add presentation and docs dir

.gitignore

@@ -0,0 +1,3 @@
+build/
+data/
+bin/

README.md

@@ -143,4 +143,28 @@ bash scripts/run.sh
 Добавить нового пользователя: 
 ```
 ./build/release/add_user -username test -password 1234
-```
+```
+
+# SAST анализ
+
+## Настройка окружения
+
+```bash
+bash scripts/config_sast.sh
+```
+
+## Запуск анализа
+
+Человекочитаемые результаты (txt формат файлов):
+
+```bash
+bash scripts/run_sast.sh
+```
+
+Вывод в формате sarif:
+
+```bash
+bash scripts run_sast_sarif.sh
+```
+
+Результаты анализа в sast_results (3 утилиты для SAST).

go.mod

@@ -1,9 +1,13 @@
 module linux-auth
 
-go 1.23.0
+go 1.24.0
+
+toolchain go1.24.4
 
 require (
 	github.com/mattn/go-sqlite3 v1.14.33
 	github.com/pelletier/go-toml/v2 v2.2.4
 	golang.org/x/term v0.38.0
 )
+
+require golang.org/x/sys v0.39.0 // indirect

go.sum

@@ -4,9 +4,5 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
 golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
 golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=

sast_results/bearer.txt

@@ -0,0 +1,70 @@
+
+
+Security Report
+
+=====================================
+
+Rules: 
+https://docs.bearer.com/reference/rules [v0.48.4]
+
+Language  Default Rules  Custom Rules  Files  
+Go        72             0             8      
+
+
+HIGH: Unsanitized user input in file path [CWE-73]
+https://docs.bearer.com/reference/rules/go_gosec_filesystem_filereadtaint
+To ignore this finding, run: bearer ignore add 690cb9207bb6cb72edd1002fae0a0fa3_0
+
+File: internal/config/config.go:41
+
+ 41 	data, err := os.ReadFile(path)
+
+LOW: Leakage of information in logger message [CWE-532]
+https://docs.bearer.com/reference/rules/go_lang_logger_leak
+To ignore this finding, run: bearer ignore add 219087ffdfad090e6436320f68eae990_0
+
+File: cmd/add_user/main.go:33
+
+ 33 		log.Fatalf("Ошибка инициализации БД: %v\n", err)
+
+LOW: Leakage of information in logger message [CWE-532]
+https://docs.bearer.com/reference/rules/go_lang_logger_leak
+To ignore this finding, run: bearer ignore add 219087ffdfad090e6436320f68eae990_1
+
+File: cmd/add_user/main.go:41
+
+ 41 		log.Fatalf("Не удалось создать пользователя %s: %v\n", *username, err)
+
+LOW: Leakage of information in logger message [CWE-532]
+https://docs.bearer.com/reference/rules/go_lang_logger_leak
+To ignore this finding, run: bearer ignore add 533ab12ca2b781f58bc69e81cb601ad6_0
+
+File: cmd/authapp/main.go:33
+
+ 33 		log.Fatalf("Ошибка загрузки конфигурации: %v\n", err)
+
+LOW: Leakage of information in logger message [CWE-532]
+https://docs.bearer.com/reference/rules/go_lang_logger_leak
+To ignore this finding, run: bearer ignore add 533ab12ca2b781f58bc69e81cb601ad6_1
+
+File: cmd/authapp/main.go:43
+
+ 43 		log.Fatalf("Ошибка инициализации БД: %v\n", err)
+
+LOW: Leakage of information in logger message [CWE-532]
+https://docs.bearer.com/reference/rules/go_lang_logger_leak
+To ignore this finding, run: bearer ignore add 448b1db1ab73e2474723c4d659611644_0
+
+File: cmd/init_users/main.go:18
+
+ 18 		log.Fatalf("Ошибка инициализации БД: %v\n", err)
+=====================================
+
+72 checks, 6 findings
+
+CRITICAL: 0
+HIGH: 1 (CWE-73)
+MEDIUM: 0
+LOW: 5 (CWE-532)
+WARNING: 0
+

sast_results/golangci-lint.sarif

@@ -0,0 +1 @@
+{"version":"2.1.0","$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.6.json","runs":[{"tool":{"driver":{"name":"golangci-lint"}},"results":[{"ruleId":"staticcheck","level":"error","message":{"text":"QF1003: could use tagged switch on resp"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"internal/ui/console.go","index":0},"region":{"startLine":62,"startColumn":3}}}]}]}]}

sast_results/golangci-lint.txt

@@ -0,0 +1,5 @@
+internal/ui/console.go:62:3: QF1003: could use tagged switch on resp (staticcheck)
+		if resp == "y" || resp == "yes" {
+		^
+1 issues:
+* staticcheck: 1

sast_results/gosec.sarif

@@ -0,0 +1,148 @@
+{
+	"runs": [
+		{
+			"results": [
+				{
+					"fixes": [
+						{
+							"artifactChanges": [
+								{
+									"artifactLocation": {
+										"description": {
+											"text": "File requiring changes"
+										}
+									},
+									"replacements": [
+										{
+											"deletedRegion": {
+												"endColumn": 1,
+												"endLine": 1,
+												"startColumn": 1,
+												"startLine": 1
+											}
+										}
+									]
+								}
+							],
+							"description": {
+								"markdown": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal.",
+								"text": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal."
+							}
+						}
+					],
+					"level": "error",
+					"locations": [
+						{
+							"physicalLocation": {
+								"artifactLocation": {
+									"uri": "internal/config/config.go"
+								},
+								"region": {
+									"endColumn": 15,
+									"endLine": 41,
+									"snippet": {
+										"text": "data, err := os.ReadFile(path)"
+									},
+									"sourceLanguage": "go",
+									"startColumn": 15,
+									"startLine": 41
+								}
+							}
+						}
+					],
+					"message": {
+						"text": "Potential file inclusion via variable"
+					},
+					"ruleId": "G304"
+				}
+			],
