could not import io/fs (invalid package name: "")

[030]

Summary

Steps to reproduce the behavior

import "io/fs"

and use filepath.WalkDir

gosec version

I assume 2.6.1 as I use snap. Unclear as there is no version subcommand` included in the tool.

Go version (output of 'go version')

go version go1.16 linux/amd64

Operating system / Environment

ubuntu 18.04

Expected behavior

no errors

Actual behavior

  > [line 5 : column 2] - could not import io/fs (invalid package name: "")

  > [line 42 : column 22] - WalkDir not declared by package filepath

[ccojocar]

Thanks for reporting this. gosec doesn't support yet Go 1.16. Hopefully this will get fixed soon.

[ccojocar]

Fixed by https://github.com/securego/gosec/releases/tag/v2.7.0

[030]

@ccojocar Thank you. Could you update the snap package as well?

[ccojocar]

@030 I don't maintain the snap package. I hope the maintainer will update it soon.

[lcbm]

Hi, @ccojocar! Thanks your effort in resolving this issue so quickly 😄

I'm wondering if you could help us... at our project, we're still seeing this issue with https://github.com/securego/gosec/releases/tag/v2.7.0 and golang:1.16 (golang:1.15 works fine) 😢

I'll leave the repro steps here, but feel free to ask further questions or point out mistakes of my part! 👇

Steps for reproduction:

Clone repo with project for reproduction:

$ git clone git@github.com:lcbm/gosec-580.git
$ cd gosec-580

To reproduce locally:

# get gosec at the v2.7.0 revision
$ go get github.com/securego/gosec/v2/cmd/gosec@v2.7.0

# run gosec
$ gosec ./...
# or ~/go/bin/gosec ./...

To reproduce via GitLab-CI and gitlab-runner:

# run the 'gitlab-runner' docker image
$ docker run --detach --name gitlab-runner --restart always --volume /var/run/docker.sock:/var/run/docker.sock --volume `pwd`:`pwd` gitlab/gitlab-runner:v13.7.0

# execute the 'security_test' job
$ docker exec -it --workdir $(pwd) gitlab-runner gitlab-runner exec docker security_test

Go version:

• Local: go1.16 linux/amd64
• CI: Dockerhub/golang:1.16

Operating System/Environment:

• Local: Linux 5.11.2-arch1-1 x86_64
• CI: Dockerhub/golang:1.16

Expected behavior:

I expected the security test command to succeed, as it does with go1.15.

Actual behavior:

Local gosec log

λ  ~/go/bin/gosec ./...
[gosec] 2021/03/04 13:50:57 Including rules: default
[gosec] 2021/03/04 13:50:57 Excluding rules: default
[gosec] 2021/03/04 13:50:57 Import directory: /home/leleco/projects/knot/src/gosec-580/internal/config
[gosec] 2021/03/04 13:50:58 Checking package: config
[gosec] 2021/03/04 13:50:58 Checking file: /home/leleco/projects/knot/src/gosec-580/internal/config/config.go
[gosec] 2021/03/04 13:50:58 Import directory: /home/leleco/projects/knot/src/gosec-580/pkg/logging
[gosec] 2021/03/04 13:50:58 Checking package: logging
[gosec] 2021/03/04 13:50:58 Checking file: /home/leleco/projects/knot/src/gosec-580/pkg/logging/logger.go
[gosec] 2021/03/04 13:50:58 Checking file: /home/leleco/projects/knot/src/gosec-580/pkg/logging/logrus.go
[gosec] 2021/03/04 13:50:58 Import directory: /home/leleco/projects/knot/src/gosec-580/pkg/server
[gosec] 2021/03/04 13:50:58 Checking package: server
[gosec] 2021/03/04 13:50:58 Checking file: /home/leleco/projects/knot/src/gosec-580/pkg/server/server.go
[gosec] 2021/03/04 13:50:58 Import directory: /home/leleco/projects/knot/src/gosec-580/cmd
[gosec] 2021/03/04 13:50:58 Checking package: main
[gosec] 2021/03/04 13:50:58 Checking file: /home/leleco/projects/knot/src/gosec-580/cmd/main.go
Results:

Golang errors in file: [/home/leleco/projects/knot/src/gosec-580/cmd/main.go]:

  > [line 14 : column 9] - logger.Info undefined (type *invalid type has no field or method Info)


Golang errors in file: [/home/leleco/projects/knot/src/gosec-580/internal/config/config.go]:

  > [line 41 : column 10] - logger.Fatalf undefined (type *invalid type has no field or method Fatalf)


Golang errors in file: [/home/leleco/projects/knot/src/gosec-580/pkg/logging/logrus.go]:

  > [line 6 : column 2] - could not import github.com/sirupsen/logrus (invalid package name: "")


