Comments (5)
Just merged PR #109 that will ensure the first example does not report an error.
The second example shouldn't trigger, as we only look for variables containing phrases like password, key, token or secret, so 'UsernameFieldLabel' shouldn't trigger it; however, the error reporting for GenDecl blocks such as that didn't reference the exact constant declaration that was causing the error, instead it was referencing the entire const ( ) block. So I fixed that in PR #110.
The test is still pretty noisy, which is why it has been marked as a low confidence result. We are looking at introducing an additional entropy check (see #105) which should reduce these kinds of false positives.
from gosec.
Yes it would currently. There is the option to use the flag `-exclude=G101` to exclude this rule.
Closing.
There isn't really a heuristic that we can use here to reduce false positives in variable naming. This test should really target things like API keys, so when #105 is merged it will eliminate a large number of false positives around innocuous things like `const PasswordFieldLabel = "Enter password"`.
In addition, the option is available to exclude this test altogether via the `-exclude=G101` command line option or add a `// #nosec` comment to the affected field (e.g. `const PasswordFieldLabel = "Enter password" // #nosec`). The nosec tags are also applicable to entire blocks (e.g. a whole block of constants).
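As an added illustration of the two comments above (the name-based heuristic behind G101, the `#nosec` suppression on a single spec or a whole block, and the entropy filter proposed in #105), here is a small Go program written for this page; it is not gosec's own code. It parses a constructed source sample with `go/ast`, matches a simplified name pattern (password, key, token, secret), skips `#nosec`-annotated declarations, reports the line of the specific ValueSpec rather than the enclosing `const ( )` block, and shows that the label `"Enter password"` drops out once a minimum entropy is required. The sample source, the name pattern, the 3.8 bits-per-character threshold and the placeholder token value are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"math"
	"regexp"
	"strconv"
	"strings"
)

// sampleSrc is constructed for this example. The labels mirror the thread's
// false positives, SecretFieldLabel carries a #nosec annotation, and apiToken
// is a made-up placeholder: 32 hex characters with every hex digit exactly
// twice, so its entropy is exactly 4.0 bits per character.
const sampleSrc = `package cfg
const (
	PasswordFieldLabel = "Enter password"
	UsernameFieldLabel = "Enter username"
	SecretFieldLabel   = "Enter secret" // #nosec
	apiToken           = "3a9f1c7e0b5d2846f6e8d0c2b4a97531"
)
`

// credentialName is a simplified stand-in for the name heuristic described in
// the thread (password, key, token, secret), not gosec's actual pattern.
var credentialName = regexp.MustCompile(`(?i)password|key|token|secret`)

// shannonEntropy returns the entropy of s in bits per character (0 for "").
func shannonEntropy(s string) float64 {
	runes := []rune(s)
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	n, h := float64(len(runes)), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Finding records the line of the specific ValueSpec, not the enclosing block.
type Finding struct {
	Name    string
	Line    int
	Entropy float64
}

func hasNosec(cg *ast.CommentGroup) bool {
	return cg != nil && strings.Contains(cg.Text(), "#nosec")
}

// findCredentials reports string const/var declarations whose name matches
// credentialName, skipping #nosec-annotated specs and blocks. With minEntropy
// > 0 it also applies an entropy filter in the spirit of #105.
func findCredentials(src string, minEntropy float64) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, d := range f.Decls {
		gd, ok := d.(*ast.GenDecl)
		if !ok || (gd.Tok != token.CONST && gd.Tok != token.VAR) || hasNosec(gd.Doc) {
			continue // not a const/var block, or the whole block is #nosec
		}
		for _, spec := range gd.Specs {
			vs := spec.(*ast.ValueSpec)
			if hasNosec(vs.Doc) || hasNosec(vs.Comment) {
				continue // this single declaration is #nosec
			}
			for i, name := range vs.Names {
				if i >= len(vs.Values) || !credentialName.MatchString(name.Name) {
					continue
				}
				lit, ok := vs.Values[i].(*ast.BasicLit)
				if !ok || lit.Kind != token.STRING {
					continue
				}
				val, _ := strconv.Unquote(lit.Value) // parser already validated the literal
				if h := shannonEntropy(val); h >= minEntropy {
					out = append(out, Finding{name.Name, fset.Position(name.Pos()).Line, h})
				}
			}
		}
	}
	return out, nil
}

func main() {
	for _, threshold := range []float64{0, 3.8} {
		findings, _ := findCredentials(sampleSrc, threshold)
		fmt.Printf("minEntropy=%.1f: %+v\n", threshold, findings)
	}
}
```

With the threshold at 0 the run reports both `PasswordFieldLabel` (entropy about 3.52 bits per character) and `apiToken`, while `SecretFieldLabel` is suppressed by its `#nosec` comment; at 3.8 only `apiToken` remains. The threshold is deliberately a single tunable number: short natural-language strings sit around 3 to 3.6 bits per character, hex material tops out at 4.0, and base64-style tokens go higher, which is why an entropy check can remove label-style false positives without changing the name heuristic itself.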
OK, thanks.