How to ignore rule by pattern matching? Something like // #nosec G104 /Print/
Summary
I would like to ignore the unhandled errors rule by pattern matching against the function name.
I am getting G104 errors from fatih/color Fprintf calls.
Steps to reproduce the behavior
import "github.com/fatih/color"
color.New(color.FgBlack, color.BgRed, color.Bold).Fprintf(os.Stderr, msg)
gosec version
2.15.0
Go version (output of 'go version')
go version go1.20.1 darwin/arm64
Operating system / Environment
MacOS 13
Expected behavior
Updating the // #nosec G104 annotation to allow for an additional function pattern match:
// #nosec G104 /Fprint/ /Print/
package main
Or in a config file somewhere.
Actual behavior
Nosec annotation can only be added globally without exceptions or per line.
@DavidGamba This functionality is not available at the moment. It is possible to ignore one rule for an entire line by just adding the following comment:
// #nosec G104
I think this feature makes sense when there are multiple function calls returning the same warning (e.g. G104 for not checking the returned error) and one wants to ignore only some of these errors. Is this what you are thinking of?
Yes, adding the // #nosec G104 per line does the trick, but given that I know that I want to ignore the error for all Fprintf calls, it would be great to do it globally. The code already ignores the stdlib's Fprintf calls globally by default.
The config file didn't work for me, even after trying different permutations:
{
  "G104": {
    "github.com/fatih/color": ["Fprintf"],
    "color": ["Fprintf"],
    "color": ["New"]
  }
}
issues:
  - severity: 0
    confidence: 2
    cwe:
      id: "703"
      name: Improper Check or Handling of Exceptional Conditions
      description: The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
    ruleid: G104
    what: Errors unhandled.
    file: /Users/davidgamba/xxx/cmd/k/main.go
    code: |
      100: case strings.Contains(kcontext, "pro"):
      101: color.New(color.FgBlack, color.BgRed, color.Bold).Fprintf(os.Stderr, msg)
      102: case strings.Contains(kcontext, "dev"):
    line: "101"
    col: "4"
    nosec: false
    suppressions: []
stats:
  numfiles: 1
  numlines: 260
  numnosec: 0
  numfound: 1
gosecversion: 2.16.0
I think it is difficult to have pattern matching consistently across all rules because they perform different checks, and nosec is checked globally. I would rather go with a rule configuration. Closing this for now. Thanks
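The file-wide pattern suppression requested in this thread, as an added illustration that is neither gosec code nor part of the issue: a small syntactic walker that treats a regular expression on the callee's final identifier as the allowlist, so a pattern such as Fprint matches the method name of the chained color.New(...).Fprintf call without resolving the receiver type. The input file is constructed for the example. gosec's own G104 allowlist is keyed by package (as in the config tried above) and resolved with type information; this sketch does neither, so it also lists discarded calls that return no error.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
)

// sampleSrc is a constructed input file (not from the issue's repository).
// It mirrors the chained fatih/color call from the report and adds a few
// other calls whose return values are discarded.
const sampleSrc = `package main

import (
	"fmt"
	"os"

	"github.com/fatih/color"
)

func helper() error { return nil }

func run(msg string) {
	color.New(color.FgBlack, color.BgRed, color.Bold).Fprintf(os.Stderr, msg)
	fmt.Fprintln(os.Stderr, msg)
	helper()
	f, _ := os.Create("/tmp/x")
	f.Close()
}
`

// calleeName returns the last identifier of the called expression:
// "Fprintf" for color.New(...).Fprintf(...), "helper" for helper().
// Taking only the final selector is what lets a pattern such as Fprint
// match a method on a chained call without resolving the receiver type.
func calleeName(call *ast.CallExpr) string {
	switch fn := call.Fun.(type) {
	case *ast.Ident:
		return fn.Name
	case *ast.SelectorExpr:
		return fn.Sel.Name
	}
	return ""
}

// Unhandled parses src and returns "line: callee" for every call used as a
// bare statement (its results are discarded) whose callee name matches none
// of the allow patterns. It is purely syntactic: unlike gosec's G104 it has
// no type information, so it also reports calls that return no error.
func Unhandled(src string, allow []*regexp.Regexp) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		stmt, ok := n.(*ast.ExprStmt)
		if !ok {
			return true
		}
		call, ok := stmt.X.(*ast.CallExpr)
		if !ok {
			return true
		}
		name := calleeName(call)
		for _, re := range allow {
			if re.MatchString(name) {
				return true // suppressed by pattern, keep walking
			}
		}
		line := fset.Position(call.Pos()).Line
		findings = append(findings, fmt.Sprintf("%d: %s", line, name))
		return true
	})
	return findings, nil
}

func main() {
	// Equivalent of the requested file-wide "// #nosec G104 /Fprint/" rule.
	allow := []*regexp.Regexp{regexp.MustCompile(`Fprint`)}
	findings, err := Unhandled(sampleSrc, allow)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("unhandled:", f)
	}
}
```

With the Fprint pattern, both Fprintf and Fprintln are suppressed and only helper() and f.Close() remain; with an empty allowlist all four discarded calls are reported.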