securego · ccojocar · Oct 18, 2023 · Oct 18, 2023 · Oct 18, 2023
diff --git a/Makefile b/Makefile
@@ -32,7 +32,7 @@ install-govulncheck:
 		go install golang.org/x/vuln/cmd/govulncheck@latest; \
 	fi
 
-test: install-test-deps build fmt vet sec govulncheck
+test: install-test-deps build-race fmt vet sec govulncheck
 	$(GINKGO) -v --fail-fast
 
 fmt:
@@ -64,6 +64,9 @@ test-coverage: install-test-deps
 build:
 	go build -o $(BIN) ./cmd/gosec/
 
+build-race:
+	go build -race -o $(BIN) ./cmd/gosec/
+
 clean:
 	rm -rf build vendor dist coverage.txt
 	rm -f release image $(BIN)

diff --git a/analyzer.go b/analyzer.go
@@ -184,6 +184,7 @@ type Analyzer struct {
 	trackSuppressions bool
 	concurrency       int
 	analyzerList      []*analysis.Analyzer
+	mu                sync.Mutex
 }
 
 // NewAnalyzer builds a new analyzer.
@@ -324,7 +325,9 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 	// step 1/3 create build context.
 	buildD := build.Default
 	// step 2/3: add build tags to get env dependent files into basePackage.
+	gosec.mu.Lock()
 	buildD.BuildTags = conf.BuildFlags
+	gosec.mu.Unlock()
 	basePackage, err := buildD.ImportDir(pkgPath, build.ImportComment)
 	if err != nil {
 		return []*packages.Package{}, fmt.Errorf("importing dir %q: %w", pkgPath, err)
@@ -348,7 +351,9 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 	}
 
 	// step 3/3 remove build tags from conf to proceed build correctly.
+	gosec.mu.Lock()
 	conf.BuildFlags = nil
+	defer gosec.mu.Unlock()
 	pkgs, err := packages.Load(conf, packageFiles...)
 	if err != nil {
 		return []*packages.Package{}, fmt.Errorf("loading files from package %q: %w", pkgPath, err)