
False positive: go/uncontrolled-allocation-size, even though length is limited via min function #16371

Open
fzipp opened this issue May 1, 2024 · 1 comment


@fzipp

fzipp commented May 1, 2024

A false positive of "Slice memory allocation with excessive size value" in Go (Rule ID: go/uncontrolled-allocation-size).

It's a false positive, because the length of the allocated slice is explicitly limited via the min function, so it should not be reported. Link to source code:

https://github.com/fzipp/canvas/blob/9bf9f5531d570cf664d7c0f931b02dd3749f4fce/event.go#L402

const maxTouchListLength = 10
length := buf.readByte()
limitedLength := min(length, maxTouchListLength)
list := make(TouchList, limitedLength)

URL to the alert on GitHub code scanning:
https://github.com/fzipp/canvas/security/code-scanning/2
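The pattern in the report, shown beside the unbounded shape the query is meant to catch, as an added example (not the canvas project's own code): a length byte is read from an input buffer, and only the bounded variant clamps it with the Go 1.21 builtin min before calling make. The Touch element type is a stand-in assumed here; the bound reuses the issue's maxTouchListLength.

```go
package main

import (
	"bytes"
	"fmt"
)

// maxTouchListLength mirrors the bound used in the issue's snippet.
const maxTouchListLength = 10

// Touch is a hypothetical element type standing in for the project's own.
type Touch struct{ X, Y int }

// readTouchListUnbounded allocates whatever length the input claims.
// This is the shape go/uncontrolled-allocation-size exists to flag: the
// allocation size is taken directly from untrusted input with no cap.
func readTouchListUnbounded(r *bytes.Reader) ([]Touch, error) {
	length, err := r.ReadByte()
	if err != nil {
		return nil, err
	}
	return make([]Touch, length), nil
}

// readTouchListBounded clamps the input-controlled length with min before
// allocating, so the slice can never exceed maxTouchListLength elements
// regardless of what the input claims. This is the shape reported as a
// false positive in the issue above.
func readTouchListBounded(r *bytes.Reader) ([]Touch, error) {
	length, err := r.ReadByte()
	if err != nil {
		return nil, err
	}
	limited := min(int(length), maxTouchListLength) // builtin min, Go 1.21+
	return make([]Touch, limited), nil
}

func main() {
	// Constructed input: a single length byte claiming 255 elements.
	input := []byte{0xFF}
	unbounded, _ := readTouchListUnbounded(bytes.NewReader(input))
	bounded, _ := readTouchListBounded(bytes.NewReader(input))
	fmt.Println(len(unbounded), len(bounded)) // 255 10
}
```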

@ginsbach
Contributor

ginsbach commented May 1, 2024

Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
