Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gosec for openSUSE:Factory checked
in at 2025-04-07 18:41:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
and /work/SRC/openSUSE:Factory/.gosec.new.1907 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gosec"
Mon Apr 7 18:41:51 2025 rev:22 rq:1267714 version:2.22.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes 2025-03-07
16:46:37.912609798 +0100
+++ /work/SRC/openSUSE:Factory/.gosec.new.1907/gosec.changes 2025-04-07
18:41:58.408943816 +0200
@@ -1,0 +2,14 @@
+Mon Apr 07 08:46:06 UTC 2025 - Felix Niederwanger <felix.niederwan...@suse.de>
+
+- Update to version 2.22.3:
+ * Update version in 'action.yml' to 2.22.3 (anticipating next version (#1332)
+ * Update go version to 1.24.2 and 1.23.8 (#1331)
+ * remove G113. It only affects old/unsupported versions of Go (#1328)
+ * chore(deps): update all dependencies (#1325)
+ * Add SSOJet (#1320)
+ * chore(deps): update all dependencies (#1319)
+ * Update the integrity sha for babel dependency in html report (#1316)
+ * Add support for `//gosec:disable` directive (#1314)
+ * chore(deps): update all dependencies (#1315)
+
+-------------------------------------------------------------------
Old:
----
gosec-2.22.2.obscpio
New:
----
gosec-2.22.3.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.K2l9hZ/_old 2025-04-07 18:41:59.012969265 +0200
+++ /var/tmp/diff_new_pack.K2l9hZ/_new 2025-04-07 18:41:59.016969433 +0200
@@ -17,7 +17,7 @@
Name: gosec
-Version: 2.22.2
+Version: 2.22.3
Release: 0
Summary: CLI tool to scan the Go AST and SSA code representations for
security problems
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.K2l9hZ/_old 2025-04-07 18:41:59.056971118 +0200
+++ /var/tmp/diff_new_pack.K2l9hZ/_new 2025-04-07 18:41:59.060971287 +0200
@@ -4,7 +4,7 @@
<param name="filename">gosec</param>
<param name="url">https://github.com/securego/gosec.git</param>
<param name="scm">git</param>
- <param name="version">v2.22.2</param>
+ <param name="version">v2.22.3</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.K2l9hZ/_old 2025-04-07 18:41:59.080972130 +0200
+++ /var/tmp/diff_new_pack.K2l9hZ/_new 2025-04-07 18:41:59.084972298 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/securego/gosec.git</param>
- <param
name="changesrevision">136f6c00402b11775d4f4a45d5a21e2f6dd99db2</param></service></servicedata>
+ <param
name="changesrevision">1d458c50e1a9aa6c0d414dfde3998d66cf2c4fc7</param></service></servicedata>
(No newline at EOF)
++++++ gosec-2.22.2.obscpio -> gosec-2.22.3.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/.github/workflows/ci.yml
new/gosec-2.22.3/.github/workflows/ci.yml
--- old/gosec-2.22.2/.github/workflows/ci.yml 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/.github/workflows/ci.yml 2025-04-04 10:36:07.000000000
+0200
@@ -10,7 +10,7 @@
test:
strategy:
matrix:
- version: [{go: '1.23.7', golangci: 'latest'}, {go: '1.24.1', golangci:
'latest'}]
+ version: [{go: '1.23.8', golangci: 'latest'}, {go: '1.24.2', golangci:
'latest'}]
runs-on: ubuntu-latest
env:
GO111MODULE: on
@@ -48,7 +48,7 @@
- name: Setup go
uses: actions/setup-go@v5
with:
- go-version: '1.24.1'
+ go-version: '1.24.2'
- name: Checkout Source
uses: actions/checkout@v4
- uses: actions/cache@v4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/.github/workflows/release.yml
new/gosec-2.22.3/.github/workflows/release.yml
--- old/gosec-2.22.2/.github/workflows/release.yml 2025-03-05
11:40:35.000000000 +0100
+++ new/gosec-2.22.3/.github/workflows/release.yml 2025-04-04
10:36:07.000000000 +0200
@@ -17,7 +17,7 @@
- name: Set up Go
uses: actions/setup-go@v5
with:
- go-version: '1.24.1'
+ go-version: '1.24.2'
- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/README.md new/gosec-2.22.3/README.md
--- old/gosec-2.22.2/README.md 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/README.md 2025-04-04 10:36:07.000000000 +0200
@@ -138,7 +138,6 @@
- G110: Potential DoS vulnerability via decompression bomb
- G111: Potential directory traversal
- G112: Potential slowloris attack
-- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
- G114: Use of net/http serve function that has no support for setting timeouts
- G115: Potential integer overflow when converting between integer types
- G201: SQL query construction using format string
@@ -172,6 +171,7 @@
### Retired rules
- G105: Audit the use of math/big.Int.Exp - [CVE is
fixed](https://github.com/golang/go/issues/15184)
+- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772).
This affected Go <1.16.14 and Go <1.17.7, which are no longer supported by
gosec.
