Problem
pkg/cli/firewall_policy.go:466–468 uses a bare named return when os.ReadDir fails:
    // 4. Legacy separate firewall-audit-logs artifact (backward compat for older runs)
    entries, err := os.ReadDir(runDir)
    if err != nil {
        return // returns whatever manifestPath/auditJSONLPath were set so far
    }
If os.ReadDir(runDir) fails (e.g., permission denied, path does not exist), the function detectFirewallAuditArtifacts silently returns whatever (manifestPath, auditJSONLPath) values were accumulated from steps 1–3, without surfacing the error.
For security auditing, this means:
- If the legacy artifact was the only artifact present and steps 1–3 found nothing, the audit silently returns empty results
- The calling analyzeFirewallPolicy function then calls loadPolicyManifest("") which fails, but the root cause (the ReadDir error) is invisible
- There is no log message or error return to indicate the scan was incomplete
Location
pkg/cli/firewall_policy.go, function detectFirewallAuditArtifacts, lines 466–468
Current Code
    func detectFirewallAuditArtifacts(runDir string) (manifestPath, auditJSONLPath string) {
        // ... steps 1-3 ...
        // Step 4: legacy artifact
        entries, err := os.ReadDir(runDir)
        if err != nil {
            return // silent partial return
        }
        // ...
    }
Recommended Fix
Change the function signature to return an error, or at minimum log the error:
    func detectFirewallAuditArtifacts(runDir string) (manifestPath, auditJSONLPath string, err error) {
        // ... steps 1-3 ...
        entries, readErr := os.ReadDir(runDir)
        if readErr != nil {
            err = fmt.Errorf("detectFirewallAuditArtifacts: reading run dir %s: %w", runDir, readErr)
            return
        }
        // ...
    }
Or, if a function signature change is too disruptive, log the error before returning:
    entries, err := os.ReadDir(runDir)
    if err != nil {
        firewallPolicyLog.Printf("Warning: could not read run directory for legacy artifact scan: %v", err)
        return
    }
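The defect and the recommended fix side by side, as an added example that is not the gh-aw project's own code: only the legacy-artifact scan (step 4) is modelled, and the function names, the ".jsonl" suffix match and the errNoAuditArtifact sentinel standing in for the loadPolicyManifest("") failure are constructed for this illustration. Running it against a run directory that does not exist shows why the bare return matters: the silent detector's caller sees only "no artifact found", while the propagating detector's caller keeps the underlying os.ErrNotExist.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Example code added for illustration; not the gh-aw implementation. Only the
// legacy-artifact scan (step 4 in the issue) is modelled, and the ".jsonl"
// suffix match is an assumption.

// detectLegacySilent reproduces the defect: a bare return on the ReadDir
// failure hands back the named results accumulated so far and drops the error.
func detectLegacySilent(runDir string) (manifestPath, auditJSONLPath string) {
	entries, err := os.ReadDir(runDir)
	if err != nil {
		return // silent partial return: caller cannot tell "not found" from "not scanned"
	}
	for _, e := range entries {
		if !e.IsDir() && strings.HasSuffix(e.Name(), ".jsonl") {
			auditJSONLPath = filepath.Join(runDir, e.Name())
		}
	}
	return
}

// detectLegacyWithError is the hardened form from the recommended fix: the
// ReadDir failure is wrapped with %w so callers keep the underlying cause.
func detectLegacyWithError(runDir string) (manifestPath, auditJSONLPath string, err error) {
	entries, readErr := os.ReadDir(runDir)
	if readErr != nil {
		err = fmt.Errorf("detectLegacyWithError: reading run dir %s: %w", runDir, readErr)
		return
	}
	for _, e := range entries {
		if !e.IsDir() && strings.HasSuffix(e.Name(), ".jsonl") {
			auditJSONLPath = filepath.Join(runDir, e.Name())
		}
	}
	return
}

// errNoAuditArtifact stands in (constructed) for the loadPolicyManifest("")
// failure the caller would otherwise hit.
var errNoAuditArtifact = errors.New("no firewall audit artifact found")

// analyzeSilent calls the defective detector: an inaccessible run directory
// surfaces only as "nothing found", with the ReadDir error gone.
func analyzeSilent(runDir string) error {
	_, audit := detectLegacySilent(runDir)
	if audit == "" {
		return errNoAuditArtifact
	}
	return nil
}

// analyzeWithError propagates the scan error, so an incomplete audit is
// reported as such rather than as an empty result.
func analyzeWithError(runDir string) error {
	_, audit, err := detectLegacyWithError(runDir)
	if err != nil {
		return fmt.Errorf("analyzeWithError: %w", err)
	}
	if audit == "" {
		return errNoAuditArtifact
	}
	return nil
}

func main() {
	// A run directory that does not exist stands in for the inaccessible case.
	missing := filepath.Join(os.TempDir(), "gh-aw-example-run-dir-that-does-not-exist")
	fmt.Println("silent detector:     ", analyzeSilent(missing))
	err := analyzeWithError(missing)
	fmt.Println("propagating detector:", err)
	fmt.Println("root cause is ErrNotExist:", errors.Is(err, os.ErrNotExist))
}
```

Because the fix wraps with %w, a caller such as the audit command can use errors.Is against os.ErrNotExist or os.ErrPermission to distinguish a missing run directory from one it was not allowed to read, and report the scan as incomplete instead of as an empty result.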
Impact
- Severity: Medium (security auditing path)
- Scenario: Affects gh aw audit when the run directory is inaccessible or partially downloaded
- Risk: Security audit silently reports incomplete results without indicating why
Validation
- detectFirewallAuditArtifacts with a non-readable runDir
- analyzeFirewallPolicy propagates the error correctly
Estimated Effort: Small
Generated by Sergo · Run §25243999835