
G602 (CWE-118): slice index out of range false positive

Open dev-gto opened this issue 2 months ago • 7 comments

Hello all,

gosec v2.22.10 (released yesterday) started to complain about false positives for G602 (CWE-118): slice index out of range.

For instance, the following code shouldn't generate a warning, should it?

package main

func main() {
	value := "1234567890"
	weight := []int{2, 3, 4, 5, 6, 7}
	wLen := len(weight)
	l := len(value) - 1

	addr := make([]any, 7)
	sum := 0
	weight[2] = 3
	for i := l; i >= 0; i-- {
		v := int(value[i] - '0')
		if v < 0 || v > 9 {
			println("invalid number at column", i+1)
			break
		}
		addr[2] = v
		sum += v * weight[(l-i)%wLen]
	}
	println(sum)
}
[/{redacted}/main.go:21] - G602 (CWE-118): slice index out of range (Confidence: HIGH, Severity: LOW)
    20: 		addr[2] = v
  > 21: 		sum += v * weight[(l-i)%wLen]
    22: 	}

Autofix: 

[/{redacted}/main.go:20] - G602 (CWE-118): slice index out of range (Confidence: HIGH, Severity: LOW)
    19: 		}
  > 20: 		addr[2] = v
    21: 		sum += v * weight[(l-i)%wLen]

Autofix: 

Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 24
  Nosec  : 0
  Issues : 2

Can you please evaluate this?

Kind regards,

dev-gto avatar Oct 16 '25 12:10 dev-gto

We also have lots of false positives when working with switches and arrays in our package netutil in AdguardTeam/golibs. For example:

func isLocallyServedV6(ip [16]byte) (ok bool) {
	switch ip[0] {
	case 0x00:
		return string(ip[1:15]) == "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" &&
			ip[15]&0xFE == 0x00
	case 0x20:
		return string(ip[1:4]) == "\x01\x0D\xB8"
	case 0xFE:
		return ip[1]&0xC0 == 0x80 // False positive here.
	default:
		return ip[0] == 0xFD // False positive here.
	}
}

ainar-g avatar Oct 17 '25 14:10 ainar-g

@kondratev please could you have a look at this issue? I think it is related to #1396. Thanks

ccojocar avatar Oct 20 '25 12:10 ccojocar

Running into the same error here. More info at https://github.com/Jacalz/hegelmote/actions/runs/18954459763/job/54127535975.

Jacalz avatar Oct 30 '25 20:10 Jacalz

We're also seeing lots of false-positives. I had to open a pretty silly PR to fix many of them: https://github.com/OffchainLabs/nitro/pull/3944

eljobe avatar Nov 03 '25 20:11 eljobe

My case (I used golangci-lint):

package main

const (
	val1 = 1
	val2 = 2
)

func main() {
	buf := make([]byte, 4)

	buf[0] = val1 // G602: slice index out of range (gosec)

	buf[1] = val2 // G602: slice index out of range (gosec)

	_ = buf
}

denisvmedia avatar Nov 10 '25 12:11 denisvmedia

Hello, I have been using golangci-lint v2.6.1 with Go 1.25.4 and I have the same false positive with the following function using the modernized loop:

package main

import "time"

// WeeklyPlanDayQuantity is the number of days in a weekly plan.
const WeeklyPlanDayQuantity int = 14

// WeeklyPlanDays gives all dates included in a weekly plan from its start.
func WeeklyPlanDays(start time.Time) [WeeklyPlanDayQuantity]time.Time {
	var days [WeeklyPlanDayQuantity]time.Time
	for i := range WeeklyPlanDayQuantity {
		days[i] = start.AddDate(0, 0, i) // G602: slice index out of range
	}
	return days
}

The error disappears if I revert to the old-school loop:

// WeeklyPlanDays gives all dates included in a weekly plan from its start.
func WeeklyPlanDays(start time.Time) [WeeklyPlanDayQuantity]time.Time {
	var days [WeeklyPlanDayQuantity]time.Time
	for i := 0; i < WeeklyPlanDayQuantity; i++ {
		days[i] = start.AddDate(0, 0, i)
	}
	return days
}

boreec avatar Nov 12 '25 05:11 boreec
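The following is an added example, not code from gosec or from any of the commenters above. It takes the modulo-indexed loop from the first post (without the unrelated `weight[2] = 3` write) and makes the bound explicit: for `0 <= i <= l` the dividend `l-i` is non-negative, so `(l-i)%len(weight)` always lies in `[0, len(weight))`, which is why the G602 report on that line is a false positive. It also shows what an actual out-of-range index does in Go (a runtime panic, which is the crash risk G602 is meant to catch before runtime) next to the guarded lookup a reviewer would ask for when the index is not provably in range. The function names `checksumWithModIndex`, `lookup`, `safeLookup` and `catchIndexPanic` are this example's own.

```go
package main

import (
	"fmt"
	"runtime"
)

// checksumWithModIndex mirrors the loop from the issue: the index into weight
// is (l-i)%len(weight). For 0 <= i <= l the dividend is non-negative, so the
// index is always in [0, len(weight)) and can never be out of range. The
// largest index actually used is returned so a test can confirm the bound.
func checksumWithModIndex(value string, weight []int) (sum, maxIdx int, err error) {
	if len(weight) == 0 {
		return 0, -1, fmt.Errorf("empty weight slice")
	}
	wLen := len(weight)
	l := len(value) - 1
	for i := l; i >= 0; i-- {
		v := int(value[i] - '0') // a byte, so never negative; non-digits wrap above 9
		if v > 9 {
			return 0, maxIdx, fmt.Errorf("invalid number at column %d", i+1)
		}
		idx := (l - i) % wLen
		if idx > maxIdx {
			maxIdx = idx
		}
		sum += v * weight[idx]
	}
	return sum, maxIdx, nil
}

// lookup indexes without a guard. The Go runtime still bounds-checks it: a bad
// index panics instead of reading adjacent memory, so the impact of the bug
// class G602 targets is a crash (denial of service), not memory disclosure.
func lookup(s []int, i int) int {
	return s[i]
}

// safeLookup is the guarded form to use when the index is not provably in
// range (for example when it is parsed from untrusted input).
func safeLookup(s []int, i int) (int, bool) {
	if i < 0 || i >= len(s) {
		return 0, false
	}
	return s[i], true
}

// catchIndexPanic runs fn and reports whether it panicked with a runtime
// error; a failed bounds check surfaces as a runtime.Error.
func catchIndexPanic(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			if _, ok := r.(runtime.Error); ok {
				panicked = true
			}
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed input, same digits and weights as the issue's snippet.
	sum, maxIdx, err := checksumWithModIndex("1234567890", []int{2, 3, 4, 5, 6, 7})
	fmt.Println("sum:", sum, "max index used:", maxIdx, "err:", err) // sum: 195 max index used: 5 err: <nil>

	fmt.Println("in-range lookup panics:", catchIndexPanic(func() { lookup([]int{1, 2, 3}, 2) }))     // false
	fmt.Println("out-of-range lookup panics:", catchIndexPanic(func() { lookup([]int{1, 2, 3}, 5) })) // true

	v, ok := safeLookup([]int{1, 2, 3}, 5)
	fmt.Println("guarded lookup:", v, ok) // 0 false
}
```

The largest index the loop touches is `len(weight)-1` whenever the input has at least that many digits, and never more, regardless of input length; that is the property a bounds analysis has to derive from the `%` to avoid the report.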

WIP

kondratev avatar Nov 24 '25 20:11 kondratev