
Track both #nosec and #nosec rulelist for one violation #741

Merged
merged 1 commit into securego:master from Yiwei-Ding:FixNosecDisappear on Dec 20, 2021

Conversation

Yiwei-Ding (Contributor)

Problem

For this piece of code

package main

import "fmt"

// #nosec -- j1
func main() {
	username := "admin"
	/* #nosec G101 -- j2 */
	password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
	fmt.Println("Doing something with: ", username, password)
}

If we run gosec -fmt=sarif -track-suppressions ./... on it...

Expected:

"suppressions": [
  { "kind": "inSource", "justification": "j1" },
  { "kind": "inSource", "justification": "j2" }
]

Actual:

"suppressions": [
  { "kind": "inSource", "justification": "j1" }
]

Root cause

If gosec ignores all rules, it will skip checking specific rules.

Solution

Check both general suppressions and specific rule suppressions, then merge them together.
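The following Go program is an added illustration of the merge described in the PR text; it is not gosec's own code and the `#nosec` grammar it parses (`#nosec`, `#nosec G101`, `#nosec G101,G102`, each with an optional `-- justification` tail) is a simplified assumption for the example. `suppressionsBefore` reproduces the "Root cause" behaviour, where a general `#nosec` short-circuits the rule-specific lookup, and `suppressionsAfter` collects both kinds and merges them. The comment strings in `main` are constructed from the snippet above, as seen from a G101 finding on the `password` line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Suppression mirrors one entry of the SARIF "suppressions" array shown above.
type Suppression struct {
	Kind          string
	Justification string
}

// directive is a parsed #nosec comment; an empty rule list means "all rules".
type directive struct {
	rules         []string
	justification string
}

// nosecRe accepts "#nosec", "#nosec G101" and "#nosec G101,G102", each
// optionally followed by "-- justification". Hypothetical grammar for this example.
var nosecRe = regexp.MustCompile(`^#nosec(?:\s+([A-Za-z0-9_,\s]+?))?\s*(?:--\s*(.*))?$`)

// parseDirective extracts the #nosec directive from a Go comment, if it has one.
func parseDirective(comment string) (directive, bool) {
	i := strings.Index(comment, "#nosec")
	if i < 0 {
		return directive{}, false
	}
	// Drop the "*/" closer of block comments and surrounding whitespace.
	text := strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(comment[i:]), "*/"))
	m := nosecRe.FindStringSubmatch(text)
	if m == nil {
		return directive{}, false
	}
	d := directive{justification: strings.TrimSpace(m[2])}
	d.rules = strings.FieldsFunc(m[1], func(r rune) bool {
		return r == ',' || r == ' ' || r == '\t'
	})
	return d, true
}

func contains(rules []string, id string) bool {
	for _, r := range rules {
		if r == id {
			return true
		}
	}
	return false
}

// suppressionsBefore reproduces the behaviour described under "Root cause":
// once a general #nosec is found, rule-specific directives are never consulted.
func suppressionsBefore(ruleID string, comments []string) []Suppression {
	var general []Suppression
	for _, c := range comments {
		if d, ok := parseDirective(c); ok && len(d.rules) == 0 {
			general = append(general, Suppression{"inSource", d.justification})
		}
	}
	if len(general) > 0 {
		return general // rule-specific directives are skipped, so j2 is lost
	}
	var specific []Suppression
	for _, c := range comments {
		if d, ok := parseDirective(c); ok && contains(d.rules, ruleID) {
			specific = append(specific, Suppression{"inSource", d.justification})
		}
	}
	return specific
}

// suppressionsAfter follows the "Solution": collect general and rule-specific
// directives independently, then merge them.
func suppressionsAfter(ruleID string, comments []string) []Suppression {
	var general, specific []Suppression
	for _, c := range comments {
		d, ok := parseDirective(c)
		if !ok {
			continue
		}
		s := Suppression{Kind: "inSource", Justification: d.justification}
		switch {
		case len(d.rules) == 0:
			general = append(general, s)
		case contains(d.rules, ruleID):
			specific = append(specific, s)
		}
	}
	return append(general, specific...)
}

func main() {
	// Constructed input: the two comments from the snippet above.
	comments := []string{"// #nosec -- j1", "/* #nosec G101 -- j2 */"}
	fmt.Println("before:", suppressionsBefore("G101", comments))
	fmt.Println("after: ", suppressionsAfter("G101", comments))
}
```

Running it prints one suppression (j1) for the old logic and two (j1, j2) for the merged logic; a directive naming a different rule, such as `#nosec G104`, is not attached to the G101 finding in either case.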

@codecov-commenter

Codecov Report

Merging #741 (88d4d18) into master (b45f95f) will increase coverage by 0.03%.
The diff coverage is 70.58%.


@@            Coverage Diff             @@
##           master     #741      +/-   ##
==========================================
+ Coverage   73.91%   73.95%   +0.03%     
==========================================
  Files          47       47              
  Lines        2891     2895       +4     
==========================================
+ Hits         2137     2141       +4     
  Misses        692      692              
  Partials       62       62              
Impacted Files Coverage Δ
cmd/gosec/main.go 0.00% <0.00%> (ø)
analyzer.go 90.80% <100.00%> (+0.13%) ⬆️
issue.go 76.92% <100.00%> (ø)

Powered by Codecov. Last update e0f354a...88d4d18.

ccojocar merged commit 2d1c1a6 into securego:master on Dec 20, 2021
Yiwei-Ding deleted the FixNosecDisappear branch on December 23, 2021 05:21