Skip to content

Panic in gosec 2.21.3 conversion overflow analyzer #1229

New issue
New issue
Closed
#1232
Closed
Panic in gosec 2.21.3 conversion overflow analyzer#1229
#1232
@gmwiz

Description

@gmwiz
gmwiz
opened on Sep 19, 2024

Summary

We started getting panic on some of our routine gosec scans. I'm not certain as to what exactly triggers it, but it happens when scanning a large project.

panic: unexpected constant value: <nil>

goroutine 1 [running]:
golang.org/x/tools/go/ssa.(*Const).Uint64(0xc0098c2300)
        golang.org/x/[email protected]/go/ssa/const.go:214 +0x105
github.com/securego/gosec/v2/analyzers.updateExplicitValues(0xc00124b250, 0xc0098c2300)
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:398 +0xce
github.com/securego/gosec/v2/analyzers.updateResultFromBinOp(0xc00124b250, 0xc008eee1c0, 0xc00124b550?, 0x0)
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:378 +0x110
github.com/securego/gosec/v2/analyzers.getResultRange(0xc004f6acd8, 0xc0030c7130, 0xc00124b550)
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:322 +0x305
github.com/securego/gosec/v2/analyzers.hasExplicitRangeCheck(0xc0030c7130, {0xc0011a78d8?, 0x6?})
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:270 +0x279
github.com/securego/gosec/v2/analyzers.isSafeConversion(0xc0030c7130)
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:187 +0xaa
github.com/securego/gosec/v2/analyzers.runConversionOverflow(0xc005cb6460)
        github.com/securego/gosec/[email protected]/analyzers/conversion_overflow.go:81 +0x27e
github.com/securego/gosec/v2.(*Analyzer).CheckAnalyzers(0xc000e9c480, 0xc000f14000)
        github.com/securego/gosec/[email protected]/analyzer.go:446 +0x4a2
github.com/securego/gosec/v2.(*Analyzer).Process(0xc000e9c480, {0x0, 0x0, 0x0}, {0xc0002cd6c0, 0xd, 0x3d?})
        github.com/securego/gosec/[email protected]/analyzer.go:317 +0x488
main.main()
        github.com/securego/gosec/[email protected]/cmd/gosec/main.go:476 +0xde5

Steps to reproduce the behavior

Scan a directory using:

gosec -concurrency=1 -verbose -nosec=false -confidence=high -severity=high

gosec version

2.21.3

Go version (output of 'go version')

1.22.4

Operating system / Environment

Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions