Closed nmanoogian closed 3 years ago
It looks like there are 3 gosec errors. The output is a little tough to grok at first but it's mostly just pointing out required code changes. The most relevant fields are `details` and `file`. The first issue that's reported, `G304 - Potential file inclusion via variable`, is likely intentional behavior. You can see how we ignore these by searching the codebase for `nosec`. The other two should be fixed.
Ah, G304 was the one I was most confused about. The other two are straightforward but I had a different batch of advisories before I made the buffer changes. I'll make the necessary updates now 👍
@Piccirello Do you think it would be worth it to add a `--delimiter` option to let people pick between `{{ }}`, `{ }`, `${ }`, `<% %>`, etc.?
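The two points raised above, confining the file path before a `nosec` annotation is justified for G304, and rendering a secrets template with a user-selectable delimiter pair, come together in the following Go example. It is added here and is not code from the Doppler CLI; the function names (`resolveTemplatePath`, `readTemplate`, `renderSecrets`), the base-directory convention and the sample template and secrets are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// resolveTemplatePath confines a user-supplied template path to baseDir.
// gosec raises G304 on os.ReadFile(variable) because the variable could point
// anywhere; the check below is what makes a later `#nosec G304` defensible.
func resolveTemplatePath(baseDir, requested string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join also runs Clean, so "sub/../x" collapses before the containment test.
	full := filepath.Join(absBase, requested)
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("template path %q escapes %q", requested, baseDir)
	}
	return full, nil
}

// readTemplate reads a template only after its path has been confined.
func readTemplate(baseDir, requested string) (string, error) {
	path, err := resolveTemplatePath(baseDir, requested)
	if err != nil {
		return "", err
	}
	data, err := os.ReadFile(path) // #nosec G304 -- path is confined to baseDir by resolveTemplatePath
	if err != nil {
		return "", err
	}
	return string(data), nil
}

// renderSecrets substitutes secrets into tmplText using the given delimiter pair,
// the behaviour a hypothetical --delimiter option would expose. A secret that the
// template references but the map lacks is an error rather than silently rendered
// as "<no value>", so a half-filled config never reaches disk.
func renderSecrets(tmplText, left, right string, secrets map[string]string) (string, error) {
	tmpl, err := template.New("secrets").
		Delims(left, right).
		Option("missingkey=error").
		Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, secrets); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample data, not real secrets.
	secrets := map[string]string{"DB_PASS": "hunter2", "API_KEY": "k-123"}
	for _, d := range [][2]string{{"{{", "}}"}, {"${", "}"}, {"<%", "%>"}} {
		tmplText := fmt.Sprintf("DB=%s .DB_PASS %s\nKEY=%s .API_KEY %s\n", d[0], d[1], d[0], d[1])
		out, err := renderSecrets(tmplText, d[0], d[1], secrets)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("delims %s %s:\n%s", d[0], d[1], out)
	}
	if _, err := resolveTemplatePath("/srv/templates", "../../etc/passwd"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Note that with `{ }` as the delimiter pair the action syntax stays the same (`{ .DB_PASS }`); only the markers change, which is why a single `Delims` call covers every pair listed in the discussion.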
Hmm, good question. I think we can add that later since it would be backwards compatible. Let's get a couple users first and have someone request this.

One thought on naming: what do you think of `doppler secrets substitute` (or some other verb). My concern with `template` is that we have project templates, which sound similar but are completely different.
> Hmm, good question. I think we can add that later since it would be backwards compatible. Let's get a couple users first and have someone request this.

Yep, I was thinking the same 👍

> One thought on naming: what do you think of `doppler secrets substitute` (or some other verb). My concern with `template` is that we have project templates, which sound similar but are completely different.

Oh, that's a great point. Here are some options off the top of my head:

- `substitute` / `sub`
- `inject`
- `replace`
- `format` (inspired by python's format function but maybe sounds too much like indentation, etc)
- `interpolate` / `interp`

I'm kinda leaning towards `substitute` or `inject`. My main hesitation with `substitute` is that you can do quite a bit more with this than just a plain 'ole find-and-replace.
My vote would go to substitute or inject 👍
@Piccirello Can I get your take on these Salus advisories as well?