Golang errors in file: [/home/leleco/projects/knot/src/gosec-580/pkg/server/server.go]:

  > [line 10 : column 2] - could not import github.com/gorilla/mux (invalid package name: "")



Summary:
   Files: 5
   Lines: 194
   Nosec: 0
  Issues: 0

GitLab CI log

λ docker exec -it --workdir $(pwd) gitlab-runner gitlab-runner exec docker security_test
Runtime platform                                    arch=amd64 os=linux pid=240 revision=943fc252 version=13.7.0
Running with gitlab-runner 13.7.0 (943fc252)
Preparing the "docker" executor
Using Docker executor with image golang:1.16 ...
Pulling docker image golang:1.16 ...
Using docker image sha256:f15d23d9676357ce6d4079f4b20f6759bd5412d4be63cc15a1cc24023b21e42a for golang:1.16 with digest golang@sha256:cbb576bcae3775e8f2a2ddc7012c69044604f8d8dfc031089deb353f5ee7b071 ...
Preparing environment
Running on runner--project-0-concurrent-0 via 927c1e18467e...
Getting source from Git repository
Fetching changes...
Initialized empty Git repository in /builds/project-0/.git/
Created fresh repository.
Checking out a3dab856 as lcbm-list-endpoint...

Skipping Git submodules setup
Executing "step_script" stage of the job script
$ go get github.com/securego/gosec/v2/cmd/gosec@v2.7.0
go: downloading github.com/securego/gosec/v2 v2.7.0
go: downloading github.com/gookit/color v1.3.8
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
go: downloading golang.org/x/tools v0.1.0
go: downloading golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
go: downloading golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46
go: downloading golang.org/x/mod v0.4.1
go get: upgraded github.com/gorilla/mux v1.7.3 => v1.8.0
go get: added github.com/securego/gosec/v2 v2.7.0
go get: upgraded github.com/sirupsen/logrus v1.6.0 => v1.7.0
$ gosec ./...
[gosec] 2021/03/04 16:11:59 Including rules: default
[gosec] 2021/03/04 16:11:59 Excluding rules: default
[gosec] 2021/03/04 16:11:59 Import directory: /builds/project-0/cmd
[gosec] 2021/03/04 16:12:05 Checking package: main
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/cmd/main.go
[gosec] 2021/03/04 16:12:05 Import directory: /builds/project-0/pkg/entities
[gosec] 2021/03/04 16:12:05 Checking package: entities
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/pkg/entities/source.go
[gosec] 2021/03/04 16:12:05 Import directory: /builds/project-0/pkg/interactors
[gosec] 2021/03/04 16:12:05 Checking package: interactors
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/pkg/interactors/create_source.go
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/pkg/interactors/errors.go
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/pkg/interactors/interactor.go
[gosec] 2021/03/04 16:12:05 Checking file: /builds/project-0/pkg/interactors/list_sources.go
[gosec] 2021/03/04 16:12:05 Import directory: /builds/project-0/pkg/logging
[gosec] 2021/03/04 16:12:06 Checking package: logging
[gosec] 2021/03/04 16:12:06 Checking file: /builds/project-0/pkg/logging/logger.go
[gosec] 2021/03/04 16:12:06 Checking file: /builds/project-0/pkg/logging/logrus.go
[gosec] 2021/03/04 16:12:06 Import directory: /builds/project-0/pkg/mocks
[gosec] 2021/03/04 16:12:09 Checking package: mocks
[gosec] 2021/03/04 16:12:09 Checking file: /builds/project-0/pkg/mocks/source_store.go
[gosec] 2021/03/04 16:12:09 Import directory: /builds/project-0/docs
[gosec] 2021/03/04 16:12:09 Checking package: docs
[gosec] 2021/03/04 16:12:09 Checking file: /builds/project-0/docs/docs.go
[gosec] 2021/03/04 16:12:09 Import directory: /builds/project-0/internal/config
[gosec] 2021/03/04 16:12:09 Checking package: config
[gosec] 2021/03/04 16:12:09 Checking file: /builds/project-0/internal/config/config.go
[gosec] 2021/03/04 16:12:09 Import directory: /builds/project-0/pkg/controllers
[gosec] 2021/03/04 16:12:10 Checking package: controllers
[gosec] 2021/03/04 16:12:10 Checking file: /builds/project-0/pkg/controllers/source.go
[gosec] 2021/03/04 16:12:10 Import directory: /builds/project-0/pkg/data
[gosec] 2021/03/04 16:12:10 Checking package: data
[gosec] 2021/03/04 16:12:10 Checking file: /builds/project-0/pkg/data/mongo.go
[gosec] 2021/03/04 16:12:10 Checking file: /builds/project-0/pkg/data/source_store.go
[gosec] 2021/03/04 16:12:10 Import directory: /builds/project-0/pkg/server
[gosec] 2021/03/04 16:12:10 Checking package: server
[gosec] 2021/03/04 16:12:10 Checking file: /builds/project-0/pkg/server/server.go
Results:

