18890
Recommended update for gosec
moderate
openSUSE Backports SLE-15-SP6 Update

This update for gosec fixes the following issues:

Update to version 2.22.4:

* Update to go version 1.24.3 and 1.23.9
* update: updated the build command to include version metadata
* chore(deps): update all dependencies
* Update the AI provider API key value when provided as an argument
* chore(deps): update module google.golang.org/api to v0.230.0
* chore(deps): update module google.golang.org/api to v0.229.0
* chore(deps): update all dependencies
* Comment the reason why the file can be nil when an issue is created
* Handle nil file when creating a new issue
* chore(deps): update all dependencies (#1333)

Update to version 2.22.3:

* Update version in 'action.yml' to 2.22.3 (anticipating next version (#1332)
* Update go version to 1.24.2 and 1.23.8 (#1331)
* remove G113. It only affects old/unsupported versions of Go (#1328)
* chore(deps): update all dependencies (#1325)
* Add SSOJet (#1320)
* chore(deps): update all dependencies (#1319)
* Update the integrity sha for babel dependency in html report (#1316)
* Add support for `//gosec:disable` directive (#1314)
* chore(deps): update all dependencies (#1315)

Update to version 2.22.2:

* Update to go version 1.24.1 and 1.23.7 (#1313)
* chore(deps): update all dependencies (#1310)
* chore(deps): update all dependencies (#1308)
* Update gosec version in the GitHub action to v2.22.1 (#1307)
* chore(deps): update module google.golang.org/api to v0.221.0 (#1305)

Update to version 2.22.1:

* Update cosign to v2.4.2 (#1303)
* Add support for go 1.24 and phased out support for go 1.22 (#1302)
* chore(deps): update all dependencies (#1300)
* Update to go version 1.23.6 and 1.22.12 (#1299)
* chore(deps): update module google.golang.org/api to v0.219.0 (#1296)
* chore(deps): update module google.golang.org/api to v0.218.0 (#1294)
* Add test to cover unit parsing for G115 rule (#1293)
* Update to go version 1.23.5 and 1.22.11 (#1291)
* chore(deps): update all dependencies (#1290)
* Update gosec in github action to 2.22.0 (#1286)

Update to version 2.22.0:

* Update what message for G104 (#1282)
* chore(deps): update module github.com/onsi/ginkgo/v2 to v2.22.2 (#1281)
* chore(deps): update all dependencies (#1280)
* chore(deps): update all dependencies (#1279)
* Simplify sortIssues implementation (#1277)
* Enable testifylint and fix up lint issues (#1276)
* Refactor AppendError to check for build.NoGoError (#1273)
* chore(deps): update module golang.org/x/net to v0.33.0 [security] (#1275)
* Update README.md (#1274)
* Rule documentation updates (#1272)
* Replace old golang.org links with new go.dev (#1271)
* Refactor AppendError to use strings.Contains (#1270)
* Simplify Analyzer.ignore by reducing nesting (#1269)
* Improve capitalization in AI API flags descriptions (#1267)
* Remove unused golint dependency (#1266)
* Simplify tests by using GinkgoT().TempDir() (#1265)
* Documentation on adding new rules and analyzers (#1262)
* chore(deps): update all dependencies (#1268)
* Update to go 1.22.10 and 1.23.4 versions (#1264)
* chore(deps): update module golang.org/x/crypto to v0.31.0 [security] (#1263)
* chore(deps): update all dependencies (#1261)
* chore(deps): update module github.com/onsi/gomega to v1.36.0 (#1259)
* fix: revive.redefines-builtin-id lint warnings (#1257)
* Fix typos in comments and fields
* Remove the decryption functions/methods from G407 check
* Update go to version 1.23.3 and 1.22.9
* Fix G115 false positive when going from parsed uint to larger int
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* Update go version to 1.23.2 and 1.22.8
* chore(deps): update module google.golang.org/api to v0.201.0
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* Fix the cosign step to authenticate with the container registry
* chore(deps): update module google.golang.org/api to v0.199.0

Update to version 2.21.4:

