github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/cmd/bancheck/doc.go (about) 1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package main contains the CLI used for detecting risky APIs. 16 // See https://pkg.go.dev/github.com/google/go-safeweb/safehttp#hdr-Restricting_Risky_APIs 17 // for a high level overview. 18 // 19 // # Overview 20 // 21 // Bancheck is a program that allows you to define risky APIs and check for their usage. 22 // It can be used as part of the CI/CD pipeline to avoid common pitfalls and prevent 23 // potentially vulnerable code from being deployed. Under the hood it uses the go/analysis 24 // package https://pkg.go.dev/golang.org/x/tools/go/analysis which provides all the tools that 25 // are needed for static code analysis. The tool resolves fully qualified function 26 // and import names and checks them against a config file that defines risky APIs. 27 // 28 // # Usage 29 // 30 // Apart from the standard https://pkg.go.dev/golang.org/x/tools/go/analysis#Analyzer flags 31 // the command requires a config flag where a list of config files should be provided. 32 // You can find a sample usage below. 33 // 34 // # Config 35 // 36 // Config lets you specify which APIs should be banned, explain why they are risky to use 37 // and allow a list of packages for which the check should be skipped. 38 // The structure of a config can be found in go-safeweb/cmd/bancheck/config/config.go. 39 // 40 // Note: It is possible to have colliding config files e.g. one config file bans a usage of 41 // an API but another one exempts it. The tool applies checks from each config file separately 42 // i.e. one warning will still be returned. 43 // 44 // Example config: 45 // 46 // { 47 // "functions": [ 48 // { 49 // "name": "fmt.Printf", 50 // "msg": "Banned by team A" 51 // } 52 // ], 53 // "imports": [ 54 // { 55 // "name": "fmt", 56 // "msg": "Banned by team A", 57 // "exemptions": [ 58 // { 59 // "justification": "#yolo", 60 // "allowedPkg": "main" 61 // } 62 // ] 63 // } 64 // ] 65 // } 66 // 67 // # Example 68 // 69 // The example below shows a simple use case where "fmt" package and "fmt.Printf" function were banned 70 // by two separate teams. 71 // 72 // main.go 73 // 74 // package main 75 // 76 // import "fmt" 77 // 78 // func main() { 79 // fmt.Printf("Hello") 80 // } 81 // 82 // config.json 83 // 84 // { 85 // "functions": [ 86 // { 87 // "name": "fmt.Printf", 88 // "msg": "Banned by team A" 89 // } 90 // ], 91 // "imports": [ 92 // { 93 // "name": "fmt", 94 // "msg": "Banned by team B" 95 // } 96 // ], 97 // } 98 // 99 // CLI usage 100 // 101 // $ ./bancheck -configs config.json main.go 102 // /go-safeweb/cmd/bancheck/test/main.go:3:8: Banned API found "fmt". Additional info: Banned by team B 103 // /go-safeweb/cmd/bancheck/test/main.go:6:6: Banned API found "fmt.Printf". Additional info: Banned by team A 104 package main