SUSE Package Hub - openSUSE-2025-162

Update Info

openSUSE-2025-162

Recommended update for gosec

Type: recommended
Severity: moderate
Issued: 2025-05-23
Description:
This update for gosec fixes the following issues:

Update to version 2.22.4:

  * Update to go version 1.24.3 and 1.23.9
  * update: updated the build command to include version metadata
  * chore(deps): update all dependencies
  * Update the AI provider API key value when provided as an argument
  * chore(deps): update module google.golang.org/api to v0.230.0
  * chore(deps): update module google.golang.org/api to v0.229.0
  * chore(deps): update all dependencies
  * Comment the reason why the file can be nil when an issue is created
  * Handle nil file when creating a new issue
  * chore(deps): update all dependencies (#1333)

Update to version 2.22.3:

  * Update version in 'action.yml' to 2.22.3 (anticipating next version (#1332)
  * Update go version to 1.24.2 and 1.23.8 (#1331)
  * remove G113. It only affects old/unsupported versions of Go (#1328)
  * chore(deps): update all dependencies (#1325)
  * Add SSOJet (#1320)
  * chore(deps): update all dependencies (#1319)
  * Update the integrity sha for babel dependency in html report (#1316)
  * Add support for `//gosec:disable` directive (#1314)
  * chore(deps): update all dependencies (#1315)

Update to version 2.22.2:

  * Update to go version 1.24.1 and 1.23.7 (#1313)
  * chore(deps): update all dependencies (#1310)
  * chore(deps): update all dependencies (#1308)
  * Update gosec version in the GitHub action to v2.22.1 (#1307)
  * chore(deps): update module google.golang.org/api to v0.221.0 (#1305)

Update to version 2.22.1:

  * Update cosign to v2.4.2 (#1303)
  * Add support for go 1.24 and phased out support for go 1.22 (#1302)
  * chore(deps): update all dependencies (#1300)
  * Update to go version 1.23.6 and 1.22.12 (#1299)
  * chore(deps): update module google.golang.org/api to v0.219.0 (#1296)
  * chore(deps): update module google.golang.org/api to v0.218.0 (#1294)
  * Add test to conver unit parssing for G115 rule (#1293)
  * Update to go version 1.23.5 and 1.22.11 (#1291)
  * chore(deps): update all dependencies (#1290)
  * Update gosec in github action to 2.22.0 (#1286)

Update to version 2.22.0:

  * Update what message for G104 (#1282)
  * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.22.2 (#1281)
  * chore(deps): update all dependencies (#1280)
  * chore(deps): update all dependencies (#1279)
  * Simplify sortIssues implementation (#1277)
  * Enable testifylint and fix up lint issues (#1276)
  * Refactor AppendError to check for build.NoGoError (#1273)
  * chore(deps): update module golang.org/x/net to v0.33.0 [security] (#1275)
  * Update README.md (#1274)
  * Rule documentation updates (#1272)
  * Replace old golang.org links with new go.dev (#1271)
  * Refactor AppendError to use strings.Contains (#1270)
  * Simplify Analyzer.ignore by reducing nesting (#1269)
  * Improve capitalization in AI API flags descriptions (#1267)
  * Remove unused golint dependency (#1266)
  * Simplify tests by using GinkgoT().TempDir() (#1265)
  * Documentation on adding new rules and analyzers (#1262)
  * chore(deps): update all dependencies (#1268)
  * Update to go 1.22.10 and 1.23.4 versions (#1264)
  * chore(deps): update module golang.org/x/crypto to v0.31.0 [security] (#1263)
  * chore(deps): update all dependencies (#1261)
  * chore(deps): update module github.com/onsi/gomega to v1.36.0 (#1259)
  * fix: revive.redefines-builtin-id lint warnings (#1257)
  * Fix typos in comments and fields
  * Remove the decryption funtions/methods from G407 check
  * Upate go to version 1.23.3 and 1.22.9
  * Fix G115 false positive when going from parsed uint to larger int
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * Update go version to 1.23.2 and 1.22.8
  * chore(deps): update module google.golang.org/api to v0.201.0
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * Fix the cosign step to authenticate with the container registry
  * chore(deps): update module google.golang.org/api to v0.199.0

Update to version 2.21.4:

