gosec: impact on performances (v1.58.2)

[ldez]

Welcome

• Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've read the typecheck section of the FAQ (https://golangci-lint.run/welcome/faq/#why-do-you-have-typecheck-errors).
• Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.). (https://golangci-lint.run/usage/linters/)

Description of the problem

The way to detect the Go version has been changed since gosec v2.20.0, this has an impact on performances inside golangci-lint.

v1.58.2

$ golangci-lint run --print-issued-lines=false --enable-only gosec
  Time (mean ± σ):      3.185 s ±  0.047 s    [User: 8.912 s, System: 6.396 s]
  Range (min … max):    3.112 s …  3.288 s    10 runs

v1.58.1

$ golangci-lint run --print-issued-lines=false --enable-only gosec
  Time (mean ± σ):     606.8 ms ±  18.7 ms    [User: 2388.6 ms, System: 1018.3 ms]
  Range (min … max):   584.4 ms … 648.8 ms    10 runs

Related to #4724
Related to securego/gosec#1119

Workaround:

linters-settings:
  gosec:
    excludes:
      - G601
      - G113

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 1.58.2 built with go1.22.3 from 8c4cfb61 on 2024-05-19T18:08:33Z

Configuration

linters:
  disable-all: true
  enable:
    - gosec

Go environment

$ go version
go version go1.22.3 linux/amd64

Verbose output of running

$ golangci-lint cache clean
$ golangci-lint run -v --enable-only gosec
INFO [config_reader] Config search paths: [./ /home/ldez/sources/go/src/github.com/golangci/golangci-lint /home/ldez/sources/go/src/github.com/golangci /home/ldez/sources/go/src/github.com /home/ldez/sources/go/src /home/ldez/sources/go /home/ldez/sources /home/ldez /home /] 
INFO [config_reader] Used config file .golangci.yml 
WARN [config_reader] The configuration option `linters.errcheck.ignore` is deprecated, please use `linters.errcheck.exclude-functions`. 
INFO [lintersdb] Active 1 linters: [gosec]        
INFO [loader] Go packages loading at mode 575 (types_sizes|compiled_files|exports_file|files|imports|deps|name) took 276.209269ms 
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 10.74175ms 
INFO [linters_context/goanalysis] analyzers took 13.796849767s with top 10 stages: gosec: 13.792391088s, typecheck: 4.458679ms 
INFO [runner/skip_dirs] Skipped 1 issues from dir internal/robustio by pattern internal/robustio 
INFO [runner/skip_dirs] Skipped 7 issues from dir internal/renameio by pattern internal/renameio 
INFO [runner/skip_dirs] Skipped 30 issues from dir internal/cache by pattern internal/cache 
INFO [runner] Issues before processing: 84, after processing: 0 
INFO [runner] Processors filtering stat (out/in): autogenerated_exclude: 46/46, identifier_marker: 46/46, exclude: 46/46, skip_files: 84/84, skip_dirs: 46/84, exclude-rules: 7/46, nolint: 0/7, invalid_issue: 84/84, path_prettifier: 84/84, cgo: 84/84, filename_unadjuster: 84/84 
INFO [runner] processing took 2.523228ms with stages: nolint: 863.927µs, exclude-rules: 520.538µs, path_prettifier: 440.397µs, identifier_marker: 356.908µs, autogenerated_exclude: 178.835µs, skip_dirs: 129.274µs, cgo: 22.382µs, invalid_issue: 5.406µs, filename_unadjuster: 2.21µs, max_same_issues: 679ns, uniq_by_line: 345ns, fixer: 313ns, skip_files: 294ns, source_code: 263ns, max_from_linter: 255ns, exclude: 255ns, path_shortener: 248ns, diff: 214ns, sort_results: 213ns, severity-rules: 94ns, max_per_file_from_linter: 90ns, path_prefixer: 88ns 
INFO [runner] linters took 2.995897903s with stages: goanalysis_metalinter: 2.993321711s 
INFO File cache stats: 0 entries of total size 0B 
INFO Memory: 34 samples, avg is 153.0MB, max is 182.6MB 
INFO Execution took 3.286362057s        

A minimal reproducible example or link to a public repository

https://github.com/golangci/golangci-lint

Validation

• Yes, I've included all information above (version, config, etc.).

[ldez]

We have 3 solutions:

• disable those rules: inside the golangci-lint implementation gosec: exclude G601 and G113 #4736
• create a PR on gosec to control the way to get the Go version Add an option to set the Go version securego/gosec#1143
• downgrade to v2.19.0

Note: using a fork is not a viable solution.