Description
A false positive of "Slice memory allocation with excessive size value" in Go (Rule ID: go/uncontrolled-allocation-size).
It's a false positive, because the length of the allocated slice is explicitly limited via the `min` function, so it should not be reported.

Link to source code:
https://github.com/fzipp/canvas/blob/9bf9f5531d570cf664d7c0f931b02dd3749f4fce/event.go#L402

```go
const maxTouchListLength = 10
length := buf.readByte()
limitedLength := min(length, maxTouchListLength)
list := make(TouchList, limitedLength)
```

URL to the alert on GitHub code scanning:
https://github.com/fzipp/canvas/security/code-scanning/2
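
The clamp-before-allocate pattern this report describes, as an added stand-alone example (not code from the issue or from the canvas project). It goes beyond the snippet above by using a 4-byte count, where an unclamped value could request gigabytes; the wire format, `decodeList`, `maxListLength` and `errTruncated` are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed wire format (constructed for this example): a 4-byte big-endian
// element count, then that many 2-byte big-endian values.
const maxListLength = 10 // hypothetical cap, mirrors maxTouchListLength

var errTruncated = errors.New("truncated input")

// decodeList sizes the slice from the untrusted count only after clamping
// it to a constant, so the allocation is at most maxListLength elements.
func decodeList(data []byte) ([]uint16, error) {
	if len(data) < 4 {
		return nil, errTruncated
	}
	count := binary.BigEndian.Uint32(data)
	limited := min(count, maxListLength) // built-in min, Go 1.21+
	list := make([]uint16, limited)
	body := data[4:]
	for i := range list {
		if len(body) < 2 {
			return nil, errTruncated // header promised more than was sent
		}
		list[i] = binary.BigEndian.Uint16(body)
		body = body[2:]
	}
	return list, nil
}

func main() {
	// Constructed input: header claims 0xFFFFFFFF elements, body carries 12.
	in := []byte{0xFF, 0xFF, 0xFF, 0xFF}
	for i := 0; i < 12; i++ {
		in = append(in, 0, byte(i))
	}
	list, err := decodeList(in)
	fmt.Println(len(list), cap(list), err) // 10 10 <nil>
}
```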