  * Update the gosec to v2.21.4 in the Github action
  * Add the version into goreleaser config
  * chore(deps): update module google.golang.org/api to v0.198.0 (#1233)
  * Prevent panic: unexpected constant value: <nil> (#1232)
  * Fix running single analyzer which isn't a rule bug (#1231)

Update to version 2.21.3:

  * Update gosec version to v2.21.3 in github action (#1227)
  * Populate the fixes only when autofix is not empty (#1226)
  * chore(deps): update all dependencies (#1223)
  * G115 Struct Attribute Checks (#1221)

Update to version 2.21.2:

  * Update the github action to v2.21.2 (#1218)
  * Update the SARIF schema URL (#1217)
  * Update go version to 1.23.1 and 1.22.7 (#1216)
  * chore(deps): update all dependencies (#1215)
  * Update gosec version to v2.21.1 in github action (#1213)
  * Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210)
  * Update gosec in github action to v2.21.0 (#1208)
  * Update cosign version to v2.4.0 in release github workflow (#1207)
  * Improvement the int conversion overflow logic to handle bound checks (#1194)
  * fix: G602 support for nested conditionals with bounds check (#1201)
  * Update go.mod to sue go 1.22.0 toolchain
  * chore(deps): update all dependencies
  * Make variable name more clear
  * Make variable names more explicity and reduce duplications
  * Fix formatting
  * Refactor to reduce some fuctions and variable names
  * Pass the value argument directly since is an interface
  * Added suggested changes
  * Added another test case in order to increase code coverage
  * Removed function parameter which is always the same
  * Formatting problems(CI was not passing)
  * Updated analyzer to use new way of initialization
  * Migrated the rule to the analyzers folder
  * Refractored code a little bit
  * Added new rule G407(hardcoded IV/nonce)
  * Fix conversion overflow false positive when using ParseUint
  * Add a build step to measure the scan perfomance
  * Fix conversion overflow false positives when they are checked or pre-determined
  * Update go.mod
  * chore(deps): update all dependencies
  * Fix false positive in conversion overflow check from uint8/int8 type
  * Disable staticcheck SA1019 rule
  * Update the golangci linters
  * Add more test to cover more use cases for G115 rule
  * Allow excluding analyzers globally (#1180)
  * Update to Go 1.23.0 (#1183)
  * chore(deps): update all dependencies (#1182)
  * Read the AI API key also from an environment variable (#1181)
  * Add support to generate auto fixes using LLM (AI) (#1177)
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update dependency babel-standalone to v7.24.10
  * Resolve underlying type to detect overflows in type aliases
  * chore(deps): update dependency babel-standalone to v7.24.8
  * Fix multifile ignores
  * Add -enable-audit cli flag
  * Update to go 1.22.5 and 1.21.12
  * chore(deps): update all dependencies
  * Added more rules
  * Fixed coverage workflow
  * Fixed CI workflow
  * Minor changes
  * Split the G401 rule into two separate ones
  * Updated G401 corresponding CWE
  * chore(deps): update docker/build-push-action action to v6
  * Update to go versions to 1.21.11 and 1.22.4
  * chore(deps): update all dependencies
  * Fix nosec when applied to a block
  * Add more types to templates rule
  * Map the G115 rule to an CWE ID
  * chore(deps): update all dependencies
  * Update README with G115 rule description
  * Remove deprecated megacheck linter from golangci
  * Format imports
  * Update .gitignore
  * Add a new rule to detect integer overflow on integer types conversion
  * feat: add env var to override the Go version detection
  * Use the proper logic when disabling the go module version
  * Update the README with some details related to Go version used by the rules
  * Add an environment varialbe which disables the parsing of Go version from module file
  * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.3

Update to version 2.20.0:

