------------------------------------------------------------------- Mon Mar 23 08:50:38 UTC 2026 - Felix Niederwanger - Update to version 2.25.0: * chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617) * fix: allow barry action to access secrets on fork PRs (#1616) * fix: reduce G117 false positives for custom marshalers and transformed values (#1614) (#1615) * Add barry security scanner as a step in the CI (#1612) * chore(deps): update all dependencies (#1611) * fix: prevent taint analysis hang on packages with many CHA call graph edges (#1608) (#1610) * Add some skills for claude code to automate some tasks (#1609) * Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606) * fix: skip SSA analysis on ill-typed packages to prevent panic (#1607) * Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605) * fix(G118): eliminate false positive for package-level cancel variables (#1602) * feat: add G124 rule for insecure HTTP cookie configuration (#1599) * feat: add G709 rule for unsafe deserialization of untrusted data (#1598) * feat: add G708 rule for server-side template injection via text/template (#1597) * fix(G118): eliminate false positive when cancel is called via struct field in a closure (#1596) * Fix infinite recursion in interprocedural taint analysis (#1594) * Fix G118 false positive when cancel is stored in returned struct field (#1593) * Fix G118 false positive on cancel called inside goroutine closure (#1592) * fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#1589) * chore(deps): update all dependencies (#1588) * fix(G118): treat returned cancel func as called (fixes #1584) (#1585) * chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#1583) * Update the README with the correct version of the Github action for gosec (#1582) * chore(deps): update all dependencies (#1579) * Fix G115 false positives for guarded int64-to-byte conversions (#1578) * Update the container image migration notice (#1576) * chore(action): bump gosec to 2.24.7 (#1575) ------------------------------------------------------------------- Mon Mar 02 07:33:42 UTC 2026 - Felix Niederwanger - Update to version 2.24.7: * Ignore nosec comments in action integration workflow to generate some warnings (#1573) * Add a workflow for action integration test (#1571) * fix(sarif): avoid invalid null relationships in SARIF output (#1569) * chore: migrate gosec container image references to GHCR (#1567) * Update gorelease to use the latest cosign bundle argument (#1565) * Migrate goreleaser to use the proper cosign arguments (#1564) * Update the cosing to version v3.0.5 (#1563) * fix(release): use existing cosign-installer action version (#1562) * chore(prompts): add skill and prompt to update supported Go versions (#1561) * chore(prompts): add action version update skill and prompt (#1560) * fix(analyzers): avoid SSA dependency cycle blowups in issue #1555 paths (#1559) * Add a SKILL and PROMPT for fixing a GitHub issue (#1558) * Add a SKILL and PROMPT for generating rules with AI (#1557) * fix(G120): prevent hang-like analysis blowup in wrapper protection checks (#1556) * fix(G705): eliminate false positive when guard type cannot be resolved (#1554) * Remove gcmurphy from funding list * Extend the release workflow to push the container images also to GHCR * Update to gosec to v2.24.0 in the action and fix the docker image signing (#1552) ------------------------------------------------------------------- Fri Feb 27 13:44:59 UTC 2026 - Felix Niederwanger - Update to version 2.24.0: * fix: G704 false positive on const URL (#1551) * fix(G705): eliminate false positive for non-HTTP io.Writer (#1550) * G120: avoid false positive when MaxBytesReader is applied in middleware (#1547) * Fix G602 regression coverage for issue #1545 and stabilize G117 TOML test dependency (#1546) * taint: skip `context.Context` arguments during taint propagation to fix false positives (#1543) * test: add missing rules to formatter report tests (#1540) * chore(deps): update all dependencies (#1541) * Regenrate the TLS config rule (#1539) * Improve documentation (#1538) * Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#1537) * Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#1536) * Add G707 taint analyzer for SMTP command/header injection (#1535) * Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#1534) * Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#1532) * fix(G602): avoid false positives for range-over-array indexing (#1531) * Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#1530) * fix: taint analysis false positives with G703,G705 (#1522) * Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#1529) * Fix the G117 rule to take the JSON serialization into account (#1528) * (docs) fix justification format (#1524) * Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521) * Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#1520) * Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#1519) * Fix