Golang errors in file: [/builds/project-0/cmd/main.go]:

  > [line 19 : column 9] - logger.Info undefined (type *invalid type has no field or method Info)


Golang errors in file: [/builds/project-0/internal/config/config.go]:

  > [line 41 : column 10] - logger.Fatalf undefined (type *invalid type has no field or method Fatalf)


Golang errors in file: [/builds/project-0/pkg/logging/logrus.go]:

  > [line 6 : column 2] - could not import github.com/sirupsen/logrus (invalid package name: "")


Golang errors in file: [/builds/project-0/pkg/server/server.go]:

  > [line 14 : column 2] - could not import github.com/gorilla/mux (invalid package name: "")



Summary:
   Files: 15
   Lines: 751
   Nosec: 0
  Issues: 0

ERROR: Job failed: exit code 1
FATAL: exit code 1

Other information:

.gitlab-ci.yml

image: golang:1.16 

stages:
  - test

security_test:
  stage: test
  script:
    - go get github.com/securego/gosec/v2/cmd/gosec@v2.7.0
    - gosec ./...

[ccojocar]

On my side, it seems that all the files from your repository are scanned successfully without any error:

$gosec ./...
[gosec] 2021/03/04 18:10:40 Including rules: default
[gosec] 2021/03/04 18:10:40 Excluding rules: default
[gosec] 2021/03/04 18:10:40 Import directory: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/cmd
[gosec] 2021/03/04 18:10:41 Checking package: main
[gosec] 2021/03/04 18:10:41 Checking file: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/cmd/main.go
[gosec] 2021/03/04 18:10:41 Import directory: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/internal/config
[gosec] 2021/03/04 18:10:41 Checking package: config
[gosec] 2021/03/04 18:10:41 Checking file: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/internal/config/config.go
[gosec] 2021/03/04 18:10:41 Import directory: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/pkg/logging
[gosec] 2021/03/04 18:10:41 Checking package: logging
[gosec] 2021/03/04 18:10:41 Checking file: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/pkg/logging/logger.go
[gosec] 2021/03/04 18:10:41 Checking file: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/pkg/logging/logrus.go
[gosec] 2021/03/04 18:10:41 Import directory: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/pkg/server
[gosec] 2021/03/04 18:10:41 Checking package: server
[gosec] 2021/03/04 18:10:41 Checking file: /Users/cosmin/go/src/github.com/securego/samples/go1_16/gosec-580/pkg/server/server.go
Results:


Summary:
   Files: 5
   Lines: 194
   Nosec: 0
  Issues: 0

 gosec -v
flag provided but not defined: -v

gosec - Golang security checker

gosec analyzes Go source code to look for common programming mistakes that
can lead to security problems.

VERSION: 2.7.0
GIT TAG: v2.7.0
BUILD DATE: 2021-03-04T09:00:15Z

Can you build the app?

[lcbm]

Thanks for the prompt response! 🎉

That's odd... the issue is also present in our CI and reproducible with the commands in To reproduce via GitLab-CI and gitlab-runner: step of steps for reproduction.

EDIT 👇

I just noticed that I misunderstood your response! Edited my response to answer your question 😅 👇

I tried building gosec from master branch and it works! I also tried using go install with the @latest version and it works as well 👇

NOTE: go1.16 introduced modules changes, including in go install (see the Installing an executable at a specific version section).

go install github.com/securego/gosec/v2/cmd/gosec@latest

If I use go get ..., however, it continues to not work... furthermore, $ gosec -v (both locally and in the CI) output is different from yours (again, when using go get):

$ gosec -v
flag provided but not defined: -v

gosec - Golang security checker

gosec analyzes Go source code to look for common programming mistakes that
can lead to security problems.

VERSION: dev
GIT TAG: 
BUILD DATE: 

Additionally, I tried testing some things on my end... LMK if you have interest in a MR for this commit 😄

[030]

However, the snap package seems to have the same issue alexmurray/gosec-snap#1 It seems that the go get still downloads the previous version.

[030]

It works when I install gosec using the commands that are depicted in the readme, e.g. raw content install, but the tar.gz looks like to fail as well.

[ccojocar]

@030 Have you tried the last released version and it still fails? I cannot reproduce it on my side.

[030]

@ccojocar When I install the tar the issue has been resolved, but when I use the snap it still fails. I will close this ticket as the issue resides in the snap repository.