Track both #nosec and #nosec rulelist for one violation (#741)

securego · Dec 20, 2021 · 2d1c1a6 · 2d1c1a6
1 parent e0f354a
commit 2d1c1a6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/analyzer.go b/analyzer.go
@@ -394,10 +394,13 @@ func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {
 
 	for _, rule := range gosec.ruleset.RegisteredFor(n) {
 		// Check if all rules are ignored.
-		suppressions, ignored := ignores[aliasOfAllRules]
-		if !ignored {
-			suppressions, ignored = ignores[rule.ID()]
-		}
+		generalSuppressions, generalIgnored := ignores[aliasOfAllRules]
+		// Check if the specific rule is ignored
+		ruleSuppressions, ruleIgnored := ignores[rule.ID()]
+
+		ignored := generalIgnored || ruleIgnored
+		suppressions := append(generalSuppressions, ruleSuppressions...)
+
 		// Track external suppressions.
 		if gosec.ruleset.IsRuleSuppressed(rule.ID()) {
 			ignored = true

diff --git a/analyzer_test.go b/analyzer_test.go
@@ -620,7 +620,7 @@ var _ = Describe("Analyzer", func() {
 			err = analyzer.Process(buildTags, nosecPackage.Path)
 			Expect(err).ShouldNot(HaveOccurred())
 			issues, _, _ := analyzer.Report()
-			Expect(issues).To(HaveLen(1))
+			Expect(issues).To(HaveLen(sample.Errors))
 			Expect(issues[0].Suppressions).To(HaveLen(1))
 			Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
 			Expect(issues[0].Suppressions[0].Justification).To(Equal("Justification"))
@@ -640,12 +640,31 @@ var _ = Describe("Analyzer", func() {
 			err = analyzer.Process(buildTags, nosecPackage.Path)
 			Expect(err).ShouldNot(HaveOccurred())
 			issues, _, _ := analyzer.Report()
-			Expect(issues).To(HaveLen(1))
+			Expect(issues).To(HaveLen(sample.Errors))
 			Expect(issues[0].Suppressions).To(HaveLen(1))
 			Expect(issues[0].Suppressions[0].Kind).To(Equal("inSource"))
 			Expect(issues[0].Suppressions[0].Justification).To(Equal(""))
 		})
 
+		It("should track multiple suppressions if the violation is suppressed by both #nosec and #nosec RuleList", func() {
+			sample := testutils.SampleCodeG101[0]
+			source := sample.Code[0]
+			analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo())
+
+			nosecPackage := testutils.NewTestPackage()
+			defer nosecPackage.Close()
+			nosecSource := strings.Replace(source, "}", "} //#nosec G101 -- Justification", 1)
+			nosecSource = strings.Replace(nosecSource, "func", "//#nosec\nfunc", 1)
+			nosecPackage.AddFile("pwd.go", nosecSource)
+			err := nosecPackage.Build()
+			Expect(err).ShouldNot(HaveOccurred())
+			err = analyzer.Process(buildTags, nosecPackage.Path)
+			Expect(err).ShouldNot(HaveOccurred())
+			issues, _, _ := analyzer.Report()
+			Expect(issues).To(HaveLen(sample.Errors))
+			Expect(issues[0].Suppressions).To(HaveLen(2))
+		})
+
 		It("should not report an error if the rule is not included", func() {
 			sample := testutils.SampleCodeG101[0]
 			source := sample.Code[0]