G115 false positives and negatives (Issue #1501) (#1518) * chore(deps): update all dependencies (#1517) * Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516) * Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#1515) * Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513) * Add more unit tests to improve coverage (#1512) * Improve test coverage in various areas (#1511) * Imprve the test coverage (#1510) * Fix incorrect detection of fixed iv in G407 (#1509) * Add support for go 1.26.x and removed support for go 1.24.x (#1508) * Fix the sonar report to follow the latest schema (#1507) * fix: broken taint analysis causing false positives (#1506) * fix: panic on float constants in overflow analyzer (#1505) * fix: panic when scanning multi-module repos from root (#1504) * fix: G602 false positive for array element access (#1499) * Update gosec to version v2.23.0 in the Github action (#1496) ------------------------------------------------------------------- Mon Feb 23 08:19:44 UTC 2026 - Felix Niederwanger - Update to version 2.23.0: * feat: Support for adding taint analysis engine (#1486) * chore(deps): update all dependencies (#1494) * chore(deps): update all dependencies (#1494) * chore(deps): update all dependencies (#1488) * Fix G602 analyzer panic that kills gosec process (#1491) * update go version to 1.25.7 (#1492) * Fix URL regexp and remove redundant Google regex patterns (#1485) * feat: implement global cache usage in rules (#1480) * chore(deps): update module google.golang.org/genai to v1.43.0 (#1484) * refactor: optimize nosec parsing and reduce allocations (#1478) * Fix SARIF artifactChanges null validation error (#1483) * feat: optimize GetCallInfo with per-package sync.Pool caching (#1481) * feat: implement entropy pre-filtering to optimize secret detection (#1479) * feat: ensure GoVersion is cached using sync.Once (#1477) * Fix #1240: nosec comments now work with trailing open brackets (#1475) * Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#1476) * Update the go version to 1.25.6 and 1.24.12 (#1474) * G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#1470) * chore(deps): update all dependencies (#1473) * feat: support path-based rule exclusions via exclude-rules (#1465) * Optimize analyzer with parallel package processing (#1466) * feat: add goanalysis package for nogo (#1449) * Refactor Analyzers: Unify Range Logic & Optimize Allocations (#1464) * Optimize G115, G602, G407 analyzers to reduce allocations and memory (#1463) * refactor(g115): improve coverage (#1462) * Refine G407 to improve detection and coverage of hardcoded nonces (#1460) * chore(deps): update all dependencies (#1461) * Refactor rules to use callListRule base structure (#1458) * feat(slice): enhance slice bounds analysis with dynamic bounds handling (#1457) * remove deprecated ast.Object (#1455) * feat(sql): enhance SQL injection detection with improved string concatenation checks (#1454) * feat(rules): enhance subprocess variable checks (#1453) * feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#1452) * feat: add secrets serialization G117 (#1451) * feat(rules): add support for detecting high entropy strings in composite literals (#1447) * whitelist crypto/rand Read from error checks (#1446) * chore(deps): update all dependencies (#1443) * Improve slice bound check (#1442) * docs: add documentation for using gosec with private modules (#1441) * chore(deps): update all dependencies (#1440) * docs: add G116 rule description to README (#1439) * Update GitHub action to gosec 2.22.11 (#1438) ------------------------------------------------------------------- Thu Dec 11 12:38:36 UTC 2025 - Felix Niederwanger - Update to version 2.22.11: * feature: add rule for trojan source (#1431) * feat(ai): add OpenAI and custom API provider support (#1424) * chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#1437) * chore(deps): update module google.golang.org/genai to v1.37.0 (#1435) * refactor: simplify report functions in main.go (#1434) * Update go to 1.25.5 and 1.24.11 in CI (#1433) * chore(deps): update all dependencies (#1425) * feat(ai): add support for latest Claude models and update provider flags (#1423) * Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1427) * chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#1428) * fix: correct schema with temporary placeholder (#1418) * perf: skip SSA analysis if no analyzers are loaded (#1419) * test: add sarif validation (#1417) * chore(deps): update all dependencies (#1421) * Update go to version 1.25.4 and 1.24.10 in CI (#1415) * fix: build tag parsing. (#1413) * chore(deps): update all dependencies (#1411) * chore(deps): update all dependencies (#1409) * chore(deps): update all dependencies (#1408) * Update gosec to version v2.22.10 in the github action (#1405) ------------------------------------------------------------------- Wed Oct 15 09:47:09 