search

kkHAIKE / contextcheck

Analyzer: check whether a function uses a non-inherited context
Apache License 2.0
43 stars 3 forks source link

Stop analysis on 3rd party code #9

Open arxeiss opened 2 years ago

arxeiss commented 2 years ago

I have some false positives on the code, which is not in my control. Can you stop analysis, if the error occurs in 3rd party libraries?

Example

import (
    "github.com/lestrrat-go/jwx/jwt"
    ...
)

func verifyTokenFormat(bearerToken string) error {
    _, err := jwt.ParseString(bearerToken, jwt.WithValidate(true), jwt.WithAcceptableSkew(time.Second))
    return err
}

This is source of ParseString, still does not accept context, but is already in 3rd party code: https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L87

func ParseString(s string, options ...ParseOption) (Token, error) {
    return parseBytes([]byte(s), options...)
}

And here is code of parseBytes which does not accept context, but has variable named ctx. https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L158

func parseBytes(data []byte, options ...ParseOption) (Token, error) {
    var ctx parseCtx

    // Validation is turned on by default. You need to specify
    // jwt.WithValidate(false) if you want to disable it
    ctx.validate = true
...

Error

The code above is causing this issue 

identity/authorization.go:123:30: Function `verifyTokenFormat->parseBytes` should pass the context parameter (contextcheck)
                if err := verifyTokenFormat(sub.AccessToken); err != nil {
kkHAIKE commented 2 years ago

try this command contextcheck -pkgprefix=<your go.mod pkgname> ./...

golang-ci long time no release, 😢

arxeiss commented 2 years ago

Thank you, this works. However, contextcheck has no configuration in golangci-lint and we use that.

kkHAIKE commented 2 years ago

'pkgprefix' option is not need in golang-ci, it work for standalone cli only. new version released https://github.com/golangci/golangci-lint/releases/tag/v1.50.0

gonzaloserrano commented 2 years ago

I'm testing golangci-int 1.50.0 with contextcheck and I have the same issue with the very same jwt library. Any advice?

kkHAIKE commented 2 years ago

I'm testing golangci-int 1.50.0 with contextcheck and I have the same issue with the very same jwt library. Any advice?

show me some code

arxeiss commented 2 years ago

So I upgraded to 1.50 and only change is, that error format is changed too:

golangci-lint run --timeout 2m0s ./...
identity/authorization.go:123:30: Function `verifyTokenFormat->ParseString->parseBytes->parse->Decrypt->parseJSONOrCompact->parseCompact->makeDummyRecipient` should pass the context parameter (contextcheck)
                if err := verifyTokenFormat(sub.AccessToken); err != nil {
                                           ^

You can verify that with this repository https://github.com/indykite/jarvis-sdk-go It still uses 1.49 with ignoring the old message format: https://github.com/indykite/jarvis-sdk-go/blob/master/.golangci.yml#L145

kkHAIKE commented 2 years ago

I think the pkgpath filtering function is invalid..

it's a bug.

arxeiss commented 2 years ago

I'm not really sure. Because when I execute this contextcheck -pkgprefix="github.com/indykite/jarvis-sdk-go" ./... I got no errors

kkHAIKE commented 2 years ago

I'm sure, because contextcheck -pkgprefix=xxx is hard filter by xxx..

https://github.com/kkHAIKE/contextcheck/commit/d3358674bd75995fff87b452304d8761e5fa56a0

wait next golang-ci release...