
#nosec G115 doesn't work in particular cases if it's preceded by an open bracket {

Open paul-at-cybr opened this issue 4 months ago • 3 comments

Summary

In specific cases of int conversion, // #nosec G115 fails to disable the warning if there's an open bracket between the comment and the issue it's addressing.

Steps to reproduce the behavior

package main

import "fmt"

func main() {
	ten := 10
	uintTen := uint(10)
	configVal := uint(ten) // #nosec G115 -- this works
	inputSlice := []int{1, 2, 3, 4, 5}

	if len(inputSlice) <= int(uintTen) { // #nosec G115 -- this works
		fmt.Println("hello world!")
	}

	if len(inputSlice) <= int(configVal) { // #nosec G115 -- this fails
		fmt.Println("hello world!")
	}

	if len(inputSlice) <= int(configVal) /* #nosec G115 -- this works, but is horrible */ {
		fmt.Println("hello world!")
	}

	// #nosec G115 - This also works, although the documentation implies it shouldn't
	if len(inputSlice) <= int(configVal) {
		fmt.Println("hello world!")
	}
}

gosec version

Version: 2.21.4
Git tag: v2.21.4
Build date: 2024-09-26T11:55:22Z

Go version (output of 'go version')

go version go1.23.2 linux/amd64

Operating system / Environment

Any

Expected behavior

A nosec comment that always works

Actual behavior

A nosec comment that sometimes doesn't work

paul-at-cybr avatar Oct 10 '24 14:10 paul-at-cybr
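The finding G115 is suppressing in the reproduction above is the silent wrap-around of an int/uint conversion (a negative int becomes a huge uint, a uint above math.MaxInt becomes negative). The following added example, which is not part of the issue or of gosec's own code, shows the alternative to scattering suppressions: check the range first, so that each remaining conversion is provably safe, and keep the `// #nosec G115` comment on the same line as the conversion it covers (the placement the reporter shows working). The helper names `IntToUint`, `UintToInt` and `LenWithinLimit` are assumptions chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrOutOfRange is returned when a value cannot be represented in the target type.
var ErrOutOfRange = errors.New("value out of range for target type")

// IntToUint converts an int to uint, rejecting negative values instead of
// letting them wrap to a large unsigned number (the overflow G115 warns about).
func IntToUint(v int) (uint, error) {
	if v < 0 {
		return 0, ErrOutOfRange
	}
	return uint(v), nil // #nosec G115 -- v is non-negative at this point
}

// UintToInt converts a uint to int, rejecting values above math.MaxInt
// instead of letting them wrap to a negative number.
func UintToInt(v uint) (int, error) {
	if v > math.MaxInt {
		return 0, ErrOutOfRange
	}
	return int(v), nil // #nosec G115 -- v <= math.MaxInt at this point
}

// LenWithinLimit reports whether len(s) is at most limit. It is the
// bounds-checked form of the `len(inputSlice) <= int(configVal)` comparison
// from the report: a limit that does not fit in an int is larger than any
// possible slice length, so every slice satisfies it.
func LenWithinLimit(s []int, limit uint) bool {
	l, err := UintToInt(limit)
	if err != nil {
		return true
	}
	return len(s) <= l
}

func main() {
	inputSlice := []int{1, 2, 3, 4, 5} // constructed sample input
	for _, limit := range []uint{4, 10, math.MaxUint} {
		fmt.Printf("len=%d limit=%d within=%v\n", len(inputSlice), limit, LenWithinLimit(inputSlice, limit))
	}
	if _, err := IntToUint(-1); err != nil {
		fmt.Println("IntToUint(-1):", err)
	}
}
```

With the checks in place the two `#nosec` comments are the only ones needed, and both sit on the same line as the conversion they justify, which is the position the report shows gosec honouring regardless of what follows on the next line.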