
Conversation

@kfess
Contributor

@kfess kfess commented Dec 2, 2025

Description

Add rule to detect Trojan Source attacks (CVE-2021-42574) using bidirectional Unicode control characters as G116.

The rule scans entire file content to detect dangerous bidirectional text control characters:

RLO (U+202E), LRI/RLI/FSI (U+2066/2067/2068), LRE/RLE (U+202A/202B), PDF (U+202C), LRO (U+202D), RLM/LRM (U+200F/200E)

References:

Fixes Issue #1429

Comment

testutils/g116_samples.go uses #nosec because G116 scans entire file content (not just AST nodes but also comments). The test file contains actual bidirectional Unicode characters to verify detection works correctly. Without #nosec, gosec would flag its own test samples when running make test.

return nil, nil
}

content, err := os.ReadFile(fobj.Name())
Member


Does this perform well with large files?

I would use something like this to make sure that we don't run out of memory and don't have performance issues:

package main

import (
    "bufio"
    "log"
    "os"
)

func main() {
    file, err := os.Open("") // file to scan (path not given here)
    if err != nil {
        log.Fatal(err)
    }
    defer file.Close()
    // Scanner reads one line at a time, so memory use is bounded by the longest line
    scanner := bufio.NewScanner(file)
    for scanner.Scan() {
        line := scanner.Text()
        // Process line
        _ = line
    }
    if err := scanner.Err(); err != nil {
        log.Fatal(err)
    }
}

@ccojocar
Member

ccojocar commented Dec 3, 2025

Please can you rebase this pull request? Thanks

@kfess kfess force-pushed the feature/trojansource branch from fdaa16d to 9390ca4 on December 6, 2025 09:29
@kfess
Contributor Author

kfess commented Dec 6, 2025

Thanks for the review.
I've updated the implementation to use bufio.Scanner instead of os.ReadFile for better memory efficiency.

I evaluated the memory efficiency with /usr/bin/time on a large project (kubernetes/kubernetes, 10,123 files):

/usr/bin/time -v go run ./cmd/gosec/ --include=G116 ../kubernetes/...
  • Before (ReadFile): 342 MB
  • After (Scanner): 194 MB

I also rebased the commits.
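The scan the PR describes, as an added example that is not gosec's own rules/trojansource.go: it reads a source file line by line with bufio.Scanner, as the reply above adopts in place of os.ReadFile, and reports each bidirectional control character from the description with its line and rune column. The names ScanBidi and Finding and the constructed sample input are assumptions, not from the project.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// bidiControls: the bidirectional control code points from the PR description
// (what G116 reports), keyed to their short names.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u200E': "LRM", '\u200F': "RLM",
}

// Finding locates one control character by 1-based line and 1-based rune column.
type Finding struct {
	Line, Col int
	Name      string
}

// ScanBidi (assumed name) reads src line by line with bufio.Scanner, as the PR does
// instead of os.ReadFile, so memory is bounded by the longest line, not the file size.
func ScanBidi(src io.Reader) ([]Finding, error) {
	var found []Finding
	sc := bufio.NewScanner(src)
	// Raise the default 64 KiB line limit: a longer line would stop Scan with
	// bufio.ErrTooLong and leave the rest of the file unscanned.
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024)
	for lineNo := 1; sc.Scan(); lineNo++ {
		col := 0
		for _, r := range sc.Text() { // ranging a string yields runes, so each
			col++                    // multi-byte control character is one match
			if name, ok := bidiControls[r]; ok {
				found = append(found, Finding{Line: lineNo, Col: col, Name: name})
			}
		}
	}
	return found, sc.Err()
}

// sample is a constructed input: a comment carrying an RLO (U+202E) and a closing
// PDF (U+202C), which most editors render invisibly, followed by a clean line.
const sample = "package x\n// check\u202E admin \u202Cok\nfunc f() {}\n"

func main() {
	findings, err := ScanBidi(strings.NewReader(sample))
	fmt.Println(findings, err) // [{2 9 RLO} {2 17 PDF}] <nil>
}
```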

@ccojocar
Member

ccojocar commented Dec 8, 2025

It seems that there are still some lint issues. PTAL thanks

kfess and others added 3 commits December 11, 2025 08:57
Change-Id: Ic1df6704ba5ab8b1834d7765abd49494a98835f8
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar ccojocar force-pushed the feature/trojansource branch from 9390ca4 to a94b325 on December 11, 2025 09:07
@ccojocar ccojocar merged commit 424fc4c into securego:master Dec 11, 2025
6 checks passed
@codecov-commenter

Codecov Report

❌ Patch coverage is 89.18919% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.54%. Comparing base (1216c9b) to head (a94b325).
⚠️ Report is 142 commits behind head on master.

Files with missing lines | Patch % | Lines
rules/trojansource.go | 88.88% | 2 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1431      +/-   ##
==========================================
- Coverage   68.49%   64.54%   -3.96%     
==========================================
  Files          75       78       +3     
  Lines        4384     4716     +332     
==========================================
+ Hits         3003     3044      +41     
- Misses       1233     1524     +291     
  Partials      148      148              

☔ View full report in Codecov by Sentry.

@kfess
Contributor Author

kfess commented Dec 11, 2025

Sorry for the late response.
Thank you for fixing the linter error.

@kfess
Contributor Author

kfess commented Dec 11, 2025

I forgot to add the new rule to the README. Should I open a PR for that?

@kfess kfess deleted the feature/trojansource branch December 14, 2025 15:59