From c67c96ac9ea0cea11fd3725b44f425756f085935 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Wed, 22 May 2024 10:08:42 +0200
Subject: [PATCH 1/2] Add an environment varialbe which disables the parsing of Go version from module file

Signed-off-by: Cosmin Cojocar
---
 helpers.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/helpers.go b/helpers.go
index 2e28b31871..098d31194a 100644
--- a/helpers.go
+++ b/helpers.go
@@ -32,6 +32,9 @@ import (
 	"strings"
 )
 
+// noGoModVersion disables the parsing of go version from go module file present in the project
+const noGoModVersion = "GOSECNOMODVERSION"
+
 // MatchCallByPackage ensures that the specified package is imported,
 // adjusts the name for any aliases and ignores cases that are
 // initialization only imports.
@@ -498,12 +501,13 @@ func RootPath(root string) (string, error) {
 
 // GoVersion returns parsed version of Go mod version and fallback to runtime version if not found.
 func GoVersion() (int, int, int) {
-	goVersion, err := goModVersion()
-	if err != nil {
-		return parseGoVersion(strings.TrimPrefix(runtime.Version(), "go"))
+	_, ok := os.LookupEnv(noGoModVersion)
+	if ok {
+		if goModVersion, err := goModVersion(); err == nil {
+			return parseGoVersion(goModVersion)
+		}
 	}
-
-	return parseGoVersion(goVersion)
+	return parseGoVersion(strings.TrimPrefix(runtime.Version(), "go"))
 }
 
 type goListOutput struct {

From 83dd054bb920f8865fc605e8a8deec3aaadb262c Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Wed, 22 May 2024 10:17:50 +0200
Subject: [PATCH 2/2] Update the README with some details related to Go version used by the rules

Signed-off-by: Cosmin Cojocar
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 70633028bb..9d5ed3fbf0 100644
--- a/README.md
+++ b/README.md
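Review bot: The new `if ok {` in GoVersion inverts the documented behaviour: with `GOSECNOMODVERSION` set the function parses the module version, and with it unset (the default) it never calls goModVersion() and always returns the runtime version, which is the opposite of what the constant's comment in the first hunk ("disables the parsing of go version from go module file") and the README text in the second patch describe. Because the README states that some rules require a specific Go version, this silently changes the version those rules see on every run that does not set the variable. The condition should be negated, `if _, ok := os.LookupEnv(noGoModVersion); !ok {`, so the module lookup is skipped only when the variable is present. Note also that LookupEnv tests presence only, so `GOSECNOMODVERSION=off` or an empty value has the same effect as the `=on` the README advertises; either document that any value counts or compare the value from os.Getenv.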
@@ -230,6 +230,12 @@ You can also configure the hard-coded credentials rule `G101` with additional pa
 }
 ```
 
+#### Go version
+
+Some rules require a specific Go version which is retrieved from the Go module file present in the project. If this version cannot be found, it will fallback to Go runtime version.
+
+The Go module version is parsed using the `go list` command which in some cases might lead to performance degradation. In this situation, the go module version can be easily disabled by setting the environment variable `GOSECNOMODVERSION=on`.
+
 ### Dependencies
 
 gosec will fetch automatically the dependencies of the code which is being analyzed when go module is turned on (e.g.`GO111MODULE=on`). If this is not the case,