UTC 2025 - Felix Niederwanger - Update to version 2.22.10: * Update go to version 1.25.3 and 1.24.9 in CI (#1404) * chore(deps): update all dependencies (#1402) * Update go to version 1.25.2 and 2.24.8 in CI (#1401) * chore(deps): update all dependencies (#1399) * check nil slices, partially check bounds (#1396) * Remove unused target from the makefile * Use the ginkgo command install by the dependencies * Keep the go module at 1.24 version for compatibility reasons * Remove manual test deps * fix: text must be supplied when markdown is used * fix: improve error message of CheckAnalyzers * fix: log panic on SSA * chore(deps): update all dependencies * Update gosec to version v.22.9 in the github action ------------------------------------------------------------------- Mon Sep 22 12:36:33 UTC 2025 - Felix Niederwanger - Update to version 2.22.9: * Update cosign to v2.6.0 and go in the CI to latest version * fix(autofix): unnecessary conversion * feat(autofix): update gemini sdk and add anthropic claude * feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24 * chore(deps): update all dependencies * refactor(G304): remove unused trackJoin helper; no functional change * style: gofmt rules/readfile.go * test(g304): add samples for var perm and var flag with cleaned path\n\n- Ensure G304 does not fire when only non-path args (flag/perm) are variables\n- Both samples use filepath.Clean on the path arg\n- Rules suite remains green (42 passed) * rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic\n\n- Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables\n- Track filepath.Clean so cleaned identifiers are treated as safe\n- Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)\n- Record Join(...) assigned to identifiers and allow if later cleaned\n- Fix panic by passing non-nil context in trackJoinAssignStmt\n- All rules tests: 42 passed * rules(G202): detect SQL concat in ValueSpec declarations; add test sample\n\n- Handle var query string = 'SELECT ...' + user style declarations\n- Reuse existing binary expr detection on ValueSpec.Values\n- Add postgres sample mirroring issue #1309 report\n- Rules tests: 42 passed * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * Update gosec version to v2.22.8 in the Github action ------------------------------------------------------------------- Mon Aug 18 08:29:42 UTC 2025 - Felix Niederwanger - Update to version 2.22.8: * Add support for go version 1.25.0 * Update go version in CI to 1.24.6 and 1.23.12 * chore(deps): update all dependencies * chore(deps): update all dependencies * Update github action to release v2.22.7 ------------------------------------------------------------------- Tue Jul 29 07:04:07 UTC 2025 - Felix Niederwanger - Update to version 2.22.7: * Fix crash in hardcoded_nonce analyzer * Update go action to use release v2.22.6 * Update go version to 1.24.5 and 1.23.11 in the CI * chore(deps): update module google.golang.org/api to v0.242.0 * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * Do not allow dashes in file names * Update gosec to version 2.22.5 in Github action ------------------------------------------------------------------- Mon Jun 16 14:06:09 UTC 2025 - Felix Niederwanger - Update to version 2.22.5: * Switch back go.mod to minimum 1.23.0 * Update dependencies * Update go version 1.24.4 and 1.23.10 in CI * chore(deps): update all dependencies * G201/G202: add checks for injection into sql.Conn methods * chore(deps): update module google.golang.org/api to v0.235.0 * chore(deps): update module google.golang.org/api to v0.234.0 * chore(deps): update module google.golang.org/api to v0.233.0 * chore(deps): update module google.golang.org/api to v0.232.0 ------------------------------------------------------------------- Thu May 22 08:30:48 UTC 2025 - Felix Niederwanger - Switch vendor from gz to xz for consistency ------------------------------------------------------------------- Thu May 22 08:27:49 UTC 2025 - Felix Niederwanger - Switch from version to revision in _service ------------------------------------------------------------------- Thu May 08 13:40:23 UTC 2025 - Felix Niederwanger - Update to version 2.22.4: * Update to go version 1.24.3 and 1.23.9 * update: updated the build command to include version metadata * chore(deps): update all dependencies * Update the AI provider API key value when provided as an argument * chore(deps): update module google.golang.org/api to v0.230.0 * chore(deps): update module google.golang.org/api to v0.229.0 * chore(deps): update all dependencies * Comment the reason why the file can be nil when an issue is created * Handle nil file when creating a new issue * chore(deps): update all dependencies (#1333) ------------------------------------------------------------------- Mon Apr 07 08:46:06 UTC 2025 - Felix Niederwanger - Update to version 2.22.3: * Update version in 'action.yml' to 2.22.3 (anticipating next