build(deps): bump github.com/securego/gosec/v2 from 5f0084eb01a9 to 8…

…1cda2f91fbe (#4927)
golangci · Aug 20, 2024 · f338f3e · f338f3e
1 parent 741df1f
commit f338f3e
Show file tree

Hide file tree

Showing 7 changed files with 84 additions and 29 deletions.
diff --git a/.golangci.next.reference.yml b/.golangci.next.reference.yml
@@ -853,6 +853,7 @@ linters-settings:
       - G112 # Potential slowloris attack
       - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
       - G114 # Use of net/http serve function that has no support for setting timeouts
+      - G115 # Potential integer overflow when converting between integer types
       - G201 # SQL query construction using format string
       - G202 # SQL query construction using string concatenation
       - G203 # Use of unescaped data in HTML templates
@@ -864,16 +865,21 @@ linters-settings:
       - G305 # File traversal when extracting zip/tar archive
       - G306 # Poor file permissions used when writing to a new file
       - G307 # Poor file permissions used when creating a file with os.Create
-      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
+      - G401 # Detect the usage of MD5 or SHA1
       - G402 # Look for bad TLS connection settings
       - G403 # Ensure minimum RSA key length of 2048 bits
       - G404 # Insecure random number source (rand)
+      - G405 # Detect the usage of DES or RC4
+      - G406 # Detect the usage of MD4 or RIPEMD160
       - G501 # Import blocklist: crypto/md5
       - G502 # Import blocklist: crypto/des
       - G503 # Import blocklist: crypto/rc4
       - G504 # Import blocklist: net/http/cgi
       - G505 # Import blocklist: crypto/sha1
+      - G506 # Import blocklist: golang.org/x/crypto/md4
+      - G507 #Import blocklist: golang.org/x/crypto/ripemd160
       - G601 # Implicit memory aliasing of items from a range statement
+      - G602 # Slice access out of bounds
 
     # To specify a set of rules to explicitly exclude.
     # Available rules: https://github.com/securego/gosec#available-rules
@@ -892,6 +898,7 @@ linters-settings:
       - G112 # Potential slowloris attack
       - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
       - G114 # Use of net/http serve function that has no support for setting timeouts
+      - G115 # Potential integer overflow when converting between integer types
       - G201 # SQL query construction using format string
       - G202 # SQL query construction using string concatenation
       - G203 # Use of unescaped data in HTML templates
@@ -903,16 +910,21 @@ linters-settings:
       - G305 # File traversal when extracting zip/tar archive
       - G306 # Poor file permissions used when writing to a new file
       - G307 # Poor file permissions used when creating a file with os.Create
-      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
+      - G401 # Detect the usage of MD5 or SHA1
       - G402 # Look for bad TLS connection settings
       - G403 # Ensure minimum RSA key length of 2048 bits
       - G404 # Insecure random number source (rand)
+      - G405 # Detect the usage of DES or RC4
+      - G406 # Detect the usage of MD4 or RIPEMD160
       - G501 # Import blocklist: crypto/md5
       - G502 # Import blocklist: crypto/des
       - G503 # Import blocklist: crypto/rc4
       - G504 # Import blocklist: net/http/cgi
       - G505 # Import blocklist: crypto/sha1
+      - G506 # Import blocklist: golang.org/x/crypto/md4
+      - G507 #Import blocklist: golang.org/x/crypto/ripemd160
       - G601 # Implicit memory aliasing of items from a range statement
+      - G602 # Slice access out of bounds
 
     # Exclude generated files
     # Default: false

diff --git a/.golangci.yml b/.golangci.yml
@@ -204,6 +204,21 @@ issues:
       linters: [gocritic]
       text: "rangeValCopy: each iteration copies 160 bytes \\(consider pointers or indexing\\)"
 
+    # Related to file sizes.
+    - path: pkg/goanalysis/runner_loadingpackage.go
+      linters: [gosec]
+      text: "G115: integer overflow conversion uintptr -> int"
+
+    # Related to PID.
+    - path: test/bench/bench_test.go
+      linters: [gosec]
+      text: "G115: integer overflow conversion int -> int32"
+
+    # Related to the result of computation but divided multiple times by 1024.
+    - path: test/bench/bench_test.go
+      linters: [gosec]
+      text: "G115: integer overflow conversion uint64 -> int"
+
   exclude-dirs:
     - test/testdata_etc # test files
     - internal/cache # extracted from Go code

diff --git a/go.mod b/go.mod
@@ -92,7 +92,7 @@ require (
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sashamelentyev/interfacebloat v1.1.0
 	github.com/sashamelentyev/usestdlibvars v1.27.0
-	github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9
+	github.com/securego/gosec/v2 v2.20.1-0.20240820084340-81cda2f91fbe
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/sirupsen/logrus v1.9.3
@@ -124,7 +124,7 @@ require (
 	go-simpler.org/musttag v0.12.2
 	go-simpler.org/sloglint v0.7.2
 	go.uber.org/automaxprocs v1.5.3
-	golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/tools v0.24.0
 	gopkg.in/yaml.v3 v3.0.1
 	honnef.co/go/tools v0.5.1
@@ -192,8 +192,8 @@ require (
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/jsonschema/golangci.next.jsonschema.json b/jsonschema/golangci.next.jsonschema.json
@@ -137,6 +137,7 @@
         "G112",
         "G113",
         "G114",
+        "G115",
         "G201",
         "G202",
         "G203",
@@ -152,12 +153,17 @@
         "G402",
         "G403",
         "G404",
+        "G405",
+        "G406",
         "G501",
         "G502",
         "G503",
         "G504",
         "G505",
-        "G601"
+        "G506",
+        "G507",
+        "G601",
+        "G602"
       ]
     },
     "govet-analyzers": {

