Go modules support for 1.12 (#297)

* support go module * fix implement and uncommented out tests * includes test package * remove test environment go1.10 or older
2024-11-05 19:45:51 +00:00 · 2019-04-25 16:25:32 +09:00 · 2019-04-25 16:25:32 +09:00 · 85d180848d
commit 85d180848d
parent eaba99df37
5 changed files with 102 additions and 81 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,9 +1,8 @@
 language: go
 go:
  - "1.9.x"
  - "1.10.x"
  - "1.11.x"
  - "1.12.x"
  - tip
 install:
@ -16,6 +15,7 @@ install:
  - go get -u github.com/securego/gosec/cmd/gosec/...
  - go get -v -t ./...
  - export PATH=$PATH:$HOME/gopath/bin
  - export GO111MODULE=on
 script: make test
--- a/analyzer.go
+++ b/analyzer.go
@ -18,7 +18,6 @@ package gosec
 import (
 	"go/ast"
 	"go/build"
 	"go/parser"
 	"go/token"
 	"go/types"
 	"log"
@ -27,9 +26,10 @@ import (
 	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
-	"golang.org/x/tools/go/loader"
+	"golang.org/x/tools/go/packages"
 )
 // The Context is populated with data parsed from the source code as it is scanned.
@ -102,11 +102,12 @@ func (gosec *Analyzer) LoadRules(ruleDefinitions map[string]RuleBuilder) {
 func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error {
 	ctx := build.Default
 	ctx.BuildTags = append(ctx.BuildTags, buildTags...)
-	packageConfig := loader.Config{
+	conf := &packages.Config{
-		Build:       &ctx,
+		Mode:  packages.LoadSyntax,
-		ParserMode:  parser.ParseComments,
+		Tests: true,
 		AllowErrors: true,
 	}
 	pkgs := []*packages.Package{}
 	for _, packagePath := range packagePaths {
 		abspath, err := GetPkgAbsPath(packagePath)
 		if err != nil {
@ -125,14 +126,15 @@ func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error
 			packageFiles = append(packageFiles, path.Join(packagePath, filename))
 		}
-		packageConfig.CreateFromFilenames(basePackage.Name, packageFiles...)
+		_pkgs, err := packages.Load(conf, packageFiles...)
 		if err != nil {
 			return err
 		}
 		pkgs = append(pkgs, _pkgs...)
 	}
-	builtPackage, err := packageConfig.Load()
+
-	if err != nil {
+	for _, packageInfo := range pkgs {
 		return err
 	}
 	for _, packageInfo := range builtPackage.AllPackages {
 		if len(packageInfo.Errors) != 0 {
 			for _, packErr := range packageInfo.Errors {
 				// infoErr contains information about the error
@ -160,26 +162,28 @@ func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error
 			}
 		}
 	}
 	sortErrors(gosec.errors) // sorts errors by line and column in the file
-	for _, pkg := range builtPackage.Created {
+	for _, pkg := range pkgs {
 		gosec.logger.Println("Checking package:", pkg.String())
-		for _, file := range pkg.Files {
+		for _, file := range pkg.Syntax {
-			gosec.logger.Println("Checking file:", builtPackage.Fset.File(file.Pos()).Name())
+			gosec.logger.Println("Checking file:", pkg.Fset.File(file.Pos()).Name())
-			gosec.context.FileSet = builtPackage.Fset
+			gosec.context.FileSet = pkg.Fset
 			gosec.context.Config = gosec.config
 			gosec.context.Comments = ast.NewCommentMap(gosec.context.FileSet, file, file.Comments)
 			gosec.context.Root = file
-			gosec.context.Info = &pkg.Info
+			gosec.context.Info = pkg.TypesInfo
-			gosec.context.Pkg = pkg.Pkg
+			gosec.context.Pkg = pkg.Types
-			gosec.context.PkgFiles = pkg.Files
+			gosec.context.PkgFiles = pkg.Syntax
 			gosec.context.Imports = NewImportTracker()
 			gosec.context.Imports.TrackPackages(gosec.context.Pkg.Imports()...)
 			ast.Walk(gosec, file)
 			gosec.stats.NumFiles++
-			gosec.stats.NumLines += builtPackage.Fset.File(file.Pos()).LineCount()
+			gosec.stats.NumLines += pkg.Fset.File(file.Pos()).LineCount()
 		}
 	}
 	return nil
 }
--- a/go.mod
+++ b/go.mod
@ -2,21 +2,18 @@ module github.com/securego/gosec
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/golang/protobuf v1.2.0 // indirect
+	github.com/golang/protobuf v1.3.1 // indirect
-	github.com/kisielk/gotool v0.0.0-20161130080628-0de1eaf82fa3
+	github.com/kisielk/gotool v1.0.0
 	github.com/kr/pretty v0.1.0 // indirect
-	github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40
+	github.com/mozilla/tls-observatory v0.0.0-20190404164649-a3c1b6cfecfd
-	github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd
+	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
-	github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c
+	github.com/onsi/ginkgo v1.8.0
-	github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c
+	github.com/onsi/gomega v1.5.0
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0
-	github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735
+	github.com/stretchr/testify v1.3.0 // indirect
-	github.com/stretchr/testify v1.2.2 // indirect
+	golang.org/x/net v0.0.0-20190415214537-1da14a5a36f2 // indirect
-	golang.org/x/net v0.0.0-20170915142106-8351a756f30f // indirect
+	golang.org/x/sys v0.0.0-20190416152802-12500544f89f // indirect
-	golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f // indirect
+	golang.org/x/tools v0.0.0-20190417005754-4ca4b55e2050
 	golang.org/x/sys v0.0.0-20171026204733-164713f0dfce // indirect
 	golang.org/x/text v0.0.0-20170915090833-1cbadb444a80 // indirect
 	golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
-	gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7
+	gopkg.in/yaml.v2 v2.2.2
 )
--- a/go.sum
+++ b/go.sum
@ -1,39 +1,59 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/kisielk/gotool v0.0.0-20161130080628-0de1eaf82fa3 h1:s/sV9geKJwXXzcrFiQdiiIFgfesbREplXWR9ZFgnGSQ=
+github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
-github.com/kisielk/gotool v0.0.0-20161130080628-0de1eaf82fa3/go.mod h1:jxZFDH7ILpTPQTk+E2s+z4CUas9lVNjIuKR4c5/zKgM=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40 h1:Q0XH6Ql1+Z6YbUKyWyI0sD8/9yH0U8x86yA8LuWMJwY=
+github.com/mozilla/tls-observatory v0.0.0-20190404164649-a3c1b6cfecfd h1:Av0AX0PnAlPZ3AY2rQUobGFaZfE4KHVRdKWIEPvsCWY=
-github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
+github.com/mozilla/tls-observatory v0.0.0-20190404164649-a3c1b6cfecfd/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
-github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd h1:hEzcdYzgmGA1zDrSYdh+OE4H43RrglXdZQ5ip/+93GU=
+github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d h1:AREM5mwr4u1ORQBMvzfzBgpsctsbQikCVpvC+tX285E=
-github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
+github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c h1:Hww8mOyEKTeON4bZn7FrlLismspbPc1teNRUVH7wLQ8=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c h1:eSfnfIuwhxZyULg1NNuZycJcYkjYVGYe7FczwQReM6U=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735 h1:7YvPJVmEeFHR1Tj9sZEYsmarJEQfMVYpd/Vyy/A8dqE=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
-github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
-golang.org/x/net v0.0.0-20170915142106-8351a756f30f h1:gBDN4vcizo3zTVoOZWdw1W3KB3Yh9lxB8I1uOgf/7n0=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-golang.org/x/net v0.0.0-20170915142106-8351a756f30f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190415214537-1da14a5a36f2 h1:iC0Y6EDq+rhnAePxGvJs2kzUAYcwESqdcGRPzEUfzTU=
 golang.org/x/net v0.0.0-20190415214537-1da14a5a36f2/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20171026204733-164713f0dfce h1:BDMHZhZQhI6KuA6MzarSMksZq8ZegBJ3mSbFKLEYG/w=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20171026204733-164713f0dfce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/text v0.0.0-20170915090833-1cbadb444a80 h1:LMxnNSL1jel8frQKy+gjCcwcgLsd3UEDVGg9DD8ryxw=
+golang.org/x/sys v0.0.0-20190416152802-12500544f89f h1:1ZH9RnjNgLzh6YrsRp/c6ddZ8Lq0fq9xztNOoWJ2sz4=
-golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/sys v0.0.0-20190416152802-12500544f89f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f h1:2bTOCVQtYN868SqJlTyB1SOrvrmeurDB7H5ylUynHsY=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190417005754-4ca4b55e2050 h1:F2v+dqex82KbcdFuJrgIWjWXfT48L8i0Qh8NFaZPNZg=
 golang.org/x/tools v0.0.0-20190417005754-4ca4b55e2050/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7 h1:+t9dhfO+GNOIGJof6kPOAenx7YgrZMTdRPV+EsnPabk=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/testutils/pkg.go
+++ b/testutils/pkg.go
@ -3,7 +3,6 @@ package testutils
 import (
 	"fmt"
 	"go/build"
 	"go/parser"
 	"io/ioutil"
 	"log"
 	"os"
@ -11,13 +10,13 @@ import (
 	"strings"
 	"github.com/securego/gosec"
-	"golang.org/x/tools/go/loader"
+	"golang.org/x/tools/go/packages"
 )
 type buildObj struct {
-	pkg     *build.Package
+	pkg    *build.Package
-	config  loader.Config
+	config *packages.Config
-	program *loader.Program
+	pkgs   []*packages.Package
 }
 // TestPackage is a mock package for testing purposes
@ -37,9 +36,7 @@ func NewTestPackage() *TestPackage {
 		goPath = build.Default.GOPATH
 	}
-	// Files must exist in $GOPATH
+	workingDir, err := ioutil.TempDir("", "gosecs_test")
 	sourceDir := path.Join(goPath, "src")
 	workingDir, err := ioutil.TempDir(sourceDir, "gosecs_test")
 	if err != nil {
 		return nil
 	}
@ -84,20 +81,23 @@ func (p *TestPackage) Build() error {
 	}
 	var packageFiles []string
 	packageConfig := loader.Config{Build: &build.Default, ParserMode: parser.ParseComments}
 	for _, filename := range basePackage.GoFiles {
 		packageFiles = append(packageFiles, path.Join(p.Path, filename))
 	}
-	packageConfig.CreateFromFilenames(basePackage.Name, packageFiles...)
+	conf := &packages.Config{
-	program, err := packageConfig.Load()
+		Mode:  packages.LoadSyntax,
 		Tests: false,
 	}
 	pkgs, err := packages.Load(conf, packageFiles...)
 	if err != nil {
 		return err
 	}
 	p.build = &buildObj{
-		pkg:     basePackage,
+		pkg:    basePackage,
-		config:  packageConfig,
+		config: conf,
-		program: program,
+		pkgs:   pkgs,
 	}
 	return nil
 }
@ -109,18 +109,18 @@ func (p *TestPackage) CreateContext(filename string) *gosec.Context {
 		return nil
 	}
-	for _, pkg := range p.build.program.Created {
+	for _, pkg := range p.build.pkgs {
-		for _, file := range pkg.Files {
+		for _, file := range pkg.Syntax {
-			pkgFile := p.build.program.Fset.File(file.Pos()).Name()
+			pkgFile := pkg.Fset.File(file.Pos()).Name()
 			strip := fmt.Sprintf("%s%c", p.Path, os.PathSeparator)
 			pkgFile = strings.TrimPrefix(pkgFile, strip)
 			if pkgFile == filename {
 				ctx := &gosec.Context{
-					FileSet: p.build.program.Fset,
+					FileSet: pkg.Fset,
 					Root:    file,
 					Config:  gosec.NewConfig(),
-					Info:    &pkg.Info,
+					Info:    pkg.TypesInfo,
-					Pkg:     pkg.Pkg,
+					Pkg:     pkg.Types,
 					Imports: gosec.NewImportTracker(),
 				}
 				ctx.Imports.TrackPackages(ctx.Pkg.Imports()...)