
gosec rule G602 always ignored #4904

Closed
6 of 7 tasks
getvictor opened this issue Aug 14, 2024 · 1 comment · Fixed by #4906
Assignees
Labels
bug Something isn't working

Comments

@getvictor

Welcome

  • Yes, I'm using a binary release within 2 latest releases. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've read the typecheck section of the FAQ.
  • Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.).
  • I agree to follow this project's Code of Conduct

Description of the problem

I manually inserted the problematic code in a file (from the gosec test for rule G602):

	s := make([]byte, 0)
	fmt.Println(s[:3])

This problem is not caught when running:

golangci-lint run --no-config --enable gosec --new

However, when running gosec standalone the issue is caught:

[/Users/victor/work/fleet/server/vulnerabilities/nvd/sync.go:212] - G602 (CWE-118): slice bounds out of range (Confidence: HIGH, Severity: LOW)
    211: 	s := make([]byte, 0)
  > 212: 	fmt.Println(s[:3])
    213:

Additional info

❯ golangci-lint --version
golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)

gosec version v2.20.0

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)

Configuration

# paste configuration file or CLI flags here

Go environment

$ go version && go env
go version go1.22.4 darwin/arm64
GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/victor/Library/Caches/go-build'
GOENV='/Users/victor/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/victor/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/victor/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/victor/go/pkg/mod/golang.org/[email protected]'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/victor/go/pkg/mod/golang.org/[email protected]/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.4'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/victor/work/fleet/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/pt/vp167s1s5d128n7yk9blrbk00000gn/T/go-build2116536770=/tmp/go-build -gno-record-gcc-switches -fno-common'

Verbose output of running

Note: I inserted some additional bad code and see that rule G404 is getting caught, but not G602.

$ golangci-lint cache clean
$ golangci-lint run -v --no-config --enable gosec --new
INFO golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
INFO [lintersdb] Active 7 linters: [errcheck gosec gosimple govet ineffassign staticcheck unused]
INFO [loader] Go packages loading at mode 575 (files|imports|name|types_sizes|deps|exports_file|compiled_files) took 4.009403459s
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 121.513791ms
INFO [linters_context/goanalysis] analyzers took 3m49.290323359s with top 10 stages: buildir: 1m10.338186497s, unused: 6.49955775s, gosec: 5.945758868s, fact_deprecated: 4.874734488s, printf: 4.346454672s, ctrlflow: 4.083380389s, S1038: 3.909541329s, inspect: 3.808951638s, nilness: 2.811794047s, fact_purity: 2.762367427s
INFO [runner] Issues before processing: 2866, after processing: 1
INFO [runner] Processors filtering stat (in/out): max_from_linter: 1/1, path_prefixer: 1/1, exclude-rules: 2866/1103, nolint: 1103/928, sort_results: 1/1, filename_unadjuster: 2866/2866, path_prettifier: 2866/2866, skip_dirs: 2866/2866, identifier_marker: 2866/2866, exclude: 2866/2866, diff: 916/1, max_per_file_from_linter: 1/1, fixer: 1/1, cgo: 2866/2866, skip_files: 2866/2866, uniq_by_line: 928/916, max_same_issues: 1/1, source_code: 1/1, path_shortener: 1/1, severity-rules: 1/1, invalid_issue: 2866/2866, autogenerated_exclude: 2866/2866
INFO [runner] processing took 935.716082ms with stages: diff: 526.263083ms, nolint: 249.450042ms, autogenerated_exclude: 66.680957ms, path_prettifier: 38.278834ms, exclude-rules: 29.02125ms, identifier_marker: 20.765291ms, skip_dirs: 2.068291ms, cgo: 1.23775ms, invalid_issue: 1.080292ms, filename_unadjuster: 640.666µs, uniq_by_line: 117.792µs, source_code: 93.959µs, max_per_file_from_linter: 9.459µs, max_same_issues: 4.626µs, skip_files: 1.458µs, path_shortener: 833ns, max_from_linter: 500ns, fixer: 458ns, sort_results: 292ns, exclude: 166ns, severity-rules: 42ns, path_prefixer: 41ns
INFO [runner] linters took 14.62322275s with stages: goanalysis_metalinter: 13.6870875s
server/vulnerabilities/nvd/sync.go:214:13: G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (gosec)
	randNum := rand.Uint64()
	           ^
INFO File cache stats: 1 entries of total size 8.5KiB
INFO Memory: 188 samples, avg is 1305.5MB, max is 2733.0MB
INFO Execution took 18.767178791s

A minimal reproducible example or link to a public repository

package nvd

import "fmt"

func bad() {
	s := make([]byte, 0)
	fmt.Println(s[:3])
}

Validation

  • Yes, I've included all information above (version, config, etc.).

Supporter

@getvictor getvictor added the bug Something isn't working label Aug 14, 2024
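What G602 is warning about, as an added example that is not part of the issue or of golangci-lint/gosec: the snippet from the report panics at runtime because a slice expression may extend only up to cap(s), and cap of make([]byte, 0) is 0. The program below reproduces that panic under recover and contrasts it with a bounds-checked helper (safeSlice and ErrSliceBounds are names chosen here, not gosec or standard-library APIs) that checks the window against cap(s) before slicing.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrSliceBounds is returned (instead of panicking) when a requested window
// lies outside the backing array's capacity, the condition gosec G602 flags.
var ErrSliceBounds = errors.New("slice bounds out of range")

// unchecked mirrors the snippet from the issue: re-slicing an empty slice to
// [:3] exceeds its capacity and panics. The deferred recover turns the panic
// into an error so the behaviour can be observed without crashing.
func unchecked() (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	s := make([]byte, 0)
	return len(s[:3]), nil // panics: 3 > cap(s) == 0
}

// safeSlice returns s[lo:hi] only when the window lies within cap(s).
// The check is against cap, not len, because Go allows s[lo:hi] to extend
// past len(s) as long as hi <= cap(s).
func safeSlice(s []byte, lo, hi int) ([]byte, error) {
	if lo < 0 || hi < lo || hi > cap(s) {
		return nil, fmt.Errorf("%w: [%d:%d] with len=%d cap=%d",
			ErrSliceBounds, lo, hi, len(s), cap(s))
	}
	return s[lo:hi], nil
}

func main() {
	if _, err := unchecked(); err != nil {
		fmt.Println("unchecked:", err)
	}
	// Same window as the issue, but rejected instead of panicking.
	if _, err := safeSlice(make([]byte, 0), 0, 3); err != nil {
		fmt.Println("safeSlice:", err)
	}
	// Extending within capacity is legal Go and is not a G602 finding.
	out, err := safeSlice(make([]byte, 0, 8), 0, 3)
	fmt.Println("within cap:", len(out), err)
}
```

Running it prints the recovered runtime panic for the unchecked case, the ErrSliceBounds error for the checked case, and a length-3 slice with a nil error for the window that fits within a capacity of 8.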

boring-cyborg bot commented Aug 14, 2024

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.
