c9cf51bbe10aa65442f5
+ENV SIFT_VERSION v0.9.0
+ENV GOSEC_VERSION 2.0.0
 
 RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
   && echo "$GOLANG_DOWNLOAD_SHA256  golang.tar.gz" | sha256sum -c - \
   && tar -C /usr/local -xzf golang.tar.gz \
-  && rm golang.tar.gz
+  && rm golang.tar.gz \
+  && mv /usr/local/go/bin/go /usr/bin/
 
-ENV GOPATH /go
-ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+RUN go get github.com/svent/sift@$SIFT_VERSION \
+  && mv /root/go/bin/sift /usr/bin/
 
-RUN mkdir -p "$GOPATH/src" "$GOPATH/bin"
+RUN go get github.com/securego/gosec/cmd/gosec@$GOSEC_VERSION \
+  && mv /root/go/bin/gosec /usr/bin/
 
 ### Salus
 
@@ -78,19 +83,6 @@ RUN yarn
 # prime the bundler-audit CVE DB
 RUN bundle exec bundle-audit update
 
-# More powerful grep alternative - https://sift-tool.org/
-# Used in PatternSearch scanner.
-RUN go get github.com/svent/sift
-
-# Install gosec, static code vulnerability checker
-RUN go get -d github.com/securego/gosec/cmd/gosec/...
-# The commit hashes to gosec tag 1.2.0
-RUN cd $GOPATH/src/github.com/securego/gosec/ && git checkout 2695567487c0f23a8f152b9740571d9a0f08f243 && cd /home
-RUN go get github.com/securego/gosec/cmd/gosec/...
-
-# Make repo directory to copy go project into when running gosec
-RUN mkdir -p $GOPATH/src/repo
-
 # copy salus code
 COPY bin /home/bin
 COPY lib /home/lib

Dockerfile.tests

@@ -9,10 +9,6 @@ FROM salus-local
 
 COPY spec /home/spec
 
-# Make $GOPATH directories and copy specs into it to run gosec against spec repos
-RUN mkdir -p $GOPATH/src/repo/spec
-COPY spec $GOPATH/src/repo/spec
-
 RUN bundle install --with test
 
 ENTRYPOINT ["bundle", "exec", "rspec", "--format", "documentation", "spec/"]

README.md

@@ -15,17 +15,27 @@
 Salus, named after the [Roman goddess of protection](https://en.wikipedia.org/wiki/Salus), is a tool for coordinating the execution of security scanners. You can run Salus on a repository via the Docker daemon and it will determine which scanners are relevant, run them and provide the output. Most scanners are other mature open source projects which we include directly in the container.
 
 ```sh
-# Always run Salus from the root of your repository.
+# Navigate to the root directory of the project you want to run Salus on
 cd /path/to/repo
 
-# One line command to run Salus locally with default configuration.
+# Run the following line while in the root directory (No edits necessary)
 docker run --rm -t -v $(pwd):/home/repo coinbase/salus
 ```
 
 Salus is particularly useful for CI/CD pipelines because it becomes a centralized place to coordinate scanning across a large fleet of repositories. Typically, scanners are configured at the repository level for each project. This means that when making org wide changes to how the scanners are run, each repository must be updated. Instead, you can update Salus and all builds will instantly inherit the change.
 
 Salus supports powerful configuration that allows for global defaults and local tweaks. Finally, Salus can report metrics on each repository, such as what packages are included or what concerns exist. These reports can be centrally evaluated in your infrastructure to allow for scalable security tracking.
 
+## Using Salus in your Repo
+
+For your given CI, update the config file to run salus. In circle, it will look like this: 
+
+```sh
+docker run --rm -t -v $(pwd):/home/repo coinbase/salus
+```
+
+coinbase/salus pulls the docker image
+
 ## Supported Scanners
 
 - [BundleAudit](docs/scanners/bundle_audit.md) - Execution of [bundle-audit](https://github.com/rubysec/bundler-audit), looks for CVEs in ruby gem dependencies.
@@ -40,8 +50,20 @@ Salus also parses dependency files and reports on what libraries and version are
 - Python
 - Go
 
+Sometimes it's necessary to whitelist certain CVEs that Salus detects. The [docs/scanners directory](docs/scanners) explains how to do so for each scanner that Salus supports.
+
 If you would like to build customer scanners or support more languages that are not currenclty supported, you can use [this method of building custom Salus images](docs/custom_salus.md).
 
