gosec
Per-diagnostic annotation
`#nosec` is an effective tool in making a codebase gas-clean, but it's not expressive enough. It disables every gas diagnostic (now and forever) but doesn't provide any auditable documentation to the annotated code.
Proposal
I propose per-diagnostic AST node annotations. Through gas adding support for disabling specific diagnostics on a set of AST nodes, annotated code becomes self-documenting. It also opens up the suppressed code to diagnostics gas may add in the future.
```go
package main

var x, y int // hypothetical operands, declared so the snippet compiles

func a() {
	// gas(-G101, -G102)
	if x < y {
		// code that is not safe for G101, G102
		// code that may become a diagnostic error in a future version of gas
	}
}
```
NB: syntax not fleshed out; what would it mean to have `gas(+G1, -G1, invalidchars)`? Would we need to implement a custom parser? We could probably make the grammar simpler to avoid doing too much work here.
Prior Art
Clang, a popular C and C++ compiler, offers scoped diagnostic suppression on a per-diagnostic basis:
```c
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wbitwise-op-parentheses"
1 << 3 << 4 == 5 << 6; // no warning issued due to ignoring bitwise-op-parentheses
#pragma clang diagnostic pop
```
I believe Visual C++ and GCC offer similar.
I think this is a reasonable request. I'll put it on the backlog. Thanks for the suggestion.
I've proposed an implementation in this pull request: #142
It might be interesting to re-use Go's parser + AST to do this, e.g. using a subset of Go's simple expressions. Proof of concept idea here: https://play.golang.org/p/c1yfMxvTbrw
This feature is now supported by tracking the suppressions: https://github.com/securego/gosec#tracking-suppressions.
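A sketch of the go/parser + go/ast approach suggested above, added here as an example and not the gosec project's own code: it binds the proposed `gas(-G101, -G102)` comment to the statement that follows it, records which rule IDs are disabled on which lines, rejects a malformed directive instead of silently ignoring it, and leaves every other line (and every rule not named, including ones added later) subject to checking. The directive grammar, the `Suppressions` function and the sample source are assumptions.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Constructed input: the proposal's example, completed so that it parses.
const sample = `package main
var x, y int
func a() {
	// gas(-G101, -G102)
	if x < y {
		x = y // not safe for G101, G102
	}
	y = x // not annotated: every rule, current or future, still applies here
}`

// Assumed grammar for the proposed directive, e.g. "gas(-G101, -G102)": only -Gnnn tokens are valid.
var directiveRe, ruleRe = regexp.MustCompile(`^gas\((.*)\)$`), regexp.MustCompile(`^-G\d{3}$`)

// Suppressions maps each line of src to the rule IDs disabled on it. A directive (first line of a
// comment group) covers only the statement go/ast's comment map binds it to; malformed ones are errors.
func Suppressions(src string) (map[int][]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	out := map[int][]string{}
	for node, groups := range ast.NewCommentMap(fset, f, f.Comments) {
		for _, g := range groups {
			if m := directiveRe.FindStringSubmatch(strings.TrimSpace(strings.SplitN(g.Text(), "\n", 2)[0])); m != nil {
				for _, tok := range strings.Split(m[1], ",") {
					if tok = strings.TrimSpace(tok); !ruleRe.MatchString(tok) {
						return nil, fmt.Errorf("%v: invalid gas directive token %q", fset.Position(node.Pos()), tok)
					}
					for l := fset.Position(node.Pos()).Line; l <= fset.Position(node.End()).Line; l++ {
						out[l] = append(out[l], strings.TrimPrefix(tok, "-"))
					}
				}
			}
		}
	}
	return out, nil
}
```

Run against `sample`, lines 5 to 7 (the annotated `if` statement) report G101 and G102 as disabled, while line 8 and every rule ID not named in the directive stay unsuppressed.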