Allow for sub-string of affected code for whitelisting #1
In the newer version of gosec (formerly known as gas), the affected code/line will now output the line numbers and the lines before and after the affected code/line. This complicates the process of whitelisting findings from gosec as our whitelist file requires the exact output code to be in the JSON.
For example, a whitelisted finding entry will now look like this:
The `code` has to be manually escaped in order to exactly match what was supplied by gosec. Given that we'll most probably be doing away with this report filter in the future, an interim stop-gap measure will be to allow for the `code` in the whitelist file to be a substring of the supplied code from gosec. This way it is easier to match and whitelist a finding.
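To make the proposed change concrete, here is an added example (not code from this PR or from the project's report filter) showing exact matching beside substring matching over gosec JSON findings. It assumes gosec's JSON issue keys `rule_id`, `file`, `line` and `code`, and a hypothetical whitelist whose entries use the same keys; the multi-line numbered `code` context is a constructed sample.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Finding holds the gosec JSON issue fields used for whitelisting; a whitelist
// entry is a Finding too, with Line left empty (hypothetical whitelist layout).
type Finding struct {
	RuleID string `json:"rule_id"`
	File   string `json:"file"`
	Line   string `json:"line"`
	Code   string `json:"code"`
}

// ParseReport extracts the Issues array from a gosec JSON report.
func ParseReport(data []byte) ([]Finding, error) {
	var report struct{ Issues []Finding }
	err := json.Unmarshal(data, &report)
	return report.Issues, err
}

// Covered reports whether whitelist entry w covers finding f. With substring=false
// the code fields must be identical (old behaviour); with substring=true w.Code only
// has to appear inside the numbered multi-line context that newer gosec emits.
func Covered(f, w Finding, substring bool) bool {
	if f.RuleID != w.RuleID || f.File != w.File {
		return false
	}
	if substring {
		return strings.Contains(f.Code, w.Code)
	}
	return f.Code == w.Code
}

// Filter returns the findings not covered by any whitelist entry.
func Filter(findings, whitelist []Finding, substring bool) []Finding {
	kept := []Finding{}
next:
	for _, f := range findings {
		for _, w := range whitelist {
			if Covered(f, w, substring) {
				continue next
			}
		}
		kept = append(kept, f)
	}
	return kept
}
```

Rule id and file path are still compared exactly, so a short `code` substring cannot silence the same pattern in a different file.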