- G307: Deferring a method which returns an error - causing more inconvenience
than fixing a security issue, despite the details from this [blog
post](https://www.joeshaw.org/dont-defer-close-on-writable-files/)
### Selecting rules
@@ -304,7 +304,13 @@
justification should be after the rule(s) to suppress and start with two or
more dashes, e.g: `//#nosec G101 G102 -- This is a false positive`
-In some cases you may also want to revisit places where `#nosec` annotations
+Alternatively, gosec also supports the `//gosec:disable` directive, which
functions similar to `#nosec`:
+
+```go
+//gosec:disable G101 -- This is a false positive
+```
+
+In some cases you may also want to revisit places where `#nosec` or
`//gosec:disable` annotations
have been used. To run the scanner and ignore any `#nosec` annotations you
can do the following:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/USERS.md new/gosec-2.22.3/USERS.md
--- old/gosec-2.22.2/USERS.md 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/USERS.md 2025-04-04 10:36:07.000000000 +0200
@@ -16,6 +16,7 @@
10. [Checkmarx](https://www.checkmarx.com/)
11. [SeatGeek](https://www.seatgeek.com/)
12. [reMarkable](https://remarkable.com)
+13. [SSOJet](https://ssojet.com)
## Projects
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/action.yml new/gosec-2.22.3/action.yml
--- old/gosec-2.22.2/action.yml 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/action.yml 2025-04-04 10:36:07.000000000 +0200
@@ -10,7 +10,7 @@
runs:
using: 'docker'
- image: 'docker://securego/gosec:2.22.1'
+ image: 'docker://securego/gosec:2.22.3'
args:
- ${{ inputs.args }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/analyzer.go new/gosec-2.22.3/analyzer.go
--- old/gosec-2.22.2/analyzer.go 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/analyzer.go 2025-04-04 10:36:07.000000000 +0200
@@ -57,6 +57,8 @@
const aliasOfAllRules = "*"
+var directiveRegexp = regexp.MustCompile("^//gosec:disable(?: (.+))?$")
+
type ignore struct {
start int
end int
@@ -582,53 +584,77 @@
}
for _, group := range groups {
- comment := strings.TrimSpace(group.Text())
- foundDefaultTag := strings.HasPrefix(comment, noSecDefaultTag)
|| regexp.MustCompile("\n *"+noSecDefaultTag).MatchString(comment)
- foundAlternativeTag := strings.HasPrefix(comment,
noSecAlternativeTag) || regexp.MustCompile("\n
*"+noSecAlternativeTag).MatchString(comment)
-
- if foundDefaultTag || foundAlternativeTag {
- gosec.stats.NumNosec++
-
- // Discard what's in front of the nosec tag.
- if foundDefaultTag {
- comment = strings.SplitN(comment,
noSecDefaultTag, 2)[1]
- } else {
- comment = strings.SplitN(comment,
noSecAlternativeTag, 2)[1]
- }
+ found, args := findNoSecDirective(group, noSecDefaultTag,
noSecAlternativeTag)
+ if !found {
+ continue
+ }
- // Extract the directive and the justification.
- justification := ""
- commentParts :=
regexp.MustCompile(`-{2,}`).Split(comment, 2)
- directive := commentParts[0]
- if len(commentParts) > 1 {
- justification =
strings.TrimSpace(strings.TrimRight(commentParts[1], "\n"))
- }
+ gosec.stats.NumNosec++
- // Pull out the specific rules that are listed to be
ignored.
- re := regexp.MustCompile(`(G\d{3})`)
- matches := re.FindAllStringSubmatch(directive, -1)
-
- suppression := issue.SuppressionInfo{
- Kind: "inSource",
- Justification: justification,
- }
+ // Extract the directive and the justification.
+ justification := ""
+ commentParts := regexp.MustCompile(`-{2,}`).Split(args, 2)
+ directive := commentParts[0]
+ if len(commentParts) > 1 {
+ justification =
strings.TrimSpace(strings.TrimRight(commentParts[1], "\n"))
+ }
- // Find the rule IDs to ignore.
- ignores := make(map[string]issue.SuppressionInfo)
- for _, v := range matches {
- ignores[v[1]] = suppression
- }
+ // Pull out the specific rules that are listed to be ignored.
+ re := regexp.MustCompile(`(G\d{3})`)
+ matches := re.FindAllStringSubmatch(directive, -1)
- // If no specific rules were given, ignore everything.
- if len(matches) == 0 {
- ignores[aliasOfAllRules] = suppression
- }
- return ignores
+ suppression := issue.SuppressionInfo{
+ Kind: "inSource",
+ Justification: justification,
+ }
+
+ // Find the rule IDs to ignore.
+ ignores := make(map[string]issue.SuppressionInfo)
+ for _, v := range matches {
+ ignores[v[1]] = suppression
+ }
+
+ // If no specific rules were given, ignore everything.
+ if len(matches) == 0 {
+ ignores[aliasOfAllRules] = suppression
}
+ return ignores
}
return nil
}
+// findNoSecDirective checks if the comment group contains `#nosec` or
`//gosec:disable` directive.
+// If found, it returns true and the directive's arguments.
