golangci: Disable gosec rules that don't apply to CLI tools #387
Merged: nirs merged 1 commit into RamenDR:main (Mar 4, 2026)
Conversation
After upgrading golangci-lint, gosec reports new errors that are false positives for this project:

G602 (slice bounds out of range):
Flagged in fingerprint.go where we iterate over a sha256 sum and index into a slice created with the same length. Gosec cannot prove the lengths match through static analysis. Since Go has runtime bounds checking, out of bounds access causes a panic with a clear stack trace rather than silent memory corruption. With good test coverage, this check adds noise without value.

G703 (path traversal via taint analysis):
Flagged in htmlfmt when reading/writing files from command line args. This rule is designed for web services where user input could escape a sandboxed directory. For CLI tools, the user can specify any path - this is the intended behavior, not a vulnerability.

G705 (XSS via taint analysis):
Flagged in htmlfmt when printing to stderr. This rule is designed for web services outputting HTML. Stderr is plain text, not rendered as HTML, so XSS is not possible. Disabled only for tools/ directory to keep XSS checks active for HTML report generation in pkg/.

Assisted-by: Cursor/Claude Opus 4.5
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
parikshithb approved these changes on Mar 4, 2026
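A golangci-lint configuration that expresses the rule set described in the commit message, added here as an illustration rather than the PR's actual diff: it assumes golangci-lint v2 config syntax and a `.golangci.yml` file name, and it treats the G602 and G703 exclusions as repository-wide, which the message does not state explicitly.

```yaml
# .golangci.yml (illustrative reconstruction, not the file changed by this PR)
version: "2"

linters:
  enable:
    - gosec
  settings:
    gosec:
      # Rules excluded for the whole module. Treated as repository-wide
      # here because the commit message does not scope them narrower.
      excludes:
        - G602 # slice bounds: Go panics at runtime; covered by tests
        - G703 # path traversal: a CLI user may legitimately name any path
  exclusions:
    rules:
      # G705 (XSS via taint analysis) is silenced only under tools/, so the
      # check keeps running on the HTML report generation in pkg/.
      # `text` is a regex matched against the reported issue message, which
      # gosec prefixes with the rule ID.
      - path: ^tools/
        linters:
          - gosec
        text: "^G705"
```

The narrow `path` scope is the important part: a blanket `excludes: [G705]` would also stop the XSS check on the code that actually emits HTML.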