A static analysis tool intended to check for potential security issues. New tests will be added soon. Special thanks to NCC Group Plc.
This is a static analysis tool written in Go for Go code. It will find security and some correctness issues that may have a security implication. The tool will attempt to complete as many tests as possible even if incomplete or unresolved source is scanned.
To compile the tool, be sure to have the Go compiler first. You will need to install dependencies for the time being. Consider downloading a binary release instead.
- Use
Go buildfor a local binary - Use
Go installto compile and install in Go Path
For now, all tests are run.
Glasgo directory1, directory2
or
Glasgo file1.go, file2.go
or, when source files are outside of the Go path or the tool can't find them:
Glasgo -source directory1
verbose flag prints all warnings and error messages
Glasgo -verbose directory1
Test files, those with suffix _test.go, are not checked by default by GlasGo. To include them use the test flag.
Glasgo -test directory1
Note: The tool does not run on both directories and individual files
tbd
error- errors ignoredcloser- no file.Close() method called in function with file.Open()insecureCrypto- insecure cryptographic primitivesinsecureRand- insecurely generated random numbersintToStr- integer to string conversion without calling strconvreadAll- ioutil.ReadAll calledtextTemp- checks if HTTP methods and template/text are in usehardcoded- looks for hardcoded credentialsbind- checks if listener bound to all interfacesTLSConfig- checks for insecure TLS configurationexec- checks for use of os/exec packageunsafe- checks for use of unsafe packagesql- checks for non constant strings used in database query methods.
see the wiki
Initial wave of tests have been uploaded and checked on test data
More tests to come
- add tests
- document tests
- document design choices