From c5d217da7a4372ff2505aff3ddcb650278285c96 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Mon, 9 Jan 2023 16:49:02 +0100
Subject: [PATCH] Update Go version in CI script (#913)

* Update Go version in CI script
* Introduce back an additional check for filepath clean to fix the unit tests
---
 .github/workflows/ci.yml | 6 +++---
 rules/readfile.go | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2112a1b..fa7eac7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,8 +11,8 @@ jobs:
 strategy:
 matrix:
 go_version:
- - '1.18.8' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
- - '1.19.3' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+ - '1.18.9' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+ - '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
 runs-on: ubuntu-latest
 env:
 GO111MODULE: on
@@ -44,7 +44,7 @@ jobs:
 - name: Setup go
 uses: actions/setup-go@v3
 with:
- go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
+ go-version: '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
 - name: Checkout Source
 uses: actions/checkout@v3
 - uses: actions/cache@v3
diff --git a/rules/readfile.go b/rules/readfile.go
index 18e977c..8dcf053 100644
--- a/rules/readfile.go
+++ b/rules/readfile.go
@@ -59,10 +59,20 @@ func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool {
 }
 
 // isFilepathClean checks if there is a filepath.Clean for given variable
-func (r *readfile) isFilepathClean(n *ast.Ident) bool {
+func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
 if _, ok := r.cleanedVar[n.Obj.Decl]; ok {
 return true
 }
+ if n.Obj.Kind != ast.Var {
+ return false
+ }
+ if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
+ if call, ok := node.Rhs[0].(*ast.CallExpr); ok {
+ if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
+ return true
+ }
+ }
+ }
 return false
 }
 
@@ -101,7 +111,7 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
 obj := c.Info.ObjectOf(ident)
 if _, ok := obj.(*types.Var); ok && !gosec.TryResolve(ident, c) &&
- !r.isFilepathClean(ident) {
+ !r.isFilepathClean(ident, c) {
 return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
 }
 }
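Review bot: The new declaration check in `isFilepathClean` only looks at `node.Rhs[0]`, so for a multi-value `:=` such as `safe, raw := filepath.Clean(p), userInput` the identifier `raw` is treated as cleaned because the first right-hand side is a Clean call, and the file-inclusion finding for it is suppressed. Match the identifier to its own position in `node.Lhs` and inspect the corresponding `node.Rhs[i]` instead, guarding `len(node.Lhs) == len(node.Rhs)` so a tuple-returning call like `a, b := f()` is not indexed out of range. The function also keeps dereferencing `n.Obj` without a nil check — pre-existing on the `cleanedVar` lookup, but the new `n.Obj.Kind` access extends that reliance, and a leading `if n.Obj == nil { return false }` would be cheap insurance since `ast.Ident.Obj` can be nil (e.g. when the declaration lives in another file of the package). Note that a later plain `=` reassignment of the variable does not change `Obj.Decl`, so a declaration-only check would still report a re-tainted variable as cleaned; I assume `cleanedVar` is meant to cover that path, but it is worth confirming with a test.
```go
	// … unchanged: cleanedVar lookup and ast.Var kind check …
	if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok && len(node.Lhs) == len(node.Rhs) {
		for i, lhs := range node.Lhs {
			// Only the right-hand side at this identifier's own position counts.
			if id, ok := lhs.(*ast.Ident); !ok || id.Name != n.Name {
				continue
			}
			if call, ok := node.Rhs[i].(*ast.CallExpr); ok {
				if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
					return true
				}
			}
		}
	}
	return false
```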