+func findNoSecDirective(group *ast.CommentGroup, noSecDefaultTag,
noSecAlternativeTag string) (bool, string) {
+ // Check if the comment grounp has a nosec comment.
+ for _, tag := range []string{noSecDefaultTag, noSecAlternativeTag} {
+ if found, args := findNoSecTag(group, tag); found {
+ return true, args
+ }
+ }
+
+ // Check if the comment group has a directive comment.
+ for _, c := range group.List {
+ match := directiveRegexp.FindStringSubmatch(c.Text)
+ if len(match) > 0 {
+ return true, match[0]
+ }
+ }
+
+ return false, ""
+}
+
+func findNoSecTag(group *ast.CommentGroup, tag string) (bool, string) {
+ comment := strings.TrimSpace(group.Text())
+
+ if strings.HasPrefix(comment, tag) || regexp.MustCompile("\n
*"+tag).MatchString(comment) {
+ // Discard what's in front of the nosec tag.
+ return true, strings.SplitN(comment, tag, 2)[1]
+ }
+
+ return false, ""
+}
+
// Visit runs the gosec visitor logic over an AST created by parsing go code.
// Rule methods added with AddRule will be invoked as necessary.
func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/analyzer_test.go
new/gosec-2.22.3/analyzer_test.go
--- old/gosec-2.22.2/analyzer_test.go 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/analyzer_test.go 2025-04-04 10:36:07.000000000 +0200
@@ -230,6 +230,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when a disable directive is
present", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when a nosec line comment is
present", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
@@ -247,6 +264,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when a disable directive is
present", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when a nosec line comment is
present", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
@@ -264,6 +298,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when a disable directive is
present", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when a nosec block comment is
present", func() {
sample := testutils.SampleCodeG401[0]
source := sample.Code[0]
@@ -334,6 +385,24 @@
})
It("should not report errors when an exclude comment is present
for the correct rule", func() {
+ // Rule for MD5 weak crypto usage
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable G401", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
+ It("should not report errors when an exclude comment is present
for the correct rule", func() {
// Rule for DES weak crypto usage
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
@@ -352,6 +421,24 @@
})
It("should not report errors when an exclude comment is present
for the correct rule", func() {
+ // Rule for DES weak crypto usage
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable G405", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
+ It("should not report errors when an exclude comment is present
for the correct rule", func() {
// Rule for MD4 deprecated weak crypto usage
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
@@ -369,6 +456,24 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when an exclude comment is present
for the correct rule", func() {
+ // Rule for MD4 deprecated weak crypto usage
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable G406", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when a nosec block and line
comment are present", func() {
sample := testutils.SampleCodeG101[23]
source := sample.Code[0]
@@ -415,6 +520,52 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when a disable directive block and
line comment are present", func() {
+ sample := testutils.SampleCodeG101[26]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G101")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g101.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+ It("should not report errors when only a disable directive
block is present", func() {
+ sample := testutils.SampleCodeG101[27]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G101")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g101.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+ It("should not report errors when a single line nosec is
present on a multi-line issue", func() {
+ sample := testutils.SampleCodeG112[4]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G112")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g112.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should report errors when an exclude comment is present for
a different rule", func() {
sample := testutils.SampleCodeG401[0]
source := sample.Code[0]
@@ -433,6 +584,23 @@
})
It("should report errors when an exclude comment is present for
a different rule", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable G301", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
+ It("should report errors when an exclude comment is present for
a different rule", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
@@ -450,6 +618,23 @@
})
It("should report errors when an exclude comment is present for
a different rule", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable G301", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
+ It("should report errors when an exclude comment is present for
a different rule", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
@@ -466,6 +651,23 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should report errors when an exclude comment is present for
a different rule", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable G301", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
sample := testutils.SampleCodeG401[0]
source := sample.Code[0]
@@ -486,6 +688,25 @@
})
It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable G301 G401", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
+ It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
@@ -505,6 +726,25 @@
})
It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable G301 G405", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
+ It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
@@ -523,6 +763,25 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when an exclude comment is present
for multiple rules, including the correct rule", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable G301 G406", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should pass the build tags", func() {
sample := testutils.SampleCodeBuildTag[0]
source := sample.Code[0]