+## Using Salus in your Repo
+
+For your given CI, update the config file to run salus. In circle, it will look like this: 
+
+```sh
+docker run --rm -t -v $(pwd):/home/repo coinbase/salus
+```
+
+coinbase/salus pulls the docker image
+
 ## [Detailed Documentation](docs)
 
 ## 👷‍♂️ Development

lib/salus/scanners/gosec.rb

@@ -1,4 +1,5 @@
 require 'salus/scanners/base'
+require 'json'
 # Gosec scanner check Go for insecure coding patters.
 # https://github.com/securego/gosec
 
@@ -7,26 +8,30 @@ class Gosec < Base
     def run
       # Shell Instructions:
       #   - -fmt=json for JSON output
-      #   - gosec only successfully scans repos within $GOPATH, we
-      #     recurssively copy project into a gopath
-      run_shell("cp -R /home/repo /go/src")
-      shell_return = if ENV['RUNNING_SALUS_TESTS'] == "true"
-                       # specify path as there are many go projects inside of /repo
-                       run_shell("gosec -fmt=json /go/src/repo/#{@repository.path_to_repo}")
-                     else
-                       run_shell("gosec -fmt=json /go/src/repo/...")
-                     end
+      #   - gosec can scan go modules as of 2.0.0.
+      shell_return = run_shell("gosec -fmt=json #{@repository.path_to_repo}")
+
+      shell_return_json = JSON.parse(shell_return.stdout)
+      lines_scanned = shell_return_json['Stats']['lines']  # number of lines scanned
+      golang_errors = shell_return_json['Golang errors']   # a hash of compile errors
+      found_issues = shell_return_json['Issues'] # a list of found issues
 
       # Gosec's Logging Behavior:
       #   - no vulns found - status 0, logs to STDERR and STDOUT
       #   - vulns found    - status 1, logs to STDERR and STDOUT
       #   - build error    - status 1, logs to STDERR only
-      return report_success if shell_return.success?
+      return report_success if shell_return.success? && lines_scanned.positive?
 
       report_failure
-      if shell_return.status == 1 && !shell_return.stdout.blank? && shell_return.stderr
+      if shell_return.status == 1 && (!golang_errors.empty? || !found_issues.empty?)
         report_stdout(shell_return.stdout)
         log(shell_return.stdout)
+      elsif lines_scanned.zero?
+        report_error(
+          "0 lines of code were scanned",
+          status: shell_return.status
+        )
+        report_stderr(shell_return.stderr)
       else
         report_error(
           "gosec exited with build error: #{shell_return.stderr}",

spec/fixtures/gosec/malformed_goapp/hello.go

@@ -0,0 +1,9 @@
+package main
+
+import (
+	"fmt"
+)
+
+func main() {
+	fmt.Pintl("this has a typo")
+}

spec/lib/salus/scanners/gosec_spec.rb

@@ -18,11 +18,11 @@
         expect(
           info[:stderr]
         ).to include(
-          'no buildable Go source files in /go/src/repo/spec/fixtures/blank_repository'
+          'blank_repository' # debug information
         )
         expect(
           errors[:message]
-        ).to include('gosec exited with build error')
+        ).to include('0 lines of code were scanned')
       end
     end
 
@@ -47,6 +47,20 @@
         expect(scanner.report.passed?).to eq(true)
       end
     end
+
+    context 'go project with malformed go' do
+      let(:repo) { Salus::Repo.new('spec/fixtures/gosec/malformed_goapp') }
+
+      it 'should report a failing scan' do
+        expect(scanner.report.passed?).to eq(false)
+
+        info = scanner.report.to_h.fetch(:info)
+        logs = scanner.report.to_h.fetch(:logs)
+
+        expect(info[:stdout]).to include('Golang errors', 'Pintl not declared by package fmt')
+        expect(logs).to include('Golang errors', 'Pintl not declared by package fmt')
+      end
+    end
   end
 
   describe '#should_run?' do