cleanups

Author: joreiche

go.mod

@@ -9,16 +9,19 @@ require (
 	github.com/jung-kurt/gofpdf v1.16.2
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de
-	github.com/shopspring/decimal v1.3.1
+	github.com/shopspring/decimal v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/wcharczuk/go-chart v2.0.1+incompatible
 	github.com/xuri/excelize/v2 v2.8.1
-	golang.org/x/crypto v0.21.0
+	golang.org/x/crypto v0.22.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
+	github.com/bytedance/sonic/loader v0.1.1 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
+	github.com/cloudwego/base64x v0.1.3 // indirect
+	github.com/cloudwego/iasm v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -36,29 +39,29 @@ require (
 	github.com/richardlehane/mscfb v1.0.4 // indirect
 	github.com/richardlehane/msoleps v1.0.3 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 )
 
 require (
 	github.com/akedrou/textdiff v0.0.0-20230423230343-2ebdcebdccc1
 	github.com/blend/go-sdk v1.20220411.3 // indirect
-	github.com/bytedance/sonic v1.11.3 // indirect
+	github.com/bytedance/sonic v1.11.5 // indirect
 	github.com/chenzhuoyu/iasm v0.9.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-playground/validator/v10 v10.19.0 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.1 // indirect
 	github.com/phpdave11/gofpdi v1.0.13 // indirect
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/ugorji/go/codec v1.2.12 // indirect
-	github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53 // indirect
+	github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d // indirect
 	github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 // indirect
 	golang.org/x/arch v0.7.0 // indirect
 	golang.org/x/image v0.15.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/net v0.24.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 )

go.sum

@@ -7,6 +7,11 @@ github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1
 github.com/bytedance/sonic v1.10.0-rc/go.mod h1:ElCzW+ufi8qKqNW0FY314xriJhyJhuoJ3gFZdAHF7NM=
 github.com/bytedance/sonic v1.11.3 h1:jRN+yEjakWh8aK5FzrciUHG8OFXK+4/KrAX/ysEtHAA=
 github.com/bytedance/sonic v1.11.3/go.mod h1:iZcSUejdk5aukTND/Eu/ivjQuEL0Cu9/rf50Hi0u/g4=
+github.com/bytedance/sonic v1.11.5 h1:G00FYjjqll5iQ1PYXynbg/hyzqBqavH8Mo9/oTopd9k=
+github.com/bytedance/sonic v1.11.5/go.mod h1:X2PC2giUdj/Cv2lliWFLk6c/DUQok5rViJSemeB0wDw=
+github.com/bytedance/sonic/loader v0.1.0/go.mod h1:UmRT+IRTGKz/DAkzcEGzyVqQFJ7H9BqwBO3pm9H/+HY=
+github.com/bytedance/sonic/loader v0.1.1 h1:c+e5Pt1k/cy5wMveRDyk2X4B9hF4g7an8N3zCYjJFNM=
+github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/chenzhuoyu/base64x v0.0.0-20211019084208-fb5309c8db06/go.mod h1:DH46F32mSOjUmXrMHnKwZdA8wcEefY7UVqBKYGjpdQY=
 github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk=
 github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d h1:77cEq6EriyTZ0g/qfRdp61a3Uu/AWrgIq2s0ClJV1g0=
@@ -20,6 +25,10 @@ github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
+github.com/cloudwego/base64x v0.1.3 h1:b5J/l8xolB7dyDTTmhJP2oTs5LdrjyrUFuNxdfq5hAg=
+github.com/cloudwego/base64x v0.1.3/go.mod h1:1+1K5BUHIQzyapgpF7LwvOGAEDicKtt1umPV+aN8pi8=
+github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -74,6 +83,8 @@ github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9
 github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
 github.com/pelletier/go-toml/v2 v2.2.0 h1:QLgLl2yMN7N+ruc31VynXs1vhMZa7CeHHejIeBAsoHo=
 github.com/pelletier/go-toml/v2 v2.2.0/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.1 h1:9TA9+T8+8CUCO2+WYnDLCgrYi9+omqKXyjDtosvtEhg=
+github.com/pelletier/go-toml/v2 v2.2.1/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13 h1:o61duiW8M9sMlkVXWlvP92sZJtGKENvW3VExs6dZukQ=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
@@ -91,6 +102,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -116,6 +129,8 @@ github.com/wcharczuk/go-chart v2.0.1+incompatible h1:0pz39ZAycJFF7ju/1mepnk26RLV
 github.com/wcharczuk/go-chart v2.0.1+incompatible/go.mod h1:PF5tmL4EIx/7Wf+hEkpCqYi5He4u90sw+0+6FhrryuE=
 github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53 h1:Chd9DkqERQQuHpXjR/HSV1jLZA6uaoiwwH3vSuF3IW0=
 github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53/go.mod h1:ybY/Jr0T0GTCnYjKqmdwxyxn2BQf2RcQIIvex5QldPI=
+github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d h1:llb0neMWDQe87IzJLS4Ci7psK/lVsjIS2otl+1WyRyY=
+github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d/go.mod h1:ybY/Jr0T0GTCnYjKqmdwxyxn2BQf2RcQIIvex5QldPI=
 github.com/xuri/excelize/v2 v2.8.1 h1:pZLMEwK8ep+CLIUWpWmvW8IWE/yxqG0I1xcN6cVMGuQ=
 github.com/xuri/excelize/v2 v2.8.1/go.mod h1:oli1E4C3Pa5RXg1TBXn4ENCXDV5JUMlBluUhG7c+CEE=
 github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 h1:hPVCafDV85blFTabnqKgNhDCkJX25eik94Si9cTER4A=
@@ -125,16 +140,22 @@ golang.org/x/arch v0.7.0 h1:pskyeJh/3AmoQ8CPE95vxHLqp1G1GfGNXTmcl9NEKTc=
 golang.org/x/arch v0.7.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.15.0 h1:kOELfmgrmJlw4Cdb7g/QGuB3CvDrXbqEIww/pNtNBm8=
 golang.org/x/image v0.15.0/go.mod h1:HUYqC05R2ZcZ3ejNQsIHQDQiwWM4JBqmm6MKANTp4LE=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=