@@ -573,6 +832,29 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should be possible to overwrite disable directive, and
report issues", func() {
+ // Rule for MD5 weak crypto usage
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+
+ // overwrite nosec option
+ nosecIgnoreConfig := gosec.NewConfig()
+ nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
+ customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig,
tests, false, false, 1, logger)
+ customAnalyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = customAnalyzer.Process(buildTags,
nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := customAnalyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should be possible to overwrite nosec comments, and report
issues", func() {
// Rule for DES weak crypto usage
sample := testutils.SampleCodeG405[0]
@@ -596,6 +878,29 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should be possible to overwrite disable directive comments,
and report issues", func() {
+ // Rule for DES weak crypto usage
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+
+ // overwrite nosec option
+ nosecIgnoreConfig := gosec.NewConfig()
+ nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
+ customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig,
tests, false, false, 1, logger)
+ customAnalyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = customAnalyzer.Process(buildTags,
nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := customAnalyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should be possible to overwrite nosec comments, and report
issues", func() {
// Rule for MD4 weak crypto usage
sample := testutils.SampleCodeG406[0]
@@ -619,6 +924,29 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should be possible to overwrite disable directive comments,
and report issues", func() {
+ // Rule for MD4 weak crypto usage
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+
+ // overwrite nosec option
+ nosecIgnoreConfig := gosec.NewConfig()
+ nosecIgnoreConfig.SetGlobal(gosec.Nosec, "true")
+ customAnalyzer := gosec.NewAnalyzer(nosecIgnoreConfig,
tests, false, false, 1, logger)
+ customAnalyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = customAnalyzer.Process(buildTags,
nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := customAnalyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should be possible to overwrite nosec comments, and report
issues but they should not be counted", func() {
// Rule for MD5 weak crypto usage
sample := testutils.SampleCodeG401[0]
@@ -714,6 +1042,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when disable directive is in front
of a line", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "//Some description\n//gosec:disable G401\nh := md5.New()", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when nosec tag is in front of a
line", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
@@ -731,6 +1076,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when disable directive is in front
of a line", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "//Some description\n//gosec:disable
G405\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should not report errors when nosec tag is in front of a
line", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
@@ -748,6 +1110,23 @@
Expect(nosecIssues).Should(BeEmpty())
})
+ It("should not report errors when disable directive is in front
of a line", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "//Some description\n//gosec:disable G406\nh := md4.New()", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
It("should report errors when nosec tag is not in front of a
line", func() {
sample := testutils.SampleCodeG401[0]
source := sample.Code[0]
@@ -867,6 +1246,23 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should report errors when there are disable directives
after a //gosec:disable WrongRuleList", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "//gosec:disable G301\n//gosec:disable\nh := md5.New()", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should report errors when there are nosec tags after a
#nosec WrongRuleList annotation", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
@@ -884,6 +1280,23 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should report errors when there are disable directives
after a //gosec:disable WrongRuleList", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "//gosec:disable
G301\n//gosec:disable\nc, e := des.NewCipher([]byte(\"mySecret\"))", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should report errors when there are nosec tags after a
#nosec WrongRuleList annotation", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
@@ -901,6 +1314,23 @@
Expect(nosecIssues).Should(HaveLen(sample.Errors))
})
+ It("should report errors when there are disable directives
after a //gosec:disable WrongRuleList", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "//gosec:disable G301\n//gosec:disable\nh := md4.New()", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(HaveLen(sample.Errors))
+ })
+
It("should be possible to use an alternative nosec tag", func()
{
// Rule for MD5 weak crypto usage
sample := testutils.SampleCodeG401[0]
@@ -1366,6 +1796,26 @@
})
It("should not report an error if the violation is suppressed",
func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable G401 -- Justification", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
+ })
+
+ It("should not report an error if the violation is suppressed",
func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
@@ -1386,6 +1836,26 @@
})
It("should not report an error if the violation is suppressed",
func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable G405 -- Justification", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
+ })
+
+ It("should not report an error if the violation is suppressed",
func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
@@ -1405,6 +1875,26 @@
Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
})
+ It("should not report an error if the violation is suppressed",
func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable G406 -- Justification", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
+ })
+
It("should not report an error if the violation is suppressed
without certain rules", func() {
sample := testutils.SampleCodeG401[0]
source := sample.Code[0]
@@ -1426,6 +1916,26 @@
})
It("should not report an error if the violation is suppressed
