Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gosec for openSUSE:Factory checked 
in at 2025-07-30 11:45:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gosec (Old)
 and      /work/SRC/openSUSE:Factory/.gosec.new.13279 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gosec"

Wed Jul 30 11:45:31 2025 rev:25 rq:1296369 version:2.22.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/gosec/gosec.changes      2025-06-17 
18:22:12.094255257 +0200
+++ /work/SRC/openSUSE:Factory/.gosec.new.13279/gosec.changes   2025-07-30 
11:46:36.033760389 +0200
@@ -1,0 +2,15 @@
+Tue Jul 29 07:04:07 UTC 2025 - Felix Niederwanger <[email protected]>
+
+- Update to version 2.22.7:
+  * Fix crash in hardcoded_nonce analyzer
+  * Update go action to use release v2.22.6
+  * Update go version to 1.24.5 and 1.23.11 in the CI
+  * chore(deps): update module google.golang.org/api to v0.242.0
+  * chore(deps): update all dependencies
+  * chore(deps): update all dependencies
+  * chore(deps): update all dependencies
+  * chore(deps): update all dependencies
+  * Do not allow dashes in file names
+  * Update gosec to version 2.22.5 in Github action
+
+-------------------------------------------------------------------

Old:
----
  gosec-2.22.5.obscpio

New:
----
  gosec-2.22.7.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gosec.spec ++++++
--- /var/tmp/diff_new_pack.YJQJZS/_old  2025-07-30 11:46:36.889795800 +0200
+++ /var/tmp/diff_new_pack.YJQJZS/_new  2025-07-30 11:46:36.889795800 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           gosec
-Version:        2.22.5
+Version:        2.22.7
 Release:        0
 Summary:        CLI tool to scan the Go AST and SSA code representations for 
security problems
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.YJQJZS/_old  2025-07-30 11:46:36.937797786 +0200
+++ /var/tmp/diff_new_pack.YJQJZS/_new  2025-07-30 11:46:36.945798117 +0200
@@ -4,7 +4,8 @@
     <param name="filename">gosec</param>
     <param name="url">https://github.com/securego/gosec.git</param>
     <param name="scm">git</param>
-    <param name="revision">v2.22.5</param>
+       <param name="revision">v2.22.7</param>
+       <param name="match-tag">v*</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>
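Review bot: The two added `<param>` lines are indented deeper than the four-space lines around them, which looks like tabs mixed into a space-indented file; re-indent them to match, e.g. `    <param name="match-tag">v*</param>`. Separately, `revision` names the git tag `v2.22.7`, which upstream can move, so what was actually fetched is fixed only by the commit recorded in `_servicedata` and `gosec.obsinfo` (`32975f4bab0d7b683a88756aaf3fa5502188b476` on this page). Comparing that hash against upstream's release tag is the check that ties this update to the intended source. `match-tag` presumably narrows which tags `@PARENT_TAG@` may resolve to; a short comment in `_service` saying why it was added would help the next maintainer.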

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.YJQJZS/_old  2025-07-30 11:46:36.961798779 +0200
+++ /var/tmp/diff_new_pack.YJQJZS/_new  2025-07-30 11:46:36.965798945 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/securego/gosec.git</param>
-              <param 
name="changesrevision">d2d3ae66bd8d340b78b5142b6fe610691783c2fe</param></service></servicedata>
+              <param 
name="changesrevision">32975f4bab0d7b683a88756aaf3fa5502188b476</param></service></servicedata>
 (No newline at EOF)
 

++++++ gosec-2.22.5.obscpio -> gosec-2.22.7.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/.github/workflows/ci.yml 
new/gosec-2.22.7/.github/workflows/ci.yml
--- old/gosec-2.22.5/.github/workflows/ci.yml   2025-06-16 11:50:02.000000000 
+0200
+++ new/gosec-2.22.7/.github/workflows/ci.yml   2025-07-21 17:19:49.000000000 
+0200
@@ -10,7 +10,7 @@
   test:
     strategy:
       matrix:
-        version: [{go: '1.23.10', golangci: 'latest'}, {go: '1.24.4', 
golangci: 'latest'}]
+        version: [{go: '1.23.11', golangci: 'latest'}, {go: '1.24.5', 
golangci: 'latest'}]
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
@@ -48,7 +48,7 @@
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.4'
+          go-version: '1.24.5'
       - name: Checkout Source
         uses: actions/checkout@v4
       - uses: actions/cache@v4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/.github/workflows/release.yml 
new/gosec-2.22.7/.github/workflows/release.yml
--- old/gosec-2.22.5/.github/workflows/release.yml      2025-06-16 
11:50:02.000000000 +0200
+++ new/gosec-2.22.7/.github/workflows/release.yml      2025-07-21 
17:19:49.000000000 +0200
@@ -17,7 +17,7 @@
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.4'
+          go-version: '1.24.5'
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3
         with:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/.golangci.yml 
new/gosec-2.22.7/.golangci.yml
--- old/gosec-2.22.5/.golangci.yml      2025-06-16 11:50:02.000000000 +0200
+++ new/gosec-2.22.7/.golangci.yml      2025-07-21 17:19:49.000000000 +0200
@@ -24,6 +24,9 @@
       rules:
         - name: dot-imports
           disabled: true
+        - name: filename-format
+          arguments:
+            - ^[a-z][_a-z0-9]*.go$
         - name: redefines-builtin-id
     staticcheck:
       checks:
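Review bot: The pattern added for `filename-format` leaves the dot before `go` unescaped, so `.` matches any character and `^[a-z][_a-z0-9]*.go$` also accepts a name such as `foo_go` or `fooXgo`. The linter probably only ever sees `.go` files, so the practical effect is small, but the expression should say what it means: `- ^[a-z][_a-z0-9]*\.go$`. A one-line comment above the rule, such as `# lower-case snake_case file names only; no dashes`, would record the intent stated in the changelog. The `rules:` list starts and continues outside this hunk.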
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/action.yml new/gosec-2.22.7/action.yml
--- old/gosec-2.22.5/action.yml 2025-06-16 11:50:02.000000000 +0200
+++ new/gosec-2.22.7/action.yml 2025-07-21 17:19:49.000000000 +0200
@@ -10,7 +10,7 @@
 
 runs:
     using: 'docker'
-    image: 'docker://securego/gosec:2.22.3'
+    image: 'docker://securego/gosec:2.22.6'
     args:
       - ${{ inputs.args }}
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/analyzers/hardcoded_nonce.go 
new/gosec-2.22.7/analyzers/hardcoded_nonce.go
--- old/gosec-2.22.5/analyzers/hardcoded_nonce.go       2025-06-16 
11:50:02.000000000 +0200
+++ new/gosec-2.22.7/analyzers/hardcoded_nonce.go       2025-07-21 
17:19:49.000000000 +0200
@@ -197,12 +197,20 @@
 }
 
 func addToVarsMap(value ssa.Value, mapToAddTo map[string]*ssa.Value) {
-       key := value.Name() + value.Type().String() + value.String() + 
value.Parent().String()
+       var parent string
+       if value.Parent() != nil {
+               parent = value.Parent().String()
+       }
+       key := value.Name() + value.Type().String() + value.String() + parent
        mapToAddTo[key] = &value
 }
 
 func isContainedInMap(value ssa.Value, mapToCheck map[string]*ssa.Value) bool {
-       key := value.Name() + value.Type().String() + value.String() + 
value.Parent().String()
+       var parent string
+       if value.Parent() != nil {
+               parent = value.Parent().String()
+       }
+       key := value.Name() + value.Type().String() + value.String() + parent
        _, contained := mapToCheck[key]
        return contained
 }
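Review bot: The nil-`Parent()` guard is now duplicated line for line in `addToVarsMap` and `isContainedInMap`, and both must build exactly the same key for the lookup to work, so the key construction belongs in one helper that both call. With an empty parent, a value that has no enclosing function is keyed only by its name, type and string form, concatenated without separators. Whether two distinct values can then share a key cannot be seen from this hunk and is worth checking. No test exercising a value with a nil parent is visible in this diff, so the crash fix appears to be unguarded against regression.

```go
// varsMapKey builds the map key for value. Parent() returns nil for values
// that do not belong to a function, in which case the parent part is empty.
func varsMapKey(value ssa.Value) string {
	var parent string
	if fn := value.Parent(); fn != nil {
		parent = fn.String()
	}
	return value.Name() + value.Type().String() + value.String() + parent
}

func addToVarsMap(value ssa.Value, mapToAddTo map[string]*ssa.Value) {
	mapToAddTo[varsMapKey(value)] = &value
}

func isContainedInMap(value ssa.Value, mapToCheck map[string]*ssa.Value) bool {
	_, contained := mapToCheck[varsMapKey(value)]
	return contained
}
```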
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/go.mod new/gosec-2.22.7/go.mod
--- old/gosec-2.22.5/go.mod     2025-06-16 11:50:02.000000000 +0200
+++ new/gosec-2.22.7/go.mod     2025-07-21 17:19:49.000000000 +0200
@@ -10,10 +10,10 @@
        github.com/onsi/ginkgo/v2 v2.23.4
        github.com/onsi/gomega v1.37.0
        github.com/stretchr/testify v1.10.0
-       golang.org/x/crypto v0.39.0
-       golang.org/x/text v0.26.0
-       golang.org/x/tools v0.34.0
-       google.golang.org/api v0.237.0
+       golang.org/x/crypto v0.40.0
+       golang.org/x/text v0.27.0
+       golang.org/x/tools v0.35.0
+       google.golang.org/api v0.242.0
        gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -44,11 +44,11 @@
        go.opentelemetry.io/otel/metric v1.36.0 // indirect
        go.opentelemetry.io/otel/trace v1.36.0 // indirect
        go.uber.org/automaxprocs v1.6.0 // indirect
-       golang.org/x/mod v0.25.0 // indirect
-       golang.org/x/net v0.41.0 // indirect
+       golang.org/x/mod v0.26.0 // indirect
+       golang.org/x/net v0.42.0 // indirect
        golang.org/x/oauth2 v0.30.0 // indirect
-       golang.org/x/sync v0.15.0 // indirect
-       golang.org/x/sys v0.33.0 // indirect
+       golang.org/x/sync v0.16.0 // indirect
+       golang.org/x/sys v0.34.0 // indirect
        golang.org/x/time v0.12.0 // indirect
        google.golang.org/genproto/googleapis/api 
v0.0.0-20250603155806-513f23925822 // indirect
        google.golang.org/genproto/googleapis/rpc 
v0.0.0-20250603155806-513f23925822 // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/go.sum new/gosec-2.22.7/go.sum
--- old/gosec-2.22.5/go.sum     2025-06-16 11:50:02.000000000 +0200
+++ new/gosec-2.22.7/go.sum     2025-07-21 17:19:49.000000000 +0200
@@ -417,8 +417,8 @@
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod 
h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod 
h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod 
h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -452,8 +452,8 @@
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -486,8 +486,8 @@
 golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod 
h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -504,8 +504,8 @@
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod 
h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod 
h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -546,18 +546,18 @@
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod 
h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod 
h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod 
h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod 
h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod 
h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -611,8 +611,8 @@
 golang.org/x/tools v0.0.0-20200626171337-aa94e735be7f/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200630154851-b2d8b0336632/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200706234117-b22de6825cf7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod 
h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod 
h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -632,8 +632,8 @@
 google.golang.org/api v0.24.0/go.mod 
h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.28.0/go.mod 
h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/api v0.29.0/go.mod 
h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.237.0 h1:MP7XVsGZesOsx3Q8WVa4sUdbrsTvDSOERd3Vh4xj/wc=
-google.golang.org/api v0.237.0/go.mod 
h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
+google.golang.org/api v0.242.0 h1:7Lnb1nfnpvbkCiZek6IXKdJ0MFuAZNAJKQfA1ws62xg=
+google.golang.org/api v0.242.0/go.mod 
h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
 google.golang.org/appengine v1.1.0/go.mod 
h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod 
h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod 
h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/report/html/template.html 
new/gosec-2.22.7/report/html/template.html
--- old/gosec-2.22.5/report/html/template.html  2025-06-16 11:50:02.000000000 
+0200
+++ new/gosec-2.22.7/report/html/template.html  2025-07-21 17:19:49.000000000 
+0200
@@ -4,13 +4,13 @@
   <meta charset="utf-8">
   <title>Golang Security Checker</title>
   <link rel="shortcut icon" type="image/png" 
href="https://securego.io/img/favicon.png";>
-  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/1.0.3/css/bulma.min.css"; 
integrity="sha512-4EnjWdm80dyWrJ7rh/tlhNt6fJL52dSDSHNEqfdVmBLpJLPrRYnFa+Kn4ZZL+FRkDL5/7lAXuHylzJkpzkSM2A=="
 crossorigin="anonymous"/>
+  <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/bulma/1.0.4/css/bulma.min.css"; 
integrity="sha512-yh2RE0wZCVZeysGiqTwDTO/dKelCbS9bP2L94UvOFtl/FKXcNAje3Y2oBg/ZMZ3LS1sicYk4dYVGtDex75fvvA=="
 crossorigin="anonymous"/>
   <link rel="stylesheet" 
href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.1/styles/default.min.css";
 
integrity="sha512-hasIneQUHlh06VNBe7f6ZcHmeRTLIaQWFd43YriJ0UND19bvYRauxthDg8E4eVNPm9bRUhr5JGeqH7FRFXQu5g=="
 crossorigin="anonymous"/>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.1/highlight.min.js";
 
integrity="sha512-EBLzUL8XLl+va/zAsmXwS7Z2B1F9HUHkZwyS/VKwh3S7T/U0nF4BaU29EP/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.11.1/languages/go.min.js";
 
integrity="sha512-weC0VNVf2qQR6OY675qO0AEL92gt3h5f2VGjhMUvi/UqFHaWzIEL5S/8Dt763fWfKftchzb7GryvEj/2HC9Exw=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.7.0/react.min.js"; 
integrity="sha512-+TFn1Gqbwx/qgwW3NU1/YtFYTfHGeD1e/8YfJZzkb6TFEZP4SUwp1Az9DMeWh3qC0F+YPKXbV3YclMUwBTvO3g=="
 crossorigin="anonymous"></script>
   <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/react/15.6.1/react-dom.min.js"; 
integrity="sha512-8C49ZG/SaQnWaUgCHTU1o8uIQNYE6R8me38SwF26g2Q0byEXF4Jlvm+T/JAMHMeTBiEVPslSZRv9Xt4AV0pfmw=="
 crossorigin="anonymous"></script>
-  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.26.5/babel.min.js";
 
integrity="sha512-Y37Caenc5CZqwSMwWZj+5uxkB3Loc9yJNHvb+eSwEsT6nhURSrPZo39vTnb5g8UvOGCNXRbQ+xQvnqr2rR9nRw=="
 crossorigin="anonymous"></script>
+  <script type="text/javascript" 
src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.28.1/babel.min.js";
 
integrity="sha512-SSqlwbIuz75Gz/tzPjqnxeFSMChqliTzO0op6pmAWyMiu9JGCsoVlJKflK4HrJNBH4SjryMrmLV4gGFn5qru/w=="
 crossorigin="anonymous"></script>
   <style>
   .field-label {
     min-width: 80px;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/rules/decompression-bomb.go 
new/gosec-2.22.7/rules/decompression-bomb.go
--- old/gosec-2.22.5/rules/decompression-bomb.go        2025-06-16 
11:50:02.000000000 +0200
+++ new/gosec-2.22.7/rules/decompression-bomb.go        1970-01-01 
01:00:00.000000000 +0100
@@ -1,111 +0,0 @@
-// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package rules
-
-import (
-       "fmt"
-       "go/ast"
-
-       "github.com/securego/gosec/v2"
-       "github.com/securego/gosec/v2/issue"
-)
-
-type decompressionBombCheck struct {
-       issue.MetaData
-       readerCalls gosec.CallList
-       copyCalls   gosec.CallList
-}
-
-func (d *decompressionBombCheck) ID() string {
-       return d.MetaData.ID
-}
-
-func containsReaderCall(node ast.Node, ctx *gosec.Context, list 
gosec.CallList) bool {
-       if list.ContainsPkgCallExpr(node, ctx, false) != nil {
-               return true
-       }
-       // Resolve type info of ident (for *archive/zip.File.Open)
-       s, idt, _ := gosec.GetCallInfo(node, ctx)
-       return list.Contains(s, idt)
-}
-
-func (d *decompressionBombCheck) Match(node ast.Node, ctx *gosec.Context) 
(*issue.Issue, error) {
-       var readerVarObj map[*ast.Object]struct{}
-
-       // To check multiple lines, ctx.PassedValues is used to store temporary 
data.
-       if _, ok := ctx.PassedValues[d.ID()]; !ok {
-               readerVarObj = make(map[*ast.Object]struct{})
-               ctx.PassedValues[d.ID()] = readerVarObj
-       } else if pv, ok := 
ctx.PassedValues[d.ID()].(map[*ast.Object]struct{}); ok {
-               readerVarObj = pv
-       } else {
-               return nil, fmt.Errorf("PassedValues[%s] of Context is not 
map[*ast.Object]struct{}, but %T", d.ID(), ctx.PassedValues[d.ID()])
-       }
-
-       // io.Copy is a common function.
-       // To reduce false positives, This rule detects code which is used for 
compressed data only.
-       switch n := node.(type) {
-       case *ast.AssignStmt:
-               for _, expr := range n.Rhs {
-                       if callExpr, ok := expr.(*ast.CallExpr); ok && 
containsReaderCall(callExpr, ctx, d.readerCalls) {
-                               if idt, ok := n.Lhs[0].(*ast.Ident); ok && 
idt.Name != "_" {
-                                       // Example:
-                                       //  r, _ := zlib.NewReader(buf)
-                                       //  Add r's Obj to readerVarObj map
-                                       readerVarObj[idt.Obj] = struct{}{}
-                               }
-                       }
-               }
-       case *ast.CallExpr:
-               if d.copyCalls.ContainsPkgCallExpr(n, ctx, false) != nil {
-                       if idt, ok := n.Args[1].(*ast.Ident); ok {
-                               if _, ok := readerVarObj[idt.Obj]; ok {
-                                       // Detect io.Copy(x, r)
-                                       return ctx.NewIssue(n, d.ID(), d.What, 
d.Severity, d.Confidence), nil
-                               }
-                       }
-               }
-       }
-
-       return nil, nil
-}
-
-// NewDecompressionBombCheck detects if there is potential DoS vulnerability 
via decompression bomb
-func NewDecompressionBombCheck(id string, _ gosec.Config) (gosec.Rule, 
[]ast.Node) {
-       readerCalls := gosec.NewCallList()
-       readerCalls.Add("compress/gzip", "NewReader")
-       readerCalls.AddAll("compress/zlib", "NewReader", "NewReaderDict")
-       readerCalls.Add("compress/bzip2", "NewReader")
-       readerCalls.AddAll("compress/flate", "NewReader", "NewReaderDict")
-       readerCalls.Add("compress/lzw", "NewReader")
-       readerCalls.Add("archive/tar", "NewReader")
-       readerCalls.Add("archive/zip", "NewReader")
-       readerCalls.Add("*archive/zip.File", "Open")
-
-       copyCalls := gosec.NewCallList()
-       copyCalls.Add("io", "Copy")
-       copyCalls.Add("io", "CopyBuffer")
-
-       return &decompressionBombCheck{
-               MetaData: issue.MetaData{
-                       ID:         id,
-                       Severity:   issue.Medium,
-                       Confidence: issue.Medium,
-                       What:       "Potential DoS vulnerability via 
decompression bomb",
-               },
-               readerCalls: readerCalls,
-               copyCalls:   copyCalls,
-       }, []ast.Node{(*ast.FuncDecl)(nil), (*ast.AssignStmt)(nil), 
(*ast.CallExpr)(nil)}
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/rules/decompression_bomb.go 
new/gosec-2.22.7/rules/decompression_bomb.go
--- old/gosec-2.22.5/rules/decompression_bomb.go        1970-01-01 
01:00:00.000000000 +0100
+++ new/gosec-2.22.7/rules/decompression_bomb.go        2025-07-21 
17:19:49.000000000 +0200
@@ -0,0 +1,111 @@
+// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+       "fmt"
+       "go/ast"
+
+       "github.com/securego/gosec/v2"
+       "github.com/securego/gosec/v2/issue"
+)
+
+type decompressionBombCheck struct {
+       issue.MetaData
+       readerCalls gosec.CallList
+       copyCalls   gosec.CallList
+}
+
+func (d *decompressionBombCheck) ID() string {
+       return d.MetaData.ID
+}
+
+func containsReaderCall(node ast.Node, ctx *gosec.Context, list 
gosec.CallList) bool {
+       if list.ContainsPkgCallExpr(node, ctx, false) != nil {
+               return true
+       }
+       // Resolve type info of ident (for *archive/zip.File.Open)
+       s, idt, _ := gosec.GetCallInfo(node, ctx)
+       return list.Contains(s, idt)
+}
+
+func (d *decompressionBombCheck) Match(node ast.Node, ctx *gosec.Context) 
(*issue.Issue, error) {
+       var readerVarObj map[*ast.Object]struct{}
+
+       // To check multiple lines, ctx.PassedValues is used to store temporary 
data.
+       if _, ok := ctx.PassedValues[d.ID()]; !ok {
+               readerVarObj = make(map[*ast.Object]struct{})
+               ctx.PassedValues[d.ID()] = readerVarObj
+       } else if pv, ok := 
ctx.PassedValues[d.ID()].(map[*ast.Object]struct{}); ok {
+               readerVarObj = pv
+       } else {
+               return nil, fmt.Errorf("PassedValues[%s] of Context is not 
map[*ast.Object]struct{}, but %T", d.ID(), ctx.PassedValues[d.ID()])
+       }
+
+       // io.Copy is a common function.
+       // To reduce false positives, This rule detects code which is used for 
compressed data only.
+       switch n := node.(type) {
+       case *ast.AssignStmt:
+               for _, expr := range n.Rhs {
+                       if callExpr, ok := expr.(*ast.CallExpr); ok && 
containsReaderCall(callExpr, ctx, d.readerCalls) {
+                               if idt, ok := n.Lhs[0].(*ast.Ident); ok && 
idt.Name != "_" {
+                                       // Example:
+                                       //  r, _ := zlib.NewReader(buf)
+                                       //  Add r's Obj to readerVarObj map
+                                       readerVarObj[idt.Obj] = struct{}{}
+                               }
+                       }
+               }
+       case *ast.CallExpr:
+               if d.copyCalls.ContainsPkgCallExpr(n, ctx, false) != nil {
+                       if idt, ok := n.Args[1].(*ast.Ident); ok {
+                               if _, ok := readerVarObj[idt.Obj]; ok {
+                                       // Detect io.Copy(x, r)
+                                       return ctx.NewIssue(n, d.ID(), d.What, 
d.Severity, d.Confidence), nil
+                               }
+                       }
+               }
+       }
+
+       return nil, nil
+}
+
+// NewDecompressionBombCheck detects if there is potential DoS vulnerability 
via decompression bomb
+func NewDecompressionBombCheck(id string, _ gosec.Config) (gosec.Rule, 
[]ast.Node) {
+       readerCalls := gosec.NewCallList()
+       readerCalls.Add("compress/gzip", "NewReader")
+       readerCalls.AddAll("compress/zlib", "NewReader", "NewReaderDict")
+       readerCalls.Add("compress/bzip2", "NewReader")
+       readerCalls.AddAll("compress/flate", "NewReader", "NewReaderDict")
+       readerCalls.Add("compress/lzw", "NewReader")
+       readerCalls.Add("archive/tar", "NewReader")
+       readerCalls.Add("archive/zip", "NewReader")
+       readerCalls.Add("*archive/zip.File", "Open")
+
+       copyCalls := gosec.NewCallList()
+       copyCalls.Add("io", "Copy")
+       copyCalls.Add("io", "CopyBuffer")
+
+       return &decompressionBombCheck{
+               MetaData: issue.MetaData{
+                       ID:         id,
+                       Severity:   issue.Medium,
+                       Confidence: issue.Medium,
+                       What:       "Potential DoS vulnerability via 
decompression bomb",
+               },
+               readerCalls: readerCalls,
+               copyCalls:   copyCalls,
+       }, []ast.Node{(*ast.FuncDecl)(nil), (*ast.AssignStmt)(nil), 
(*ast.CallExpr)(nil)}
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/rules/directory-traversal.go 
new/gosec-2.22.7/rules/directory-traversal.go
--- old/gosec-2.22.5/rules/directory-traversal.go       2025-06-16 
11:50:02.000000000 +0200
+++ new/gosec-2.22.7/rules/directory-traversal.go       1970-01-01 
01:00:00.000000000 +0100
@@ -1,65 +0,0 @@
-package rules
-
-import (
-       "go/ast"
-       "regexp"
-
-       "github.com/securego/gosec/v2"
-       "github.com/securego/gosec/v2/issue"
-)
-
-type traversal struct {
-       pattern *regexp.Regexp
-       issue.MetaData
-}
-
-func (r *traversal) ID() string {
-       return r.MetaData.ID
-}
-
-func (r *traversal) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, 
error) {
-       switch node := n.(type) {
-       case *ast.CallExpr:
-               return r.matchCallExpr(node, ctx)
-       }
-       return nil, nil
-}
-
-func (r *traversal) matchCallExpr(assign *ast.CallExpr, ctx *gosec.Context) 
(*issue.Issue, error) {
-       for _, i := range assign.Args {
-               if basiclit, ok1 := i.(*ast.BasicLit); ok1 {
-                       if fun, ok2 := assign.Fun.(*ast.SelectorExpr); ok2 {
-                               if x, ok3 := fun.X.(*ast.Ident); ok3 {
-                                       str := x.Name + "." + fun.Sel.Name + 
"(" + basiclit.Value + ")"
-                                       if r.pattern.MatchString(str) {
-                                               return ctx.NewIssue(assign, 
r.ID(), r.What, r.Severity, r.Confidence), nil
-                                       }
-                               }
-                       }
-               }
-       }
-       return nil, nil
-}
-
-// NewDirectoryTraversal attempts to find the use of http.Dir("/")
-func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, 
[]ast.Node) {
-       pattern := `http\.Dir\("\/"\)|http\.Dir\('\/'\)`
-       if val, ok := conf[id]; ok {
-               conf := val.(map[string]interface{})
-               if configPattern, ok := conf["pattern"]; ok {
-                       if cfgPattern, ok := configPattern.(string); ok {
-                               pattern = cfgPattern
-                       }
-               }
-       }
-
-       return &traversal{
-               pattern: regexp.MustCompile(pattern),
-               MetaData: issue.MetaData{
-                       ID:         id,
-                       What:       "Potential directory traversal",
-                       Confidence: issue.Medium,
-                       Severity:   issue.Medium,
-               },
-       }, []ast.Node{(*ast.CallExpr)(nil)}
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/gosec-2.22.5/rules/directory_traversal.go 
new/gosec-2.22.7/rules/directory_traversal.go
--- old/gosec-2.22.5/rules/directory_traversal.go       1970-01-01 
01:00:00.000000000 +0100
+++ new/gosec-2.22.7/rules/directory_traversal.go       2025-07-21 
17:19:49.000000000 +0200
@@ -0,0 +1,65 @@
+package rules
+
+import (
+       "go/ast"
+       "regexp"
+
+       "github.com/securego/gosec/v2"
+       "github.com/securego/gosec/v2/issue"
+)
+
+type traversal struct {
+       pattern *regexp.Regexp
+       issue.MetaData
+}
+
+func (r *traversal) ID() string {
+       return r.MetaData.ID
+}
+
+func (r *traversal) Match(n ast.Node, ctx *gosec.Context) (*issue.Issue, 
error) {
+       switch node := n.(type) {
+       case *ast.CallExpr:
+               return r.matchCallExpr(node, ctx)
+       }
+       return nil, nil
+}
+
+func (r *traversal) matchCallExpr(assign *ast.CallExpr, ctx *gosec.Context) 
(*issue.Issue, error) {
+       for _, i := range assign.Args {
+               if basiclit, ok1 := i.(*ast.BasicLit); ok1 {
+                       if fun, ok2 := assign.Fun.(*ast.SelectorExpr); ok2 {
+                               if x, ok3 := fun.X.(*ast.Ident); ok3 {
+                                       str := x.Name + "." + fun.Sel.Name + 
"(" + basiclit.Value + ")"
+                                       if r.pattern.MatchString(str) {
+                                               return ctx.NewIssue(assign, 
r.ID(), r.What, r.Severity, r.Confidence), nil
+                                       }
+                               }
+                       }
+               }
+       }
+       return nil, nil
+}
+
+// NewDirectoryTraversal attempts to find the use of http.Dir("/")
+func NewDirectoryTraversal(id string, conf gosec.Config) (gosec.Rule, 
[]ast.Node) {
+       pattern := `http\.Dir\("\/"\)|http\.Dir\('\/'\)`
+       if val, ok := conf[id]; ok {
+               conf := val.(map[string]interface{})
+               if configPattern, ok := conf["pattern"]; ok {
+                       if cfgPattern, ok := configPattern.(string); ok {
+                               pattern = cfgPattern
+                       }
+               }
+       }
+
+       return &traversal{
+               pattern: regexp.MustCompile(pattern),
+               MetaData: issue.MetaData{
+                       ID:         id,
+                       What:       "Potential directory traversal",
+                       Confidence: issue.Medium,
+                       Severity:   issue.Medium,
+               },
+       }, []ast.Node{(*ast.CallExpr)(nil)}
+}

++++++ gosec.obsinfo ++++++
--- /var/tmp/diff_new_pack.YJQJZS/_old  2025-07-30 11:46:37.137806060 +0200
+++ /var/tmp/diff_new_pack.YJQJZS/_new  2025-07-30 11:46:37.141806225 +0200
@@ -1,5 +1,5 @@
 name: gosec
-version: 2.22.5
-mtime: 1750067402
-commit: d2d3ae66bd8d340b78b5142b6fe610691783c2fe
+version: 2.22.7
+mtime: 1753111189
+commit: 32975f4bab0d7b683a88756aaf3fa5502188b476
 

++++++ vendor.tar.xz ++++++
++++ 1989 lines of diff (skipped)