* Update the gosec to v2.21.4 in the Github action
* Add the version into goreleaser config
* chore(deps): update module google.golang.org/api to v0.198.0 (#1233)
* Prevent panic: unexpected constant value: <nil> (#1232)
* Fix running single analyzer which isn't a rule bug (#1231)

Update to version 2.21.3:

* Update gosec version to v2.21.3 in github action (#1227)
* Populate the fixes only when autofix is not empty (#1226)
* chore(deps): update all dependencies (#1223)
* G115 Struct Attribute Checks (#1221)

Update to version 2.21.2:

* Update the github action to v2.21.2 (#1218)
* Update the SARIF schema URL (#1217)
* Update go version to 1.23.1 and 1.22.7 (#1216)
* chore(deps): update all dependencies (#1215)
* Update gosec version to v2.21.1 in github action (#1213)
* Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210)
* Update gosec in github action to v2.21.0 (#1208)
* Update cosign version to v2.4.0 in release github workflow (#1207)
* Improve the int conversion overflow logic to handle bound checks (#1194)
* fix: G602 support for nested conditionals with bounds check (#1201)
* Update go.mod to use go 1.22.0 toolchain
* chore(deps): update all dependencies
* Make variable name more clear
* Make variable names more explicit and reduce duplications
* Fix formatting
* Refactor to reduce some functions and variable names
* Pass the value argument directly since is an interface
* Added suggested changes
* Added another test case in order to increase code coverage
* Removed function parameter which is always the same
* Formatting problems (CI was not passing)
* Updated analyzer to use new way of initialization
* Migrated the rule to the analyzers folder
* Refactored code a little bit
* Added new rule G407 (hardcoded IV/nonce)
* Fix conversion overflow false positive when using ParseUint
* Add a build step to measure the scan performance
* Fix conversion overflow false positives when they are checked or pre-determined
* Update go.mod
* chore(deps): update all dependencies
* Fix false positive in conversion overflow check from uint8/int8 type
* Disable staticcheck SA1019 rule
* Update the golangci linters
* Add more test to cover more use cases for G115 rule
* Allow excluding analyzers globally (#1180)
* Update to Go 1.23.0 (#1183)
* chore(deps): update all dependencies (#1182)
* Read the AI API key also from an environment variable (#1181)
* Add support to generate auto fixes using LLM (AI) (#1177)
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update dependency babel-standalone to v7.24.10
* Resolve underlying type to detect overflows in type aliases
* chore(deps): update dependency babel-standalone to v7.24.8
* Fix multifile ignores
* Add -enable-audit cli flag
* Update to go 1.22.5 and 1.21.12
* chore(deps): update all dependencies
* Added more rules
* Fixed coverage workflow
* Fixed CI workflow
* Minor changes
* Split the G401 rule into two separate ones
* Updated G401 corresponding CWE
* chore(deps): update docker/build-push-action action to v6
* Update to go versions to 1.21.11 and 1.22.4
* chore(deps): update all dependencies
* Fix nosec when applied to a block
* Add more types to templates rule
* Map the G115 rule to a CWE ID
* chore(deps): update all dependencies
* Update README with G115 rule description
* Remove deprecated megacheck linter from golangci
* Format imports
* Update .gitignore
* Add a new rule to detect integer overflow on integer types conversion
* feat: add env var to override the Go version detection
* Use the proper logic when disabling the go module version
* Update the README with some details related to Go version used by the rules
* Add an environment variable which disables the parsing of Go version from module file
* chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3

Update to version 2.20.0:

* Update docker image in action to v2.20.0
* Catch os.ModePerm permissions in os.WriteFile
* Add a unit test to detect the false negative in rule G306 for os.ModePerm permissions
* Add filepath.EvalSymlinks to clean functions in rule G304
* chore(deps): update all dependencies
* Update Go to version 2.22.3 in CI and release
* chore(deps): update module golang.org/x/text to v0.15.0
* chore(deps): update all dependencies
* chore(deps): update module github.com/onsi/gomega to v1.33.0
* Update to go 1.22.2
* chore(deps): update all dependencies
* chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1
* chore(deps): update all dependencies
* fix(helpers/goversion): get from go.mod
* chore: fix function name
* chore(deps): update all dependencies
* Format the imports using the gci tool
* Fixup: delete unused variable
* Fix test: update test to comply with the spec of generated sources
* Refactor: use standard function to check if a file is generated
* Fix lint warnings
* Add support for math/rand/v2 added in Go 1.22
* Skip the G601 tests for Go version 1.22
* Update go version to 1.22.1 and 1.21.8
* Ignore 'implicit memory aliasing' rule for Go 1.22+
* chore(deps): update all dependencies
* chore(deps): update module golang.org/x/tools to v0.18.0
* fix(hardcoded): remove duplicated `Stripe API Key`

Update to version 2.19.0:

* Update gosec version to v2.19.0 in the Github action
* Update CI to go version 1.22
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update all dependencies
* chore(deps): update dependency babel-standalone to v7.23.7
* chore(deps): update module golang.org/x/crypto to v0.17.0 [security]
* chore(deps): update all dependencies
* chore(deps): update actions/setup-go action to v5
* Fix lint warnings by properly formatting the files
* chore: Refactor Sample Code to Separate Files
* Update go version to 1.21.5 and 1.20.12 (#1084)
* chore(deps): update all dependencies (#1080)
* Ignore the issues from generated files when using the analysis framework (#1079)
* Update README with upload-sarif v2 (#1078)
* chore(deps): update dependency babel-standalone to v7.23.4

Update to 2.18.2:

* Disable dot-imports in revive linter
* Run the gosec with data race detector active during tests
* Fix data race in the analyzer
* Fix test that checks the overridden nosec directive
* Clean global state in flgs tests
* Format the file
* Update README with details which describe the current of #nosec
* Ensure the ignores are parsed before analysing the package

Update to version 2.18.2:

* Added ppc64le support
* chore(deps): update all dependencies
* Ensure ignores are handled properly for multi-line issues
* Update Go to version 1.21.4 and 1.20.11
* chore(deps): update module golang.org/x/text to v0.14.0
* chore(deps): update all dependencies
* Remove the hardcoded GOOS value when building the Linux binary to enable support for container image for ARM
* Avoid allocations with `(*regexp.Regexp).MatchString`
* Fix some typos
* Update local installation instructions by removing the details for Go 1.16

Update to version 2.18.1:

* chore(deps): update all dependencies
* Update gosec to version 2.18.1 in the action
* Update cosign version to v2.2.0
* Refactor how ignored issues are tracked
* Restrict the maximum depth when tracking the slice bounds
* Handle empty ssa results
* Handle gracefully any panic that occurs when building the SSA representation of a package
* Fix typo
* Handle new function when getting the call info in case is overridden
* Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037)
* Update to Go 1.21.3 and 1.20.10 (#1035)
* Update the list of unsafe functions detected by the unsafe rule (#1033)

Update to version 2.18.0:

* Update the action to use gosec version v2.18.0 (#1029)
* Use a step ID in github release action to get the digest of the image (#1028)
* Update to go version 1.21.2 and 1.20.9 (#1027)
* chore(deps): update all dependencies (#1026)
* Enable gochecknoinits; fix lint issues; use consts for some vars (#1022)
* Fix typos in struct fields, comments, and docs (#1023)
* chore(deps): update all dependencies
* Fix lint warning
* Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
* Fix lint warnings
* Update ginkgo to latest version
* Redesign and reimplement the slice out of bounds check using SSA code representation
* docs: add reMarkable to users list
* chore(deps): update all dependencies
* Drop support for go 1.19.x since go team doesn't ship any more security fixes for it
* Update to latest go version
* chore(deps): update all dependencies (#1011)
* Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
* chore(deps): update all dependencies (#1008)
* Exclude maps from slice bounds check rule (#1006)
* Ignore struct pointers in G601 (#1003)
* Update gosec image version to 2.17.0 in the Github action (#1002)

gosec-2.22.4-bp156.2.3.2.src.rpm
gosec-2.22.4-bp156.2.3.2.x86_64.rpm
gosec-2.22.4-bp156.2.3.2.aarch64.rpm
gosec-2.22.4-bp156.2.3.2.ppc64le.rpm
gosec-2.22.4-bp156.2.3.2.s390x.rpm