securego / gosec

Go security checker
https://securego.io
Apache License 2.0

possible regression on first g104 sample #1157

Closed kristovatlas closed 2 months ago

kristovatlas commented 2 months ago

Summary

The first example in testutils/g104_samples.go does not seem to be detected.

Steps to reproduce the behavior

g104.go:

package main

import "fmt"

func test() (int, error) {
    return 0, nil
}

func main() {
    v, _ := test()
    fmt.Println(v)
}

% gosec ./...
[gosec] 2024/06/19 12:07:06 Including rules: default
[gosec] 2024/06/19 12:07:06 Excluding rules: default
[gosec] 2024/06/19 12:07:06 Import directory: /Users/redacted/g104
[gosec] 2024/06/19 12:07:06 Checking package: main
[gosec] 2024/06/19 12:07:06 Checking file: /Users/redacted/g104/g104.go
Results:

Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 12
  Nosec  : 0
  Issues : 0

gosec version

% git log
commit 2ae137abcf405533ad6e549e9363e58e4f6e8b7d (HEAD -> master, upstream/master, upstream/HEAD, origin/master, origin/HEAD)
Author: Cosmin Cojocar <cosmin@cojocar.ch>
Date:   Tue Jun 11 21:34:19 2024 +0200

    Update to go versions to 1.21.11 and 1.22.4

    Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

Go version (output of 'go version')

% go version
go version go1.22.4 darwin/arm64

Operating system / Environment

MacOS

Expected behavior

Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 12
  Nosec  : 0
  Issues : 1

Actual behavior

G104 not detected

ccojocar commented 2 months ago

The first test expects that in this case gosec doesn't create a warning for unhandled error (see the 0 value in the assertion). The ignored errors are only flagged for a specific set of allowed functions which are more security sensitive (https://github.com/securego/gosec/blob/2ae137abcf405533ad6e549e9363e58e4f6e8b7d/rules/errors.go#L85).
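Added here as an illustration, not code from gosec or from either commenter: a simplified Go detector that mirrors the distinction behind this report, where a blank-identifier assignment such as `v, _ := test()` is reported only when an audit mode is switched on (an assumption about G104's behaviour, not something stated in this thread), while a bare call statement that drops an error result is reported by default. The `sample` source and `UncheckedErrors` are constructed for this example; callees are resolved by name within the same file, without go/types.

```go
package main
import "fmt"
import "go/ast"
import "go/parser"
import "go/token"
// Constructed sample: the issue's reproducer plus a bare call that drops an error.
const sample = `package main
func test() (int, error) { return 0, nil }
func tidy() error         { return nil }
func main() {
	v, _ := test() // line 5: error dropped in an assignment
	tidy()         // line 6: error dropped in a bare call statement
	_ = v
}`

// UncheckedErrors returns the lines of src where the error result of a same-file
// function is discarded. Assumed G104 behaviour (not gosec's code): an assignment
// with `_` in the error slot is reported only in audit mode, a bare call always.
func UncheckedErrors(src string, audit bool) (lines []int) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil { panic(err) } // constructed input; a real tool would return err
	returnsErr := map[string]bool{} // functions whose trailing result is error
	for _, d := range file.Decls {
		if fd, ok := d.(*ast.FuncDecl); ok && fd.Type.Results != nil {
			rs := fd.Type.Results.List
			id, _ := rs[len(rs)-1].Type.(*ast.Ident)
			returnsErr[fd.Name.Name] = id != nil && id.Name == "error"
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		var rhs ast.Expr // the call whose error result is thrown away, if any
		switch st := n.(type) {
		case *ast.ExprStmt: // f() as a statement: every result is discarded
			rhs = st.X
		case *ast.AssignStmt: // v, _ := f(): the trailing (error) slot must be `_`
			if b, _ := st.Lhs[len(st.Lhs)-1].(*ast.Ident); audit && len(st.Rhs) == 1 && b != nil && b.Name == "_" {
				rhs = st.Rhs[0]
			}
		}
		if call, _ := rhs.(*ast.CallExpr); call != nil {
			if id, _ := call.Fun.(*ast.Ident); id != nil && returnsErr[id.Name] {
				lines = append(lines, fset.Position(n.Pos()).Line)
			}
		}
		return true
	})
	return lines
}
func main() { fmt.Println("default:", UncheckedErrors(sample, false), "audit:", UncheckedErrors(sample, true)) }
```

Run as-is it prints the line of the bare `tidy()` call only; with audit on, the `v, _ := test()` line is listed as well.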