I have a code like this:
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // need insecure TLS option for testing and development
InsecureSkipVerify: cfg.GetRedisInsecure(),
}
}
When I run golangci-lint run
it recognizes the nolint
directive and ignores that error, but when Sonarqube runs it keeps failing with a message "TLS InsecureSkipVerify may be true"
This issue https://github.com/securego/gosec/issues/278 talks about using #nosec
in the comment to disable that error. Here it talks about using it in specific parts of the statement https://github.com/securego/gosec/issues/278#issuecomment-745209803
So I've tried:
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // need insecure TLS option for testing and development
// NOSONAR #nosec
InsecureSkipVerify: cfg.GetRedisInsecure(),
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // need insecure TLS option for testing and development
InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
InsecureSkipVerify: cfg.GetRedisInsecure(),
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
/* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
}
}
And
if cfg.GetRedisTLS() {
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
/* #nosec */ InsecureSkipVerify /* #nosec */ :/* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
}
}
I have open this issue in the gosec project https://github.com/securego/gosec/issues/780
What else can I do to ignore this in gosec?
As @rodolfo has suggested, I reproduce the solution mentioned on Github as it might help someone else.
Apparently using // #nosec G402
on the same line as the if
statement fixes the problem:
if cfg.GetRedisTLS() { // #nosec G402
clientOpts.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: cfg.GetRedisInsecure(),
}
}
If you don't have an if statement, you can make a command block
{ // #nosec G402
clientOpts.tlsConfig := &tls.Config{
RootCAs: or.certificates,
InsecureSkipVerify: or.insecure,
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.