  * Update docker image in action to v2.20.0
  * Catch os.ModePerm permissions in os.WriteFile
  * Add a unit test to detect the false negative in rule G306 for os.ModePerm permissions
  * Add filepath.EvalSymlinks to clean functions in rule G304
  * chore(deps): update all dependencies
  * Update Go to version 2.22.3 in CI and release
  * chore(deps): update module golang.org/x/text to v0.15.0
  * chore(deps): update all dependencies
  * chore(deps): update module github.com/onsi/gomega to v1.33.0
  * Update to go 1.22.2
  * chore(deps): update all dependencies
  * chore(deps): update module github.com/onsi/ginkgo/v2 to v2.17.1
  * chore(deps): update all dependencies
  * fix(helpers/goversion): get from go.mod
  * chore: fix function name
  * chore(deps): update all dependencies
  * Format the imports using the gci tool
  * Fixup: delete unused variable
  * Fix test: update test to comply with the spec of generated sources
  * Refactor: use standard function to check if a file is generated
  * Fix lint warnings
  * Add support for math/rand/v2 added in Go 1.22
  * Skip the G601 tests for Go version 1.22
  * Update go version to 1.22.1 and 1.21.8
  * Ignore 'implicit memory aliasing' rule for Go 1.22+
  * chore(deps): update all dependencies
  * chore(deps): update module golang.org/x/tools to v0.18.0
  * fix(hardcoded): remove duplicated `Stripe API Key`

Update to version 2.19.0:

  * Update gosec version to v2.19.0 in the Github action
  * Update CI to go version 1.22
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update dependency babel-standalone to v7.23.7
  * chore(deps): update module golang.org/x/crypto to v0.17.0 [security]
  * chore(deps): update all dependencies
  * chore(deps): update actions/setup-go action to v5
  * Fix lint warnings by properly formatting the files
  * chore: Refactor Sample Code to Separate Files
  * Update go version to 1.21.5 and 1.20.12 (#1084)
  * chore(deps): update all dependencies (#1080)
  * Ignore the issues from generated files when using the analysis framework (#1079)
  * Update README with upload-sarif v2 (#1078)
  * chore(deps): update dependency babel-standalone to v7.23.4

Update to 2.18.2:

  * Disable dot-imports in revive linter
  * Run the gosec with data race detector active during
    tests
  * Fix data race in the analyzer
  * Fix test that checks the overriden nosec directive
  * Clean global state in flgs tests
  * Format the file
  * Update README with details which describe the current
    of #nosec
  * Ensure the ignores are parsed before analysing the
    package

Update to version 2.18.2:

  * Added ppc64le support
  * chore(deps): update all dependencies
  * Ensure ignores are handled properly for multi-line issues
  * Update Go to version 1.21.4 and 1.20.11
  * chore(deps): update module golang.org/x/text to v0.14.0
  * chore(deps): update all dependencies
  * Remove the hardcoded GOOS value when building the Linux binary to enable support for container image for ARM
  * Avoid allocations with `(*regexp.Regexp).MatchString`
  * Fix some typos
  * Update local installation instructions by removing the details for Go 1.16

Update to version 2.18.1:

  * chore(deps): update all dependencies
  * Update gosec to version 2.18.1 in the action
  * Update cosign version to v2.2.0
  * Refactor how ignored issues are tracked
  * Restrict the maximum depth when tracking the slice bounds
  * Handle empty ssa results
  * Handle gracefully any panic that occurs when building the SSA representation of a package
  * Fix typo
  * Handle new function when getting the call info in case is overriden
  * Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1037)
  * Update to Go 1.21.3 and 1.20.10 (#1035)
  * Update the list of unsafe functions detected by the unsafe rule (#1033)

Update to version 2.18.0:

  * Update the action to use gosec version v2.18.0 (#1029)
  * Use a step ID in github release action to get the digest of the image (#1028)
  * Update to go version 1.21.2 and 1.20.9 (#1027)
  * chore(deps): update all dependencies (#1026)
  * Enable gochecknoinits; fix lint issues; use consts for some vars (#1022)
  * Fix typos in struct fields, comments, and docs (#1023)
  * chore(deps): update all dependencies
  * Fix lint warning
  * Add a new rule which detects when a file is created with os.Create but the configured permissions are less than 0666
  * Fix lint warnings
  * Update ginkgo to latest version
  * Redesign and reimplement the slice out of bounds check using SSA code representation
  * docs: add reMarkable to users list
  * chore(deps): update all dependencies
  * Drop support for go 1.19.x since go team doesn't ship anymore security fixes for it
  * Update to latest go version
  * chore(deps): update all dependencies (#1011)
  * Fix hardcoded_credentials rule to only match on more specific patterns (#1009)
  * chore(deps): update all dependencies (#1008)
  * Exclude maps from slince bounce check rule (#1006)
  * Ignore struct pointers in G601 (#1003)
  * Update gosec image version to 2.17.0 in the Github action (#1002)
References

No references
Packages

gosec-2.22.4-bp156.2.3.2