version (#1332) * Update go version to 1.24.2 and 1.23.8 (#1331) * remove G113. It only affects old/unsupported versions of Go (#1328) * chore(deps): update all dependencies (#1325) * Add SSOJet (#1320) * chore(deps): update all dependencies (#1319) * Update the integrity sha for babel dependency in html report (#1316) * Add support for `//gosec:disable` directive (#1314) * chore(deps): update all dependencies (#1315) ------------------------------------------------------------------- Thu Mar 06 16:20:12 UTC 2025 - felix.niederwanger@suse.de - Update to version 2.22.2: * Update to go version 1.24.1 and 1.23.7 (#1313) * chore(deps): update all dependencies (#1310) * chore(deps): update all dependencies (#1308) * Update gosec version in the GitHub action to v2.22.1 (#1307) * chore(deps): update module google.golang.org/api to v0.221.0 (#1305) ------------------------------------------------------------------- Thu Feb 13 14:18:59 UTC 2025 - felix.niederwanger@suse.de - Update to version 2.22.1: * Update cosign to v2.4.2 (#1303) * Add support for go 1.24 and phased out support for go 1.22 (#1302) * chore(deps): update all dependencies (#1300) * Update to go version 1.23.6 and 1.22.12 (#1299) * chore(deps): update module google.golang.org/api to v0.219.0 (#1296) * chore(deps): update module google.golang.org/api to v0.218.0 (#1294) * Add test to conver unit parssing for G115 rule (#1293) * Update to go version 1.23.5 and 1.22.11 (#1291) * chore(deps): update all dependencies (#1290) * Update gosec in github action to 2.22.0 (#1286) ------------------------------------------------------------------- Thu Jan 09 12:31:07 UTC 2025 - felix.niederwanger@suse.de - Update to version 2.22.0: * Update what message for G104 (#1282) * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.22.2 (#1281) * chore(deps): update all dependencies (#1280) * chore(deps): update all dependencies (#1279) * Simplify sortIssues implementation (#1277) * Enable testifylint and fix up lint issues (#1276) * Refactor AppendError to check for build.NoGoError (#1273) * chore(deps): update module golang.org/x/net to v0.33.0 [security] (#1275) * Update README.md (#1274) * Rule documentation updates (#1272) * Replace old golang.org links with new go.dev (#1271) * Refactor AppendError to use strings.Contains (#1270) * Simplify Analyzer.ignore by reducing nesting (#1269) * Improve capitalization in AI API flags descriptions (#1267) * Remove unused golint dependency (#1266) * Simplify tests by using GinkgoT().TempDir() (#1265) * Documentation on adding new rules and analyzers (#1262) * chore(deps): update all dependencies (#1268) * Update to go 1.22.10 and 1.23.4 versions (#1264) * chore(deps): update module golang.org/x/crypto to v0.31.0 [security] (#1263) * chore(deps): update all dependencies (#1261) * chore(deps): update module github.com/onsi/gomega to v1.36.0 (#1259) * fix: revive.redefines-builtin-id lint warnings (#1257) * Fix typos in comments and fields * Remove the decryption funtions/methods from G407 check * Upate go to version 1.23.3 and 1.22.9 * Fix G115 false positive when going from parsed uint to larger int * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * Update go version to 1.23.2 and 1.22.8 * chore(deps): update module google.golang.org/api to v0.201.0 * chore(deps): update all dependencies * chore(deps): update all dependencies * Fix the cosign step to authenticate with the container registry * chore(deps): update module google.golang.org/api to v0.199.0 ------------------------------------------------------------------- Thu Sep 26 14:11:23 UTC 2024 - felix.niederwanger@suse.de - Update to version 2.21.4: * Update the gosec to v2.21.4 in the Github action * Add the version into goreleaser config * chore(deps): update module google.golang.org/api to v0.198.0 (#1233) * Prevent panic: unexpected constant value: (#1232) * Fix running single analyzer which isn't a rule bug (#1231) ------------------------------------------------------------------- Wed Sep 18 18:34:55 UTC 2024 - felix.niederwanger@suse.de - Update to version 2.21.3: * Update gosec version to v2.21.3 in github action (#1227) * Populate the fixes only when autofix is not empty (#1226) * chore(deps): update all dependencies (#1223) * G115 Struct Attribute Checks (#1221) ------------------------------------------------------------------- Tue Sep 10 07:42:28 UTC 2024 - felix.niederwanger@suse.de - Update to version 2.21.2: * Update the github action to v2.21.2 (#1218) * Update the SARIF schema URL (#1217) * Update go version to 1.23.1 and 1.22.7 (#1216) * chore(deps): update all dependencies (#1215) * Update gosec version to v2.21.1 in github action (#1213) * Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210) * Update gosec in github action to v2.21.0 (#1208) * Update cosign version to v2.4.0 in release github workflow (#1207) * Improvement the int conversion overflow logic to handle bound checks (#1194) * fix: G602 support for nested conditionals with bounds check (#1201) * Update go.mod to sue go 1.22.0 toolchain * chore(deps): update all dependencies * Make variable name more clear * Make variable names more explicity and reduce duplications * Fix formatting * Refactor to reduce some fuctions and variable names * Pass the value argument directly since is an interface * Added suggested changes * Added another test case in order to increase code coverage * Removed function parameter which is always the same * Formatting problems(CI was not passing) * Updated analyzer to use new way of initialization * Migrated the rule to the analyzers folder * Refractored code a little bit * Added new rule G407(hardcoded IV/nonce) * Fix conversion overflow false positive when using ParseUint * Add a build step to measure the scan perfomance * Fix conversion overflow false positives when they are checked or pre-determined * Update go.mod * chore(deps): update all dependencies * Fix false positive in conversion overflow check from uint8/int8 type * Disable staticcheck SA1019 rule * Update the golangci linters * Add more test to cover more use cases for G115 rule * Allow excluding analyzers globally (#1180) * Update to Go 1.23.0 (#1183) * chore(deps): update all dependencies (#1182) * Read the AI API key also from an environment variable (#1181) * Add support to generate auto fixes using LLM (AI) (#1177) * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update dependency babel-standalone to v7.24.10 * Resolve underlying type to detect overflows in type aliases * chore(deps): update dependency babel-standalone to v7.24.8 * Fix multifile ignores * Add -enable-audit cli flag * Update to go 1.22.5 and 1.21.12 * chore(deps): update all dependencies * Added more rules * Fixed coverage workflow * Fixed CI workflow * Minor changes * Split the G401 rule into two separate ones * Updated G401 corresponding CWE * chore(deps): update docker/build-push-action action to v6 * Update to go versions to 1.21.11 and 1.22.4 * chore(deps): update all dependencies * Fix nosec when applied to a block * Add more types to templates rule * Map the G115 rule to an CWE ID * chore(deps): update all dependencies * Update README with G115 rule description * Remove deprecated megacheck linter from golangci * Format imports * Update .gitignore * Add a new rule to detect integer overflow on integer types conversion * feat: add env var to override the Go version detection * Use the proper logic when disabling the go module version * Update the README with some details related to Go version used by the rules * Add an environment varialbe which disables the parsing of Go version from module file * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3 ------------------------------------------------------------------- Thu May 16 08:20:50 UTC 2024 - felix.niederwanger@suse.de - Update to version 2.20.0: * Update docker image in action to v2.20.0 * Catch os.ModePerm permissions in os.WriteFile * Add a unit test to detect the false negative in rule G306 for os.ModePerm permissions * Add filepath.EvalSymlinks to clean functions in rule G304 * chore(deps): update all dependencies * Update Go to version 2.22.3 in CI and release * chore(deps): update module golang.org/x/text to v0.15.0 * chore(deps): update all dependencies * chore(deps): update module github.com/onsi/gomega to v1.33.0 * Update to go 1.22.2 * chore(deps): update all dependencies * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1 * chore(deps): update all dependencies * fix(helpers/goversion): get from go.mod * chore: fix function name * chore(deps): update all dependencies * Format the imports using the gci tool * Fixup: delete unused variable * Fix test: update test to comply with the spec of generated sources * Refactor: use standard function to check if a file is generated * Fix lint warnings * Add support for math/rand/v2 added in Go 1.22 * Skip the G601 tests for Go version 1.22 * Update go version to 1.22.1 and 1.21.8 * Ignore 'implicit memory aliasing' rule for Go 1.22+ * chore(deps): update all dependencies * chore(deps): update module golang.org/x/tools to v0.18.0 * fix(hardcoded): remove duplicated `Stripe API Key` ------------------------------------------------------------------- Tue Feb 13 07:48:54 UTC 2024 - felix.niederwanger@suse.de - Update to version 2.19.0: * Update gosec version to v2.19.0 in the Github action * Update CI to go version 1.22 * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update all dependencies * chore(deps): update dependency babel-standalone to v7.23.7 * chore(deps): update module golang.org/x/crypto to v0.17.0 [security] * chore(deps): update all dependencies * chore(deps): update actions/setup-go action to v5 * Fix lint warnings by properly formatting the files * chore: Refactor Sample Code to Separate Files * Update go version to 1.21.5 and 1.20.12 (#1084) * chore(deps): update