Closed
Description
Welcome
- Yes, I'm using a binary release within 2 latest releases. Only such installations are supported.
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've read the typecheck section of the FAQ.
- Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.).
- I agree to follow this project's Code of Conduct
Description of the problem
I manually inserted the problematic code in a file (from the gosec test for rule G602):
s := make([]byte, 0)
fmt.Println(s[:3])
This problem is not caught when running:
golangci-lint run --no-config --enable gosec --new
However, when running gosec standalone, the issue is caught:
[/Users/victor/work/fleet/server/vulnerabilities/nvd/sync.go:212] - G602 (CWE-118): slice bounds out of range (Confidence: HIGH, Severity: LOW)
211: s := make([]byte, 0)
> 212: fmt.Println(s[:3])
213:
Additional info
❯ golangci-lint --version
golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
gosec version v2.20.0
Configuration
# paste configuration file or CLI flags here
Go environment
$ go version && go env
go version go1.22.4 darwin/arm64
GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/victor/Library/Caches/go-build'
GOENV='/Users/victor/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/victor/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/victor/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/victor/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.4.darwin-arm64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/victor/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.4.darwin-arm64/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.4'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/victor/work/fleet/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/pt/vp167s1s5d128n7yk9blrbk00000gn/T/go-build2116536770=/tmp/go-build -gno-record-gcc-switches -fno-common'
Verbose output of running
Note: I inserted some additional bad code and see that rule G404 is getting caught, but not G602.
$ golangci-lint cache clean
$ golangci-lint run -v --no-config --enable gosec --new
INFO golangci-lint has version v1.60.1 built with go1.22.6 from (unknown, modified: ?, mod sum: "h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=") on (unknown)
INFO [lintersdb] Active 7 linters: [errcheck gosec gosimple govet ineffassign staticcheck unused]
INFO [loader] Go packages loading at mode 575 (files|imports|name|types_sizes|deps|exports_file|compiled_files) took 4.009403459s
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 121.513791ms
INFO [linters_context/goanalysis] analyzers took 3m49.290323359s with top 10 stages: buildir: 1m10.338186497s, unused: 6.49955775s, gosec: 5.945758868s, fact_deprecated: 4.874734488s, printf: 4.346454672s, ctrlflow: 4.083380389s, S1038: 3.909541329s, inspect: 3.808951638s, nilness: 2.811794047s, fact_purity: 2.762367427s
INFO [runner] Issues before processing: 2866, after processing: 1
INFO [runner] Processors filtering stat (in/out): max_from_linter: 1/1, path_prefixer: 1/1, exclude-rules: 2866/1103, nolint: 1103/928, sort_results: 1/1, filename_unadjuster: 2866/2866, path_prettifier: 2866/2866, skip_dirs: 2866/2866, identifier_marker: 2866/2866, exclude: 2866/2866, diff: 916/1, max_per_file_from_linter: 1/1, fixer: 1/1, cgo: 2866/2866, skip_files: 2866/2866, uniq_by_line: 928/916, max_same_issues: 1/1, source_code: 1/1, path_shortener: 1/1, severity-rules: 1/1, invalid_issue: 2866/2866, autogenerated_exclude: 2866/2866
INFO [runner] processing took 935.716082ms with stages: diff: 526.263083ms, nolint: 249.450042ms, autogenerated_exclude: 66.680957ms, path_prettifier: 38.278834ms, exclude-rules: 29.02125ms, identifier_marker: 20.765291ms, skip_dirs: 2.068291ms, cgo: 1.23775ms, invalid_issue: 1.080292ms, filename_unadjuster: 640.666µs, uniq_by_line: 117.792µs, source_code: 93.959µs, max_per_file_from_linter: 9.459µs, max_same_issues: 4.626µs, skip_files: 1.458µs, path_shortener: 833ns, max_from_linter: 500ns, fixer: 458ns, sort_results: 292ns, exclude: 166ns, severity-rules: 42ns, path_prefixer: 41ns
INFO [runner] linters took 14.62322275s with stages: goanalysis_metalinter: 13.6870875s
server/vulnerabilities/nvd/sync.go:214:13: G404: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) (gosec)
randNum := rand.Uint64()
^
INFO File cache stats: 1 entries of total size 8.5KiB
INFO Memory: 188 samples, avg is 1305.5MB, max is 2733.0MB
INFO Execution took 18.767178791s
A minimal reproducible example or link to a public repository
package nvd
import "fmt"
func bad() {
s := make([]byte, 0)
fmt.Println(s[:3])
}
Validation
- Yes, I've included all information above (version, config, etc.).
Supporter
- I am a sponsor/backer through GitHub or OpenCollective
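Added example, not code from the issue above or from gosec's test suite: the G602 pattern beside a bounds-checked alternative, to show what the rule protects against at run time. `badPrefix` reproduces the reported snippet; `s[:3]` on a zero-length slice compiles (the upper bound only has to stay within cap(s), which the compiler does not know statically) and then panics with "slice bounds out of range". `window` is a hypothetical helper I wrote that validates against len(s) rather than cap(s) and uses a full slice expression to cap the result, so a caller can neither read stale backing-array bytes past the logical end nor append through the window into the parent buffer. Function names and the sample buffer are mine.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutOfRange is returned by window when the requested bounds do not fit.
var ErrOutOfRange = errors.New("slice window out of range")

// badPrefix is the exact pattern gosec rule G602 flags. make([]byte, 0) has
// len 0 and cap 0, so s[:3] panics at run time; the panic is recovered here
// only so the function can report it as an error instead of crashing.
func badPrefix() (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("recovered: %v", r)
		}
	}()
	s := make([]byte, 0)
	return s[:3], nil // G602: slice bounds out of range
}

// window returns s[lo:hi] only when the bounds are valid for len(s).
// The runtime would accept hi up to cap(s); checking against len(s)
// instead refuses windows that would expose bytes past the logical end of
// the slice. The three-index form s[lo:hi:hi] sets the result's capacity
// equal to its length, so append on the window cannot overwrite the
// caller's backing array.
func window(s []byte, lo, hi int) ([]byte, error) {
	if lo < 0 || hi < lo || hi > len(s) {
		return nil, fmt.Errorf("%w: [%d:%d] on len %d", ErrOutOfRange, lo, hi, len(s))
	}
	return s[lo:hi:hi], nil
}

func main() {
	if _, err := badPrefix(); err != nil {
		fmt.Println("badPrefix:", err)
	}

	// Constructed input: a buffer with spare capacity, as produced by
	// make([]byte, 0, 8) followed by an append.
	buf := append(make([]byte, 0, 8), "abc"...)

	w, err := window(buf, 1, 3)
	fmt.Printf("window(buf,1,3) = %q err=%v\n", w, err)

	// buf[:5] would not panic (cap is 8) but would expose 2 bytes past len;
	// window rejects it.
	_, err = window(buf, 0, 5)
	fmt.Println("window(buf,0,5):", err)
}
```

When reproducing a gosec rule through golangci-lint, keep in mind that `--new` applies the `diff` processor (the `diff: 916/1` line in the verbose log above), which keeps only issues whose lines are in the current git diff; running once without `--new` rules that filter out before comparing against standalone gosec.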