mirror of
https://github.com/securego/gosec.git
synced 2024-11-05 19:45:51 +00:00
Update README with details which describe the current behaviour of #nosec
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
parent
d8a6d358dc
commit
e298388908
1 changed files with 18 additions and 16 deletions
32
README.md
|
@ -274,31 +274,33 @@ gosec -exclude-generated ./...
|
||||||
|
|
||||||
### Annotating code
|
### Annotating code
|
||||||
|
|
||||||
As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe,
|
As with all automated detection tools, there will be cases of false positives.
|
||||||
|
In cases where gosec reports a failure that has been manually verified as being safe,
|
||||||
it is possible to annotate the code with a comment that starts with `#nosec`.
|
it is possible to annotate the code with a comment that starts with `#nosec`.
|
||||||
|
|
||||||
The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`.
|
The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`.
|
||||||
|
|
||||||
The annotation causes gosec to stop processing any further nodes within the
|
The `#nosec` comment needs to be placed on the line where the warning is reported.
|
||||||
AST so can apply to a whole block or more granularly to a single expression.
|
|
||||||
|
|
||||||
```go
|
```go
|
||||||
|
func main() {
|
||||||
import "md5" //#nosec
|
tr := &http.Transport{
|
||||||
|
TLSClientConfig: &tls.Config{
|
||||||
|
InsecureSkipVerify: true, // #nosec G402
|
||||||
func main(){
|
},
|
||||||
|
|
||||||
/* #nosec */
|
|
||||||
if x > y {
|
|
||||||
h := md5.New() // this will also be ignored
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
client := &http.Client{Transport: tr}
|
||||||
|
_, err := client.Get("https://golang.org/")
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
|
When a specific false positive has been identified and verified as safe, you may
|
||||||
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
|
wish to suppress only that single rule (or a specific set of rules) within a section of code,
|
||||||
|
while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
|
||||||
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`
|
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`
|
||||||
|
|
||||||
You could put the description or justification text for the annotation. The
|
You could put the description or justification text for the annotation. The
|
||||||
|
|
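Review bot: the retained paragraph "When a specific false positive has been identified ... you may wish to suppress only that single rule (or a specific set of rules) within a section of code" is now inconsistent with the sentence this hunk adds just above it, "The `#nosec` comment needs to be placed on the line where the warning is reported." Since the old sentence about the annotation stopping AST traversal for a whole block was removed along with the `/* #nosec */` block example, "within a section of code" should be reworded to match the per-line behaviour (for example "on the line where the finding is reported"), otherwise readers will still expect a block-level `#nosec` to cover everything beneath it. Separately, the replacement Go snippet references `http`, `tls` and `fmt` but carries no import block; as the whole example was rewritten, adding the imports would let the sample compile as shown and make it clearer that only the `InsecureSkipVerify` line is suppressed by `// #nosec G402`.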