without certain rules", func() {
+ sample := testutils.SampleCodeG401[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G401")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md5.New()", "h := md5.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md5.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
+ })
+
+ It("should not report an error if the violation is suppressed
without certain rules", func() {
sample := testutils.SampleCodeG405[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
@@ -1446,6 +1956,26 @@
})
It("should not report an error if the violation is suppressed
without certain rules", func() {
+ sample := testutils.SampleCodeG405[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G405")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "c, e :=
des.NewCipher([]byte(\"mySecret\"))", "c, e :=
des.NewCipher([]byte(\"mySecret\")) //gosec:disable", 1)
+ nosecPackage.AddFile("cipher.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
+ })
+
+ It("should not report an error if the violation is suppressed
without certain rules", func() {
sample := testutils.SampleCodeG406[0]
source := sample.Code[0]
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
@@ -1465,6 +1995,26 @@
Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
})
+ It("should not report an error if the violation is suppressed
without certain rules", func() {
+ sample := testutils.SampleCodeG406[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G406")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source, "h :=
md4.New()", "h := md4.New() //gosec:disable", 1)
+ nosecPackage.AddFile("md4.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
+ })
+
It("should not report an error if the rule is not included",
func() {
sample := testutils.SampleCodeG101[0]
source := sample.Code[0]
@@ -1618,6 +2168,27 @@
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
})
+ It("should not report an error if the violation is suppressed
on a struct filed", func() {
+ sample := testutils.SampleCodeG402[0]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G402")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecSource := strings.Replace(source,
+ "TLSClientConfig:
&tls.Config{InsecureSkipVerify: true}",
+ "TLSClientConfig:
&tls.Config{InsecureSkipVerify: true} //gosec:disable G402", 1)
+ nosecPackage.AddFile("tls.go", nosecSource)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(sample.Errors))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+ })
+
It("should not report an error if the violation is suppressed
on multi-lien issue", func() {
source := `
package main
@@ -1633,6 +2204,37 @@
func main() {
fmt.Printf("Label: %s ", TokenLabel)
}
+ `
+ analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G101")).RulesInfo())
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("pwd.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ issues, _, _ := analyzer.Report()
+ Expect(issues).To(HaveLen(1))
+ Expect(issues[0].Suppressions).To(HaveLen(1))
+
Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
+
Expect(issues[0].Suppressions[0].Justification).To(Equal("false positive, this
is not a private data"))
+ })
+
+ It("should not report an error if the violation is suppressed
on multi-lien issue", func() {
+ source := `
+package main
+
+import (
+ "fmt"
+)
+
+const TokenLabel = `
+ source += "`" + `
+f62e5bcda4fae4f82370da0c6f20697b8f8447ef
+ ` + "`" + "//gosec:disable G101 -- false positive, this is not a private
data" + `
+func main() {
+ fmt.Printf("Label: %s ", TokenLabel)
+}
`
analyzer.LoadRules(rules.Generate(false,
rules.NewRuleFilter(false, "G101")).RulesInfo())
nosecPackage := testutils.NewTestPackage()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/go.mod new/gosec-2.22.3/go.mod
--- old/gosec-2.22.2/go.mod 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/go.mod 2025-04-04 10:36:07.000000000 +0200
@@ -7,13 +7,13 @@
github.com/gookit/color v1.5.4
github.com/lib/pq v1.10.9
github.com/mozilla/tls-observatory v0.0.0-20210609171429-7bc42856d2e5
- github.com/onsi/ginkgo/v2 v2.22.2
- github.com/onsi/gomega v1.36.2
+ github.com/onsi/ginkgo/v2 v2.23.3
+ github.com/onsi/gomega v1.36.3
github.com/stretchr/testify v1.10.0
- golang.org/x/crypto v0.35.0
- golang.org/x/text v0.22.0
- golang.org/x/tools v0.30.0
- google.golang.org/api v0.223.0
+ golang.org/x/crypto v0.36.0
+ golang.org/x/text v0.23.0
+ golang.org/x/tools v0.31.0
+ google.golang.org/api v0.228.0
gopkg.in/yaml.v3 v3.0.1
)
@@ -21,7 +21,7 @@
cloud.google.com/go v0.116.0 // indirect
cloud.google.com/go/ai v0.8.0 // indirect
cloud.google.com/go/auth v0.15.0 // indirect
- cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+ cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
cloud.google.com/go/longrunning v0.5.7 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
@@ -32,7 +32,7 @@
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
github.com/google/s2a-go v0.1.9 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
@@ -43,16 +43,16 @@
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
- golang.org/x/mod v0.23.0 // indirect
- golang.org/x/net v0.35.0 // indirect
- golang.org/x/oauth2 v0.26.0 // indirect
- golang.org/x/sync v0.11.0 // indirect
- golang.org/x/sys v0.30.0 // indirect
- golang.org/x/time v0.10.0 // indirect
- google.golang.org/genproto/googleapis/api
v0.0.0-20241209162323-e6fa225c2576 // indirect
- google.golang.org/genproto/googleapis/rpc
v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
- google.golang.org/grpc v1.70.0 // indirect
- google.golang.org/protobuf v1.36.5 // indirect
+ golang.org/x/mod v0.24.0 // indirect
+ golang.org/x/net v0.37.0 // indirect
+ golang.org/x/oauth2 v0.28.0 // indirect
+ golang.org/x/sync v0.12.0 // indirect
+ golang.org/x/sys v0.31.0 // indirect
+ golang.org/x/time v0.11.0 // indirect
+ google.golang.org/genproto/googleapis/api
v0.0.0-20250106144421-5f5ef82da422 // indirect
+ google.golang.org/genproto/googleapis/rpc
v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+ google.golang.org/grpc v1.71.0 // indirect
+ google.golang.org/protobuf v1.36.6 // indirect
)
go 1.23.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/go.sum new/gosec-2.22.3/go.sum
--- old/gosec-2.22.2/go.sum 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/go.sum 2025-04-04 10:36:07.000000000 +0200
@@ -19,8 +19,8 @@
cloud.google.com/go/ai v0.8.0/go.mod
h1:t3Dfk4cM61sytiggo2UyGsDVW3RF1qGZaUKDrZFyqkE=
