gosec not detecting an expected issue and output wrongly formatted if no issue #333
Comments
There are two separate issues I see here: the detection of the vulnerability and the null pointer exception that is being triggered. I have not been able to reproduce the detection issue locally, but it could maybe be related to the. The null pointer exception in Java is caused by this line. The initialization doesn't create an empty array as in this example. It should be fairly easy to fix. Will submit a PR for that soon.
the json encoding of uninitialized arrays is null. this causes a npe in sonarqube tool. we should return an empty array rather than a null value here. relates to: securego#333
@gcmurphy I think I can add some info about the vulnerability detection issue. The unexpected behavior seems to be due to the fact that gosec is invoked on code obtained by cloning the repo (Travis clones the repo as one of its first steps), and in the non-working case this code does not contain the dependency code, which is located remotely.
Also, the remote dependency code is downloaded and the scan works fine.
* fix(formatters) null value causes npe in sonarqube the json encoding of uninitialized arrays is null. this causes a npe in sonarqube tool. we should return an empty array rather than a null value here. relates to: #333
The NPE issue should be fixed via #333. I think we can close this now?
OK, no issue is managed correctly now since the following is returned
Summary
The gosec sonarqube format sometimes returns
when it should not, because a vulnerability is in the code.
As a consequence of this, SonarQube is not able to process these results and fails with
This gosec output is also returned if there is no issue in the code, but it is not correctly managed by SonarQube.
Steps to reproduce the behavior
Running
within a cloned repo integrated with Travis and containing just a main.go file as:
it meets the error described above. If the file is modified to
the following is correctly returned
The vulnerability should also be detected in the previous case.
Please notice that the output below
is also returned when there is effectively no issue, such as when the main.go file is
but SonarQube is not able to manage it and again gets the exception reported above.
It should be the following if no issue is detected
The Sonar scanner CLI version used is sonar-scanner-4.0.0.1744-linux.
gosec version
Installed a few minutes ago through go get github.com/securego/gosec/cmd/gosec/...
The latest release on github.com is 2.0.0.
Go version (output of 'go version')
1.12.3
Operating system / Environment
Operating System Details
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
Expected behavior
G101 vulnerability should be detected
Actual behavior
G101 vulnerability is not detected and the output file is not correctly formatted
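The formatting half of this report comes down to how Go's encoding/json treats a nil slice: it is emitted as JSON null, not as an empty array, and SonarQube's generic issue import then fails on the null. The following added example (not gosec's own code; the sonarReport/sonarIssue types are a hypothetical subset of the SonarQube issue format) reproduces the null output, shows the fix of initialising the slice, and includes a small pre-check a CI step could run on the report before handing it to sonar-scanner.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sonarIssue is a hypothetical subset of a SonarQube generic issue entry.
// Field names are an assumption for this example, not gosec's exact types.
type sonarIssue struct {
	EngineID string `json:"engineId"`
	RuleID   string `json:"ruleId"`
}

// sonarReport is the top-level document the generic issue import reads.
type sonarReport struct {
	Issues []sonarIssue `json:"issues"`
}

// encodeNilSlice reproduces the bug: Issues is never initialised, so the
// nil slice marshals to JSON null, which SonarQube cannot process.
func encodeNilSlice() string {
	var report sonarReport // Issues == nil
	b, _ := json.Marshal(report)
	return string(b) // {"issues":null}
}

// encodeEmptySlice is the fix: an initialised, zero-length slice marshals
// to an empty array, which SonarQube accepts as "no findings".
func encodeEmptySlice() string {
	report := sonarReport{Issues: []sonarIssue{}}
	b, _ := json.Marshal(report)
	return string(b) // {"issues":[]}
}

// hasNullIssues is a defensive pre-check for a CI pipeline: it reports true
// when the "issues" key decoded to nil (JSON null or absent), i.e. a report
// that would trigger the NPE in the scanner, so the job can fail early.
func hasNullIssues(doc []byte) (bool, error) {
	var report sonarReport
	if err := json.Unmarshal(doc, &report); err != nil {
		return false, err
	}
	return report.Issues == nil, nil
}

func main() {
	fmt.Println("buggy: ", encodeNilSlice())
	fmt.Println("fixed: ", encodeEmptySlice())
}
```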