+			"taxonomies": [
+				{
+					"downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.4.xml.zip",
+					"guid": "f2856fc0-85b7-373f-83e7-6f8582243547",
+					"informationUri": "https://cwe.mitre.org/data/published/cwe_v4.4.pdf/",
+					"isComprehensive": true,
+					"language": "en",
+					"minimumRequiredLocalizedDataSemanticVersion": "4.4",
+					"name": "CWE",
+					"organization": "MITRE",
+					"releaseDateUtc": "2021-03-15",
+					"shortDescription": {
+						"text": "The MITRE Common Weakness Enumeration"
+					},
+					"taxa": [
+						{
+							"fullDescription": {
+								"text": "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."
+							},
+							"guid": "3e718404-88bc-3f17-883e-e85e74078a76",
+							"helpUri": "https://cwe.mitre.org/data/definitions/22.html",
+							"id": "22",
+							"shortDescription": {
+								"text": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+							}
+						}
+					],
+					"version": "4.4"
+				}
+			],
+			"tool": {
+				"driver": {
+					"guid": "8b518d5f-906d-39f9-894b-d327b1a421c5",
+					"informationUri": "https://github.com/securego/gosec/",
+					"name": "gosec",
+					"rules": [
+						{
+							"defaultConfiguration": {
+								"level": "error"
+							},
+							"fullDescription": {
+								"text": "Potential file inclusion via variable"
+							},
+							"help": {
+								"text": "Potential file inclusion via variable\nSeverity: MEDIUM\nConfidence: HIGH\n"
+							},
+							"id": "G304",
+							"name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+							"properties": {
+								"precision": "high",
+								"tags": [
+									"security",
+									"MEDIUM"
+								]
+							},
+							"relationships": [
+								{
+									"kinds": [
+										"superset"
+									],
+									"target": {
+										"guid": "3e718404-88bc-3f17-883e-e85e74078a76",
+										"id": "22",
+										"toolComponent": {
+											"guid": "f2856fc0-85b7-373f-83e7-6f8582243547",
+											"name": "CWE"
+										}
+									}
+								}
+							],
+							"shortDescription": {
+								"text": "Potential file inclusion via variable"
+							}
+						}
+					],
+					"semanticVersion": "2.24.7",
+					"supportedTaxonomies": [
+						{
+							"guid": "f2856fc0-85b7-373f-83e7-6f8582243547",
+							"name": "CWE"
+						}
+					],
+					"version": "2.24.7"
+				}
+			}
+		}
+	],
+	"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+	"version": "2.1.0"
+}

sast_results/gosec.txt

@@ -0,0 +1,17 @@
+Results:
+
+
+[/home/vovuas/linux-auth/internal/config/config.go:41] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
+    40: func Load(path string) (*Config, error) {
+  > 41: 	data, err := os.ReadFile(path)
+    42: 	if err != nil {
+
+Autofix: Consider using os.Root to scope file access under a fixed root (Go >=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal.
+
+Summary:
+  Gosec  : 2.24.7
+  Files  : 8
+  Lines  : 545
+  Nosec  : 0
+  Issues : 1
+

scripts/config.sh

@@ -9,7 +9,10 @@ sudo apt update
 echo "Установка Go, GCC и SQLite..."
 sudo apt install -y golang gcc sqlite3 libsqlite3-dev ca-certificates
 
+echo "Создание директории для хранения БД"
+mkdir -p data
+
 echo "Установка Go модулей..."
 go mod tidy
 
-echo "Среда готова."
+echo "Среда готова."

scripts/config_sast.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# --------------------------------------
+# Настройка SAST анализаторов
+# --------------------------------------
+
+echo "Установка curl"
+sudo apt update
+sudo apt install -y curl
+
+echo "Создание директории для результатов анализа"
+mkdir -p sast_results
+
+echo "Установка bearer"
+curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh
+
+echo "Установка golangci-lint"
+curl -sSfL https://golangci-lint.run/install.sh | sh -s v2.11.2
+
+echo "Установка gosec"
+mkdir -p bin
+cd bin
+curl -L -o gosec.tar.gz https://github.com/securego/gosec/releases/download/v2.24.7/gosec_2.24.7_linux_amd64.tar.gz
+mkdir -p gosec_download
+tar -xzf gosec.tar.gz -C gosec_download
+mv gosec_download/gosec .
+rm -f gosec.tar.gz
+rm -rf gosec_download
+chmod +x ./gosec
+
+echo "Бинарники анализаторов установлены в ./bin"

scripts/run_sast.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# --------------------------------------
+# Запуск SAST анализа
+# --------------------------------------
+
+echo "Запуск bearer"
+./bin/bearer scan --output sast_results/bearer.txt .
+
+echo "Запуск golangci-lint"
+./bin/golangci-lint run > sast_results/golangci-lint.txt
+
+echo "Запуск gosec"
+./bin/gosec -out sast_results/gosec.txt ./...
+
+echo "Анализ завершён, результаты в sast_results"

scripts/run_sast_sarif.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# --------------------------------------
+# Запуск SAST анализа
+# --------------------------------------
+
+echo "Запуск bearer"
+./bin/bearer scan --format sarif --output sast_results/bearer.sarif .
+
+echo "Запуск golangci-lint"
+./bin/golangci-lint run --output.sarif.path sast_results/golangci-lint.sarif
+
+echo "Запуск gosec"
+./bin/gosec -fmt sarif -out sast_results/gosec.sarif ./...
+
+echo "Анализ завершён, результаты в sast_results"