nosec exceptions not caught with multiple comments #762

Closed
TJM opened this issue Jan 13, 2022 · 3 comments
TJM commented Jan 13, 2022

Summary

Adding a #nosec exception does not work when there are multiple comments together.

Steps to reproduce the behavior

Run gosec ./... with the below file in the current directory (only file to be safe). NOTE this is a minimal/contrived example.

package main

import (
	"crypto/tls"
)

func main() {
	var SSLSkipVerify bool

	// Some Comment
	/* #nosec G402 - SSLSkipVerify defaults to false, users are warned when switching it on. */
	_ = &tls.Config{
		InsecureSkipVerify: SSLSkipVerify,
	}

}

gosec version

v2.9.4 and v2.9.5
NOTE: v2.9.3 works

Go version (output of 'go version')

go version go1.16.10 darwin/amd64

Operating system / Environment

MacOS 11.6 (also affects Linux during CI runs)

Expected behavior

The #nosec should be processed and the "Issue" should not be listed

Actual behavior

Results:

[/Users/tmcneely/Projects/Patching/gosec-test/blah.go:13] - G402 (CWE-295): TLS InsecureSkipVerify set true. (Confidence: HIGH, Severity: HIGH)
    12:         _ = &tls.Config{
  > 13:                 InsecureSkipVerify: SSLSkipVerify,
    14:         }

Summary:
  Gosec  : 2.9.5
  Files  : 1
  Lines  : 16
  Nosec  : 0
  Issues : 1

Workaround

  1. Add a blank line between the real comment and the #nosec comment
  2. Downgrade to gosec v2.9.3
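Go's own parser merges adjacent comment lines such as `// Some Comment` and the `/* #nosec ... */` block into a single ast.CommentGroup, and a blank line (workaround 1) splits them into two groups, so a suppression check has to scan every comment in a group rather than only the first. The example below is added here and is not gosec's code: it parses a copy of the reproduction file (imports collapsed to one line) and reports the #nosec rule IDs attached to each annotated node; treating " - " as the start of the free-text justification is an assumption taken from the comment in the report.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed input: the issue's reproduction file, imports collapsed to one line.
const src = `package main

import "crypto/tls"

func main() {
	var SSLSkipVerify bool

	// Some Comment
	/* #nosec G402 - SSLSkipVerify defaults to false, users are warned when switching it on. */
	_ = &tls.Config{
		InsecureSkipVerify: SSLSkipVerify,
	}
}
`

// nosecByLine maps the start line of each node annotated with #nosec to its rule IDs.
func nosecByLine(source string) (map[int][]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "blah.go", source, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	out := map[int][]string{}
	// NewCommentMap attaches each comment group to the node it precedes; "// Some Comment"
	// and the /* #nosec */ block form ONE group here, so every comment in it is scanned.
	for node, groups := range ast.NewCommentMap(fset, f, f.Comments) {
		for _, g := range groups {
			for _, c := range g.List {
				i := strings.Index(c.Text, "#nosec")
				if i < 0 {
					continue
				}
				// Assumed layout: rule IDs, then an optional "-" and free text.
				ids := strings.SplitN(c.Text[i+len("#nosec"):], "-", 2)[0]
				out[fset.Position(node.Pos()).Line] = strings.Fields(ids)
			}
		}
	}
	return out, nil
}
```

For the constructed file the annotated statement is on line 10, so the result is map[10:[G402]]; removing the marker yields an empty map.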
ccojocar (Member) commented
It seems to be related to the new changes related to nosec tracking.

@Yiwei-Ding Please could you have a look at this issue? Thanks

@ccojocar ccojocar added the bug label Jan 13, 2022
Yiwei-Ding (Contributor) commented
@ccojocar @TJM It is the same as #743, which was fixed in #748. The latest code works on my side.

Results:

Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 16
  Nosec  : 1
  Issues : 0

TJM (Author) commented Jan 14, 2022

Sorry about that. I must have missed that one :)

@TJM TJM closed this as completed Jan 14, 2022