Some of the inline code annotation stopped working #736
Comments
I can reproduce with go 17.1 and the latest master version of gosec.

This will raise an error:

```go
/* #nosec G401 */
hash := md5.New()
```

This works:

```go
// #nosec G401
hash := md5.New()
```
It occurs in v2.9.4.
Apologies for bringing you such an unhappy experience. I have submitted PR #738 to fix this issue.
Ingress-nginx is still having this issue even with the v2.9.5 update, locally and in GitHub CI.
Local env
GitHub Action: https://github.com/kubernetes/ingress-nginx/blob/main/.github/workflows/ci.yaml#L48
Error: https://github.com/kubernetes/ingress-nginx/runs/4510742592?check_suite_focus=true#step:4:304
Hi @ccojocar @strongjz, I guess the root cause is found! From the error message "Potential Integer overflow made by strconv.Atoi result conversion to int16/32", we can see that the exact violation is converting the result of strconv.Atoi to int16/32, not In the former version of gosec, using You could verify the conclusion from another perspective. If you use So this should be another issue "G109 tells the location at strconv.Atoi instead of strconv.Atoi result conversion to int16/32".
A code sample that reproduces the G109 location issue:

```go
package main

import (
	"fmt"
	"strconv"
)

func main() {
	a, err := strconv.Atoi("a")
	b := int32(a) // #nosec G109
	fmt.Println(b, err)
}
```
Summary
The code annotations in the format:
or annotations without justification stopped working
Annotations with inline justification work as expected.
Steps to reproduce the behavior
run gosec with the following code
gosec version
Just installed the latest version.
Go version (output of 'go version')
go version go1.16.3 linux/amd64
Operating system / Environment
Linux alexey-VB2 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Expected behavior
Do not print security warnings
Actual behavior
Warnings are printed