fix: suppress gosec false positives blocking all PRs#30
Merged
- G602 in main.go: slice index is guarded by len() check above
- G704 in data.go: HTTP requests use package-level constant URLs, not user-provided input (false positive SSRF detection)
- G706 in data.go: logged status_code is an integer from HTTP response, not user-controlled input (false positive log injection)
- README: update Homebrew tap path to alexei-led/tap

All three issues are confirmed false positives in gosec's taint analysis. The nolint directives include explanatory comments.

Co-authored-by: Marvin <[email protected]>
Problem
All open PRs (#24, #25, #26) are failing CI because golangci-lint with gosec reports false positives in the existing codebase:

- cmd/spotinfo/main.go:288: G602 — slice index out of range (false positive; length is checked above)
- internal/spot/data.go:53: G704 — SSRF via taint analysis (false positive; URL is a package-level constant, not user input)
- internal/spot/data.go:63: G706 — Log injection via taint analysis (false positive; logged value is an integer HTTP status code)
- internal/spot/data.go:114: G704 — same as above, for pricing data
- internal/spot/data.go:124: G706 — same as above, for pricing data

Fix
Added //nolint:gosec directives with explanatory comments on each affected line. These are confirmed false positives:

- advices[0] access is guarded by if len(advices) == 1 — gosec doesn't track this invariant.
- URLs (spotAdvisorJSONURL, spotPriceJSURL) are package-level constants pointing to AWS public endpoints — not user-provided input.
- The logged value is an int (HTTP status code) from a response to our own constant-URL request — no user data flows into the log.

Also includes a README fix: updated Homebrew tap path from alexei-led/spotinfo to alexei-led/tap.

Impact
Merging this PR will unblock CI for #24, #25, and #26.
🤖 Automated response by Marvin • alexei-led
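The shape of the suppressions the PR describes, as an added illustration rather than the project's own code: each directive is limited to gosec (other linters still run on the line) and carries the rule ID and the reason, which golangci-lint's nolintlint can be configured to require. The endpoint value, the `spotAdvisorURL` variable and the `single` / `fetchStatus` functions are constructed for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// Constructed placeholder for the project's package-level endpoint constant.
// Because the URL never comes from user input, a G704 (SSRF) taint finding on
// the request that uses it is a false positive.
const spotAdvisorJSONURL = "https://example.invalid/spot-advisor-data.json"

// Package-level copy of the constant; tests point it at a local server.
var spotAdvisorURL = spotAdvisorJSONURL

// single returns the only element of advices when exactly one is present.
// The len() guard makes the index safe, but gosec G602 does not track that
// invariant, so the access carries a suppression limited to gosec with the
// rule ID and the justification written into the directive.
func single(advices []string) (string, bool) {
	if len(advices) == 1 {
		return advices[0], true //nolint:gosec // G602: index guarded by len(advices) == 1 above
	}
	return "", false
}

// fetchStatus issues the request to the package-level URL and logs the
// integer HTTP status code; neither value is derived from request input.
func fetchStatus(client *http.Client) (int, error) {
	resp, err := client.Get(spotAdvisorURL) //nolint:gosec // G704: package-level URL, not user input
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	log.Printf("fetched spot advisor data status_code=%d", resp.StatusCode) //nolint:gosec // G706: int status code, no user data
	return resp.StatusCode, nil
}

func main() {
	v, ok := single([]string{"c5.large"})
	fmt.Println(v, ok) // c5.large true
	code, err := fetchStatus(http.DefaultClient)
	fmt.Println("status:", code, "err:", err)
}
```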