Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gosec: latest version (v2.17.0) returning false positives #4037

Closed
5 tasks done
Smelton01 opened this issue Aug 22, 2023 · 5 comments · Fixed by #4120
Closed
5 tasks done

gosec: latest version (v2.17.0) returning false positives #4037

Smelton01 opened this issue Aug 22, 2023 · 5 comments · Fixed by #4120
Labels
bug Something isn't working dependencies Relates to an upstream dependency

Comments

@Smelton01
Copy link

Welcome

Description of the problem

The latest release v1.54.2 of golangci-lint includes an updated version of of gosec v2.17.0 with changes which introduced a number of false positives.

The changes in question were introduced in the following PRs:

Since this is a very popular linter trusted by many, a release should be made reverting the linter to a stable version until the above issues are addressed.

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 1.54.2 built with go1.21.0 from 411e0bb on 2023-08-21T11:04:00Z

Configuration

default-config

Go environment

$ go version 
go version go1.21.0 darwin/arm64

Verbose output of running

$ golangci-lint cache clean
$ golangci-lint run -v
...G101: Potential hardcoded credentials (gosec)
        SQSQueueURL  = "workertest-sqs-queue-url"

A minimal reproducible example or link to a public repository

// add your code here

Validation

  • Yes, I've included all information above (version, config, etc.).
@Smelton01 Smelton01 added the bug Something isn't working label Aug 22, 2023
@boring-cyborg
Copy link

boring-cyborg bot commented Aug 22, 2023

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.

@vitaly-eureka-security
Copy link

The relevant issue in gosec repo: securego/gosec#1001

@ldez ldez added the dependencies Relates to an upstream dependency label Aug 22, 2023
@atc0005 atc0005 mentioned this issue Aug 23, 2023
Merged
atc0005 added a commit to atc0005/go-ci that referenced this issue Aug 24, 2023
@atc0005
Downgrade golangci-lint from v1.54.2 to v1.54.1
06e9b78 
Multiple false-positive detections from gosec linter for G101
rule violation: "G101: Potential hardcoded credentials (gosec)"

See also:

- securego/gosec#1001
- golangci/golangci-lint#4037
@atc0005 atc0005 mentioned this issue Aug 24, 2023
Merged
olblak added a commit to updatecli/updatecli that referenced this issue Aug 24, 2023
@olblak
Downgrade golangci linter to 1.54.1
934e2e2 
Due to golangci/golangci-lint#4037
We have many false positive
@olblak olblak mentioned this issue Aug 24, 2023
Merged
olblak added a commit to updatecli/updatecli that referenced this issue Aug 24, 2023
@olblak
Downgrade golangci linter to 1.54.1 (#1532)
ee5b82f 
Due to golangci/golangci-lint#4037
We have many false positive
@atc0005
Copy link

atc0005 commented Sep 11, 2023
edited
Loading

The relevant issue in gosec repo: securego/gosec#1001

FWIW: Closed as resolved per securego/gosec#1009

EDIT: See also:

@ldez
Copy link
Member

ldez commented Sep 11, 2023

I'm aware but there is no release 🤷

@atc0005
Copy link

atc0005 commented Oct 9, 2023

@ldez

New upstream release:

@ldez ldez mentioned this issue Oct 9, 2023
Merged
@ldez ldez closed this as completed in #4120 Oct 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working dependencies Relates to an upstream dependency
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

build(deps): bump github.com/securego/gosec/v2 from 2.17.0 to 2.18.0 golangci/golangci-lint
4 participants
@ldez @atc0005 @Smelton01 @vitaly-eureka-security