A CLI tool (and HTML viewer) for analyzing Go projects using callgraph to detect the usage of cryptographic algorithms from golang.org/x/crypto.
go mod tidy
go build -o fips-analyzer
or, to populate bin/:
make all
Analyze all packages in a directory:
./fips-analyzer -source /path/to/source/code
Build the syntax tree from only files matching certain patterns (comma-separated):
./fips-analyzer -source /path/to/source/code -patterns main.go,foo.go
By default, all discovered init functions are loaded into the call graph. You can disable this with:
./fips-analyzer -source /path/to/source/code -init-all=false
To include call tree information in the output (may increase computation time):
./fips-analyzer -source /path/to/source/code -call-tree
You can also control the maximum call tree depth (default: 10):
./fips-analyzer -source /path/to/source/code -call-tree -call-tree-depth 5
Export results to a JSON file:
./fips-analyzer -source /path/to/source/code -output results.json
Note: The JSON output can be dropped onto the report visualizer (just open the static HTML in a browser) for interactive exploration. You can click on any node in a call graph to filter to only call graphs which include that package.
Get detailed information about detected usages:
./fips-analyzer -source /path/to/source/code -verbose
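Why init functions matter as call-graph roots (the -init-all default described above), shown as an added example that is not fips-analyzer's own code: with main as the only root, golang.org/x/crypto usage reached solely through init() goes unreported. It uses only the standard library and follows identifier references by name within one file, which over-approximates a real call graph; reachesXCrypto, sample and the root names are assumptions of this example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample: x/crypto is used only by code that init() reaches.
const sample = `package main
import "golang.org/x/crypto/sha3"
func init() { seed() }
func seed() { _ = sha3.Sum256(nil) }
func main() {}`

// reachesXCrypto reports whether any root function reaches an x/crypto package reference.
func reachesXCrypto(src string, roots ...string) bool {
	f, _ := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0) // string source: f is never nil
	crypto := map[string]bool{} // package names of x/crypto imports (aliases not handled)
	for _, imp := range f.Imports {
		if p := strings.Trim(imp.Path.Value, `"`); strings.HasPrefix(p, "golang.org/x/crypto/") {
			crypto[p[strings.LastIndex(p, "/")+1:]] = true
		}
	}
	refs := map[string][]string{} // function name -> identifiers used in its body
	for _, d := range f.Decls {
		if fn, ok := d.(*ast.FuncDecl); ok && fn.Body != nil {
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				if id, ok := n.(*ast.Ident); ok {
					refs[fn.Name.Name] = append(refs[fn.Name.Name], id.Name)
				}
				return true
			})
		}
	}
	for work := roots; len(work) > 0; work = work[1:] { // breadth-first walk from the roots
		if crypto[work[0]] {
			return true
		}
		work = append(work, refs[work[0]]...)
		delete(refs, work[0]) // expand each function only once
	}
	return false
}

func main() {
	println(reachesXCrypto(sample, "main"), reachesXCrypto(sample, "main", "init")) // false true
}
```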