all dependencies (#1080) * Ignore the issues from generated files when using the analysis framework (#1079) * Update README with upload-sarif v2 (#1078) * chore(deps): update dependency babel-standalone to v7.23.4 ------------------------------------------------------------------- Sat Nov 25 19:22:09 UTC 2023 - Dirk Müller - update to 2.18.2: * Disable dot-imports in revive linter * Run the gosec with data race detector active during tests * Fix data race in the analyzer * Fix test that checks the overriden nosec directive * Clean global state in flgs tests * Format the file * Update README with details which describe the current of #nosec * Ensure the ignores are parsed before analysing the package ------------------------------------------------------------------- Sat Nov 25 19:19:43 UTC 2023 - dmueller@suse.com - Update to version 2.18.2: * Added ppc64le support * chore(deps): update all dependencies * Ensure ignores are handled properly for multi-line issues * Update Go to version 1.21.4 and 1.20.11 * chore(deps): update module golang.org/x/text to v0.14.0 * chore(deps): update all dependencies * Remove the hardcoded GOOS value when building the Linux binary to enable support for container image for ARM * Avoid allocations with `(*regexp.Regexp).MatchString` * Fix some typos * Update local installation instructions by removing the details for Go 1.16 ------------------------------------------------------------------- Tue Oct 17 14:29:50 UTC 2023 - felix.niederwanger@suse.de - Update to version 2.18.1: * chore(deps): update all dependencies * Update gosec to version 2.18.1 in the action * Update cosign version to v2.2.0 * Refactor how ignored issues are tracked * Restrict the maximum depth when tracking the slice bounds * Handle empty ssa results * Handle gracefully any panic that occurs when building the SSA representation of a package * Fix typo * Handle new function when getting the call info in case is overriden * Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037) * Update to Go 1.21.3 and 1.20.10 (#1035) * Update the list of unsafe functions detected by the unsafe rule (#1033) ------------------------------------------------------------------- Mon Oct 9 13:23:33 UTC 2023 - Jeff Kowalczyk - Packaging improvements: * Summary and Description clarify the purpose of this CLI tool * Use Group: Development/Languages/Go instead of Other * Drop BuildRequires: golang-packaging. The recommended Go toolchain dependency is BuildRequires: golang(API) >= 1.x or optionally the metapackage BuildRequires: go * Drop Requires: golang-packaging. The original macros for file movements into GOPATH are obsolete with Go modules. Macro go_nostrip is no longer needed with current binutils and Go. * Remove %%{go_nostrip} macro which is no longer recommended ------------------------------------------------------------------- Mon Oct 09 09:02:02 UTC 2023 - felix.niederwanger@suse.com - Update to version 2.18.0: * Update the action to use gosec version v2.18.0 (#1029) * Use a step ID in github release action to get the digest of the image (#1028) * Update to go version 1.21.2 and 1.20.9 (#1027) * chore(deps): update all dependencies (#1026) * Enable gochecknoinits; fix lint issues; use consts for some vars (#1022) * Fix typos in struct fields, comments, and docs (#1023) * chore(deps): update all dependencies * Fix lint warning * Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666 * Fix lint warnings * Update ginkgo to latest version * Redesign and reimplement the slice out of bounds check using SSA code representation * docs: add reMarkable to users list * chore(deps): update all dependencies * Drop support for go 1.19.x since go team doesn't ship anymore security fixes for it * Update to latest go version * chore(deps): update all dependencies (#1011) * Fix hardcoded_credentials rule to only match on more specific patterns (#1009) * chore(deps): update all dependencies (#1008) * Exclude maps from slince bounce check rule (#1006) * Ignore struct pointers in G601 (#1003) * Update gosec image version to 2.17.0 in the Github action (#1002) - Packaging improvements: * Use BuildRequires: golang(API) >= 1.20 instead of go >= 1.20. The go metapackage points to a single go version that increments at a date TBD after each go1.x major release. The expression golang(API) is available immediately upon each go1.x major release and is stable for expressing the minimum version or a temporarily pinned version. ------------------------------------------------------------------- Thu Aug 17 12:57:28 UTC 2023 - Felix Niederwanger felix.niederwanger@suse.com - Update to version 2.17.0: * Update cosign to version v2.1.1 (#1000) * Enable go 1.21.0 in the CI build (#998) * chore(deps): update all dependencies (#997) * Update to go version 1.20.7 and 1.19.12 (#993) * chore(deps): update all dependencies (#992) * chore(deps): update module github.com/onsi/gomega to