False positive: go/uncontrolled-allocation-size, even though length is limited via `min` function
A false positive of "Slice memory allocation with excessive size value" in Go (Rule ID: go/uncontrolled-allocation-size).
It's a false positive, because the length of the allocated slice is explicitly limited via the min function, so it should not be reported. Link to source code:
https://github.com/fzipp/canvas/blob/9bf9f5531d570cf664d7c0f931b02dd3749f4fce/event.go#L402
```go
const maxTouchListLength = 10
length := buf.readByte()
limitedLength := min(length, maxTouchListLength)
list := make(TouchList, limitedLength)
```
URL to the alert on GitHub code scanning: https://github.com/fzipp/canvas/security/code-scanning/2
Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
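Added example, not part of the issue thread or the canvas repository: a self-contained decoder showing that clamping an attacker-declared count before `make` bounds the allocation regardless of the value on the wire. The `Touch` fields, the 2-byte entry format, `clampLen` (a stand-in for the `min` call in the report), `errTruncated` and `decodeTouchList` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Touch and TouchList are simplified stand-ins (assumptions), not the canvas package's types.
type Touch struct{ X, Y byte }
type TouchList []Touch

const maxTouchListLength = 10

var errTruncated = errors.New("truncated touch list")

// clampLen plays the role of min(length, maxTouchListLength) from the report;
// it is written out so the example does not depend on the Go 1.21 builtin.
func clampLen(n, limit int) int {
	if n > limit {
		return limit
	}
	return n
}

// decodeTouchList reads a 1-byte count followed by 2-byte entries from
// untrusted input (hypothetical wire format). The allocation never exceeds
// maxTouchListLength entries, whatever count the sender declares.
func decodeTouchList(data []byte) (TouchList, error) {
	if len(data) < 1 {
		return nil, errTruncated
	}
	limited := clampLen(int(data[0]), maxTouchListLength)
	body := data[1:]
	if len(body) < 2*limited {
		return nil, errTruncated // reject instead of reading past the payload
	}
	list := make(TouchList, limited) // size is bounded by the constant above
	for i := range list {
		list[i] = Touch{X: body[2*i], Y: body[2*i+1]}
	}
	return list, nil
}

func main() {
	// Constructed input: declares 255 entries but carries 20 payload bytes.
	msg := append([]byte{255}, make([]byte, 20)...)
	list, err := decodeTouchList(msg)
	fmt.Println(len(list), cap(list), err)
}
```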