praetorian-inc / gokart

A static analysis tool for securing Go code
Apache License 2.0
2.18k stars 110 forks

Analyzers do not set ResultType #76

Open uhthomas opened 2 years ago

uhthomas commented 2 years ago

According to https://pkg.go.dev/golang.org/x/tools/go/analysis#Analyzer:

```go
type Analyzer struct {
    // ...

    // Run applies the analyzer to a package.
    // It returns an error if the analyzer failed.
    //
    // On success, the Run function may return a result
    // computed by the Analyzer; its type must match ResultType.
    // The driver makes this result available as an input to
    // another Analyzer that depends directly on this one (see
    // Requires) when it analyzes the same package.
    //
    // To pass analysis results between packages (and thus
    // potentially between address spaces), use Facts, which are
    // serializable.
    Run func(*Pass) (interface{}, error)

    // ...

    // ResultType is the type of the optional result of the Run function.
    ResultType reflect.Type

    // ...
}
```

Because of this, the analyzers fail to run:

```
analyzer "command_injection" failed: internal error: on package github.com/jcmturner/gokrb5/v8/iana, analyzer command_injection returned a result of type []util.Finding, but declared ResultType <nil>
```

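To make the failure mechanism concrete, here is an added example (not code from gokart or from golang.org/x/tools) that models the driver-side check behind the error above. `Analyzer`, `Pass` and `Finding` are cut-down stand-ins for `analysis.Analyzer`, `analysis.Pass` and gokart's `util.Finding`, and `runAndCheck` reproduces the comparison the x/tools driver performs after `Run` returns: the dynamic type of the result must equal the declared `ResultType`. `Broken` mirrors the situation in the report (returns `[]Finding`, declares nothing); `Fixed` declares `reflect.TypeOf([]Finding(nil))`, which is the shape a correct declaration takes.

```go
package main

import (
	"fmt"
	"reflect"
)

// Finding stands in for gokart's util.Finding (assumption: the real type has
// more fields; only its identity as a type matters for this check).
type Finding struct {
	Message string
}

// Pass is a minimal stand-in for analysis.Pass: just enough for Run to know
// which package it is reporting on.
type Pass struct {
	Pkg string
}

// Analyzer mirrors the three fields of analysis.Analyzer that matter here.
// It is a stand-in for the x/tools type, not a copy of it.
type Analyzer struct {
	Name       string
	Run        func(*Pass) (interface{}, error)
	ResultType reflect.Type
}

// runAndCheck models what the driver does after calling Run: the dynamic
// type of the returned value must equal the declared ResultType. A nil
// result with a nil ResultType passes, since reflect.TypeOf(nil) is nil;
// a typed value with a nil ResultType is rejected, as in the issue report.
func runAndCheck(a *Analyzer, pass *Pass) (interface{}, error) {
	result, err := a.Run(pass)
	if err != nil {
		return nil, fmt.Errorf("analyzer %q failed: %w", a.Name, err)
	}
	if got, want := reflect.TypeOf(result), a.ResultType; got != want {
		return nil, fmt.Errorf(
			"internal error: on package %s, analyzer %s returned a result of type %v, but declared ResultType %v",
			pass.Pkg, a.Name, got, want)
	}
	return result, nil
}

// runFindings is the shared Run body for both analyzers below. It returns a
// single constructed finding so the type comparison has something to bite on.
func runFindings(pass *Pass) (interface{}, error) {
	return []Finding{{Message: "constructed finding in " + pass.Pkg}}, nil
}

// Broken returns []Finding but declares no ResultType, which is the
// mismatch described in the issue.
var Broken = &Analyzer{Name: "command_injection", Run: runFindings}

// Fixed declares the type that Run actually returns. reflect.TypeOf of a
// typed nil slice yields the slice type itself, so no allocation is needed.
var Fixed = &Analyzer{
	Name:       "command_injection",
	Run:        runFindings,
	ResultType: reflect.TypeOf([]Finding(nil)),
}

func main() {
	// Constructed package path; any string would do for this check.
	pass := &Pass{Pkg: "example.com/constructed/pkg"}
	for _, a := range []*Analyzer{Broken, Fixed} {
		res, err := runAndCheck(a, pass)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: %d finding(s) from %s\n", len(res.([]Finding)), a.Name)
	}
}
```

The same comparison is what a dependent analyzer relies on when it type-asserts `pass.ResultOf[dep]`, so declaring `ResultType` is not cosmetic: an analyzer that returns a value without declaring its type is rejected before any consumer ever sees it.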
hxtk commented 2 years ago

This issue affected me as well when I tried to create wrappers for the analyzers for use with nogo from Bazel's rules_go.

I've created a pull request to upstream the patch that I ended up using in my repository, as well as add some tests to validate the functionality.