Panic in G304 when variable references is not defined in the same file as its usage. #937
Description
Summary
G304 will panic and segfault if the variable referenced is NOT contained in the file where the clean call originates.
This is because ident.Obj may be nil if the referenced declaration is in another file. It also may be incorrect.
Steps to reproduce the behavior
Have a function in file A which has a line that looks like:
whoCares, err := filepath.Rel(variableDefinedInAnotherFile, "unimportant")
Have another file B which contains the variable definition for that variable:
var variableDefinedInAnotherFile string
Scan the path with those two files in it.
BOOM, segfault.
gosec version
Introduced in 2.15.0
Go version (output of 'go version')
go version go1.19.5 darwin/arm64
Operating system / Environment
Darwin tiny.local 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:39:35 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T8103 arm64
Expected behavior
- No segfault
- Possibly kvetch about
Actual behavior
panic, segfault, sad faces.
This can be seen the G304 test cases added, or by using v2.15.0 to scan:
github.com/DrHayt/sample