Open stefanb opened 11 months ago
When a Go program uses a module from Linkedin (eg https://github.com/linkedin/goavro ) the name will be mentioned in go.sum file followed by a hash on the same line, eg:
go.sum
github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM= github.com/linkedin/goavro/v2 v2.10.0/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA= github.com/linkedin/goavro/v2 v2.10.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA= github.com/linkedin/goavro/v2 v2.11.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
...which triggers a false positive via regexp in:
https://github.com/ZupIT/horusec/blob/873d4104a6aa89be8f86d93db8e416909d9add87/internal/services/engines/leaks/rules.go#L171-L187
This likely affects other LEAKS rulesc with loose regexp and companies publishing opensource libraries.
When a Go program uses a module from Linkedin (eg https://github.com/linkedin/goavro ) the name will be mentioned in
go.sumfile followed by a hash on the same line, eg:...which triggers a false positive via regexp in:
https://github.com/ZupIT/horusec/blob/873d4104a6aa89be8f86d93db8e416909d9add87/internal/services/engines/leaks/rules.go#L171-L187
This likely affects other LEAKS rulesc with loose regexp and companies publishing opensource libraries.