OS: macOS Big Sur (11.5.1) GoKart Version: 0.1.0 Config: default Target: github.com/spiffe/spire

Decided to give this a whirl against github.com/spiffe/spire but unfortunately hit a panic.

$ go install github.com/praetorian-inc/gokart@latest
go: downloading github.com/praetorian-inc/gokart v0.1.0
go: downloading github.com/lithammer/dedent v1.1.0
go: downloading github.com/owenrumney/go-sarif v1.0.11
go: downloading github.com/segmentio/fasthash v1.0.3
go: downloading golang.org/x/tools v0.1.2
go: downloading github.com/zclconf/go-cty v1.8.4
$ git clone https://github.com/spiffe/spire
$ cd spire
$ gokart scan .
Using default analyzers config found at "~/.gokart/analyzers.yml".
No existing analyzers.yml file found - writing default to ~/.gokart/analyzers.yml

Revving engines VRMMM VRMMM
3...2...1...Go!
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/praetorian-inc/gokart/util.OutputFinding(0xc001acaf60, 0x2f, 0xc005a53e80, 0x7a, 0xc00205b680, 0x4a, 0x48, 0xc001acaf90, 0x28, 0x0, ...)
	/redacted/go/pkg/mod/github.com/praetorian-inc/[email protected]/util/finding.go:54 +0x116f
github.com/praetorian-inc/gokart/analyzers.Scan(0xc000074330, 0x1, 0x1)
	/redacted/go/pkg/mod/github.com/praetorian-inc/[email protected]/analyzers/scan.go:128 +0x5bd
github.com/praetorian-inc/gokart/cmd.glob..func1(0x16dcd00, 0xc000074330, 0x1, 0x1)
	/redacted/go/pkg/mod/github.com/praetorian-inc/[email protected]/cmd/scan.go:53 +0x1ca
github.com/spf13/cobra.(*Command).execute(0x16dcd00, 0xc000074300, 0x1, 0x1, 0x16dcd00, 0xc000074300)
	/redacted/go/pkg/mod/github.com/spf13/[email protected]/command.go:860 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0x16dca80, 0xc000000180, 0xc00016df78, 0x1006a25)
	/redacted/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
	/redacted/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
github.com/praetorian-inc/gokart/cmd.Execute(...)
	/redacted/go/pkg/mod/github.com/praetorian-inc/[email protected]/cmd/root.go:61
main.main()
	/redacted/go/pkg/mod/github.com/praetorian-inc/[email protected]/main.go:38 +0x32

Changed the way the config is loaded to use defined structs instead of nested maps of interface{}. Now, the config is loaded into a struct during initialization and the values are referenced by the struct fields as appropriate. This refrains from reading and parsing the config file twice (once when loading the default sources and again when loading any analyzers.

Additionally, this change adds a length check to fix the panic shown in https://github.com/praetorian-inc/gokart/issues/2

By passing the boolean argument --exitCode/-x to the scan cmd, a non-nil exit code will be returned on potential vulnerabilities findings.

• Fix taken from @jessesomerville's PR at https://github.com/praetorian-inc/gokart/pull/5/

Added -r or --remoteModule flag to support cloning a gomodule from a remote source and scanning.

Made change from panic() to log.Fatal() to address https://github.com/praetorian-inc/gokart/issues/10

Removed several of the os.* sources that were producing FPs such as https://github.com/praetorian-inc/gokart/issues/12

os.OpenFile os.Readdirnames os.Readdir os.FileMode os.FileInfo

will not ever contain user-controllable data and thus can be safely removed.

• Adding the -o/--output flag for specifying a file path to write findings output to.
• Small refactoring to consolidate all findings output generation/processing into a single function in scan.go
• There is no default output file, it must be specified if this flag is used.
• ONLY redirects finding output - any stdout output that is not finding associated will not be written.

do you think it makes sense to post a gokart docker image in github packages? I really like the idea of ​​this type of tool that I can use docker run praetorian-inc/gokart scan ...

I even have something very similar here https://github.com/renanpalmeira/docker-protobufs/pkgs/container/protobuf

on a daily basis I end up using it like this:

docker run --rm \
    --name my-protos \
    -u $(id -u):$(id -u) \
    -v `pwd`:/code \
    ghcr.io/renanpalmeira/protobuf:latest \
        --proto_path=/code/protos \
        --go_out=plugins=grpc,paths=source_relative:/code/protos/gen \
        /code/protos/*.proto

hey hey do you have any plans to create a gokart action for us to use in github actions?

I'm testing the gokart, I'm finding it really cool and I'd like to add it to github actions for an action very similar to gosec because of this the my question

thanks 😊

Especially for the SARIF format.

Added a new flag -r or --remoteModule which allows you to specify a remote module for analysis.

gokart scan -r github.com/praetorian-inc/gokart

Also added a new file gokart/cmd/scan_test.go which implements some very basic tests for the scan functionality. This should serve as a solid foundation as we add more features and modify the ability/way we specify modules to scan.

Hi!

To ease the use of this tool in automated systems such as CI/CD, and enable an optional failure mode on possible vulnerability findings, I suggest to implement a new boolean argument such as in #9 .

With a non-nil exit code the CI/CD can stop pipelines and jobs easily when a potential vulnerability is found.

bulid gokart for sonarqube plugin

I noticed that gokart supports checking for command injection. Another related thing is when injecting command-line parameters allows you to inject parameters that get interpreted as options. Some options change the behaviour of commands in suboptimal ways, but some options to some commands can result in arbitrary code execution. The canonical paper about this type of attack is Back To The Future: Unix Wildcards Gone Wild by Leon Juranic of DefenseCode. It would be great if gokart could support detecting option injection.

Version 0.1.0.

package foo

import (
	"io/ioutil"
	"log"
	"os"
	"path/filepath"
)

func output(name string) error {
	f, err := os.Open(name)
	if err != nil {
		return err
	}
	f.Write([]byte("foo"))
	defer f.Close()

	g, err := os.OpenFile("foo", os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return err
	}
	g.Write([]byte("foo"))
	return g.Close()
}

func Foo() (err error) {
	tmpdir, err := ioutil.TempDir("", "foo")
	if err != nil {
		return err
	}
	defer func() {
		if rerr := os.RemoveAll(tmpdir); rerr != nil {
			log.Println(err)
			err = rerr
			return
		}
	}()

	filename := filepath.Join(tmpdir, "foo.tmp")

	return output(filename)
}

gives output

$ gokart scan
Using default analyzers config found at "~/.gokart/analyzers.yml".

Revving engines VRMMM VRMMM
3...2...1...Go!

(Path Traversal) Danger: possible path traversal injection detected

/home/stevie/gokart/foo.go:11
Vulnerable Function: [ output(...) error ]
      10:	func output(name string) error {
    > 11:		f, err := os.Open(name)
      12:		if err != nil {

/home/stevie/gokart/foo.go:18
Source of Untrusted Input: [ output(...) error ]
      17:	
    > 18:		g, err := os.OpenFile("foo", os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
      19:		if err != nil {
------------------------------------------------------------------------------

Race Complete! Analysis took 146.430242ms and 63 Go files were scanned (including imported packages)
GoKart found 1 potentially vulnerable functions

Clearly, the line flagged as untrusted input is unrelated to name. If I remove the defer statement from Foo, no path traversal issue is detected.

Would it be possible to compare gokart with CodeQL, at least on some ballpark figure? For instance, can gokart detect problems with int conversions between different sizes, et cetera? For instance, CodeQL is very helpful at catching such things.

And finally, the obvious question: does gokart detect race conditions?

If go is not installed scan panics. Not a usual scenario.

alexandre@localhost:~> gokart scan
Using default analyzers config found at "~/.gokart/analyzers.yml".
No existing analyzers.yml file found - writing default to ~/.gokart/analyzers.yml

Revving engines VRMMM VRMMM
3...2...1...Go!
panic: err: go command required, not found: exec: "go": executable file not found in $PATH: stderr: 

goroutine 1 [running]:
github.com/praetorian-inc/gokart/analyzers.Scan(0xc000035f80, 0x1, 0x1)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/analyzers/scan.go:97 +0x135f
github.com/praetorian-inc/gokart/cmd.glob..func1(0x55a77c40cc20, 0xc000035f80, 0x1, 0x1)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/cmd/scan.go:53 +0x1ca
github.com/spf13/cobra.(*Command).execute(0x55a77c40cc20, 0x55a77c43fa00, 0x0, 0x0, 0x55a77c40cc20, 0x55a77c43fa00)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/vendor/github.com/spf13/cobra/command.go:860 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0x55a77c40c9a0, 0xc000000180, 0xc00013bf78, 0x55a77bb9efc5)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/vendor/github.com/spf13/cobra/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/vendor/github.com/spf13/cobra/command.go:902
github.com/praetorian-inc/gokart/cmd.Execute(...)
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/cmd/root.go:61
main.main()
	/home/abuild/rpmbuild/BUILD/gokart-0.1.0/main.go:38 +0x34

Perhaps log.Fatal would make more sense in here as the analysis failed for some reason, I don't think anyone is going to recover from here.