diff --git a/pkg/goanalysis/runners.go b/pkg/goanalysis/runners.go
@@ -134,7 +134,7 @@ func saveIssuesToCache(allPkgs []*packages.Package, pkgsFromCache map[*packages.
 		perPkgIssues[i.Pkg] = append(perPkgIssues[i.Pkg], *i)
 	}
 
-	savedIssuesCount := int32(0)
+	var savedIssuesCount int64 = 0
 	lintResKey := getIssuesCacheKey(analyzers)
 
 	workerCount := runtime.GOMAXPROCS(-1)
@@ -162,7 +162,7 @@ func saveIssuesToCache(allPkgs []*packages.Package, pkgsFromCache map[*packages.
 					})
 				}
 
-				atomic.AddInt32(&savedIssuesCount, int32(len(encodedIssues)))
+				atomic.AddInt64(&savedIssuesCount, int64(len(encodedIssues)))
 				if err := lintCtx.PkgCache.Put(pkg, pkgcache.HashModeNeedAllDeps, lintResKey, encodedIssues); err != nil {
 					lintCtx.Log.Infof("Failed to save package %s issues (%d) to cache: %s", pkg, len(pkgIssues), err)
 				} else {

diff --git a/pkg/golinters/gosec/gosec.go b/pkg/golinters/gosec/gosec.go
@@ -10,6 +10,7 @@ import (
 	"sync"
 
 	"github.com/securego/gosec/v2"
+	"github.com/securego/gosec/v2/analyzers"
 	"github.com/securego/gosec/v2/issue"
 	"github.com/securego/gosec/v2/rules"
 	"golang.org/x/tools/go/analysis"
@@ -27,16 +28,20 @@ func New(settings *config.GoSecSettings) *goanalysis.Linter {
 	var mu sync.Mutex
 	var resIssues []goanalysis.Issue
 
-	var filters []rules.RuleFilter
 	conf := gosec.NewConfig()
+
+	var ruleFilters []rules.RuleFilter
+	var analyzerFilters []analyzers.AnalyzerFilter
 	if settings != nil {
-		filters = gosecRuleFilters(settings.Includes, settings.Excludes)
+		ruleFilters = createRuleFilters(settings.Includes, settings.Excludes)
+		analyzerFilters = createAnalyzerFilters(settings.Includes, settings.Excludes)
 		conf = toGosecConfig(settings)
 	}
 
 	logger := log.New(io.Discard, "", 0)
 
-	ruleDefinitions := rules.Generate(false, filters...)
+	ruleDefinitions := rules.Generate(false, ruleFilters...)
+	analyzerDefinitions := analyzers.Generate(false, analyzerFilters...)
 
 	analyzer := &analysis.Analyzer{
 		Name: linterName,
@@ -53,7 +58,9 @@ func New(settings *config.GoSecSettings) *goanalysis.Linter {
 		analyzer.Run = func(pass *analysis.Pass) (any, error) {
 			// The `gosecAnalyzer` is here because of concurrency issue.
 			gosecAnalyzer := gosec.NewAnalyzer(conf, true, settings.ExcludeGenerated, false, settings.Concurrency, logger)
+
 			gosecAnalyzer.LoadRules(ruleDefinitions.RulesInfo())
+			gosecAnalyzer.LoadAnalyzers(analyzerDefinitions.AnalyzersInfo())
 
 			issues := runGoSec(lintCtx, pass, settings, gosecAnalyzer)
 
@@ -176,8 +183,23 @@ func convertGosecGlobals(globalOptionFromConfig any, conf gosec.Config) {
 	}
 }
 
+// based on https://github.com/securego/gosec/blob/81cda2f91fbe1bf4735feb55febcae03e697a92b/cmd/gosec/main.go#L258-L275
+func createAnalyzerFilters(includes, excludes []string) []analyzers.AnalyzerFilter {
+	var filters []analyzers.AnalyzerFilter
+
+	if len(includes) > 0 {
+		filters = append(filters, analyzers.NewAnalyzerFilter(false, includes...))
+	}
+
+	if len(excludes) > 0 {
+		filters = append(filters, analyzers.NewAnalyzerFilter(true, excludes...))
+	}
+
+	return filters
+}
+
 // based on https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/cmd/gosec/main.go#L170-L188
-func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
+func createRuleFilters(includes, excludes []string) []rules.RuleFilter {
 	var filters []rules.RuleFilter
 
 	if len(includes) > 0 {