cloud.google.com/go/auth v0.15.0
h1:Ly0u4aA5vG/fsSsxu98qCQBemXtAtJf+95z9HK+cxps=
cloud.google.com/go/auth v0.15.0/go.mod
h1:WJDGqZ1o9E9wKIL+IwStfyn/+s59zl4Bi+1KQNVXLZ8=
-cloud.google.com/go/auth/oauth2adapt v0.2.7
h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M=
-cloud.google.com/go/auth/oauth2adapt v0.2.7/go.mod
h1:NTbTTzfvPl1Y3V1nPpOgl2w6d/FjO7NNUQaWSox6ZMc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8
h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod
h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
cloud.google.com/go/bigquery v1.0.1/go.mod
h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
cloud.google.com/go/bigquery v1.3.0/go.mod
h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
cloud.google.com/go/bigquery v1.4.0/go.mod
h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -190,8 +190,8 @@
github.com/google/uuid v1.1.1/go.mod
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.4
h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
-github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod
h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6
h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod
h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod
h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gax-go/v2 v2.14.1
h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q=
@@ -290,11 +290,11 @@
github.com/olekukonko/tablewriter v0.0.2/go.mod
h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
github.com/onsi/ginkgo v1.6.0/go.mod
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.3/go.mod
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo/v2 v2.22.2
h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
-github.com/onsi/ginkgo/v2 v2.22.2/go.mod
h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
+github.com/onsi/ginkgo/v2 v2.23.3
h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
+github.com/onsi/ginkgo/v2 v2.23.3/go.mod
h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
github.com/onsi/gomega v1.7.1/go.mod
h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
-github.com/onsi/gomega v1.36.2/go.mod
h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
+github.com/onsi/gomega v1.36.3/go.mod
h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
github.com/opentracing/opentracing-go v1.1.0/go.mod
h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
github.com/pelletier/go-toml v1.2.0/go.mod
h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod
h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -391,8 +391,8 @@
go.opentelemetry.io/otel/metric v1.34.0/go.mod
h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
go.opentelemetry.io/otel/sdk v1.34.0
h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
go.opentelemetry.io/otel/sdk v1.34.0/go.mod
h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0
h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod
h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/sdk/metric v1.34.0
h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod
h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
go.opentelemetry.io/otel/trace v1.34.0
h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
go.opentelemetry.io/otel/trace v1.34.0/go.mod
h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
go.uber.org/atomic v1.3.2/go.mod
h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -413,8 +413,8 @@
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod
h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod
h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -446,8 +446,8 @@
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
-golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -480,15 +480,15 @@
golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
-golang.org/x/oauth2 v0.26.0/go.mod
h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod
h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -498,8 +498,8 @@
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod
h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod
h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -540,25 +540,25 @@
golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod
h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod
h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod
h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod
h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod
h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
-golang.org/x/time v0.10.0/go.mod
h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod
h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -605,8 +605,8 @@
golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
-golang.org/x/tools v0.30.0/go.mod
h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.31.0/go.mod
h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -626,8 +626,8 @@
google.golang.org/api v0.24.0/go.mod
h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
google.golang.org/api v0.28.0/go.mod
h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
google.golang.org/api v0.29.0/go.mod
h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.223.0 h1:JUTaWEriXmEy5AhvdMgksGGPEFsYfUKaPEYXd4c3Wvc=
-google.golang.org/api v0.223.0/go.mod
h1:C+RS7Z+dDwds2b+zoAk5hN/eSfsiCn0UDrYof/M4d2M=
+google.golang.org/api v0.228.0 h1:X2DJ/uoWGnY5obVjewbp8icSL5U4FzuCfy9OjbLSnLs=
+google.golang.org/api v0.228.0/go.mod
h1:wNvRS1Pbe8r4+IfBIniV8fwCpGwTrYa+kMUDiC5z5a4=
google.golang.org/appengine v1.1.0/go.mod
h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod
h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod
h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -666,10 +666,10 @@
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod
h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20200626011028-ee7919e894b5/go.mod
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20200707001353-8e8330bf89df/go.mod
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576
h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
-google.golang.org/genproto/googleapis/api
v0.0.0-20241209162323-e6fa225c2576/go.mod
h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2
h1:DMTIbak9GhdaSxEjvVzAeNZvyc03I61duqNbnm3SU0M=
-google.golang.org/genproto/googleapis/rpc
v0.0.0-20250219182151-9fdb1cabc7b2/go.mod
h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422
h1:GVIKPyP/kLIyVOgOnTwFOrvQaQUzOzGMCxgFUOEmm24=
