Golangci-lint: gosec panic on for _, _ = range foo

Created on 26 Jun 2020 · 6 Comments · Source: golangci/golangci-lint

Test content:

package main

func main() {
        var foo []int64
        for _, _ = range foo {
        }
}

Invocation:

golangci-lint run  -v --enable gosec

Notes:

  • standalone gosec doesn't produce this panic.
  • verbose output/environment below is MacOS but I get the same result on FreeBSD and Linux. Tested on 1.14.3 and 1.14.4.
  • A change to for range foo { avoids the panic.

  • [x] Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.

  • [x] Yes, I've searched similar issues on GitHub and didn't find any.
  • [x] Yes, I've included all information below (version, config, etc).

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 1.27.0 built from fb74c2e on 2020-05-13T18:45:55Z

Config file

$ cat .golangci.yml
I am not using a .golangci.yml

Go environment

$ go version && go env
go version go1.14.3 darwin/amd64
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/chris/Library/Caches/go-build"
GOENV="/Users/chris/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/chris/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.14.3/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.14.3/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/chris/git/transmission/tmp/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/hf/9lsqq0jd5c59p2nvjb6wtk3w0000gn/T/go-build259483492=/tmp/go-build -gno-record-gcc-switches -fno-common"

Verbose output of running

$ golangci-lint cache clean

$ golangci-lint run  -v --enable gosec
INFO [config_reader] Config search paths: [./ /Users/chris/git/transmission/tmp /Users/chris/git/transmission /Users/chris/git /Users/chris /Users /]
INFO [lintersdb] Active 11 linters: [deadcode errcheck gosec gosimple govet ineffassign staticcheck structcheck typecheck unused varcheck]
INFO [loader] Go packages loading at mode 575 (compiled_files|imports|types_sizes|deps|exports_file|files|name) took 105.85597ms
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 211.129µs
INFO [linters context/goanalysis] analyzers took 21.277884ms with top 10 stages: ctrlflow: 3.445133ms, printf: 3.411593ms, fact_deprecated: 3.350724ms, fact_purity: 2.151399ms, buildir: 1.129769ms, structcheck: 239.298µs, errcheck: 231.067µs, SA2001: 202.562µs, isgenerated: 200.977µs, ineffassign: 198.154µs
WARN [linters context] Panic: gosec: package "main" (isInitialPkg: true, needAnalyzeSource: true): runtime error: invalid memory address or nil pointer dereference: goroutine 235 [running]:
runtime/debug.Stack(0x1bef160, 0x3c, 0xc000972c58)
        /opt/hostedtoolcache/go/1.14.2/x64/src/runtime/debug/stack.go:24 +0x9d
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func1(0xc00025b620)
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:508 +0x1b5
panic(0x1a27ee0, 0x2452070)
        /opt/hostedtoolcache/go/1.14.2/x64/src/runtime/panic.go:969 +0x166
github.com/securego/gosec/v2/rules.(*implicitAliasing).Match(0xc00096a660, 0x1d5a2e0, 0xc0000ad5e0, 0xc000976000, 0x2593c00, 0x0, 0x3)
        /home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/rules/implicit_aliasing.go:36 +0x271
github.com/securego/gosec/v2.(*Analyzer).Visit(0xc00096a2a0, 0x1d5a2e0, 0xc0000ad5e0, 0x1d50180, 0xc00096a2a0)
        /home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzer.go:353 +0x472
go/ast.Walk(0x1d50180, 0xc00096a2a0, 0x1d5a2e0, 0xc0000ad5e0)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:52 +0x66
go/ast.walkStmtList(0x1d50180, 0xc00096a2a0, 0xc0004a90a0, 0x2, 0x2)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:32 +0x9e
go/ast.Walk(0x1d50180, 0xc00096a2a0, 0x1d598e0, 0xc0003ddc50)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:224 +0x1adf
go/ast.Walk(0x1d50180, 0xc00096a2a0, 0x1d59e60, 0xc0003ddc80)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:344 +0xd98
go/ast.walkDeclList(0x1d50180, 0xc00096a2a0, 0xc000613f90, 0x1, 0x1)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:38 +0x9e
go/ast.Walk(0x1d50180, 0xc00096a2a0, 0x1d59de0, 0xc00009f680)
        /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:353 +0x264e
github.com/securego/gosec/v2.(*Analyzer).Check(0xc00096a2a0, 0xc000973c70)
        /home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzer.go:219 +0x435
github.com/golangci/golangci-lint/pkg/golinters.NewGosec.func1.1(0xc000968180, 0xc93bf79, 0x255d620, 0xc0006c0080, 0x2)
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/gosec.go:50 +0x16b
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyze(0xc00025b620)
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:590 +0xa25
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe.func2()
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:512 +0x2a
github.com/golangci/golangci-lint/pkg/timeutils.(*Stopwatch).TrackStage(0xc0000ad4a0, 0x1b3f5a9, 0x5, 0xc000899770)
        /home/runner/work/golangci-lint/golangci-lint/pkg/timeutils/stopwatch.go:111 +0x50
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*action).analyzeSafe(0xc00025b620)
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:511 +0x91
github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze.func2(0xc0005438a0, 0xc00025b620)
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:1058 +0x61
created by github.com/golangci/golangci-lint/pkg/golinters/goanalysis.(*loadingPackage).analyze
        /home/runner/work/golangci-lint/golangci-lint/pkg/golinters/goanalysis/runner.go:1053 +0x306
INFO [linters context/goanalysis] analyzers took 423.322µs with top 10 stages: buildir: 333.584µs, U1000: 89.738µs
INFO [runner] processing took 5.223µs with stages: max_same_issues: 2.28µs, skip_dirs: 504ns, skip_files: 319ns, cgo: 285ns, nolint: 264ns, max_from_linter: 239ns, autogenerated_exclude: 238ns, path_prettifier: 177ns, diff: 161ns, filename_unadjuster: 154ns, identifier_marker: 151ns, source_code: 87ns, exclude: 76ns, max_per_file_from_linter: 75ns, uniq_by_line: 72ns, exclude-rules: 71ns, path_shortener: 70ns
INFO [runner] linters took 428.395891ms with stages: goanalysis_metalinter: 423.280547ms, unused: 5.044023ms
INFO File cache stats: 0 entries of total size 0B
INFO Memory: 7 samples, avg is 70.8MB, max is 70.8MB
INFO Execution took 552.583813ms

bug dependencies

All 6 comments

Hey, thank you for opening your first Issue! 🙂 If you would like to contribute we have a guide for contributors.

Hi, I am facing the same issue for gosec v2.3.0 (which is the version used in golangci-lint)

$ cat main.go             
package main

func main() {
        var foo []int64
        for _, _ = range foo {
        }
}

$ gosec ./...
[gosec] 2020/06/26 22:36:04 Including rules: default
[gosec] 2020/06/26 22:36:04 Excluding rules: default
[gosec] 2020/06/26 22:36:04 Import directory: /home/tammach/temp
[gosec] 2020/06/26 22:36:04 Checking package: main
[gosec] 2020/06/26 22:36:04 Checking file: /home/tammach/temp/main.go
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x6bab71]

goroutine 1 [running]:
github.com/securego/gosec/v2/rules.(*implicitAliasing).Match(0xc0001a6f60, 0x7e1740, 0xc00007f2c0, 0xc00015a070, 0xa79120, 0x0, 0x3)
    /home/runner/work/gosec/gosec/rules/implicit_aliasing.go:36 +0x271
github.com/securego/gosec/v2.(*Analyzer).Visit(0xc0000743c0, 0x7e1740, 0xc00007f2c0, 0x7df880, 0xc0000743c0)
    /home/runner/work/gosec/gosec/analyzer.go:353 +0x472
go/ast.Walk(0x7df880, 0xc0000743c0, 0x7e1740, 0xc00007f2c0)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:52 +0x66
go/ast.walkStmtList(0x7df880, 0xc0000743c0, 0xc000666da0, 0x2, 0x2)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:32 +0x9e
go/ast.Walk(0x7df880, 0xc0000743c0, 0x7e0ec0, 0xc00069f590)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:224 +0x1adf
go/ast.Walk(0x7df880, 0xc0000743c0, 0x7e1340, 0xc00069f5c0)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:344 +0xd98
go/ast.walkDeclList(0x7df880, 0xc0000743c0, 0xc00069a2d0, 0x1, 0x1)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:38 +0x9e
go/ast.Walk(0x7df880, 0xc0000743c0, 0x7e12c0, 0xc000670000)
    /opt/hostedtoolcache/go/1.14.2/x64/src/go/ast/walk.go:353 +0x264e
github.com/securego/gosec/v2.(*Analyzer).Check(0xc0000743c0, 0xc0006b1b00)
    /home/runner/work/gosec/gosec/analyzer.go:219 +0x435
github.com/securego/gosec/v2.(*Analyzer).Process(0xc0000743c0, 0x0, 0x0, 0x0, 0xc000068490, 0x1, 0x1, 0x1, 0x0)
    /home/runner/work/gosec/gosec/analyzer.go:140 +0xfb
main.main()
    /home/runner/work/gosec/gosec/cmd/gosec/main.go:335 +0x78c

If this is an issue with the latest version of gosec, please file an issue in the gosec project. If it's fixed upstream we should just bump the dependency in golangci-lint.

Apologies, looks like it was fixed in gosec but they've not made a release since -- https://github.com/securego/gosec/issues/475

@shric Could you please check the issue with v1.30.0? We updated the version of gosec

Thanks @SVilgelm, the issue no longer occurs on v1.30.0!
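Added example, not part of the thread and not gosec's code: a minimal `go/ast` walk over the reporter's reproducer and two variants, showing which loop headers leave the range value identifier without a resolved object. It assumes the panic at `implicit_aliasing.go:36` comes from reading `Ident.Obj` of the range value without a nil check (the thread shows only the location); `rangeValueDecl` and `srcTmpl` are hypothetical names.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed input: the report's reproducer with a swappable loop header.
const srcTmpl = "package main\nfunc main() {\n\tvar foo []int64\n\t%s {\n\t}\n}\n"

// rangeValueDecl reports what the value variable of the range loop is bound
// to, checking each pointer a rule would otherwise dereference blindly.
func rangeValueDecl(header string) (string, error) {
	src := fmt.Sprintf(srcTmpl, header)
	f, err := parser.ParseFile(token.NewFileSet(), "main.go", src, 0)
	if err != nil {
		return "", err
	}
	result := "no range statement"
	ast.Inspect(f, func(n ast.Node) bool {
		rs, ok := n.(*ast.RangeStmt)
		if !ok {
			return true
		}
		id, ok := rs.Value.(*ast.Ident) // Value is nil for "for range foo"
		switch {
		case !ok:
			result = "no value variable"
		case id.Obj == nil: // "_" assigned with "=" is never resolved
			result = "unresolved identifier"
		default:
			result = fmt.Sprintf("%T", id.Obj.Decl)
		}
		return false
	})
	return result, nil
}

func main() {
	for _, h := range []string{"for _, _ = range foo", "for range foo", "for _, v := range foo"} {
		d, err := rangeValueDecl(h)
		fmt.Printf("%-22s -> %s (err=%v)\n", h, d, err)
	}
}
```

Only the `for _, _ = range foo` form reaches the `id.Obj == nil` branch, which matches the reporter's note that `for range foo` avoids the panic.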
