Merge pull request #32 from codacy/bump-gosec-2.22.7

DMarinhoCodacy · web-flow · commit ee4f15e7d9bc · 2025-07-30T09:27:30.000+01:00
TCE-1226 Bump Gosec 2.22.7
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,7 +1,7 @@
 version: 2.1
 
 orbs:
-  codacy: codacy/base@10.2.2
+  codacy: codacy/base@12.2.0
 
 workflows:
   version: 2
@@ -12,12 +12,16 @@ workflows:
       - codacy/sbt:
           name: populate_cache
           persist_to_workspace: true
-          cmd: sbt "set scalafmtUseIvy in ThisBuild := false;update"
+          cmd: |
+            sbt "clean;
+                 scalafmtCheckAll;
+                 Test / scalafmtCheck;
+                 scalafmtCheck;"
           requires:
             - codacy/checkout_and_version
       - codacy/sbt:
           name: check_fmt
-          cmd: sbt "scalafmt::test;test:scalafmt::test;sbt:scalafmt::test"
+          cmd: sbt test:scalafmt scalafmt scalafmtSbt
           requires:
             - populate_cache
       - codacy/sbt:
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,9 @@ target/
 .DS_Store
 *.iml
 .codacy-coverage
+
+
+#Ignore vscode AI rules
+.github/copilot-instructions.md
+
+.vscode
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
-FROM golang:1.18.10-alpine3.17 as builder
+FROM golang:1.23-alpine3.22 as builder
 
 COPY doc-generation /doc-generation
 
 WORKDIR /doc-generation
 RUN mkdir -p /docs/description
 RUN go run main.go -docFolder=../docs
 
-FROM alpine:3.17.3
+FROM alpine:3.22
 
 COPY --from=builder /docs /docs
 COPY docs/tool-description.md /docs/
diff --git a/build.sbt b/build.sbt
@@ -1,6 +1,6 @@
-val scalaVersionNumber = "2.13.1"
+val scalaVersionNumber = "2.13.16"
 val circeVersion = "0.12.3"
-val graalVersion = "21.2.0"
+val graalVersion = "22.3.3"
 
 lazy val root = (project in file("."))
   .enablePlugins(JavaAppPackaging)
@@ -12,11 +12,11 @@ lazy val root = (project in file("."))
     scalaVersion := scalaVersionNumber,
     test in assembly := {},
     libraryDependencies ++= Seq(
-      "com.codacy" %% "codacy-analysis-cli-model" % "2.2.0",
+      "com.codacy" %% "codacy-analysis-cli-model" % "5.2.1",
       "io.circe" %% "circe-core" % circeVersion,
       "io.circe" %% "circe-parser" % circeVersion,
-      "com.github.scopt" %% "scopt" % "3.7.1",
-      "org.scalatest" %% "scalatest" % "3.1.0" % Test
+      "com.github.scopt" %% "scopt" % "4.1.0",
+      "org.scalatest" %% "scalatest" % "3.2.19" % Test
     ),
     graalVMNativeImageGraalVersion := Some(graalVersion),
     graalVMNativeImageOptions ++= Seq(
diff --git a/doc-generation/go.mod b/doc-generation/go.mod
@@ -1,16 +1,22 @@
 module github.com/codacy/gosec-doc-generator
 
-go 1.18
+go 1.23.0
+
+toolchain go1.24.5
 
 require (
-	github.com/codacy/codacy-engine-golang-seed v1.0.1-0.20230412094526-1a71ba69afe3
-	github.com/securego/gosec/v2 v2.15.0
-	golang.org/x/mod v0.10.0
+	github.com/codacy/codacy-engine-golang-seed/v6 v6.4.0
+	github.com/securego/gosec/v2 v2.22.7
+	golang.org/x/mod v0.26.0
 )
 
 require (
-	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/tools v0.5.0 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 )
diff --git a/doc-generation/go.sum b/doc-generation/go.sum
diff --git a/doc-generation/main.go b/doc-generation/main.go
@@ -11,7 +11,7 @@ import (
 	"sort"
 	"strings"
 
-	codacy "github.com/codacy/codacy-engine-golang-seed"
+	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"golang.org/x/mod/modfile"
 
 	"github.com/securego/gosec/v2/rules"
@@ -57,7 +57,7 @@ func gosecVersion() (string, error) {
 	goModFilename := "go.mod"
 	gosecDependency := "github.com/securego/gosec/v2"
 
-	goMod, err := ioutil.ReadFile(goModFilename)
+	goMod, err := os.ReadFile(goModFilename)
 	if err != nil {
 		return "", err
 	}
@@ -90,9 +90,10 @@ func toCodacyPatterns(rules []rules.RuleDefinition) []codacy.Pattern {
 
 	for _, value := range rules {
 		codacyPatterns = append(codacyPatterns, codacy.Pattern{
-			PatternID: value.ID,
-			Category:  "Security",
-			Level:     "Error",
+			ID:       value.ID,
+			Category: "Security",
+			Level:    "Error",
+			ScanType: "SAST",
 		})
 	}
 	return codacyPatterns
@@ -122,7 +123,7 @@ func createPatternsJSONFile(patterns []codacy.Pattern, toolVersion string) error
 	tool := codacy.ToolDefinition{
 		Name:     toolName,
 		Version:  toolVersion,
-		Patterns: patterns,
+		Patterns: &patterns,
 	}
 