+google.golang.org/genproto/googleapis/api
v0.0.0-20250106144421-5f5ef82da422/go.mod
h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4
h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c=
+google.golang.org/genproto/googleapis/rpc
v0.0.0-20250313205543-e70fdf4c4cb4/go.mod
h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
google.golang.org/grpc v1.8.0/go.mod
h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.19.0/go.mod
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod
h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -684,8 +684,8 @@
google.golang.org/grpc v1.28.0/go.mod
h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
google.golang.org/grpc v1.29.0/go.mod
h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
google.golang.org/grpc v1.29.1/go.mod
h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
-google.golang.org/grpc v1.70.0/go.mod
h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod
h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod
h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod
h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod
h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -696,8 +696,8 @@
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod
h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod
h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.25.0/go.mod
h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.5
h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod
h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6
h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod
h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod
h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/issue/issue.go
new/gosec-2.22.3/issue/issue.go
--- old/gosec-2.22.2/issue/issue.go 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/issue/issue.go 2025-04-04 10:36:07.000000000 +0200
@@ -65,7 +65,6 @@
"G110": "409",
"G111": "22",
"G112": "400",
- "G113": "190",
"G114": "676",
"G115": "190",
"G201": "89",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/report/formatter_test.go
new/gosec-2.22.3/report/formatter_test.go
--- old/gosec-2.22.2/report/formatter_test.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/report/formatter_test.go 2025-04-04 10:36:07.000000000
+0200
@@ -278,11 +278,40 @@
})
Context("When using different report formats", func() {
grules := []string{
- "G101", "G102", "G103", "G104", "G106", "G107", "G109",
- "G110", "G111", "G112", "G113", "G201", "G202", "G203",
- "G204", "G301", "G302", "G303", "G304", "G305", "G401",
- "G402", "G403", "G404", "G405", "G406", "G407", "G501",
- "G502", "G503", "G504", "G505", "G506", "G507", "G601",
+ "G101",
+ "G102",
+ "G103",
+ "G104",
+ "G106",
+ "G107",
+ "G109",
+ "G110",
+ "G111",
+ "G112",
+ "G201",
+ "G202",
+ "G203",
+ "G204",
+ "G301",
+ "G302",
+ "G303",
+ "G304",
+ "G305",
+ "G401",
+ "G402",
+ "G403",
+ "G404",
+ "G405",
+ "G406",
+ "G407",
+ "G501",
+ "G502",
+ "G503",
+ "G504",
+ "G505",
+ "G506",
+ "G507",
+ "G601",
}
It("csv formatted report should contain the CWE mapping",
func() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/report/html/template.html
new/gosec-2.22.3/report/html/template.html
--- old/gosec-2.22.2/report/html/template.html 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/report/html/template.html 2025-04-04 10:36:07.000000000
+0200
@@ -10,7 +10,7 @@
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.1/languages/go.min.js";
integrity="sha512-weC0VNVf2qQR6OY675qO0AEL92gt3h5f2VGjhMUvi/UqFHaWzIEL5S/8Dt763fWfKftchzb7GryvEj/2HC9Exw=="
crossorigin="anonymous"></script>
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js";
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
crossorigin="anonymous"></script>
<script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js";
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
crossorigin="anonymous"></script>
- <script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.26.4/babel.min.js";
integrity="sha512-hX7KzoYtNHhNJsz8TAHyddcegokOwhmYiFWCDHqFkcoNVsYwCziO+NISSRlNKpfOYaqyQxm2+MTCJqSaHssJTA=="
crossorigin="anonymous"></script>
+ <script type="text/javascript"
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.26.5/babel.min.js";
integrity="sha512-Y37Caenc5CZqwSMwWZj+5uxkB3Loc9yJNHvb+eSwEsT6nhURSrPZo39vTnb5g8UvOGCNXRbQ+xQvnqr2rR9nRw=="
crossorigin="anonymous"></script>
<style>
.field-label {
min-width: 80px;
@@ -73,7 +73,7 @@
var current = ReactDOM.findDOMNode(this);
hljs.highlightElement(current);
},
- render: function() {
+ render: function() {
return (
<pre className="go"><code >{ this.props.code }</code></pre>
);
@@ -407,14 +407,14 @@
<div className="column is-one-quarter">
<Navigation
data={ this.props.data }
- severity={ this.state.severity }
+ severity={ this.state.severity }
confidence={ this.state.confidence }
issueType={ this.state.issueType }
- allSeverities={ this.state.allSeverities }
+ allSeverities={ this.state.allSeverities }
allConfidences={ this.state.allConfidences }
allIssueTypes={ this.state.allIssueTypes }
- onSeverity={ this.handleSeverity }
- onConfidence={ this.handleConfidence }
+ onSeverity={ this.handleSeverity }
+ onConfidence={ this.handleConfidence }
onIssueType={ this.handleIssueType }
/>
</div>
@@ -437,4 +437,4 @@
);
</script>
</body>
-</html>
\ No newline at end of file
+</html>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/rules/math_big_rat.go
new/gosec-2.22.3/rules/math_big_rat.go
--- old/gosec-2.22.2/rules/math_big_rat.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/rules/math_big_rat.go 1970-01-01 01:00:00.000000000
+0100
@@ -1,45 +0,0 @@
-package rules
-
-import (
- "go/ast"
-
- "github.com/securego/gosec/v2"
- "github.com/securego/gosec/v2/issue"
-)
-
-type usingOldMathBig struct {
- issue.MetaData
- calls gosec.CallList
-}
-
-func (r *usingOldMathBig) ID() string {
- return r.MetaData.ID
-}
-
-func (r *usingOldMathBig) Match(node ast.Node, ctx *gosec.Context) (gi
*issue.Issue, err error) {
- if callExpr := r.calls.ContainsPkgCallExpr(node, ctx, false); callExpr
== nil {
- return nil, nil
- }
-
- confidence := issue.Low
- major, minor, build := gosec.GoVersion()
- if major == 1 && (minor == 16 && build < 14 || minor == 17 && build <
7) {
- confidence = issue.Medium
- }
-
- return ctx.NewIssue(node, r.ID(), r.What, r.Severity, confidence), nil
-}
-
-// NewUsingOldMathBig rule detects the use of Rat.SetString from math/big.
