G104 fails to catch err reassignments

Open omercnet opened this issue 3 years ago • 2 comments

Summary

Since err is commonly used, it's not uncommon to have it reassigned. If someone forgets to check it before reassigning it, G104 should catch it.

Steps to reproduce the behavior

package main

import (
	"io"
	"log"
	"os"
)

func main() {
	_, _ = io.WriteString(os.Stdout, "Hello World") // # this is ok

	_, err := io.WriteString(os.Stdout, "Hello World")
	if err != nil { // good
		log.Fatal(err)
	}

	_, err = io.WriteString(os.Stdout, "Hello World") // # this err will not be checked
	_, err = io.WriteString(os.Stdout, "Hello World") // # this err will be checked

	if err != nil { // checking the second err but not the first one
		log.Fatal(err)
	}

}

gosec version

2.14.0

Go version (output of 'go version')

go version go1.19.2

Operating system / Environment

darwin/arm64

Expected behavior

Should catch the err that wasn't checked

Actual behavior

Doesn't.

Nov 13 '22 16:11 omercnet

https://staticcheck.io/ does catch this, worth looking into how they implement this check

Nov 15 '22 13:11 omercnet

@ccojocar I'll take this one. Finally have some time to dive deep into the SSA :)

Nov 24 '22 23:11 timonomsk

@TimonOmsk feel free to take on this issue. Thanks

May 25 '24 09:05 ccojocar