 	toolAsJSON, err := json.MarshalIndent(tool, "", "  ")
diff --git a/docs/description/G307.md b/docs/description/G307.md
@@ -1,2 +1,2 @@
 ## G307
-Unsafe defer call of a method returning an error
+Poor file permissions used when creating a file with os.Create
diff --git a/docs/description/G401.md b/docs/description/G401.md
@@ -1,2 +1,2 @@
 ## G401
-Detect the usage of DES, RC4, MD5 or SHA1
+Detect the usage of MD5 or SHA1
diff --git a/docs/description/G405.md b/docs/description/G405.md
@@ -0,0 +1,2 @@
+## G405
+Detect the usage of DES or RC4
diff --git a/docs/description/G406.md b/docs/description/G406.md
@@ -0,0 +1,2 @@
+## G406
+Detect the usage of deprecated MD4 or RIPEMD160
diff --git a/docs/description/G506.md b/docs/description/G506.md
@@ -0,0 +1,2 @@
+## G506
+Import blocklist: golang.org/x/crypto/md4
diff --git a/docs/description/G507.md b/docs/description/G507.md
@@ -0,0 +1,2 @@
+## G507
+Import blocklist: golang.org/x/crypto/ripemd160
diff --git a/docs/description/description.json b/docs/description/description.json
@@ -54,11 +54,6 @@
     "title": "G112",
     "description": "Detect ReadHeaderTimeout not configured as a potential risk"
   },
-  {
-    "patternId": "G113",
-    "title": "G113",
-    "description": "Usage of Rat.SetString in math/big with an overflow"
-  },
   {
     "patternId": "G114",
     "title": "G114",
@@ -117,12 +112,12 @@
   {
     "patternId": "G307",
     "title": "G307",
-    "description": "Unsafe defer call of a method returning an error"
+    "description": "Poor file permissions used when creating a file with os.Create"
   },
   {
     "patternId": "G401",
     "title": "G401",
-    "description": "Detect the usage of DES, RC4, MD5 or SHA1"
+    "description": "Detect the usage of MD5 or SHA1"
   },
   {
     "patternId": "G402",
@@ -139,6 +134,16 @@
     "title": "G404",
     "description": "Insecure random number source (rand)"
   },
+  {
+    "patternId": "G405",
+    "title": "G405",
+    "description": "Detect the usage of DES or RC4"
+  },
+  {
+    "patternId": "G406",
+    "title": "G406",
+    "description": "Detect the usage of deprecated MD4 or RIPEMD160"
+  },
   {
     "patternId": "G501",
     "title": "G501",
@@ -164,6 +169,16 @@
     "title": "G505",
     "description": "Import blocklist: crypto/sha1"
   },
+  {
+    "patternId": "G506",
+    "title": "G506",
+    "description": "Import blocklist: golang.org/x/crypto/md4"
+  },
+  {
+    "patternId": "G507",
+    "title": "G507",
+    "description": "Import blocklist: golang.org/x/crypto/ripemd160"
+  },
   {
     "patternId": "G601",
     "title": "G601",
@@ -224,11 +239,6 @@
     "title": "G112",
     "description": "Detect ReadHeaderTimeout not configured as a potential risk"
   },
-  {
-    "patternId": "G113",
-    "title": "G113",
-    "description": "Usage of Rat.SetString in math/big with an overflow"
-  },
   {
     "patternId": "G114",
     "title": "G114",
@@ -287,12 +297,12 @@
   {
     "patternId": "G307",
     "title": "G307",
-    "description": "Unsafe defer call of a method returning an error"
+    "description": "Poor file permissions used when creating a file with os.Create"
   },
   {
     "patternId": "G401",
     "title": "G401",
-    "description": "Detect the usage of DES, RC4, MD5 or SHA1"
+    "description": "Detect the usage of MD5 or SHA1"
   },
   {
     "patternId": "G402",
@@ -309,6 +319,16 @@
     "title": "G404",
     "description": "Insecure random number source (rand)"
   },
+  {
+    "patternId": "G405",
+    "title": "G405",
+    "description": "Detect the usage of DES or RC4"
+  },
+  {
+    "patternId": "G406",
+    "title": "G406",
+    "description": "Detect the usage of deprecated MD4 or RIPEMD160"
+  },
   {
     "patternId": "G501",
     "title": "G501",
@@ -334,6 +354,16 @@
     "title": "G505",
     "description": "Import blocklist: crypto/sha1"
   },
+  {
+    "patternId": "G506",
+    "title": "G506",
+    "description": "Import blocklist: golang.org/x/crypto/md4"
+  },
+  {
+    "patternId": "G507",
+    "title": "G507",
+    "description": "Import blocklist: golang.org/x/crypto/ripemd160"
+  },
   {
     "patternId": "G601",
     "title": "G601",
diff --git a/docs/patterns.json b/docs/patterns.json
diff --git a/project/build.properties b/project/build.properties
diff --git a/project/plugins.sbt b/project/plugins.sbt

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`## G307`
`2`		`-Unsafe defer call of a method returning an error`
	`2`	`+Poor file permissions used when creating a file with os.Create`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`## G401`
`2`		`-Detect the usage of DES, RC4, MD5 or SHA1`
	`2`	`+Detect the usage of MD5 or SHA1`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+## G405`
	`2`	`+Detect the usage of DES or RC4`