
Conflict in gosec results in golangci-lint tool

I am trying to run gosec in golangci-lint. However, some issues that are reported in gosec do not get reported when using gosec through golangci-lint.

I've used the https://github.com/golang/example project. There were 3 issues reported when running gosec.

$ gosec gotypes
[gosec] 2020/11/12 13:56:09 Including rules: default
[gosec] 2020/11/12 13:56:09 Excluding rules: default
[gosec] 2020/11/12 13:56:09 Import directory: personal/sec-test-go/example/gotypes
[gosec] 2020/11/12 13:56:09 Checking package: main
[gosec] 2020/11/12 13:56:09 Checking file: personal/sec-test-go/example/gotypes/weave.go
Results:
[personal/sec-test-go/example/gotypes/weave.go:106] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    105: func include(file, tag string) (string, error) {
  > 106:    f, err := os.Open(file)
    107:    if err != nil {
[personal/sec-test-go/example/gotypes/weave.go:110] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    109:    }
  > 110:    defer f.Close()
    111:
[personal/sec-test-go/example/gotypes/weave.go:30] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    29:     }
  > 30:     defer f.Close()
    31:
Summary:
   Files: 1
   Lines: 191
   Nosec: 0
  Issues: 3

However, when I run the same code with gosec using golangci-lint, none of the issues were recorded.

But when I ran both of the tools on another set of code (another directory in the sample code), all the issues were recorded.

$ golangci-lint run outyet --disable-all -E gosec
outyet/main.go:98:12: G107: Potential HTTP request made with variable url (gosec)
    r, err := http.Head(url)

$ gosec outyet
[gosec] 2020/11/12 14:07:56 Including rules: default
[gosec] 2020/11/12 14:07:56 Excluding rules: default
[gosec] 2020/11/12 14:07:56 Import directory: personal/sec-test-go/example/outyet
[gosec] 2020/11/12 14:07:56 Checking package: main
[gosec] 2020/11/12 14:07:56 Checking file: sec-test-go/example/outyet/main.go
Results:

[personal/sec-test-go/example/outyet/main.go:98] - G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
    97:     pollCount.Add(1)
  > 98:     r, err := http.Head(url)
    99:     if err != nil {

Summary:
   Files: 1
   Lines: 140
   Nosec: 0
  Issues: 1

Did anyone encounter this issue?

Golangci-lint has default settings to reduce the number of false positives.

Try the --exclude-use-default=false parameter.

golangci-lint run outyet --disable-all --exclude-use-default=false -E gosec
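The same setting as a checked-in .golangci.yml, added here as an example (it is not part of the original answer), so the gosec findings stay visible in CI rather than depending on everyone remembering the flag; the exclude-rules block is an assumed illustration of scoping suppressions explicitly once the default list is off:

```yaml
# .golangci.yml  (added example; not from the original post)
# Equivalent of: golangci-lint run --disable-all --exclude-use-default=false -E gosec
run:
  timeout: 5m

linters:
  disable-all: true
  enable:
    - gosec

issues:
  # golangci-lint applies a built-in exclusion list by default, which is why
  # the G304 / G307 findings in the question vanished when gosec was run
  # through golangci-lint while the G107 finding survived.
  # Disable it so gosec-via-golangci-lint reports the same issues as gosec alone.
  exclude-use-default: false

  # With the global list off, suppress findings deliberately and visibly.
  # Assumed example: ignore gosec in test files only.
  exclude-rules:
    - path: _test\.go
      linters:
        - gosec
```

Re-run `golangci-lint run gotypes` with this file in place and the G304 and G307 results from the direct gosec run should reappear.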
