Panic in gosec 2.21.3 conversion overflow analyzer #1229
Comments
I see that too scanning istio/istio for instance, and the code crashing is:

func updateExplicitValues(result *rangeResult, constVal *ssa.Const) {
	if strings.Contains(constVal.String(), "-") {
		result.explicitNegativeVals = append(result.explicitNegativeVals, int(constVal.Int64()))
	} else {
		result.explicitPositiveVals = append(result.explicitPositiveVals, uint(constVal.Uint64()))
	}
}

which seems incorrect as it looks at constants that could be a string for instance with a I can fix that I think if nobody gets to it (as I have #1231 too)
So I have a workaround, but I'm finding it odd that I can't reproduce the issue first (as in, running again it disappears). @ccojocar is there some caching somewhere? How do I clear it? (Here is the "fix":)
--- a/analyzers/conversion_overflow.go
+++ b/analyzers/conversion_overflow.go
@@ -357,7 +357,7 @@ func updateResultFromBinOp(result *rangeResult, binOp *ssa.BinOp, instr *ssa.Con
}
constVal, ok := y.(*ssa.Const)
- if !ok {
+ if !ok || constVal == nil {
return
} |
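Review bot: the added `constVal == nil` guard cannot be what stops this panic: `constVal` comes straight from a successful `y.(*ssa.Const)` type assertion, so it is non-nil whenever `ok` is true, and the follow-up comment below reports that the nil field is `constVal.Value`. A guard of the form `if !ok || constVal.Value == nil { return }` is the check that matches the reported crash.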
edit: it's constVal.Value which is nil, not constVal itself. And I can sort of repro, though in different directories each time, by nuking entirely my
I added logging, here is an example: log.Fatalf("[gosec] constVal.Value is nil flipped=%t, constVal=%#v, binOp=%#v", operandsFlipped, constVal, binOp) yields:
ps: how do I reach the actual logger from that code?
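As an added illustration (not gosec's or the reporter's code), this is how the split that updateExplicitValues performs can be made on the go/constant value held in ssa.Const.Value, so that the nil Value reported above is skipped instead of dereferenced and a string constant containing "-" is not mistaken for a negative number. The names classifyConst, constClass and sampleClasses are assumptions for this example, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"go/constant"
)

// constClass is the bucket an explicit constant operand is sorted into.
type constClass int
const (
	classSkip     constClass = iota // nil Value or non-integer constant: no bound
	classNegative                   // integer constant < 0
	classPositive                   // integer constant >= 0
)

// classifyConst makes the decision updateExplicitValues makes, but on the
// go/constant value that ssa.Const.Value holds rather than on its string form.
// A nil Value (ssa's typed nil, the crashing input) is skipped, not dereferenced.
func classifyConst(v constant.Value) (constClass, int64, uint64, bool) {
	if v == nil || v.Kind() != constant.Int {
		return classSkip, 0, 0, true // typed nil, string, float, bool: no bound
	}
	if constant.Sign(v) < 0 {
		i, exact := constant.Int64Val(v) // exact=false if it does not fit int64
		return classNegative, i, 0, exact
	}
	u, exact := constant.Uint64Val(v)
	return classPositive, 0, u, exact
}

// sampleClasses runs the classifier over constructed inputs, including the
// string constant that contains "-" and the nil Value from the report.
func sampleClasses() []constClass {
	samples := []constant.Value{
		constant.MakeInt64(-3),
		constant.MakeUint64(42),
		constant.MakeString("a-b"), // has a "-" but is not a negative number
		nil,                        // typed nil: the crashing case
	}
	out := make([]constClass, 0, len(samples))
	for _, v := range samples {
		c, _, _, _ := classifyConst(v)
		out = append(out, c)
	}
	return out
}

func main() {
	fmt.Println(sampleClasses()) // [1 2 0 0]
}
```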
hi, can you tag the fix?
I can do a release.
@ccojocar Seeing this issue again.
I was going to say the line numbers don't match the code
Summary
We started getting panic on some of our routine gosec scans. I'm not certain as to what exactly triggers it, but it happens when scanning a large project.
Steps to reproduce the behavior
Scan a directory using:
gosec version
2.21.3
Go version (output of 'go version')
1.22.4
Operating system / Environment
Linux