-func NewUsingOldMathBig(id string, _ gosec.Config) (gosec.Rule, []ast.Node) {
- calls := gosec.NewCallList()
- calls.Add("math/big.Rat", "SetString")
- return &usingOldMathBig{
- calls: calls,
- MetaData: issue.MetaData{
- ID: id,
- What: "Potential uncontrolled memory consumption in
Rat.SetString (CVE-2022-23772)",
- Severity: issue.High,
- },
- }, []ast.Node{(*ast.CallExpr)(nil)}
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/rules/rulelist.go
new/gosec-2.22.3/rules/rulelist.go
--- old/gosec-2.22.2/rules/rulelist.go 2025-03-05 11:40:35.000000000 +0100
+++ new/gosec-2.22.3/rules/rulelist.go 2025-04-04 10:36:07.000000000 +0200
@@ -75,7 +75,6 @@
{"G110", "Detect io.Copy instead of io.CopyN when
decompression", NewDecompressionBombCheck},
{"G111", "Detect http.Dir('/') as a potential risk",
NewDirectoryTraversal},
{"G112", "Detect ReadHeaderTimeout not configured as a
potential risk", NewSlowloris},
- {"G113", "Usage of Rat.SetString in math/big with an overflow",
NewUsingOldMathBig},
{"G114", "Use of net/http serve function that has no support
for setting timeouts", NewHTTPServeWithoutTimeouts},
// injection
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/rules/rules_test.go
new/gosec-2.22.3/rules/rules_test.go
--- old/gosec-2.22.2/rules/rules_test.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/rules/rules_test.go 2025-04-04 10:36:07.000000000
+0200
@@ -103,10 +103,6 @@
runner("G112", testutils.SampleCodeG112)
})
- It("should detect potential uncontrolled memory consumption in
Rat.SetString", func() {
- runner("G113", testutils.SampleCodeG113)
- })
-
It("should detect uses of net/http serve functions that have no
support for setting timeouts", func() {
runner("G114", testutils.SampleCodeG114)
})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/testutils/g101_samples.go
new/gosec-2.22.3/testutils/g101_samples.go
--- old/gosec-2.22.2/testutils/g101_samples.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/testutils/g101_samples.go 2025-04-04 10:36:07.000000000
+0200
@@ -322,6 +322,50 @@
}
`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+//gosec:disable G101
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config"
//gosec:disable G101
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+//gosec:disable G101
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config"
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config"
//gosec:disable G101
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
}
// SampleCodeG101Values code snippets for hardcoded credentials
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/testutils/g112_samples.go
new/gosec-2.22.3/testutils/g112_samples.go
--- old/gosec-2.22.2/testutils/g112_samples.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/testutils/g112_samples.go 2025-04-04 10:36:07.000000000
+0200
@@ -102,4 +102,36 @@
fmt.Print("test")
}
`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import (
+ "fmt"
+ "net/http"
+ "sync"
+)
+
+type Server struct {
+ hs *http.Server
+ mux *http.ServeMux
+ mu sync.Mutex
+}
+
+func New(listenAddr string) *Server {
+ mux := http.NewServeMux()
+
+ return &Server{
+ hs: &http.Server{ //gosec:disable G112 - Not publicly exposed
+ Addr: listenAddr,
+ Handler: mux,
+ },
+ mux: mux,
+ mu: sync.Mutex{},
+ }
+}
+
+func main() {
+ fmt.Print("test")
+}
+`}, 0, gosec.NewConfig()},
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/gosec-2.22.2/testutils/g113_samples.go
new/gosec-2.22.3/testutils/g113_samples.go
--- old/gosec-2.22.2/testutils/g113_samples.go 2025-03-05 11:40:35.000000000
+0100
+++ new/gosec-2.22.3/testutils/g113_samples.go 1970-01-01 01:00:00.000000000
+0100
@@ -1,22 +0,0 @@
-package testutils
-
-import "github.com/securego/gosec/v2"
-
-// SampleCodeG113 - Usage of Rat.SetString in math/big with an overflow
-var SampleCodeG113 = []CodeSample{
- {[]string{`
-package main
-
-import (
- "math/big"
- "fmt"
-)
-
-func main() {
- r := big.Rat{}
- r.SetString("13e-9223372036854775808")
-
- fmt.Println(r)
-}
-`}, 1, gosec.NewConfig()},
-}
++++++ gosec.obsinfo ++++++
--- /var/tmp/diff_new_pack.K2l9hZ/_old 2025-04-07 18:41:59.256979544 +0200
+++ /var/tmp/diff_new_pack.K2l9hZ/_new 2025-04-07 18:41:59.260979713 +0200
@@ -1,5 +1,5 @@
name: gosec
-version: 2.22.2
-mtime: 1741171235
-commit: 136f6c00402b11775d4f4a45d5a21e2f6dd99db2
+version: 2.22.3
+mtime: 1743755767
+commit: 1d458c50e1a9aa6c0d414dfde3998d66cf2c4fc7
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/gosec/vendor.tar.gz
/work/SRC/openSUSE:Factory/.gosec.new.1907/vendor.tar.gz differ: char 5, line 1