pkg/common/config.go

@@ -147,13 +147,13 @@ func (c *Config) Load(configFilename string) error {
 	values := make(map[string]any)
 	parseError := json.Unmarshal(data, &values)
 	if parseError != nil {
-		return fmt.Errorf("failed to parse config file %q: %v", configFilename, parseError)
+		return fmt.Errorf("failed to parse config file %q: %w", configFilename, parseError)
 	}
 
 	var config Config
 	unmarshalError := json.Unmarshal(data, &config)
 	if unmarshalError != nil {
-		return fmt.Errorf("failed to parse config file %q: %v", configFilename, unmarshalError)
+		return fmt.Errorf("failed to parse config file %q: %w", configFilename, unmarshalError)
 	}
 
 	c.Merge(config, values)
@@ -162,13 +162,13 @@ func (c *Config) Load(configFilename string) error {
 	c.TempFolder = c.CleanPath(c.TempFolder)
 	tempDirError := os.MkdirAll(c.TempFolder, 0700)
 	if tempDirError != nil {
-		errorList = append(errorList, fmt.Errorf("failed to create temp dir %q: %v", c.TempFolder, tempDirError))
+		errorList = append(errorList, fmt.Errorf("failed to create temp dir %q: %w", c.TempFolder, tempDirError))
 	}
 
 	c.OutputFolder = c.CleanPath(c.OutputFolder)
 	outDirError := os.MkdirAll(c.OutputFolder, 0700)
 	if outDirError != nil {
-		errorList = append(errorList, fmt.Errorf("failed to create output dir %q: %v", c.OutputFolder, outDirError))
+		errorList = append(errorList, fmt.Errorf("failed to create output dir %q: %w", c.OutputFolder, outDirError))
 	}
 
 	c.AppFolder = c.CleanPath(c.AppFolder)

pkg/script/risk-rule.go

@@ -1,7 +1,6 @@
 package script
 
 import (
-	"embed"
 	"fmt"
 	"github.com/threagile/threagile/pkg/input"
 	"github.com/threagile/threagile/pkg/security/types"
@@ -84,7 +83,7 @@ func (what *RiskRule) GenerateRisks(parsedModel *types.Model) ([]*types.Risk, er
 	return newRisks, nil
 }
 
-func (what *RiskRule) Load(fileSystem embed.FS, path string, entry fs.DirEntry) error {
+func (what *RiskRule) Load(fileSystem fs.FS, path string, entry fs.DirEntry) error {
 	if entry.IsDir() {
 		return nil
 	}
@@ -97,9 +96,10 @@ func (what *RiskRule) Load(fileSystem embed.FS, path string, entry fs.DirEntry)
 	return nil
 }
 