v1.27.10 (#991) * fix: correctly identify infixed concats as potential SQL injections (#987) * chore(deps): update all dependencies (#989) * Add a new flag terse to show only the results and summary (#986) * Switch to a maintained fork of zxcvbn module (#984) ------------------------------------------------------------------- Fri Aug 4 08:27:41 UTC 2023 - Felix Niederwanger - Require go 1.20 ------------------------------------------------------------------- Tue May 23 09:10:04 UTC 2023 - Felix Niederwanger - Update to version 2.16.0 * Update cosign to latest version in release Github action * chore(deps): update all dependencies * Update go version in build and release scripts * chore(deps): update all dependencies * Update Go version to 1.20.3 * chore(deps): update all dependencies * Fix for Dockerfile smell DL3059 * README: upgrade GitHub action in examples * enable ginkgolinter linter * chore(deps): update all dependencies * correct gci linter * remove deprecated linters * increase timeout to 5m * chore(deps): update all dependencies * Use the latest version * Fix some linting warnings * Fix lint warning * Bump the go versions and golanci * chore(deps): update all dependencies * Check nil pointer when variable is declared in a different file * fix dead link to issue.go in README.md * Remove rule G307 which checks when an error is not handled when a file or socket connection is closed * Fix rule index reference into sarif report * Bump golang.org/x/net from 0.6.0 to 0.7.0 * Format file * Use the gosec issue in the go analysers * Fix file formatting * Update Go version in CI builds * Fix method name in the comment * Extract the issue in its own package * Add support for Go analysis framework and SSA code representation * chore(deps): update all dependencies * Remove the version form ci github action * Pin github action to latest release version 2.15.0 * Revert the image tag in github action until a working solution is found * Fix version interpolation in github action image * Add gosec version as an input parameter to GitHub action * Update release build script ------------------------------------------------------------------- Mon Feb 6 15:09:19 UTC 2023 - Felix Niederwanger * Update to version 2.15.0 - Fix dependencies after renovate update - chore(deps): update all dependencies (#922) - Update to Go 1.20 and fix unit tests (#923) - Update Go to latest version (#920) - Update hardcoded_credentials.go fix: adaper equal expr which const value at left (#917) - Fix github latest URL (#918) - Fix github release url (#916) - chore(deps): update module github.com/onsi/ginkgo/v2 to v2.7.0 (#914) - Update Go version in CI script (#913) - Track back when a file path was sanitized with filepath.Clean (#912) - Fix the TLS config rule when parsing the settings from a variable (#911) - Fix build after updating the dependencies (#910) - chore(deps): update all dependencies (#909) - Fix dependencies after renovate update (#907) - chore(deps): update all dependencies (#906) - Update slack badge and link (#905) - Auto-detect TLS MinVersion integer base (#903) - Adding s390x support (#902) - chore(deps): update all dependencies (#904) - chore(deps): update all dependencies (#898) - Additional types for bad defer check (#897) - chore(deps): update all dependencies (#894) - chore(deps): update all dependencies (#892) - Update Go version in CI scripts (#889) - chore(deps): update all dependencies (#888) - Allow to override build date with SOURCE_DATE_EPOCH (#887) - chore(deps): update all dependencies (#886) - chore(deps): update all dependencies (#884) - fileperms: bitwise permission comparison (#883) ------------------------------------------------------------------- Mon Dec 12 19:31:05 UTC 2022 - Felix Niederwanger - Switch OBS source service from tar_scm to obs_scm. * Embed version info with go build arg GIT_TAG="v%{version}" * _service obs_scm switch from tar_scm * _service obs_scm switch param revision (branch) to version (tag) * _service tar set to buildtime * _service recompress set to buildtime * _service recompress change tar compression from gz to xz ------------------------------------------------------------------- Mon Oct 17 13:45:23 UTC 2022 - Felix Niederwanger * Update to versin 2.14.0 - Pin release build to Go version 1.19.2 (#882) - Refactor to support duplicate imports with different aliases (#865) - chore(deps): update all dependencies (#881) - go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) - Update Go version to 1.19 in the makefile (#876) - chore(deps): update all dependencies (#875) - Add CWE-676 to cwe mapping (#874) - chore(deps): update all dependencies (#872) - Add a way to use private repositories on GitHub (#869) - chore(deps): update all dependencies (#868) - Check go version when installing govulncheck - Check go version when running govulncheck - Add vulncheck to the test steps - chore(deps): update all dependencies - Fix false positives for G404 with aliased packages - chore(deps): update all dependencies - chore(deps): update all dependencies - fix: add a CWE ID mapping to rule G114 - chore(deps): update golang.org/x/crypto digest to bc19a97 ------------------------------------------------------------------- Mon Aug 22 08:47:01 UTC 2022 - Felix Niederwanger * Update to version 2.13.1 - fix: make sure that nil Cwe pointer is handled when getting the CWE ID - test: remove white spaces from template - fix: handle nil CWE pointer in text template * Update to version 2.13.0 - chore(deps): update dependency babel-standalone to v7 - chore: update module go to 1.19 - chore: fix lint warnings - chore: add support for Go 1.19 - fix: parsing of the Go version (#844) - Detect use of net/http functions that have no support for setting timeouts (#842) - Refactor SQL rules for better extensibility (#841) - chore(deps): update module golang.org/x/tools to v0.1.12 (#840) - Fix lint warning - Check the suppressed issues when generating the exit code - Fix for G402. Check package path instead of package name (#838) - fix G204 bugs (#835) - Phase out support for Go 1.16 since is not supported anymore by Go team (#837) - chore(deps): update all dependencies (#836) - chore(deps): update dependency highlight.js to v11.6.0 (#830) - fix: filepaths with git anywhere in them being erroneously excluded (#828) - Fix wrong location for G109 (#829) - chore(deps): update golang.org/x/crypto digest to 0559593 (#826) - fix ReadTimeout for G112 rule - Pin cosign-installer to v2 (#824) * Update to version 2.12.0 - chore(deps): update all dependencies (#822) - Add check for usage of Rat.SetString in math/big with an overflow error (#819) - Remove additional --update for apk in Dockerfile (#818) - Update x/tools to pick up fix for golang/go#51629 (#817) - chore(deps): update all dependencies (#816) - chore(deps): update all dependencies (#812) - chore(deps): update all dependencies (#811) - Add new rule for Slowloris Attack - Fix the dependencies after renovate upate (#806) - chore(deps): update all dependencies (#805) - Update the description message of template rule (#803) - Fix typo in ReadMe (#802) - Fix build after renovate update (#800) - Fix use rule IDs to retrieve the rule config - chore(deps): update all dependencies (#796) ------------------------------------------------------------------- Tue Mar 22 08:10:13 UTC 2022 - Felix Niederwanger * Update to version 2.11.0 - Enable Go 1.18 in the ci and release workflows - Fix the lint action after upgrade (#790) - chore(deps): update all dependencies (#789) - Add a recursive flag -r to skip specifying ./... path - Adds directory traversal for Http.Dir("/") ------------------------------------------------------------------- Wed Mar 2 07:35:25 UTC 2022 - Felix Niederwanger * Update to version 2.10.0: - Extend the release action to sign the docker image and binary files with cosign (#781) - feat: add concurrency option to parallelize package loading (#778) - chore(deps): update all dependencies - Process the code snippet before adding it to the SARIF report - Updated sponsor link in README.md - chore(deps): update golang.org/x/crypto commit hash to 30dcbda - chore(deps): update all dependencies - Use the CWE name as a name in the SARIF report - chore(deps): update all dependencies (#771) - Resolve the TLS min version when is declarted in the same package but in a different file - Add a test for tls min version defined in a different file - chore(deps): update all dependencies (#765) ------------------------------------------------------------------- Fri Jan 21 07:49:30 UTC 2022 - Felix Niederwanger * Update to version 2.9.6: - Add db.Exec and db.Prepare to the sql rule (#763) - chore(deps): update golang.org/x/crypto commit hash to 5e0467b (#764) - Add os.Create to the readfile rule (#761) - Fix false negative for SQL injection when using DB.QueryRow.Scan() (#759) - chore(deps): update dependency highlight.js to v11.4.0 (#758) - Fix false negatives for SQL injection in multi-line queries - Find G303 with filepath.Join'd temp dirs (#754) - Find more tempdirs - build(fmt): use [ instead of [[ (#751) - Update to ginkgo v2 (#753) - Fix #743 (#748) - Handle nil when looking up a file by position into a package (#747) - Add in the config file settings for exclude and include options - chore(deps): update golang.org/x/crypto commit hash to e495a2d (#745) - Track both #nosec and #nosec rulelist for one violation (#741) - Add the sponsors section in the README file (#740) - Remove space between // and #nosec in examples and internal use ------------------------------------------------------------------- Fri Jan 14 09:33:28 UTC 2022 - Felix Niederwanger - Add position-independent executable to compiler flags ------------------------------------------------------------------- Fri Jan 14 09:15:56 UTC 2022 - Felix Niederwanger - Add version 2.9.5