Grant Murphy

Results 14 comments of Grant Murphy

FWIW Go is reasonably safe wrt ReDoS type attacks - see https://checkmarx.com/blog/redos-go/.

I guess the thinking here was that there are perhaps some cases where a panic would have security implications such as Denial of Service. It could be worth keeping this...

Think this makes a lot of sense and I've wanted to explore this for a while. We may be able to leverage some functionality from here as well: "golang.org/x/tools/go/callgraph" "golang.org/x/tools/go/loader"...

+1 Thanks for the suggestion. Will add this to the backlog.

Just as an update I've created the repository github.com/securego/securego.github.io and registered the securego.io domain for this purpose. I'm hoping to get some spare time to work on this soon.

One of the reasons that alert is getting triggered is that gosec currently doesn't have the taint analysis / backtracking required to resolve all usage of the `foo` function or...

In all the cases above I think we only alert if an argument to filepath.Join is being called with an identifier that we can't resolve. If it is a string...

I think what is happening here is G107 is trying to resolve the `url` variable to a known constant or basic literal. This mechanism is currently pretty basic and unable...

I think this is a reasonable request. I'll put it on the backlog. Thanks for the suggestion.

It might be interesting to re-use Go's parser + AST to do this, e.g. using a subset of Go's simple expressions. Proof-of-concept idea here - https://play.golang.org/p/c1yfMxvTbrw