Open chheda-deshaw opened 4 days ago
I think there are some cgo issues, because some symbols cannot be found:
Golang errors in file: []:
> [line 0 : column 0] - # command-line-arguments
_example/vtable/vtable.go:22:78: undefined: sqlite3.VTab
_example/vtable/vtable.go:23:11: c.DeclareVTab undefined (type *sqlite3.SQLiteConn has no field or method DeclareVTab)
_example/vtable/vtable.go:36:79: undefined: sqlite3.VTab
_example/vtable/vtable.go:46:39: undefined: sqlite3.VTabCursor
_example/vtable/vtable.go:65:48: undefined: sqlite3.InfoConstraint
_example/vtable/vtable.go:65:77: undefined: sqlite3.InfoOrderBy
_example/vtable/vtable.go:65:100: undefined: sqlite3.IndexResult
_example/vtable/vtable.go:67:18: undefined: sqlite3.IndexResult
_example/vtable/main.go:14:16: conn.CreateModule undefined (type *sqlite3.SQLiteConn has no field or method CreateModule)
gosec doesn't work well with cgo packages.
I see, thanks @ccojocar.
Is there a way I can exclude the .cache directory? -exclude-dir only seems to work for dirs within the project being scanned.
I think this expansion is in the Go AST package which tries to resolve the cgo symbols. I would leave the bug open to try to investigate if we can do something to improve the situation.
Summary
I'm relatively new to Go and have been learning as I go along. I noticed a potential issue with gosec and wanted to bring it to your attention. Please let me know if there's any additional information I can provide or if there's anything specific I should check. When gosec is run on cgo projects, it makes references to artifacts in ~/.cache/go-build and sometimes the findings are not accurate.
Steps to reproduce the behavior
gosec version
2.21.4
Go version (output of 'go version')
go version go1.23.2 linux/amd64
Operating system / Environment
RHEL8
Expected behavior
NA
Actual behavior
When you run it on go-sqlite3 there are a lot of findings pointing to ~/.cache/go-build. But many times the line references are to comments or braces. For example:
And so on.... For my use case, I'm leaning towards excluding the cache directory from the scanner. These findings in the cache aren't really helpful because we don't know the source in the project that led to them. What else can be done here?
Thanks!
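Since -exclude-dir only matches directories inside the scanned project, one practical workaround is to post-process the JSON report and drop every finding whose file lies under the Go build cache. The program below is an added example written for this thread; it is not part of gosec or go-sqlite3. It assumes gosec's -fmt=json report has a top-level "Issues" array whose entries carry a "file" key (as in gosec's JSON output as I recall it; every other key is passed through untouched, so a mismatch only means nothing gets filtered), and it resolves the cache directory the way the go tool does: $GOCACHE if set, otherwise os.UserCacheDir()/go-build, which is ~/.cache/go-build on Linux. The embedded report is a constructed sample, not real gosec output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// sampleReport is a constructed, minimal gosec-style JSON report (not real
// gosec output). The second finding points into the build cache, which is
// the kind of entry the filter removes.
const sampleReport = `{
  "Golang errors": {},
  "Issues": [
    {"rule_id": "G104", "file": "/src/go-sqlite3/sqlite3.go", "line": "120", "column": "2", "details": "Errors unhandled."},
    {"rule_id": "G103", "file": "/home/user/.cache/go-build/ab/abcd_cgo_gotypes.go", "line": "1", "column": "1", "details": "Use of unsafe calls should be audited"},
    {"rule_id": "G104", "file": "/src/go-sqlite3/backup.go", "line": "55", "column": "5", "details": "Errors unhandled."}
  ],
  "Stats": {"files": 2, "lines": 900, "nosec": 0, "found": 3}
}`

// goBuildCacheDir resolves the build cache the same way the go tool does:
// $GOCACHE when set, otherwise the user cache dir plus "go-build"
// (~/.cache/go-build on Linux).
func goBuildCacheDir() (string, error) {
	if dir := os.Getenv("GOCACHE"); dir != "" {
		return dir, nil
	}
	base, err := os.UserCacheDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(base, "go-build"), nil
}

// underDir reports whether path lies inside dir. It compares cleaned paths
// component-wise, so /x/go-build does not match /x/go-build-other/f.go.
func underDir(path, dir string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// FilterReport removes every entry of the report's "Issues" array whose
// "file" is under cacheDir. It returns the rewritten report and the number
// of findings dropped; all other keys and issue fields are kept verbatim.
func FilterReport(report []byte, cacheDir string) ([]byte, int, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(report, &top); err != nil {
		return nil, 0, fmt.Errorf("parse report: %w", err)
	}
	var issues []json.RawMessage
	if raw, ok := top["Issues"]; ok && string(raw) != "null" {
		if err := json.Unmarshal(raw, &issues); err != nil {
			return nil, 0, fmt.Errorf("parse Issues: %w", err)
		}
	}
	kept, dropped := make([]json.RawMessage, 0, len(issues)), 0
	for _, raw := range issues {
		var loc struct {
			File string `json:"file"`
		}
		if err := json.Unmarshal(raw, &loc); err != nil {
			return nil, 0, fmt.Errorf("parse issue: %w", err)
		}
		if underDir(loc.File, cacheDir) {
			dropped++ // finding lives in a cgo-generated cache file: not actionable
			continue
		}
		kept = append(kept, raw)
	}
	out, err := json.Marshal(kept)
	if err != nil {
		return nil, 0, err
	}
	top["Issues"] = out
	result, err := json.MarshalIndent(top, "", "  ")
	return result, dropped, err
}

// IssueFiles lists the "file" of every finding still in a report, in order.
func IssueFiles(report []byte) ([]string, error) {
	var top struct {
		Issues []struct {
			File string `json:"file"`
		} `json:"Issues"`
	}
	if err := json.Unmarshal(report, &top); err != nil {
		return nil, err
	}
	files := make([]string, len(top.Issues))
	for i, is := range top.Issues {
		files[i] = is.File
	}
	return files, nil
}

// Usage: go run . gosec-report.json > filtered.json
// With no argument the constructed sample and its fake cache path are used.
func main() {
	report, cache := []byte(sampleReport), "/home/user/.cache/go-build"
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if cache, err = goBuildCacheDir(); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		report = b
	}
	out, dropped, err := FilterReport(report, cache)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "dropped %d finding(s) under %s\n", dropped, cache)
	fmt.Println(string(out))
}
```

Dropping these findings is a triage decision, not a fix: the cache entries are cgo-generated sources, so any real issue in them originates in the project's own C or Go code and will not be attributed to a file you can edit. Keep the dropped count in your CI log so a sudden jump is still visible.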