
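---
# Argot analysis configuration for amazon-ssm-agent.
# Layout: general options, the analysis targets (entry points), then the problems
# (dataflow and syntactic) that run against those targets by name.

# All the general options of Argot live here
options:
  project-root: "../../"  # This file is in Tools/src
  reports-dir: "logs/argot"
  # in case coverage data is used, only generate coverage for the amazon-ssm-agent
  coverage-filter: "amazon-ssm-agent"
  log-level: 3  # Log level: DEBUG
  report-paths: true  # print paths on stdout
  analysis-options:
    # File-wide defaults; a problem can override them with override-analysis-options
    # (see the slicing problem below). The unsafe- prefix presumably marks options that
    # trade soundness for fewer alarms, so review findings from them accordingly.
    unsafe-max-depth: 15
    max-alarms: 30
  pointer-config:
    # The following functions' effect on aliasing is ignored; they create too many false positives.
    # Otherwise they may cause most error values to be aliased.
    unsafe-no-effect-functions:
      - fmt.Errorf
      - log.Errorf

# Analysis entry points. Problems refer to these by name; the same unix/windows
# pair of a binary is listed separately so platform-specific files are covered.
targets:
  - name: "amazon-ssm-agent-unix"
    files: ["core/agent.go", "core/agent_unix.go", "core/agent_parser.go"]
  - name: "amazon-ssm-agent-windows"
    files: ["core/agent.go", "core/agent_windows.go", "core/agent_parser.go"]
    platform: "windows"
  - name: "agent-worker-unix"
    files: ["agent/agent.go", "agent/agent_unix.go", "agent/agent_parser.go"]
  - name: "agent-worker-windows"
    files: ["agent/agent.go", "agent/agent_windows.go", "agent/agent_parser.go"]
    platform: "windows"
  - name: "updater-unix"
    files: ["agent/update/updater/updater.go", "agent/update/updater/updater_unix.go"]
  - name: "ssm-cli"
    files: ["agent/cli-main/cli-main.go"]
  - name: "ssm-document-worker"
    files: ["agent/framework/processor/executer/outofproc/worker/main.go"]
  # Do not use, but keep here until the logger is fully removed.
  # Not referenced by any problem below.
  - name: "ssm-session-logger"
    files: ["agent/session/logging/main.go"]
  - name: "ssm-session-worker"
    files: ["agent/framework/processor/executer/outofproc/sessionworker/main.go"]
  - name: "ssm-setup-cli"
    files: ["agent/setupcli/setupcli.go"]

dataflow-problems:
  summarize-on-demand: true
  field-sensitive-funcs: [".*"]  # regex over functions; ".*" enables field sensitivity everywhere
  # Hand-written summaries for functions the analysis should not (or cannot) analyze itself.
  user-specs:
    - "Tools/src/specifications/agent-specs.json"
    - "Tools/src/specifications/sdk-specs.json"
    - "Tools/src/specifications/std-specs.json"

  # The taint tracking problems
  taint-tracking:
    - tag: "credential-logging"
      description: "Checking that credentials don't get logged."
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      severity: "HIGH"  # Credentials should never get logged.
      # unsafe- option: presumably drops label bounds for speed/fewer alarms; confirm its effect
      # on soundness before relying on a clean run.
      unsafe-skip-bound-labels: true
      sources:
        - package: ".*"  # any package
          method: "RemoteRetrieve"
        - package: "credentials"
          method: "Get"
      sinks:
        # Every Log*/Error*/Warn*/Debug*/Info*/Print* method called from agent code
        - context: "amazon-ssm-agent"
          method: "^(Log|Error|Warn|Debug|Info|Print).*"
        # Data sent over the session control channel
        - package: "github.com/aws/amazon-ssm-agent/agent/session/controlchannel"
          method: "SendMessage"
      sanitizers:
        # Signing using the credentials doesn't taint the signed data by definition!
        - package: ".*signer/v4"
          method: "Sign"
        - package: ".*signer/v4"
          method: "signWithBody"
        - package: ".*ec2roleprovider"
          method: "^GetInstanceRegion$"
      filters:
        - type: "^error"  # same rationale as in ssm-parameter-logging below
        - type: "^int"  # Allow logging integers derived from data (counts, lengths, ...)
        - package: "log"  # Don't track the log itself
          type: "T"

    - tag: "ssm-parameter-logging"
      description: "Checking that SSM parameters don't get logged."
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      unsafe-skip-bound-labels: true
      sources:
        - package: "github.com/aws/amazon-ssm-agent/agent/ssm/ssmparameterresolver"
          method: "getParametersFromSsmParameterStore"  # where the parameters are retrieved
      sinks:
        - context: "amazon-ssm-agent"
          method: "^(Log|Error|Warn|Debug|Info|Print).*"
      sanitizers:
        - package: "ssmparameterresolver"
          method: "(GetName|GetType)"  # Allow logging the type and name of the parameter
      filters:
        - type: "^error"  # Error shouldn't contain data from parameter since fmt.Errorf is a sink
        - type: "^int"  # Allow logging integers derived from data (counts, lengths, ...)
        - package: "log"  # Don't track the log itself
          type: "T"

  # Slicing problems are backwards data flow problems: the tool tracks data backwards from a backtrace point,
  # and the trace generated forms a "slice" of the program that explains how the data was generated.
  slicing:
    - tag: "must-compile-must-be-const"
      description: "Checking that regexp.MustCompile arguments are statically defined to avoid panics."
      override-analysis-options:
        unsafe-max-depth: 5  # if we need more than 5 calls to get to the const, it's a red flag!
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      must-be-static: true
      backtracepoints:
        - package: "regexp"
          method: "^MustCompile$"

syntactic-problems:
  cond-checks:
    - tag: "resource-check-availability"
      description: "Agent must check resource availability before performing changes"
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      call:
        - method: "DownloadUpdater$"
        - method: "DownloadManifest"
          # only check calls in this package
          # NOTE(review): context is attached to this call entry; confirm whether it should
          # also restrict the DownloadUpdater$ entry above.
          context: ".*plugins/updatessmagent.*"
      # disk space must be sufficient, and calling the function must not return an error
      preconditions:
        - precondition:
            - "IsDiskSpaceSufficientForUpdate(...)#0"
            - "!(IsDiskSpaceSufficientForUpdate(...)#1 != nil:error)"

  # Check that the tls config field MinVersion is always set to TLS 1.2
  struct-inits:
    - tag: "init-tls-v12"
      description: "Check that the tls.Config is initialized with TLS 1.2"
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      struct:
        type: "crypto/tls.Config"
      fields-set:
        - field: "MinVersion"
          value:
            package: "crypto/tls"
            const: "VersionTLS12"
      # filter dependency false-positives
      filters:
        - package: ".*github.com/aws/aws-sdk-go.*"
          method: ".*"
        - package: ".*github.com/go-git.*"
          method: ".*"
        - package: ".*github.com/gorilla.*"
          method: ".*"

    # Check that every net/http.Client sets CheckRedirect to network.DisableHTTPDowngrade
    - tag: "check-http-redirect"
      description: "Check that the net/http.Client is initialized with CheckRedirect set to DisableHTTPDowngrade"
      struct:
        type: "net/http.Client"
      targets:
        - amazon-ssm-agent-unix
        - amazon-ssm-agent-windows
        - agent-worker-unix
        - agent-worker-windows
        - updater-unix
        - ssm-cli
        - ssm-document-worker
        - ssm-session-worker
        - ssm-setup-cli
      fields-set:
        - field: "CheckRedirect"
          value:
            package: "github.com/aws/amazon-ssm-agent/agent/network"
            method: "DisableHTTPDowngrade"
      # filter dependency false-positives
      filters:
        - package: ".*github.com/google.*"
          method: ".*"
        - package: ".*github.com/go-git.*"
          method: ".*"
        # Based on the comment in this function, the below 2 functions are used for http calls too.
        # Hence, they are allowlisted.
        - package: ".*github.com/aws/amazon-ssm-agent/agent/fileutil/artifact"
          method: "httpDownload"
        - package: ".*github.com/aws/amazon-ssm-agent/agent/plugins/downloadcontent/httpresource"
          method: "NewHTTPResource"
        - package: "golang.org/x/oauth2"
          method: "NewClient"
      # oauth2.NewClient is filtered above but listed here so the client it produces must
      # still be re-initialized with the required field.
      must-reinit:
        - package: "golang.org/x/oauth2"
          method: "NewClient"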