Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gosec for openSUSE:Factory checked in at 2023-10-18 21:25:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gosec (Old) and /work/SRC/openSUSE:Factory/.gosec.new.31755 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gosec" Wed Oct 18 21:25:30 2023 rev:12 rq:1118372 version:2.18.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gosec/gosec.changes 2023-10-10 21:00:41.318927451 +0200 +++ /work/SRC/openSUSE:Factory/.gosec.new.31755/gosec.changes 2023-10-18 21:25:37.216506064 +0200 @@ -1,0 +2,17 @@ +Tue Oct 17 14:29:50 UTC 2023 - [email protected] + +- Update to version 2.18.1: + * chore(deps): update all dependencies + * Update gosec to version 2.18.1 in the action + * Update cosign version to v2.2.0 + * Refactor how ignored issues are tracked + * Restrict the maximum depth when tracking the slice bounds + * Handle empty ssa results + * Handle gracefully any panic that occurs when building the SSA representation of a package + * Fix typo + * Handle new function when getting the call info in case is overriden + * Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037) + * Update to Go 1.21.3 and 1.20.10 (#1035) + * Update the list of unsafe functions detected by the unsafe rule (#1033) + +------------------------------------------------------------------- Old: ---- gosec-2.18.0.obscpio New: ---- gosec-2.18.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gosec.spec ++++++ --- /var/tmp/diff_new_pack.zHqHV1/_old 2023-10-18 21:25:39.568591267 +0200 +++ /var/tmp/diff_new_pack.zHqHV1/_new 2023-10-18 21:25:39.568591267 +0200 @@ -17,7 +17,7 @@ Name: gosec -Version: 2.18.0 +Version: 2.18.1 Release: 0 Summary: CLI tool to scan the Go AST and SSA code representations for security problems License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.zHqHV1/_old 2023-10-18 21:25:39.600592426 +0200 +++ /var/tmp/diff_new_pack.zHqHV1/_new 2023-10-18 21:25:39.604592571 +0200 
@@ -3,7 +3,7 @@ <param name="filename">gosec</param> <param name="url">https://github.com/securego/gosec.git</param> <param name="scm">git</param> - <param name="version">v2.18.0</param> + <param name="version">v2.18.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> ++++++ gosec-2.18.0.obscpio -> gosec-2.18.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/.github/workflows/ci.yml new/gosec-2.18.1/.github/workflows/ci.yml --- old/gosec-2.18.0/.github/workflows/ci.yml 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/.github/workflows/ci.yml 2023-10-16 09:29:43.000000000 +0200 @@ -10,7 +10,7 @@ test: strategy: matrix: - version: [{go: '1.20.9', golangci: 'latest'}, {go: '1.21.2', golangci: 'latest'}] + version: [{go: '1.20.10', golangci: 'latest'}, {go: '1.21.3', golangci: 'latest'}] runs-on: ubuntu-latest env: GO111MODULE: on @@ -46,7 +46,7 @@ - name: Setup go uses: actions/setup-go@v4 with: - go-version: '1.21.2' + go-version: '1.21.3' - name: Checkout Source uses: actions/checkout@v4 - uses: actions/cache@v3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/.github/workflows/release.yml new/gosec-2.18.1/.github/workflows/release.yml --- old/gosec-2.18.0/.github/workflows/release.yml 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/.github/workflows/release.yml 2023-10-16 09:29:43.000000000 +0200 
@@ -17,11 +17,11 @@ - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.21.2' + go-version: '1.21.3' - name: Install Cosign uses: sigstore/cosign-installer@v3 with: - cosign-release: 'v2.1.1' + cosign-release: 'v2.2.0' - name: Store Cosign private key in a file run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' shell: bash diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/action.yml new/gosec-2.18.1/action.yml --- old/gosec-2.18.0/action.yml 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/action.yml 2023-10-16 09:29:43.000000000 +0200 @@ -10,7 +10,7 @@ runs: using: 'docker' - image: 'docker://securego/gosec:2.18.0' + image: 'docker://securego/gosec:2.18.1' args: - ${{ inputs.args }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/analyzer.go new/gosec-2.18.1/analyzer.go --- old/gosec-2.18.0/analyzer.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/analyzer.go 2023-10-16 09:29:43.000000000 +0200 @@ -57,6 +57,12 @@ var generatedCodePattern = regexp.MustCompile(`^// Code generated .* DO NOT EDIT\.$`) +// ignoreLocation keeps the location of an ignored rule +type ignoreLocation struct { + file string + line string +} + // The Context is populated with data parsed from the source code as it is scanned. // It is passed through to all rule functions as they are called. Rules may use // this data in conjunction with the encountered AST node. @@ -69,7 +75,7 @@ Root *ast.File Imports *ImportTracker Config Config - Ignores []map[string][]issue.SuppressionInfo + Ignores map[ignoreLocation]map[string][]issue.SuppressionInfo PassedValues map[string]interface{} } 
@@ -282,7 +288,7 @@
 return pkgs, nil
 }
-// CheckRules runs analysis on the given package
+// CheckRules runs analysis on the given package.
 func (gosec *Analyzer) CheckRules(pkg *packages.Package) {
 gosec.logger.Println("Checking package:", pkg.Name)
 for _, file := range pkg.Syntax {
@@ -318,31 +324,14 @@
 }
 }
-// CheckAnalyzers runs analyzers on a given package
+// CheckAnalyzers runs analyzers on a given package.
 func (gosec *Analyzer) CheckAnalyzers(pkg *packages.Package) {
- ssaPass := &analysis.Pass{
- Analyzer: buildssa.Analyzer,
- Fset: pkg.Fset,
- Files: pkg.Syntax,
- OtherFiles: pkg.OtherFiles,
- IgnoredFiles: pkg.IgnoredFiles,
- Pkg: pkg.Types,
- TypesInfo: pkg.TypesInfo,
- TypesSizes: pkg.TypesSizes,
- ResultOf: nil,
- Report: nil,
- ImportObjectFact: nil,
- ExportObjectFact: nil,
- ImportPackageFact: nil,
- ExportPackageFact: nil,
- AllObjectFacts: nil,
- AllPackageFacts: nil,
- }
- ssaResult, err := ssaPass.Analyzer.Run(ssaPass)
- if err != nil {
- gosec.logger.Printf("Error running SSA analyser on package %q: %s", pkg.Name, err)
+ ssaResult, err := gosec.buildSSA(pkg)
+ if err != nil || ssaResult == nil {
+ gosec.logger.Printf("Error building the SSA representation of the package %q: %s", pkg.Name, err)
 return
 }
+
 resultMap := map[*analysis.Analyzer]interface{}{
 buildssa.Analyzer: &analyzers.SSAAnalyzerResult{
 Config: gosec.Config(),
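Review bot: The log line in the new `if err != nil || ssaResult == nil` branch formats `err` with `%s`, yet in the `ssaResult == nil` case that buildSSA produces after recovering a panic `err` is nil, so the message reads `%!s(<nil>)` and gives no hint of what went wrong. Either format with `%v` and name the condition, e.g. `gosec.logger.Printf("Error building the SSA representation of the package %q (nil result or error): %v", pkg.Name, err)`, or have buildSSA turn the recovered panic into an error so this branch always has a cause to print. Returning here also means none of the SSA-based analyzers run on that package, which the log should state so a clean report is not mistaken for a full scan. CheckAnalyzers continues past this hunk.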
@@ -377,13 +366,42 @@
 if result != nil {
 if passIssues, ok := result.([]*issue.Issue); ok {
 for _, iss := range passIssues {
- gosec.updateIssues(iss, false, []issue.SuppressionInfo{})
+ gosec.updateIssues(iss)
 }
 }
 }
 }
 }
+// buildSSA runs the SSA pass which builds the SSA representation of the package. It handles gracefully any panic.
+func (gosec *Analyzer) buildSSA(pkg *packages.Package) (interface{}, error) {
+ defer func() {
+ if r := recover(); r != nil {
+ gosec.logger.Printf("Panic when running SSA analyser on package: %s", pkg.Name)
+ }
+ }()
+ ssaPass := &analysis.Pass{
+ Analyzer: buildssa.Analyzer,
+ Fset: pkg.Fset,
+ Files: pkg.Syntax,
+ OtherFiles: pkg.OtherFiles,
+ IgnoredFiles: pkg.IgnoredFiles,
+ Pkg: pkg.Types,
+ TypesInfo: pkg.TypesInfo,
+ TypesSizes: pkg.TypesSizes,
+ ResultOf: nil,
+ Report: nil,
+ ImportObjectFact: nil,
+ ExportObjectFact: nil,
+ ImportPackageFact: nil,
+ ExportPackageFact: nil,
+ AllObjectFacts: nil,
+ AllPackageFacts: nil,
+ }
+
+ return ssaPass.Analyzer.Run(ssaPass)
+}
+
 func isGeneratedFile(file *ast.File) bool {
 for _, comment := range file.Comments {
 for _, row := range comment.List {
@@ -509,10 +527,8 @@
 // Visit runs the gosec visitor logic over an AST created by parsing go code.
 // Rule methods added with AddRule will be invoked as necessary.
 func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {
- ignores, ok := gosec.updateIgnoredRules(n)
- if !ok {
- return gosec
- }
+ // Update any potentially ignored rules at the node location
+ gosec.updateIgnoredRules(n)
 // Using ast.File instead of ast.ImportSpec, so that we can track all imports at once.
 switch i := n.(type) {
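Review bot: The deferred recover in buildSSA logs only the package name and discards the panic value `r`, and because the results are unnamed the function then returns `(nil, nil)`, so the caller can only tell a crash from success by the nil result and the actual cause is never recorded anywhere. Naming the results lets the handler keep the cause: the panic value goes into the log and into the returned error, while the stack is still contained. This assumes `fmt` is already imported in analyzer.go; if not, wrap with `errors.New` and a string.
```go
func (gosec *Analyzer) buildSSA(pkg *packages.Package) (result interface{}, err error) {
	defer func() {
		if r := recover(); r != nil {
			gosec.logger.Printf("Panic when running SSA analyser on package %q: %v", pkg.Name, r)
			result, err = nil, fmt.Errorf("building SSA for package %q: panic: %v", pkg.Name, r)
		}
	}()
	// … unchanged: ssaPass construction …
	return ssaPass.Analyzer.Run(ssaPass)
}
```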
@@ -521,56 +537,55 @@
 }
 for _, rule := range gosec.ruleset.RegisteredFor(n) {
- suppressions, ignored := gosec.updateSuppressions(rule.ID(), ignores)
 issue, err := rule.Match(n, gosec.context)
 if err != nil {
 file, line := GetLocation(n, gosec.context)
 file = path.Base(file)
 gosec.logger.Printf("Rule error: %v => %s (%s:%d)\n", reflect.TypeOf(rule), err, file, line)
 }
- gosec.updateIssues(issue, ignored, suppressions)
+ gosec.updateIssues(issue)
 }
 return gosec
 }
-func (gosec *Analyzer) updateIgnoredRules(n ast.Node) (map[string][]issue.SuppressionInfo, bool) {
- if n == nil {
- if len(gosec.context.Ignores) > 0 {
- gosec.context.Ignores = gosec.context.Ignores[1:]
- }
- return nil, false
- }
- // Get any new rule exclusions.
+func (gosec *Analyzer) updateIgnoredRules(n ast.Node) {
 ignoredRules := gosec.ignore(n)
-
- // Now create the union of exclusions.
- ignores := map[string][]issue.SuppressionInfo{}
- if len(gosec.context.Ignores) > 0 {
- for k, v := range gosec.context.Ignores[0] {
- ignores[k] = v
+ if len(ignoredRules) > 0 {
+ if gosec.context.Ignores == nil {
+ gosec.context.Ignores = make(map[ignoreLocation]map[string][]issue.SuppressionInfo)
+ }
+ line := issue.GetLine(gosec.context.FileSet.File(n.Pos()), n)
+ ignoreLocation := ignoreLocation{
+ file: gosec.context.FileSet.File(n.Pos()).Name(),
+ line: line,
+ }
+ current, ok := gosec.context.Ignores[ignoreLocation]
+ if !ok {
+ current = map[string][]issue.SuppressionInfo{}
+ }
+ for r, s := range ignoredRules {
+ if current[r] == nil {
+ current[r] = []issue.SuppressionInfo{}
+ }
+ current[r] = append(current[r], s)
 }
+ gosec.context.Ignores[ignoreLocation] = current
 }
+}
- for ruleID, suppression := range ignoredRules {
- ignores[ruleID] = append(ignores[ruleID], suppression)
+func (gosec *Analyzer) getSuppressionsAtLineInFile(file string, line string, id string) ([]issue.SuppressionInfo, bool) {
+ ignores, ok := gosec.context.Ignores[ignoreLocation{file: file, line: line}]
+ if !ok {
+ ignores =
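Review bot: The removed `updateIgnoredRules` early return was also the only place Visit handled a nil node, and `ast.Walk` calls `Visit(nil)` after walking each node's children, so Visit now falls through to `gosec.updateIgnoredRules(nil)`, the type switch and `RegisteredFor(nil)` on every post-order step. Unless `gosec.ignore` tolerates a nil node (its body is not in this diff), `n.Pos()` inside updateIgnoredRules is reachable with `n == nil` whenever it returns a non-empty map. An explicit guard at the top of Visit, `if n == nil { return gosec }`, restores the old contract and documents that post-order callbacks are intentionally ignored. Visit's body continues into the next hunk.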
make(map[string][]issue.SuppressionInfo)
 }
- // Push the new set onto the stack.
- gosec.context.Ignores = append([]map[string][]issue.SuppressionInfo{ignores}, gosec.context.Ignores...)
-
- return ignores, true
-}
-
-func (gosec *Analyzer) updateSuppressions(id string, ignores map[string][]issue.SuppressionInfo) ([]issue.SuppressionInfo, bool) {
- // Check if all rules are ignored.
+ // Check if the rule was specifically suppressed at this location.
 generalSuppressions, generalIgnored := ignores[aliasOfAllRules]
- // Check if the specific rule is ignored
 ruleSuppressions, ruleIgnored := ignores[id]
-
 ignored := generalIgnored || ruleIgnored
 suppressions := append(generalSuppressions, ruleSuppressions...)
- // Track external suppressions.
+ // Track external suppressions of this rule.
 if gosec.ruleset.IsRuleSuppressed(id) {
 ignored = true
 suppressions = append(suppressions, issue.SuppressionInfo{
@@ -581,8 +596,9 @@
 return suppressions, ignored
 }
-func (gosec *Analyzer) updateIssues(issue *issue.Issue, ignored bool, suppressions []issue.SuppressionInfo) {
+func (gosec *Analyzer) updateIssues(issue *issue.Issue) {
 if issue != nil {
+ suppressions, ignored := gosec.getSuppressionsAtLineInFile(issue.File, issue.Line, issue.RuleID)
 if gosec.showIgnored {
 issue.NoSec = ignored
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/analyzer_test.go new/gosec-2.18.1/analyzer_test.go
--- old/gosec-2.18.0/analyzer_test.go 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/analyzer_test.go 2023-10-16 09:29:43.000000000 +0200
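Review bot: Suppressions are now looked up by the exact `ignoreLocation{file, line}` of the node that carries the `#nosec` comment, with `line` being the `start-end` string from `issue.GetLine`, so a `#nosec` on an enclosing function or block no longer covers findings reported on nodes inside it — the old stack-based union did, and the test deleted in analyzer_test.go (`#nosec` on the func plus `#nosec G101` on the statement) exercised exactly that. Narrowing is the fail-safe direction for a scanner, but it is a user-visible change that the changelog line "Refactor how ignored issues are tracked" does not convey, and this commit itself had to move the project's own annotations inline (cmd/tlsconfig, testutils/pkg.go) to keep them effective. A comment on `getSuppressionsAtLineInFile`, e.g. `// A #nosec only applies to the node that produced the issue (same file and same start-end line range); annotations on enclosing blocks are not inherited.`, plus a changelog note, would explain to users why previously suppressed findings reappear after upgrading.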
@@ -743,25 +743,6 @@ Expect(issues[0].Suppressions[0].Justification).To(Equal("")) }) - It("should track multiple suppressions if the violation is suppressed by both #nosec and #nosec RuleList", func() { - sample := testutils.SampleCodeG101[0] - source := sample.Code[0] - analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo()) - - nosecPackage := testutils.NewTestPackage() - defer nosecPackage.Close() - nosecSource := strings.Replace(source, "}", "} //#nosec G101 -- Justification", 1) - nosecSource = strings.Replace(nosecSource, "func", "//#nosec\nfunc", 1) - nosecPackage.AddFile("pwd.go", nosecSource) - err := nosecPackage.Build() - Expect(err).ShouldNot(HaveOccurred()) - err = analyzer.Process(buildTags, nosecPackage.Path) - Expect(err).ShouldNot(HaveOccurred()) - issues, _, _ := analyzer.Report() - Expect(issues).To(HaveLen(sample.Errors)) - Expect(issues[0].Suppressions).To(HaveLen(2)) - }) - It("should not report an error if the rule is not included", func() { sample := testutils.SampleCodeG101[0] source := sample.Code[0] @@ -807,7 +788,7 @@ nosecPackage := testutils.NewTestPackage() defer nosecPackage.Close() - nosecSource := strings.Replace(source, "}", "} //#nosec G101 -- Justification", 1) + nosecSource := strings.Replace(source, "password := \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\"", "password := \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\" //#nosec G101 -- Justification", 1) nosecPackage.AddFile("pwd.go", nosecSource) err := nosecPackage.Build() Expect(err).ShouldNot(HaveOccurred()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/analyzers/slice_bounds.go new/gosec-2.18.1/analyzers/slice_bounds.go --- old/gosec-2.18.0/analyzers/slice_bounds.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/analyzers/slice_bounds.go 2023-10-16 09:29:43.000000000 +0200 
@@ -38,6 +38,8 @@
 upperBounded
 )
+const maxDepth = 20
+
 func newSliceBoundsAnalyzer(id string, description string) *analysis.Analyzer {
 return &analysis.Analyzer{
 Name: id,
@@ -75,7 +77,7 @@
 l, h := extractSliceBounds(slice)
 newCap := computeSliceNewCap(l, h, sliceCap)
 violations := []ssa.Instruction{}
- trackSliceBounds(newCap, slice, &violations, ifs)
+ trackSliceBounds(0, newCap, slice, &violations, ifs)
 for _, s := range violations {
 switch s := s.(type) {
 case *ssa.Slice:
@@ -155,7 +157,11 @@
 return nil, nil
 }
-func trackSliceBounds(sliceCap int, slice ssa.Node, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) {
+func trackSliceBounds(depth int, sliceCap int, slice ssa.Node, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) {
+ if depth == maxDepth {
+ return
+ }
+ depth++
 if violations == nil {
 violations = &[]ssa.Instruction{}
 }
@@ -164,12 +170,12 @@
 for _, refinstr := range *referrers {
 switch refinstr := refinstr.(type) {
 case *ssa.Slice:
- checkAllSlicesBounds(sliceCap, refinstr, violations, ifs)
+ checkAllSlicesBounds(depth, sliceCap, refinstr, violations, ifs)
 switch refinstr.X.(type) {
 case *ssa.Alloc, *ssa.Parameter:
 l, h := extractSliceBounds(refinstr)
 newCap := computeSliceNewCap(l, h, sliceCap)
- trackSliceBounds(newCap, refinstr, violations, ifs)
+ trackSliceBounds(depth, newCap, refinstr, violations, ifs)
 }
 case *ssa.IndexAddr:
 indexValue, err := extractIntValue(refinstr.Index.String())
@@ -189,7 +195,7 @@
 if fn, ok := refinstr.Call.Value.(*ssa.Function); ok {
 if len(fn.Params) > parPos && parPos > -1 {
 param := fn.Params[parPos]
- trackSliceBounds(sliceCap, param, violations, ifs)
+ trackSliceBounds(depth, sliceCap, param, violations, ifs)
 }
 }
 }
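Review bot: `if depth == maxDepth { return }` in trackSliceBounds stops the walk silently, so any slice chain or callee parameter more than 20 hops from the root is simply not checked and the analyzer reports nothing for it — a false negative with no trace in the log. A `>=` comparison is more robust than `==` should a caller ever pass a larger starting value, and the constant deserves a comment recording the trade-off, e.g. `// maxDepth bounds the recursion through referrers and callee parameters so cyclic or very deep SSA graphs terminate; chains deeper than this are not analysed.` A visited set keyed on the ssa.Node would bound the work without discarding deep chains, at the cost of a larger change. trackSliceBounds begins in this hunk but its body continues outside it.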
@@ -198,7 +204,11 @@
 }
 }
-func checkAllSlicesBounds(sliceCap int, slice *ssa.Slice, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) {
+func checkAllSlicesBounds(depth int, sliceCap int, slice *ssa.Slice, violations *[]ssa.Instruction, ifs map[ssa.If]*ssa.BinOp) {
+ if depth == maxDepth {
+ return
+ }
+ depth++
 if violations == nil {
 violations = &[]ssa.Instruction{}
 }
@@ -210,7 +220,7 @@
 case *ssa.Alloc, *ssa.Parameter, *ssa.Slice:
 l, h := extractSliceBounds(slice)
 newCap := computeSliceNewCap(l, h, sliceCap)
- trackSliceBounds(newCap, slice, violations, ifs)
+ trackSliceBounds(depth, newCap, slice, violations, ifs)
 }
 references := slice.Referrers()
@@ -220,12 +230,12 @@
 for _, ref := range *references {
 switch s := ref.(type) {
 case *ssa.Slice:
- checkAllSlicesBounds(sliceCap, s, violations, ifs)
+ checkAllSlicesBounds(depth, sliceCap, s, violations, ifs)
 switch s.X.(type) {
 case *ssa.Alloc, *ssa.Parameter:
 l, h := extractSliceBounds(s)
 newCap := computeSliceNewCap(l, h, sliceCap)
- trackSliceBounds(newCap, s, violations, ifs)
+ trackSliceBounds(depth, newCap, s, violations, ifs)
 }
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/cmd/tlsconfig/tlsconfig.go new/gosec-2.18.1/cmd/tlsconfig/tlsconfig.go
--- old/gosec-2.18.0/cmd/tlsconfig/tlsconfig.go 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/cmd/tlsconfig/tlsconfig.go 2023-10-16 09:29:43.000000000 +0200
@@ -187,7 +187,7 @@
 }
 outputPath := filepath.Join(dir, *outputFile)
- if err := os.WriteFile(outputPath, src, 0o644); err != nil {
+ if err := os.WriteFile(outputPath, src, 0o644); err != nil /*#nosec G306*/ {
 log.Fatalf("Writing output: %s", err)
- } //#nosec G306
+ }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/go.mod new/gosec-2.18.1/go.mod
--- old/gosec-2.18.0/go.mod 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/go.mod 2023-10-16 09:29:43.000000000 +0200
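Review bot: The relocated `/*#nosec G306*/` in tlsconfig.go carries no justification, although the tool accepts one after `--` (the tests in this same commit use `//#nosec G101 -- Justification`) and a bare suppression on a file-permission finding is exactly what a later auditor will question. Since the file written here is generated Go source meant to be committed, say so: `if err := os.WriteFile(outputPath, src, 0o644); err != nil /* #nosec G306 -- generated source file, intended to be world-readable */ {`. The move from the closing brace into the `if` header appears to be forced by the narrowed suppression matching elsewhere in this release, which is worth a sentence in the changelog. The enclosing function starts before this hunk.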
@@ -6,7 +6,7 @@ github.com/gookit/color v1.5.4 github.com/lib/pq v1.10.9 github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5 - github.com/onsi/ginkgo/v2 v2.12.1 + github.com/onsi/ginkgo/v2 v2.13.0 github.com/onsi/gomega v1.28.0 golang.org/x/crypto v0.14.0 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 @@ -22,7 +22,7 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect golang.org/x/mod v0.13.0 // indirect - golang.org/x/net v0.16.0 // indirect + golang.org/x/net v0.17.0 // indirect golang.org/x/sys v0.13.0 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/go.sum new/gosec-2.18.1/go.sum --- old/gosec-2.18.0/go.sum 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/go.sum 2023-10-16 09:29:43.000000000 +0200 @@ -263,8 +263,8 @@ github.com/olekukonko/tablewriter v0.0.2/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= -github.com/onsi/ginkgo/v2 v2.12.1/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= 
@@ -434,8 +434,8 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos= -golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/helpers.go new/gosec-2.18.1/helpers.go --- old/gosec-2.18.0/helpers.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/helpers.go 2023-10-16 09:29:43.000000000 +0200 @@ -183,7 +183,7 @@ case *ast.CallExpr: switch call := expr.Fun.(type) { case *ast.Ident: - if call.Name == "new" { + if call.Name == "new" && len(expr.Args) > 0 { t := ctx.Info.TypeOf(expr.Args[0]) if t != nil { return t.String(), fn.Sel.Name, nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/helpers_test.go new/gosec-2.18.1/helpers_test.go --- old/gosec-2.18.0/helpers_test.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/helpers_test.go 2023-10-16 09:29:43.000000000 +0200 
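Review bot: The added `len(expr.Args) > 0` guard in helpers.go stops the index panic for a zero-argument user-defined `new`, but `call.Name == "new"` still does not establish that the identifier is the builtin: a user function `new(x T)` taking one argument enters this branch and the reported type becomes that of its argument rather than that of the call, which can misattribute the call to the wrong rule. Resolving the identifier through the type checker is the precise test, e.g. `if b, ok := ctx.Info.Uses[call].(*types.Builtin); ok && b.Name() == "new" && len(expr.Args) > 0 {` (assuming `ctx.Info` is the `*types.Info` that the `ctx.Info.TypeOf` call suggests and `go/types` is already imported). GetCallInfo begins before this hunk.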
@@ -251,6 +251,38 @@ Expect(result).Should(HaveKeyWithValue("fmt", "Println")) }) + + It("should return the type and call name when built-in new function is overridden", func() { + pkg := testutils.NewTestPackage() + defer pkg.Close() + pkg.AddFile("main.go", ` + package main + + type S struct{ F int } + + func (f S) Fun() {} + + func new() S { return S{} } + + func main() { + new().Fun() + } + `) + ctx := pkg.CreateContext("main.go") + result := map[string]string{} + visitor := testutils.NewMockVisitor() + visitor.Context = ctx + visitor.Callback = func(n ast.Node, ctx *gosec.Context) bool { + typeName, call, err := gosec.GetCallInfo(n, ctx) + if err == nil { + result[typeName] = call + } + return true + } + ast.Walk(visitor, ctx.Root) + + Expect(result).Should(HaveKeyWithValue("main", "new")) + }) }) Context("when getting binary expression operands", func() { It("should return all operands of a binary expression", func() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/issue/issue.go new/gosec-2.18.1/issue/issue.go --- old/gosec-2.18.0/issue/issue.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/issue/issue.go 2023-10-16 09:29:43.000000000 +0200 @@ -178,11 +178,7 @@ // New creates a new Issue func New(fobj *token.File, node ast.Node, ruleID, desc string, severity, confidence Score) *Issue { name := fobj.Name() - start, end := fobj.Line(node.Pos()), fobj.Line(node.End()) - line := strconv.Itoa(start) - if start != end { - line = fmt.Sprintf("%d-%d", start, end) - } + line := GetLine(fobj, node) col := strconv.Itoa(fobj.Position(node.Pos()).Column) var code string 
@@ -217,3 +213,13 @@
 i.Suppressions = suppressions
 return i
 }
+
+// GetLine returns the line number of a given ast.Node
+func GetLine(fobj *token.File, node ast.Node) string {
+ start, end := fobj.Line(node.Pos()), fobj.Line(node.End())
+ line := strconv.Itoa(start)
+ if start != end {
+ line = fmt.Sprintf("%d-%d", start, end)
+ }
+ return line
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/report/html/template.html new/gosec-2.18.1/report/html/template.html
--- old/gosec-2.18.0/report/html/template.html 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/report/html/template.html 2023-10-16 09:29:43.000000000 +0200
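Review bot: The doc comment `// GetLine returns the line number of a given ast.Node` is inaccurate for the multi-line case: the function returns `"start-end"` when the node spans several lines, and analyzer.go now uses that string verbatim as the `line` field of the `ignoreLocation` map key for suppression lookups, so the exact format is load-bearing. Suggest `// GetLine returns the 1-based line on which node starts, or "start-end" when the node spans more than one line. The string is used verbatim as a location key for #nosec matching, so its format must stay stable.`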
@@ -10,7 +10,7 @@ <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/languages/go.min.js" integrity="sha512-wsnZc3vH14xwbbaoAwkar86729DTpz6wx48ABISfmaKLZwP/lm8d7Z+Hmr9JKobAENs0qO/cGounL7LUEg10Pg==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js" integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g==" crossorigin="anonymous"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js" integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw==" crossorigin="anonymous"></script> - <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.23.1/babel.min.js" integrity="sha512-u4kBSh4ZjkKAjSITNuaN/dj9JvyZMymSPr+NWMZ9poDTvob+WOrHfrwoCQdJ3UvksfkC9ebuhUzqBsuEjRN3jA==" crossorigin="anonymous"></script> + <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.23.2/babel.min.js" integrity="sha512-ND11pbmp3M3Wldj90In1EUlHIt8T7O6FykizQ/yXrFjHtpX+D0SX+/IVeLjqAV91r/Lavq4BpWJIC0nUtw5Kvw==" crossorigin="anonymous"></script> <style> .field-label { min-width: 80px; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/rules/unsafe.go new/gosec-2.18.1/rules/unsafe.go --- old/gosec-2.18.0/rules/unsafe.go 2023-10-09 10:37:52.000000000 +0200 +++ new/gosec-2.18.1/rules/unsafe.go 2023-10-16 09:29:43.000000000 +0200 
@@ -43,7 +43,7 @@
 func NewUsingUnsafe(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
 return &usingUnsafe{
 pkg: "unsafe",
- calls: []string{"Alignof", "Offsetof", "Sizeof", "Pointer"},
+ calls: []string{"Pointer", "String", "StringData", "Slice", "SliceData"},
 MetaData: issue.MetaData{
 ID: id,
 What: "Use of unsafe calls should be audited",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/testutils/pkg.go new/gosec-2.18.1/testutils/pkg.go
--- old/gosec-2.18.0/testutils/pkg.go 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/testutils/pkg.go 2023-10-16 09:29:43.000000000 +0200
@@ -53,9 +53,9 @@
 return nil
 }
 for filename, content := range p.Files {
- if e := os.WriteFile(filename, []byte(content), 0o644); e != nil {
+ if e := os.WriteFile(filename, []byte(content), 0o644); e != nil /* #nosec G306 */ {
 return e
- } //#nosec G306
+ }
 }
 p.onDisk = true
 return nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gosec-2.18.0/testutils/source.go new/gosec-2.18.1/testutils/source.go
--- old/gosec-2.18.0/testutils/source.go 2023-10-09 10:37:52.000000000 +0200
+++ new/gosec-2.18.1/testutils/source.go 2023-10-16 09:29:43.000000000 +0200
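Review bot: The new call list adds the Go 1.20 `unsafe.String/StringData/Slice/SliceData` helpers and drops the compile-time `Alignof/Offsetof/Sizeof`, but `unsafe.Add` (Go 1.17), which performs raw pointer arithmetic and is at least as audit-worthy as `unsafe.Pointer`, is still absent: `calls: []string{"Pointer", "Add", "String", "StringData", "Slice", "SliceData"},`. Dropping the three constant-only functions is a reasonable noise reduction, but it changes what this rule reports (the expected count in testutils/source.go moves from 3 to 2), so a one-line comment on the field saying that only functions which create or reinterpret pointers are flagged would spare the next reader from wondering why `Sizeof` is missing.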
@@ -436,16 +436,49 @@ func (Fake) Good() {} func main() { - unsafeM := Fake{} - unsafeM.Good() - intArray := [...]int{1, 2} - fmt.Printf("\nintArray: %v\n", intArray) - intPtr := &intArray[0] - fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr) - addressHolder := uintptr(unsafe.Pointer(intPtr)) + unsafe.Sizeof(intArray[0]) - intPtr = (*int)(unsafe.Pointer(addressHolder)) - fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr) -}`}, 3, gosec.NewConfig()}, + unsafeM := Fake{} + unsafeM.Good() + intArray := [...]int{1, 2} + fmt.Printf("\nintArray: %v\n", intArray) + intPtr := &intArray[0] + fmt.Printf("\nintPtr=%p, *intPtr=%d.\n", intPtr, *intPtr) + addressHolder := uintptr(unsafe.Pointer(intPtr)) + intPtr = (*int)(unsafe.Pointer(addressHolder)) + fmt.Printf("\nintPtr=%p, *intPtr=%d.\n\n", intPtr, *intPtr) +}`}, 2, gosec.NewConfig()}, + {[]string{` +package main + +import ( + "fmt" + "unsafe" +) + +func main() { + chars := [...]byte{1, 2} + charsPtr := &chars[0] + str := unsafe.String(charsPtr, len(chars)) + fmt.Printf("%s\n", str) + ptr := unsafe.StringData(str) + fmt.Printf("ptr: %p\n", ptr) + +}`}, 2, gosec.NewConfig()}, + {[]string{` +package main + +import ( + "fmt" + "unsafe" +) + +func main() { + chars := [...]byte{1, 2} + charsPtr := &chars[0] + slice := unsafe.Slice(charsPtr, len(chars)) + fmt.Printf("%v\n", slice) + ptr := unsafe.SliceData(slice) + fmt.Printf("ptr: %p\n", ptr) +}`}, 2, gosec.NewConfig()}, } // SampleCodeG104 finds errors that aren't being handled ++++++ gosec.obsinfo ++++++ --- /var/tmp/diff_new_pack.zHqHV1/_old 2023-10-18 21:25:39.772598657 +0200 +++ /var/tmp/diff_new_pack.zHqHV1/_new 2023-10-18 21:25:39.772598657 +0200 
@@ -1,5 +1,5 @@ name: gosec -version: 2.18.0 -mtime: 1696840672 -commit: 3952187ea76579f7b405e90336a90a56114a4119 +version: 2.18.1 +mtime: 1697441383 +commit: 7846db034c76684c31634ede659a92e5b3ffe2cc ++++++ vendor.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md new/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md --- old/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md 2023-10-09 11:02:04.000000000 +0200 +++ new/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md 2023-10-17 16:29:51.000000000 +0200 @@ -1,3 +1,9 @@ +## 2.13.0 + +### Features + +Add PreviewSpect() to enable programmatic preview access to the suite report (fixes #1225) + ## 2.12.1 ### Fixes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/core_dsl.go new/vendor/github.com/onsi/ginkgo/v2/core_dsl.go --- old/vendor/github.com/onsi/ginkgo/v2/core_dsl.go 2023-10-09 11:02:04.000000000 +0200 +++ new/vendor/github.com/onsi/ginkgo/v2/core_dsl.go 2023-10-17 16:29:51.000000000 +0200 
@@ -248,31 +248,13 @@ exitIfErr(types.GinkgoErrors.RerunningSuite()) } suiteDidRun = true - - suiteLabels := Labels{} - configErrors := []error{} - for _, arg := range args { - switch arg := arg.(type) { - case types.SuiteConfig: - suiteConfig = arg - case types.ReporterConfig: - reporterConfig = arg - case Labels: - suiteLabels = append(suiteLabels, arg...) - default: - configErrors = append(configErrors, types.GinkgoErrors.UnknownTypePassedToRunSpecs(arg)) - } + err := global.PushClone() + if err != nil { + exitIfErr(err) } - exitIfErrors(configErrors) + defer global.PopClone() - configErrors = types.VetConfig(flagSet, suiteConfig, reporterConfig) - if len(configErrors) > 0 { - fmt.Fprintf(formatter.ColorableStdErr, formatter.F("{{red}}Ginkgo detected configuration issues:{{/}}\n")) - for _, err := range configErrors { - fmt.Fprintf(formatter.ColorableStdErr, err.Error()) - } - os.Exit(1) - } + suiteLabels := extractSuiteConfiguration(args) var reporter reporters.Reporter if suiteConfig.ParallelTotal == 1 { @@ -308,9 +290,8 @@ registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig) } - err := global.Suite.BuildTree() + err = global.Suite.BuildTree() exitIfErr(err) - suitePath, err := os.Getwd() exitIfErr(err) suitePath, err = filepath.Abs(suitePath) 
@@ -335,6 +316,69 @@ return passed } +func extractSuiteConfiguration(args []interface{}) Labels { + suiteLabels := Labels{} + configErrors := []error{} + for _, arg := range args { + switch arg := arg.(type) { + case types.SuiteConfig: + suiteConfig = arg + case types.ReporterConfig: + reporterConfig = arg + case Labels: + suiteLabels = append(suiteLabels, arg...) + default: + configErrors = append(configErrors, types.GinkgoErrors.UnknownTypePassedToRunSpecs(arg)) + } + } + exitIfErrors(configErrors) + + configErrors = types.VetConfig(flagSet, suiteConfig, reporterConfig) + if len(configErrors) > 0 { + fmt.Fprintf(formatter.ColorableStdErr, formatter.F("{{red}}Ginkgo detected configuration issues:{{/}}\n")) + for _, err := range configErrors { + fmt.Fprintf(formatter.ColorableStdErr, err.Error()) + } + os.Exit(1) + } + + return suiteLabels +} + +/* +PreviewSpecs walks the testing tree and produces a report without actually invoking the specs. +See http://onsi.github.io/ginkgo/#previewing-specs for more information. 
+*/ +func PreviewSpecs(description string, args ...any) Report { + err := global.PushClone() + if err != nil { + exitIfErr(err) + } + defer global.PopClone() + + suiteLabels := extractSuiteConfiguration(args) + priorDryRun, priorParallelTotal, priorParallelProcess := suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess + suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess = true, 1, 1 + defer func() { + suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess = priorDryRun, priorParallelTotal, priorParallelProcess + }() + reporter := reporters.NoopReporter{} + outputInterceptor = internal.NoopOutputInterceptor{} + client = nil + writer := GinkgoWriter.(*internal.Writer) + + err = global.Suite.BuildTree() + exitIfErr(err) + suitePath, err := os.Getwd() + exitIfErr(err) + suitePath, err = filepath.Abs(suitePath) + exitIfErr(err) + + global.Suite.Run(description, suiteLabels, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig) + + return global.Suite.GetPreviewReport() +} + /* Skip instructs Ginkgo to skip the current spec diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/internal/global/init.go new/vendor/github.com/onsi/ginkgo/v2/internal/global/init.go --- old/vendor/github.com/onsi/ginkgo/v2/internal/global/init.go 2023-10-09 11:02:04.000000000 +0200 +++ new/vendor/github.com/onsi/ginkgo/v2/internal/global/init.go 2023-10-17 16:29:51.000000000 +0200 @@ -6,6 +6,7 @@ var Suite *internal.Suite var Failer *internal.Failer +var backupSuite *internal.Suite func init() { InitializeGlobals() 
@@ -15,3 +16,13 @@
 Failer = internal.NewFailer()
 Suite = internal.NewSuite()
 }
+
+func PushClone() error {
+ var err error
+ backupSuite, err = Suite.Clone()
+ return err
+}
+
+func PopClone() {
+ Suite = backupSuite
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/internal/node.go new/vendor/github.com/onsi/ginkgo/v2/internal/node.go
--- old/vendor/github.com/onsi/ginkgo/v2/internal/node.go 2023-10-09 11:02:04.000000000 +0200
+++ new/vendor/github.com/onsi/ginkgo/v2/internal/node.go 2023-10-17 16:29:51.000000000 +0200
@@ -597,6 +597,12 @@
 /* Nodes */
 type Nodes []Node
+func (n Nodes) Clone() Nodes {
+ nodes := make(Nodes, len(n))
+ copy(nodes, n)
+ return nodes
+}
+
 func (n Nodes) CopyAppend(nodes ...Node) Nodes {
 numN := len(n)
 out := make(Nodes, numN+len(nodes))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/internal/suite.go new/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
--- old/vendor/github.com/onsi/ginkgo/v2/internal/suite.go 2023-10-09 11:02:04.000000000 +0200
+++ new/vendor/github.com/onsi/ginkgo/v2/internal/suite.go 2023-10-17 16:29:51.000000000 +0200
@@ -77,6 +77,20 @@
 }
 }
+func (suite *Suite) Clone() (*Suite, error) {
+ if suite.phase != PhaseBuildTopLevel {
+ return nil, fmt.Errorf("cnanot clone suite after tree has been built")
+ }
+ return &Suite{
+ tree: &TreeNode{},
+ phase: PhaseBuildTopLevel,
+ ProgressReporterManager: NewProgressReporterManager(),
+ topLevelContainers: suite.topLevelContainers.Clone(),
+ suiteNodes: suite.suiteNodes.Clone(),
+ selectiveLock: &sync.Mutex{},
+ }, nil
+}
+
 func (suite *Suite) BuildTree() error {
 // During PhaseBuildTopLevel, the top level containers are stored in suite.topLevelCotainers and entered
 // We now enter PhaseBuildTree where these top level containers are entered and added to the spec tree
@@ -328,6 +342,16 @@
 return report
 }
+// Only valid in the preview context. In general suite.report only includes
+// the specs run by _this_ node - it is only at the end of the suite that
+// the parallel reports are aggregated. However in the preview context we run
+// in series and
+func (suite *Suite) GetPreviewReport() types.Report {
+ suite.selectiveLock.Lock()
+ defer suite.selectiveLock.Unlock()
+ return suite.report
+}
+
 func (suite *Suite) AddReportEntry(entry ReportEntry) error {
 if suite.phase != PhaseRun {
 return types.GinkgoErrors.AddReportEntryNotDuringRunPhase(entry.Location)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/github.com/onsi/ginkgo/v2/types/version.go new/vendor/github.com/onsi/ginkgo/v2/types/version.go
--- old/vendor/github.com/onsi/ginkgo/v2/types/version.go 2023-10-09 11:02:04.000000000 +0200
+++ new/vendor/github.com/onsi/ginkgo/v2/types/version.go 2023-10-17 16:29:51.000000000 +0200
@@ -1,3 +1,3 @@
 package types
-const VERSION = "2.12.1"
+const VERSION = "2.13.0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt
--- old/vendor/modules.txt 2023-10-09 11:02:04.000000000 +0200
+++ new/vendor/modules.txt 2023-10-17 16:29:51.000000000 +0200
@@ -40,7 +40,7 @@
 # github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
 ## explicit; go 1.15
 github.com/mozilla/tls-observatory/constants
-# github.com/onsi/ginkgo/v2 v2.12.1
+# github.com/onsi/ginkgo/v2 v2.13.0
 ## explicit; go 1.18
 github.com/onsi/ginkgo/v2
 github.com/onsi/ginkgo/v2/config
@@ -94,7 +94,7 @@
 # golang.org/x/mod v0.13.0
 ## explicit; go 1.18
 golang.org/x/mod/semver
-# golang.org/x/net v0.16.0
+# golang.org/x/net v0.17.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/html
