G104 fails to catch err reassignments

[omercnet]

Summary

Since err is commonly used, it's not uncommon to have it reassigned
If someone forgets to check it before reassigning it, G104 should catch it

Steps to reproduce the behavior

package main

import (
	"io"
	"log"
	"os"
)

func main() {
	_, _ = io.WriteString(os.Stdout, "Hello World") // # this is ok

	_, err := io.WriteString(os.Stdout, "Hello World")
	if err != nil { // good
		log.Fatal(err)
	}

	_, err = io.WriteString(os.Stdout, "Hello World") // # this err will not be checked
	_, err = io.WriteString(os.Stdout, "Hello World") // # this err will be checked

	if err != nil { // checking the second err but not the first one
		log.Fatal(err)
	}

}

gosec version

2.14.0

Go version (output of 'go version')

go version go1.19.2

Operating system / Environment

darwin/arm64

Expected behavior

Should catch the err that wasn't checked

Actual behavior

Doesn't.

[omercnet]

https://staticcheck.io/ does catch this, worth looking into how they implement this check

[TimonOmsk]

@ccojocar I'll take this one. Finally have some time to dive deep into the SSA :)

[ccojocar]

@TimonOmsk feel free to take on this issue. Thanks