contextcheck
contextcheck copied to clipboard
Stop analysis on 3rd party code
I have some false positives on the code, which is not in my control. Can you stop analysis, if the error occurs in 3rd party libraries?
Example
import (
"github.com/lestrrat-go/jwx/jwt"
...
)
func verifyTokenFormat(bearerToken string) error {
_, err := jwt.ParseString(bearerToken, jwt.WithValidate(true), jwt.WithAcceptableSkew(time.Second))
return err
}
This is source of ParseString
, still does not accept context, but is already in 3rd party code:
https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L87
func ParseString(s string, options ...ParseOption) (Token, error) {
return parseBytes([]byte(s), options...)
}
And here is code of parseBytes
which does not accept context, but has variable named ctx
.
https://github.com/lestrrat-go/jwx/blob/develop/v2/jwt/jwt.go#L158
func parseBytes(data []byte, options ...ParseOption) (Token, error) {
var ctx parseCtx
// Validation is turned on by default. You need to specify
// jwt.WithValidate(false) if you want to disable it
ctx.validate = true
...
Error
The code above is causing this issue
identity/authorization.go:123:30: Function `verifyTokenFormat->parseBytes` should pass the context parameter (contextcheck)
if err := verifyTokenFormat(sub.AccessToken); err != nil {