gosec: Check fails with cryptic error when run from parent dir

Summary

(Sorry if I’m doing anything wrong, I’m a total Go newbie)

I’m trying to use gosec to check a rather large codebase that uses modules and Go 1.19. When running gosec . in a folder of one of the modules, it succeeds; however, when running gosec modulefolder from the parent folder of the module, the check fails with a cryptic message:

parsing errors in pkg "eplist": parsing line: strconv.Atoi: parsing "\\Programy\\gosec-min-repro\\eplist\\a.go": invalid syntax

I have managed to reduce the repro case to only a few lines of code, attached below.

Steps to reproduce the behavior

Create a folder eplist, and in it, file a.go with the following contents:

package eplist

import (
	goplist "howett.net/plist"
)

func Un(data []byte, out interface{}) (err error) {
	_, err = goplist.Unmarshal(data, out)
	return
}

Add the go.mod file:

module eplist

go 1.18

require howett.net/plist v1.0.0

Run gosec . from the eplist folder; it should succeed. Run gosec eplist from the parent folder; it fails. Run gosec from any other folder (with an absolute or relative path to eplist as the parameter) and it fails with the same error.

gosec version

$>gosec --version
Version: dev
Git tag:
Build date:

Not very useful; I believe it is version v2@v2.13.1, since a folder of that name is in my $GOPATH/pkg/mod/github.com/securego/gosec folder.

Go version (output of ‘go version’)

go version go1.19.3 windows/amd64

Operating system / Environment

Windows 10

Expected behavior

Consistent behavior between runs from the module folder and from its parent folder. If an error is reported, include more details, such as line number.

Further notes

What I’m trying to achieve in the end is a script that checks all in-house modules used by our main module, as well as that main module, in a single gosec invocation (so that the output is all in a single file). For that, I’m recursively parsing the go.mod files of the in-house modules for all local folders containing the code, and then passing all those folders to gosec in a single invocation.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Note: As for the Further notes, my approach seems to work for 30+ other modules; only one fails. It seems to be related to the howett.net/plist package, but I have no idea what’s wrong.
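The error quoted in the report hands strconv.Atoi the string `\Programy\gosec-min-repro\eplist\a.go`, which is exactly the second field you get when a Windows position such as `C:\Programy\gosec-min-repro\eplist\a.go:LINE:COL: message` is split on `:` (the drive letter `C` becomes field one, the rest of the path field two). A relative path, as used when running from inside the module folder, has no drive letter and so would not trip this. That reading of the cause is an inference from the visible message, not something the thread states. The following Go program is an added example, not gosec's code, showing the fragile split beside a parser that consumes the numeric fields from the right so the drive letter stays part of the file name. The line and column numbers and the message text in the sample inputs are constructed; the path is the one from the report.

```go
// Added example (not gosec code): parsing Go parser positions of the form
// "file:line:col: message" without mis-reading a Windows drive letter.
// That the reported strconv.Atoi failure comes from such a split inside
// gosec is an inference from the quoted message, not a fact from the report.
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Position is the location carried in a go/scanner-style error string.
type Position struct {
	File string
	Line int
	Col  int // 0 when the position has no column field
}

// naiveLine takes the second ':'-separated field as the line number.
// It works for "a.go:12:5: msg" but not for "C:\dir\a.go:12:5: msg",
// where the second field is the path without its drive letter.
func naiveLine(s string) (int, error) {
	parts := strings.Split(s, ":")
	if len(parts) < 2 {
		return 0, errors.New("no line field")
	}
	return strconv.Atoi(parts[1])
}

// parsePosition separates the position from the message at the first ": "
// (a drive letter is "C:" followed directly by a separator, never by a space)
// and then consumes numeric fields from the right, so everything left of
// the line number, colons included, is the file name.
func parsePosition(s string) (Position, string, error) {
	head, msg := s, ""
	if i := strings.Index(s, ": "); i >= 0 {
		head, msg = s[:i], s[i+2:]
	}
	parts := strings.Split(head, ":")
	var nums []int // rightmost numeric fields: col first (if present), then line
	for len(parts) > 1 && len(nums) < 2 {
		n, err := strconv.Atoi(parts[len(parts)-1])
		if err != nil {
			break
		}
		nums = append(nums, n)
		parts = parts[:len(parts)-1]
	}
	if len(nums) == 0 {
		return Position{}, "", fmt.Errorf("no line number in %q", head)
	}
	p := Position{File: strings.Join(parts, ":")}
	if len(nums) == 2 {
		p.Col, p.Line = nums[0], nums[1]
	} else {
		p.Line = nums[0]
	}
	return p, msg, nil
}

func main() {
	// Constructed inputs: the Windows path is taken from the issue's error
	// message; the line/column numbers and the message text are made up.
	for _, s := range []string{
		`C:\Programy\gosec-min-repro\eplist\a.go:12:5: expected ';', found 'EOF'`,
		`eplist\a.go:12:5: expected ';', found 'EOF'`,
	} {
		if n, err := naiveLine(s); err != nil {
			fmt.Println("naive: ", err)
		} else {
			fmt.Println("naive:  line", n)
		}
		p, msg, err := parsePosition(s)
		if err != nil {
			fmt.Println("robust:", err)
			continue
		}
		fmt.Printf("robust: file=%q line=%d col=%d msg=%q\n", p.File, p.Line, p.Col, msg)
	}
}
```

Run with `go run .`: the naive split fails on the absolute Windows path with the same `strconv.Atoi ... invalid syntax` message the report shows, and succeeds on the relative one, which matches the "works from inside the module, fails from the parent" pattern. The right-to-left parser yields the full path, line and column in both cases.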