From 7a681734beddee89f85b0a3f604485f159bfd188 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Oct 2021 20:15:41 +0000 Subject: [PATCH 1/4] build(deps): bump github.com/securego/gosec/v2 from 2.8.1 to 2.9.1 Bumps [github.com/securego/gosec/v2](https://github.com/securego/gosec) from 2.8.1 to 2.9.1. - [Release notes](https://github.com/securego/gosec/releases) - [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml) - [Commits](https://github.com/securego/gosec/compare/v2.8.1...v2.9.1) --- updated-dependencies: - dependency-name: github.com/securego/gosec/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 0242ee045d13..56558bf63de4 100644 --- a/go.mod +++ b/go.mod @@ -65,7 +65,7 @@ require ( github.com/ryancurrah/gomodguard v1.2.3 github.com/ryanrolds/sqlclosecheck v0.3.0 github.com/sanposhiho/wastedassign/v2 v2.0.6 - github.com/securego/gosec/v2 v2.8.1 + github.com/securego/gosec/v2 v2.9.1 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c github.com/shirou/gopsutil/v3 v3.21.9 github.com/sirupsen/logrus v1.8.1 diff --git a/go.sum b/go.sum index 288191078fcb..76a9a0df330b 100644 --- a/go.sum +++ b/go.sum @@ -318,7 +318,7 @@ github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4Mgqvf github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= @@ -461,7 +461,7 @@ github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJ github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= @@ -557,13 +557,12 @@ github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.16.2/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E= github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak= -github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY= +github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c= +github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= @@ -639,8 +638,8 @@ github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYI github.com/sanposhiho/wastedassign/v2 v2.0.6 h1:+6/hQIHKNJAUixEj6EmOngGIisyeI+T3335lYTyxRoA= github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/securego/gosec/v2 v2.8.1 h1:Tyy/nsH39TYCOkqf5HAgRE+7B5D8sHDwPdXRgFWokh8= -github.com/securego/gosec/v2 v2.8.1/go.mod h1:pUmsq6+VyFEElJMUX+QB3p3LWNHXg1R3xh2ssVJPs8Q= +github.com/securego/gosec/v2 v2.9.1 h1:anHKLS/ApTYU6NZkKa/5cQqqcbKZURjvc+MtR++S4EQ= +github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= @@ -804,6 +803,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From 532a4d9eacc56eb023a1282c8c6f80ac56a4d996 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Mon, 18 Oct 2021 22:54:47 +0200 Subject: [PATCH 2/4] fix: new param --- pkg/golinters/gosec.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go index 328ba5ccc7c5..f175d32d1bc6 100644 --- a/pkg/golinters/gosec.go +++ b/pkg/golinters/gosec.go @@ -54,7 +54,7 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter { nil, ).WithContextSetter(func(lintCtx *linter.Context) { analyzer.Run = func(pass *analysis.Pass) (interface{}, error) { - gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, logger) + gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, true, logger) gosecAnalyzer.LoadRules(ruleDefinitions.Builders()) pkg := &packages.Package{ From 034e50beddb8f85e21801d001f30969ee102cb21 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Mon, 18 Oct 2021 23:00:23 +0200 Subject: [PATCH 3/4] feat: exclude-generated option --- .golangci.example.yml | 2 ++ pkg/config/linters_settings.go | 7 ++++--- pkg/golinters/gosec.go | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.golangci.example.yml b/.golangci.example.yml index d8cd938dbcde..836947d5631a 100644 --- a/.golangci.example.yml +++ b/.golangci.example.yml @@ -369,6 +369,8 @@ linters-settings: # Available rules: https://github.com/securego/gosec#available-rules excludes: - G204 + # Exclude generated files + exclude-generated: true # To specify the configuration of rules. # The configuration of rules is not fully documented by gosec: # https://github.com/securego/gosec#configuration diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go index c32f2570706a..e9e92e6c5d61 100644 --- a/pkg/config/linters_settings.go +++ b/pkg/config/linters_settings.go @@ -294,9 +294,10 @@ type GoModGuardSettings struct { } type GoSecSettings struct { - Includes []string - Excludes []string - Config map[string]interface{} `mapstructure:"config"` + Includes []string + Excludes []string + ExcludeGenerated bool `mapstructure:"exclude-generated"` + Config map[string]interface{} `mapstructure:"config"` } type GovetSettings struct { diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go index f175d32d1bc6..32d73847994c 100644 --- a/pkg/golinters/gosec.go +++ b/pkg/golinters/gosec.go @@ -54,7 +54,7 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter { nil, ).WithContextSetter(func(lintCtx *linter.Context) { analyzer.Run = func(pass *analysis.Pass) (interface{}, error) { - gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, true, logger) + gosecAnalyzer := gosec.NewAnalyzer(gasConfig, true, settings.ExcludeGenerated, logger) gosecAnalyzer.LoadRules(ruleDefinitions.Builders()) pkg := &packages.Package{ From 6e2734039c9ff65a0199eec427ce5e6f0db99d6d Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Mon, 18 Oct 2021 23:18:01 +0200 Subject: [PATCH 4/4] fix: update report message --- test/testdata/gosec.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/testdata/gosec.go b/test/testdata/gosec.go index 951b3ebeaff4..a5edb9658a28 100644 --- a/test/testdata/gosec.go +++ b/test/testdata/gosec.go @@ -34,5 +34,5 @@ func GosecG204SubprocWithFunc() { return "/tmp/dummy" } - exec.Command("ls", arg()).Run() // ERROR "G204: Subprocess launched with function call as argument or cmd arguments" + exec.Command("ls", arg()).Run() // ERROR "G204: Subprocess launched with a potential tainted input or cmd arguments" }