Update Go version in CI script (#913)

* Update Go version in CI script

* Reintroduce an additional check for filepath clean to fix the unit tests
Cosmin Cojocar 2023-01-09 16:49:02 +01:00 committed by GitHub
parent 5874e63c9e
commit c5d217da7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 5 deletions


@ -11,8 +11,8 @@ jobs:
strategy: strategy:
matrix: matrix:
go_version: go_version:
- '1.18.8' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 - '1.18.9' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
- '1.19.3' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 - '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
GO111MODULE: on GO111MODULE: on
@ -44,7 +44,7 @@ jobs:
- name: Setup go - name: Setup go
uses: actions/setup-go@v3 uses: actions/setup-go@v3
with: with:
go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880 go-version: '1.19.4' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
- name: Checkout Source - name: Checkout Source
uses: actions/checkout@v3 uses: actions/checkout@v3
- uses: actions/cache@v3 - uses: actions/cache@v3


@ -59,10 +59,20 @@ func (r *readfile) isJoinFunc(n ast.Node, c *gosec.Context) bool {
} }
// isFilepathClean checks if there is a filepath.Clean for given variable // isFilepathClean checks if there is a filepath.Clean for given variable
func (r *readfile) isFilepathClean(n *ast.Ident) bool { func (r *readfile) isFilepathClean(n *ast.Ident, c *gosec.Context) bool {
if _, ok := r.cleanedVar[n.Obj.Decl]; ok { if _, ok := r.cleanedVar[n.Obj.Decl]; ok {
return true return true
} }
if n.Obj.Kind != ast.Var {
return false
}
if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
if call, ok := node.Rhs[0].(*ast.CallExpr); ok {
if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
return true
}
}
}
return false return false
} }
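Review bot: The new fallback inspects only `node.Rhs[0]` regardless of which left-hand identifier `n` is, so for a declaration such as `a, b := filepath.Clean(p), other` a cleaned sibling makes isFilepathClean return true for `b` and the finding is suppressed for a path that was never cleaned, while a cleaned variable in any position other than the first is not recognised at all. The identifier should be paired with its own right-hand side by locating it in `node.Lhs` and reading `node.Rhs` at that index, and the tuple case where `len(node.Rhs) < len(node.Lhs)` should fall through to the existing `return false` so the safe default of reporting is kept. Separately, `n.Obj.Decl` is dereferenced in the map lookup above the new `n.Obj.Kind` guard, so a nil `Obj` (which go/parser leaves unset when object resolution is skipped) would still panic before the guard; a leading `if n.Obj == nil { return false }` would cover both accesses. isFilepathClean is complete within the hunk; the doc comment could also note that the declaring assignment is now inspected when the variable is not in `cleanedVar`.
```go
	if node, ok := n.Obj.Decl.(*ast.AssignStmt); ok {
		// Match the identifier to its own right-hand side; a cleaned
		// sibling in the same assignment must not vouch for this variable.
		for i, lhs := range node.Lhs {
			id, ok := lhs.(*ast.Ident)
			if !ok || id.Obj != n.Obj || i >= len(node.Rhs) {
				continue
			}
			if call, ok := node.Rhs[i].(*ast.CallExpr); ok {
				if clean := r.clean.ContainsPkgCallExpr(call, c, false); clean != nil {
					return true
				}
			}
		}
	}
	// … unchanged: return false …
```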
@ -101,7 +111,7 @@ func (r *readfile) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error) {
obj := c.Info.ObjectOf(ident) obj := c.Info.ObjectOf(ident)
if _, ok := obj.(*types.Var); ok && if _, ok := obj.(*types.Var); ok &&
!gosec.TryResolve(ident, c) && !gosec.TryResolve(ident, c) &&
!r.isFilepathClean(ident) { !r.isFilepathClean(ident, c) {
return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil return gosec.NewIssue(c, n, r.ID(), r.What, r.Severity, r.Confidence), nil
} }
} }