Cosmin Cojocar comments

Results 156 comments of


                                            Cosmin Cojocar

The spod daemonset can't work,the log is that fatal error: timer when must be positive.

My assumption is that this might be related to the system timer. It might be caused by a desynchronisation but I am not totally sure.

Per-diagnostic annotation

This feature is now supported by tracking the suppressions https://github.com/securego/gosec#tracking-suppressions.

Write a package for data flow analysis

gosec supports now Analysers and SSA code representation.

Flag potential sensitive information leak in Get URLs

This could be caught be the secrets detection rule which can be configured with custom patterns.

Add rules for regular expressions (regexp)

Not clear what is the security value of such a rule in the context of Go which is quite safe with respect to regular expressions. Closing for now.

Rewrite to leverage the go analysis package

#929 addressed this issue and also some rule such as slice bounds was implemented using SSA. Other rules will be implemented also when it makes sense.

gosec G101 false positive

This can be fixed by tweaking the entropy and the custom patters of the rule G101.

Detect panics within code base

Closing this issue seems doesn't seem to bring a lot of security benefits.

Add checks for potential PII and PHI

This can be addressed by using a custom pattern in the secrets detection rule.

Use multiple output formats

Closing this since it can be handled with a script, and is not cleared what is the value of supporting this feature in gosec. Thanks