gosec: exclude G601 and G113 #4736
Conversation
ldez
added
bug
| @@ -179,17 +166,35 @@ func convertGosecGlobals(globalOptionFromConfig any, conf gosec.Config) { | |||
| func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter { | |||
| var filters []rules.RuleFilter | |||
|
|
|||
| if len(includes) > 0 { | |||
| filters = append(filters, rules.NewRuleFilter(false, includes...)) | |||
| cleanIncludes := cleanRules(includes) | |||
There was a problem hiding this comment.
Should we really remove the possibility to enable them even if a user wants to? I get we remove them from default rules if no config is provided but if explicitly enabled by a config I would expect them to be enabled, the extra time isn't necessarily a blocker for everyone.
There was a problem hiding this comment.
the extra time isn't necessarily a blocker for everyone.
We are talking about a duration multiplied by at least 4 (milliseconds becomes seconds).
Should we really remove the possibility to enable them even if a user wants to?
We cannot really play with "default" because the current problem impacts users who already explicitly enable those rules.
This fix is a temporary fix, we will create the real fix when gosec allows us to handle the Go version.
There was a problem hiding this comment.
If you feel uncomfortable with this PR, we can downgrade to v2.19.0.
But technically, the v2.19.0 contains a bug with how to handle the Go version on the same rules.
There was a problem hiding this comment.
We are talking about a duration multiplied by at least 4 (milliseconds becomes seconds).
Yeah I saw your table but to me 10s isn't a blocker in my CI e.g. so if I was using this check I would be annoyed it wasn't up to me to opt in.
This fix is a temporary fix, we will create the real fix when gosec allows us to handle the Go version.
Got that, I guess it's not the end of the world and for people who reeeally care they can probably stick to an older version of golangci-lint.
|
Supersedes by #4748 |
Temporary fix.
Related to #4735