-func (what *RiskRule) loadRiskRule(fileSystem embed.FS, filename string) error {
+func (what *RiskRule) loadRiskRule(fileSystem fs.FS, filename string) error {
 	scriptFilename := filepath.Clean(filename)
-	ruleData, ruleReadError := fileSystem.ReadFile(scriptFilename)
+
+	ruleData, ruleReadError := fs.ReadFile(fileSystem, scriptFilename)
 	if ruleReadError != nil {
 		return fmt.Errorf("error reading risk category: %w\n", ruleReadError)
 	}

pkg/security/risks/scripts/accidental-secret-leak.yaml

@@ -29,7 +29,6 @@ risk_assessment:
   The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.
 false_positives:
   Usually no false positives.
-is_built_in: true
 
 script:
   risk:

pkg/security/types/risk-category.go

@@ -3,24 +3,22 @@ package types
 import "strings"
 
 type RiskCategory struct {
-	ID                         string         `json:"id,omitempty" yaml:"id,omitempty"`
-	Title                      string         `json:"title,omitempty" yaml:"title,omitempty"`
-	Description                string         `json:"description,omitempty" yaml:"description,omitempty"`
-	Impact                     string         `json:"impact,omitempty" yaml:"impact,omitempty"`
-	ASVS                       string         `json:"asvs,omitempty" yaml:"asvs,omitempty"`
-	CheatSheet                 string         `json:"cheat_sheet,omitempty" yaml:"cheat_sheet,omitempty"`
-	Action                     string         `json:"action,omitempty" yaml:"action,omitempty"`
-	Mitigation                 string         `json:"mitigation,omitempty" yaml:"mitigation,omitempty"`
-	Check                      string         `json:"check,omitempty" yaml:"check,omitempty"`
-	Function                   RiskFunction   `json:"function,omitempty" yaml:"function,omitempty"`
-	STRIDE                     STRIDE         `json:"stride,omitempty" yaml:"stride,omitempty"`
-	DetectionLogic             string         `json:"detection_logic,omitempty" yaml:"detection_logic,omitempty"`
-	RiskAssessment             string         `json:"risk_assessment,omitempty" yaml:"risk_assessment,omitempty"`
-	FalsePositives             string         `json:"false_positives,omitempty" yaml:"false_positives,omitempty"`
-	ModelFailurePossibleReason bool           `json:"model_failure_possible_reason,omitempty" yaml:"model_failure_possible_reason,omitempty"`
-	CWE                        int            `json:"cwe,omitempty" yaml:"cwe,omitempty"`
-	IsBuiltIn                  bool           `json:"is_built_in,omitempty" yaml:"is_built_in,omitempty"`
-	Script                     map[string]any `json:"script,omitempty" yaml:"script,omitempty"`
+	ID                         string       `json:"id,omitempty" yaml:"id,omitempty"`
+	Title                      string       `json:"title,omitempty" yaml:"title,omitempty"`
+	Description                string       `json:"description,omitempty" yaml:"description,omitempty"`
+	Impact                     string       `json:"impact,omitempty" yaml:"impact,omitempty"`
+	ASVS                       string       `json:"asvs,omitempty" yaml:"asvs,omitempty"`
+	CheatSheet                 string       `json:"cheat_sheet,omitempty" yaml:"cheat_sheet,omitempty"`
+	Action                     string       `json:"action,omitempty" yaml:"action,omitempty"`
+	Mitigation                 string       `json:"mitigation,omitempty" yaml:"mitigation,omitempty"`
+	Check                      string       `json:"check,omitempty" yaml:"check,omitempty"`
+	Function                   RiskFunction `json:"function,omitempty" yaml:"function,omitempty"`
+	STRIDE                     STRIDE       `json:"stride,omitempty" yaml:"stride,omitempty"`
+	DetectionLogic             string       `json:"detection_logic,omitempty" yaml:"detection_logic,omitempty"`
+	RiskAssessment             string       `json:"risk_assessment,omitempty" yaml:"risk_assessment,omitempty"`
+	FalsePositives             string       `json:"false_positives,omitempty" yaml:"false_positives,omitempty"`
+	ModelFailurePossibleReason bool         `json:"model_failure_possible_reason,omitempty" yaml:"model_failure_possible_reason,omitempty"`
+	CWE                        int          `json:"cwe,omitempty" yaml:"cwe,omitempty"`
 }
 
 type RiskCategories []*RiskCategory

test/risk-category.yaml

@@ -29,7 +29,6 @@ risk_assessment:
   The risk rating depends on the sensitivity of the technical asset itself and of the data assets processed.
 false_positives:
   Usually no false positives.
-is_built_in: true
 
 script:
   risk: