From ac75d44f5635e83e6e91347f7350f1b3c87ee5af Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Tue, 28 May 2024 11:46:49 +0100
Subject: [PATCH] Fix nosec when applied to a block

Handle properly nosec directive when applied to a block or as a single line on a multi-line issue.

Signed-off-by: Cosmin Cojocar
---
 analyzer.go | 2 +-
 analyzer_test.go | 46 +++++++++++++++++++++++++++++++++++++++
 testutils/g101_samples.go | 44 +++++++++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+), 1 deletion(-)

diff --git a/analyzer.go b/analyzer.go
index f7dd895..430a947 100644
--- a/analyzer.go
+++ b/analyzer.go
@@ -122,7 +122,7 @@ func (i ignores) get(file string, line string) map[string][]issue.SuppressionInf
 start, end := i.parseLine(line)
 if is, ok := i[file]; ok {
 for _, i := range is {
- if start <= i.start && end >= i.end {
+ if i.start <= start && i.end >= end || start <= i.start && end >= i.end {
 return i.suppressions
 }
 }
diff --git a/analyzer_test.go b/analyzer_test.go
index 73b7ee6..c8cf7db 100644
--- a/analyzer_test.go
+++ b/analyzer_test.go
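Review bot: The new condition on the `+` line chains `&&` and `||` without parentheses and, because the loop variable `i` shadows the `ignores` receiver, its two clauses read as near-duplicates; parenthesise them and say what each means, e.g. `// match when the nosec range encloses the issue, or when the issue encloses the nosec range` above `if (i.start <= start && i.end >= end) || (start <= i.start && end >= i.end) {`. The second clause is the behavioural change and has a suppression cost: a directive whose range sits anywhere inside a reported multi-line range now silences that whole finding, so a `#nosec` on one line of a large construct suppresses an issue reported for the entire construct. The loop returns the first matching entry's suppressions, so when a file holds both an enclosing and an enclosed directive for the same lines the outcome depends on the order of `is`, which is not visible here. Partial overlaps where neither range encloses the other still fall through, which looks intentional but is undocumented. The body of `get` begins and ends outside this hunk.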
@@ -220,6 +220,52 @@ var _ = Describe("Analyzer", func() {
 Expect(nosecIssues).Should(BeEmpty())
 })
+ It("should not report errors when a nosec block and line comment are present", func() {
+ sample := testutils.SampleCodeG101[23]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g101.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+ It("should not report errors when only a nosec block is present", func() {
+ sample := testutils.SampleCodeG101[24]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G101")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g101.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+ It("should not report errors when a single line nosec is present on a multi-line issue", func() {
+ sample := testutils.SampleCodeG112[3]
+ source := sample.Code[0]
+ analyzer.LoadRules(rules.Generate(false, rules.NewRuleFilter(false, "G112")).RulesInfo())
+
+ nosecPackage := testutils.NewTestPackage()
+ defer nosecPackage.Close()
+ nosecPackage.AddFile("g112.go", source)
+ err := nosecPackage.Build()
+ Expect(err).ShouldNot(HaveOccurred())
+ err = analyzer.Process(buildTags, nosecPackage.Path)
+ Expect(err).ShouldNot(HaveOccurred())
+ nosecIssues, _, _ := analyzer.Report()
+ Expect(nosecIssues).Should(BeEmpty())
+ })
+
 It("should report errors when an exclude 
comment is present for a different rule", func() {
 sample := testutils.SampleCodeG401[0]
 source := sample.Code[0]
diff --git a/testutils/g101_samples.go b/testutils/g101_samples.go
index dcf7857..a1e34fb 100644
--- a/testutils/g101_samples.go
+++ b/testutils/g101_samples.go
@@ -278,6 +278,50 @@ func main() {
 fmt.Println(bearer)
 }
 `}, 1, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+// #nosec G101
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+// #nosec G101
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config"
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
+ {[]string{`
+package main
+
+import "fmt"
+
+const (
+ ConfigLearnerTokenAuth string = "learner_auth_token_config" // #nosec G101
+)
+
+func main() {
+ fmt.Printf("%s\n", ConfigLearnerTokenAuth)
+}
+
+`}, 0, gosec.NewConfig()},
 }
 // SampleCodeG101Values code snippets for hardcoded credentials
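Review bot: The three added `It` blocks repeat the same build, process and report sequence and differ only in the sample index, the rule id passed to `rules.NewRuleFilter` and the file name; a small helper taking those three values would reduce each case to one line and make the intent visible. Each case asserts only that the returned issue list is empty, so a regression that stops the finding from being produced at all, rather than suppressing it, would still pass; if `analyzer.Report()` exposes the suppressed issues, asserting on them would tie the test to the suppression path. There is also no negative case for the widened containment check — for instance a `// #nosec` carrying a different rule id inside the block, or the same multi-line G112 sample without the directive — so the suite cannot show that the new `||` clause does not over-suppress. `SampleCodeG112[3]` is defined outside this patch, so I cannot confirm it holds a single-line directive on a multi-line issue.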
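Review bot: The new samples are selected by position from analyzer_test.go (`SampleCodeG101[23]` and `SampleCodeG101[24]`), so a one-line comment on each literal would keep the next insertion from silently changing which case a test runs, e.g. `// nosec on both the const block and the spec line` before the first `{[]string{`, `// nosec on the const block only` before the second and `// nosec on the spec line only` before the third. The third sample, presumably index 25, has no dedicated case in the analyzer_test.go hunk, so it is exercised only if a generic per-sample loop elsewhere covers it; worth confirming. The closing `}` and the `// SampleCodeG101Values` comment are context, so the slice literal ends inside this hunk but its header is outside it.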