Description of the problem

I manually inserted the problematic code in a file (from the gosec test for the rule G602):

```go
s := make([]byte, 0)
fmt.Println(s[:3])
```
This problem is not caught when running:

```
golangci-lint run --no-config --enable gosec --new
```
However, when running gosec standalone the issue is caught:

```
[/Users/victor/work/fleet/server/vulnerabilities/nvd/sync.go:212] - G602 (CWE-118): slice bounds out of range (Confidence: HIGH, Severity: LOW)
    211: s := make([]byte, 0)
  > 212: fmt.Println(s[:3])
    213:
```
Additional info

```
❯ golangci-lint --version
golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
```

gosec version v2.20.0
Version of golangci-lint

```
$ golangci-lint --version
golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
```
Configuration

```
# paste configuration file or CLI flags here
```
Go environment

```
$ go version && go env
go version go1.22.4 darwin/arm64
GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/victor/Library/Caches/go-build'
GOENV='/Users/victor/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/victor/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/victor/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/victor/go/pkg/mod/golang.org/[email protected]'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/victor/go/pkg/mod/golang.org/[email protected]/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.4'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/victor/work/fleet/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/pt/vp167s1s5d128n7yk9blrbk00000gn/T/go-build2116536770=/tmp/go-build -gno-record-gcc-switches -fno-common'
```
Verbose output of running
Note: I inserted some additional bad code and see that rule G404 is getting caught, but not G602.
```
$ golangci-lint cache clean
$ golangci-lint run -v --no-config --enable gosec --new
INFO golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
INFO [lintersdb] Active 7 linters: [errcheck gosec gosimple govet ineffassign staticcheck unused]
INFO [loader] Go packages loading at mode 575 (files|imports|name|types_sizes|deps|exports_file|compiled_files) took 4.009403459s
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 121.513791ms
INFO [linters_context/goanalysis] analyzers took 3m49.290323359s with top 10 stages: buildir: 1m10.338186497s, unused: 6.49955775s, gosec: 5.945758868s, fact_deprecated: 4.874734488s, printf: 4.346454672s, ctrlflow: 4.083380389s, S1038: 3.909541329s, inspect: 3.808951638s, nilness: 2.811794047s, fact_purity: 2.762367427s
INFO [runner] Issues before processing: 2866, after processing: 1
INFO [runner] Processors filtering stat (in/out): max_from_linter: 1/1, path_prefixer: 1/1, exclude-rules: 2866/1103, nolint: 1103/928, sort_results: 1/1, filename_unadjuster: 2866/2866, path_prettifier: 2866/2866, skip_dirs: 2866/2866, identifier_marker: 2866/2866, exclude: 2866/2866, diff: 916/1, max_per_file_from_linter: 1/1, fixer: 1/1, cgo: 2866/2866, skip_files: 2866/2866, uniq_by_line: 928/916, max_same_issues: 1/1, source_code: 1/1, path_shortener: 1/1, severity-rules: 1/1, invalid_issue: 2866/2866, autogenerated_exclude: 2866/2866
INFO [runner] processing took 935.716082ms with stages: diff: 526.263083ms, nolint: 249.450042ms, autogenerated_exclude: 66.680957ms, path_prettifier: 38.278834ms, exclude-rules: 29.02125ms, identifier_marker: 20.765291ms, skip_dirs: 2.068291ms, cgo: 1.23775ms, invalid_issue: 1.080292ms, filename_unadjuster: 640.666µs, uniq_by_line: 117.792µs, source_code: 93.959µs, max_per_file_from_linter: 9.459µs, max_same_issues: 4.626µs, skip_files: 1.458µs, path_shortener: 833ns, max_from_linter: 500ns, fixer: 458ns, sort_results: 292ns, exclude: 166ns, severity-rules: 42ns, path_prefixer: 41ns
INFO [runner] linters took 14.62322275s with stages: goanalysis_metalinter: 13.6870875s
server/vulnerabilities/nvd/sync.go:214:13: G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (gosec)
	randNum := rand.Uint64()
	           ^
INFO File cache stats: 1 entries of total size 8.5KiB
INFO Memory: 188 samples, avg is 1305.5MB, max is 2733.0MB
INFO Execution took 18.767178791s
```
A minimal reproducible example or link to a public repository
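For readers unfamiliar with what G602 is flagging: the snippet in the report slices a zero-length slice up to index 3, which compiles fine but panics at run time ("slice bounds out of range"), so the rule is the only thing standing between that line and a crash on untrusted input. The following is an added example written for this page, not code from the reporter, from gosec or from golangci-lint; `unsafeHead`, `safeHead`, `ErrOutOfRange` and `panics` are names chosen here. It places the reported pattern beside a bounds-checked version that returns an error instead of panicking, and wraps the vulnerable call in a recover so both can be exercised in one run.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutOfRange is returned when the requested window does not fit in the slice.
// (Assumed name; not part of the original report.)
var ErrOutOfRange = errors.New("slice window out of range")

// unsafeHead mirrors the gosec G602 test case from the report: slicing a
// zero-length slice up to index 3 panics at run time because 3 exceeds the
// slice's capacity. This is the pattern the linter is expected to flag.
func unsafeHead() []byte {
	s := make([]byte, 0)
	return s[:3] // G602: slice bounds out of range (runtime panic)
}

// safeHead is the hardened form: it validates n against len(s) before slicing
// and returns an error the caller can handle instead of crashing the program.
func safeHead(s []byte, n int) ([]byte, error) {
	if n < 0 || n > len(s) {
		return nil, fmt.Errorf("%w: want %d bytes, have %d", ErrOutOfRange, n, len(s))
	}
	return s[:n], nil
}

// panics reports whether fn panics, recovering so the vulnerable variant can be
// demonstrated without terminating the process.
func panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	fmt.Println("unsafeHead panics:", panics(func() { unsafeHead() }))

	// Same request against the hardened helper: an error, not a panic.
	if _, err := safeHead(make([]byte, 0), 3); err != nil {
		fmt.Println("safeHead on empty input:", err)
	}

	// A request that fits succeeds normally. Input is constructed for this example.
	head, err := safeHead([]byte("deadbeef"), 4)
	fmt.Printf("safeHead on valid input: %q, err=%v\n", head, err)
}
```

The point of running `panics` around `unsafeHead` is that the compiler accepts the line as written; only a run-time check or a static rule such as G602 catches it, which is why silently losing the rule under `--new` matters.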