Skip to content

nosec comment below another comment breaks the nosec annotation #743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
camporter opened this issue Dec 17, 2021 · 3 comments · Fixed by #748
Closed

nosec comment below another comment breaks the nosec annotation #743

camporter opened this issue Dec 17, 2021 · 3 comments · Fixed by #748

Comments

@camporter
Copy link

Summary

When annotating with // #nosec, if there is a comment directly above the annotation, the annotation does not work as the two comments are treated as a multiline comment.

It appears that #735 changed whether a comment needs to only contain the annotation or whether the annotation needs to be at the beginning of a comment.

I don't necessarily think this should change now, but just wanted to highlight that this was a regression with v2.9.3 and below.

Steps to reproduce the behavior

// something
// #nosec
h := md5.New()

gosec version

v2.9.5

Go version (output of 'go version')

go version go1.16.11 linux/amd64

Operating system / Environment

Linux

Expected behavior

gosec ignores the comment from above, or docs are updated to avoid multiline comments.

Actual behavior

gosec does not handle the nosec annotation.
@ccojocar
Copy link
Member

Thanks for pointing this out. Previously gosec used to ignore the entire AST under the #nosec comment. Maybe we can handle this now as a special case. What do you think @Yiwei-Ding?

This was referenced Dec 21, 2021
Merged
Merged
@Yiwei-Ding
Copy link
Contributor

My very first idea of putting #nosec as a prefix is to avoid something like // G101#nosecG102somethingelseG401, which looked strange but also worked.

I got 2 solutions here:

  • Roll back to the previous behavior, i.e., if a comment (group) contains #nosec, gosec will trying to ignore violations. 
    foundDefaultTag := strings.Contains(comment, noSecDefaultTag)
foundAlternativeTag := strings.Contains(comment, noSecAlternativeTag)
  • Discard the content before #nosec and consider the the reset of the comment as the #nosec annotation. 
    if foundDefaultTag || foundAlternativeTag {
    if foundDefaultTag {
        comment = strings.SplitN(comment, noSecDefaultTag, 2)[1]
    } else {
        comment = strings.SplitN(comment, noSecAlternativeTag, 2)[1]
    }

Both are good to me. What's your idea @ccojocar ?

@ccojocar
Copy link
Member

Discarding what's in front of nosec, it looks to me like a better option. The users should write the comment following the documented format, if they want their suppression message to show up in the report.

@Yiwei-Ding Yiwei-Ding mentioned this issue Dec 23, 2021
Merged
ccojocar pushed a commit that referenced this issue Jan 3, 2022
@Yiwei-Ding
Fix #743 (#748)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
72f1145 
* Check if nosec tag is in front of a line

* Use \n instead of a whitespace in a test case
@Yiwei-Ding Yiwei-Ding mentioned this issue Jan 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #743 Yiwei-Ding/gosec
3 participants
@camporter @ccojocar @Yiwei-Ding