mirror of
https://github.com/securego/gosec.git
synced 2024-11-05 19:45:51 +00:00
Update README with details which describe the current behaviour of #nosec
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
This commit is contained in:
parent
d8a6d358dc
commit
e298388908
1 changed files with 18 additions and 16 deletions
34
README.md
@ -274,31 +274,33 @@ gosec -exclude-generated ./...
### Annotating code
As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe,
As with all automated detection tools, there will be cases of false positives.
In cases where gosec reports a failure that has been manually verified as being safe,
it is possible to annotate the code with a comment that starts with `#nosec`.
The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`.
The annotation causes gosec to stop processing any further nodes within the
AST so can apply to a whole block or more granularly to a single expression.
The `#nosec` comment needs to be placed on the line where the warning is reported.
```go
func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, // #nosec G402
},
}
import "md5" //#nosec
func main(){
/* #nosec */
if x > y {
h := md5.New() // this will also be ignored
}
client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
}
```
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
When a specific false positive has been identified and verified as safe, you may
wish to suppress only that single rule (or a specific set of rules) within a section of code,
while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`
You could put the description or justification text for the annotation. The
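Review bot: the new sentence "The `#nosec` comment needs to be placed on the line where the warning is reported." contradicts the example that follows it in this hunk, where `/* #nosec */` sits on its own line above `if x > y {` and the `h := md5.New()` line two lines further down is annotated "this will also be ignored". Either change the example so the annotation sits on the reporting line, or reword the sentence to match the earlier statement that the annotation "can apply to a whole block" (an annotation on the enclosing statement suppresses every node beneath it in the AST, which is what the example actually shows). Two smaller points in the same block: `import "md5"` is not a real Go import path (the package is `crypto/md5`) and appears after the first `func main()`, so the snippet cannot compile as written; since the hunk is already rewriting this section, consider fixing the import and merging the two `func main()` bodies so the example is valid Go, or labelling it as illustrative.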