contextcheck Stop analysis on 3rd party code

Stop analysis on 3rd party code

Open arxeiss opened this issue 1 year ago • 9 comments

I have some false positives on the code, which is not in my control. Can you stop analysis, if the error occurs in 3rd party libraries?

Example

import (
    "github.com/lestrrat-go/jwx/jwt"
    ...
)

func verifyTokenFormat(bearerToken string) error {
    _, err := jwt.ParseString(bearerToken, jwt.WithValidate(true), jwt.WithAcceptableSkew(time.Second))
    return err
}

This is source of ParseString, still does not accept context, but is already in 3rd party code: https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L87

func ParseString(s string, options ...ParseOption) (Token, error) {
	return parseBytes([]byte(s), options...)
}

And here is code of parseBytes which does not accept context, but has variable named ctx. https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L158

func parseBytes(data []byte, options ...ParseOption) (Token, error) {
	var ctx parseCtx

	// Validation is turned on by default. You need to specify
	// jwt.WithValidate(false) if you want to disable it
	ctx.validate = true
...

Error

The code above is causing this issue

identity/authorization.go:123:30: Function `verifyTokenFormat->parseBytes` should pass the context parameter (contextcheck)
                if err := verifyTokenFormat(sub.AccessToken); err != nil {

Sep 30 '22 08:09 arxeiss

contextcheck contextcheck copied to clipboard

Stop analysis on 3rd party code

Example

Error

contextcheck
contextcheck copied to clipboard