Update Info

openSUSE-2026-167


Security update for gosec


Type: security
Severity: moderate
Issued: 2026-05-16
Description:
This update for gosec fixes the following issues:

- Update to version 2.26.1:
  * Update cosign to v3.0.6 (#1659)
  * Sync taint rule docs and add missing CWE mappings for G113/G307 (#1658)
  * Update all dependencies (#1657)
  * Add G710 rule for open redirect via taint analysis (#1654)
  * Fix formatting
  * Update the default models used by autofix and phase out the older models
  * Format and clean-up the README
  * Add HTTP file-serving function to the sinks of pathtraversal analyzer (#1647)
  * Skip flagging the TLS min version for go 1.18+ (#1646)
  * chore(deps): bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 (#1645)
  * Added filepath.Abs as a sanitizer (#1643)
  * Allow rune to byte conversion (#1642)
  * Allow platform specific conversions (#1641)
  * chore(deps): update all dependencies (#1639)
  * chore(deps): update all dependencies (#1634)
  * chore(go): update supported Go versions to 1.25.9 and 1.26.2 (#1633)
  * Fix: Bump go-version: 1.25.8 to 1.25.9 in ci (#1632)
  * fix(taint): gate *http.Request auto-taint on entry-point detection (#1630)
  * chore(deps): update all dependencies (#1631)
  * Added a visited cycle-detection guard in the *ssa.Phi case (#1626)
  * chore(deps): update all dependencies (#1625)
  * fix(G706): scope slog sinks to msg arg only to prevent false positives on structured attributes (#1623)
  * Gate the AI security review by the security-review environment (#1621)
  * Fix anthropic autofix after dependencies update (#1620)
  * chore(deps): update all dependencies (#1619)
  * chore(action): bump gosec to 2.25.0 (#1618)

- Update to version 2.25.0:
  * chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
  * fix: allow barry action to access secrets on fork PRs (#1616)
  * fix: reduce G117 false positives for custom marshalers and transformed values (#1614) (#1615)
  * Add barry security scanner as a step in the CI (#1612)
  * chore(deps): update all dependencies (#1611)
  * fix: prevent taint analysis hang on packages with many CHA call graph edges (#1608) (#1610)
  * Add some skills for claude code to automate some tasks (#1609)
  * Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
  * fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
  * Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)
  * fix(G118): eliminate false positive for package-level cancel variables (#1602)
  * feat: add G124 rule for insecure HTTP cookie configuration (#1599)
  * feat: add G709 rule for unsafe deserialization of untrusted data (#1598)
  * feat: add G708 rule for server-side template injection via text/template (#1597)
  * fix(G118): eliminate false positive when cancel is called via struct field in a closure (#1596)
  * Fix infinite recursion in interprocedural taint analysis (#1594)
  * Fix G118 false positive when cancel is stored in returned struct field (#1593)
  * Fix G118 false positive on cancel called inside goroutine closure (#1592)
  * fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#1589)
  * chore(deps): update all dependencies (#1588)
  * fix(G118): treat returned cancel func as called (fixes #1584) (#1585)
  * chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#1583)
  * Update the README with the correct version of the Github action for gosec (#1582)
  * chore(deps): update all dependencies (#1579)
  * Fix G115 false positives for guarded int64-to-byte conversions (#1578)
  * Update the container image migration notice (#1576)
  * chore(action): bump gosec to 2.24.7 (#1575)

- Update to version 2.24.7:
  * Ignore nosec comments in action integration workflow to generate some warnings (#1573)
  * Add a workflow for action integration test (#1571)
  * fix(sarif): avoid invalid null relationships in SARIF output (#1569)
  * chore: migrate gosec container image references to GHCR (#1567)
  * Update gorelease to use the latest cosign bundle argument (#1565)
  * Migrate goreleaser to use the proper cosign arguments (#1564)
  * Update the cosign to version v3.0.5 (#1563)
  * fix(release): use existing cosign-installer action version (#1562)
  * chore(prompts): add skill and prompt to update supported Go versions (#1561)
  * chore(prompts): add action version update skill and prompt (#1560)
  * fix(analyzers): avoid SSA dependency cycle blowups in issue #1555 paths (#1559)
  * Add a SKILL and PROMPT for fixing a GitHub issue (#1558)
  * Add a SKILL and PROMPT for generating rules with AI (#1557)
  * fix(G120): prevent hang-like analysis blowup in wrapper protection checks (#1556)
  * fix(G705): eliminate false positive when guard type cannot be resolved (#1554)
  * Remove gcmurphy from funding list
  * Extend the release workflow to push the container images also to GHCR
  * Update gosec to v2.24.0 in the action and fix the docker image signing (#1552)

- Update to version 2.24.0:
  * fix: G704 false positive on const URL (#1551)
  * fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)
  * G120: avoid false positive when MaxBytesReader is applied in middleware (#1547)
  * Fix G602 regression coverage for issue #1545 and stabilize G117 TOML test dependency (#1546)
  * taint: skip `context.Context` arguments during taint propagation to fix false positives (#1543)
  * test: add missing rules to formatter report tests (#1540)
  * chore(deps): update all dependencies (#1541)
  * Regenerate the TLS config rule (#1539)
  * Improve documentation (#1538)
  * Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#1537)
  * Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#1536)
  * Add G707 taint analyzer for SMTP command/header injection (#1535)
  * Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#1534)
  * Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#1532)
  * fix(G602): avoid false positives for range-over-array indexing (#1531)
  * Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#1530)
  * fix: taint analysis false positives with G703,G705 (#1522)
  * Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#1529)
  * Fix the G117 rule to take the JSON serialization into account (#1528)
  * (docs) fix justification format (#1524)
  * Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521)
  * Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#1520)
  * Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#1519)
  * Fix G115 false positives and negatives (Issue #1501) (#1518)
  * chore(deps): update all dependencies (#1517)
  * Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516)
  * Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#1515)
  * Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)
  * Add more unit tests to improve coverage (#1512)
  * Improve test coverage in various areas (#1511)
  * Improve the test coverage (#1510)
  * Fix incorrect detection of fixed iv in G407 (#1509)
  * Add support for go 1.26.x and removed support for go 1.24.x (#1508)
  * Fix the sonar report to follow the latest schema (#1507)
  * fix: broken taint analysis causing false positives (#1506)
  * fix: panic on float constants in overflow analyzer (#1505)
  * fix: panic when scanning multi-module repos from root (#1504)
  * fix: G602 false positive for array element access (#1499)
  * Update gosec to version v2.23.0 in the Github action (#1496)

- Update to version 2.23.0:
  * feat: Support for adding taint analysis engine (#1486)
  * chore(deps): update all dependencies (#1494)
  * chore(deps): update all dependencies (#1488)
  * Fix G602 analyzer panic that kills gosec process (#1491)
  * update go version to 1.25.7 (#1492)
  * Fix URL regexp and remove redundant Google regex patterns (#1485)
  * feat: implement global cache usage in rules (#1480)
  * chore(deps): update module google.golang.org/genai to v1.43.0 (#1484)
  * refactor: optimize nosec parsing and reduce allocations (#1478)
  * Fix SARIF artifactChanges null validation error (#1483)
  * feat: optimize GetCallInfo with per-package sync.Pool caching (#1481)
  * feat: implement entropy pre-filtering to optimize secret detection (#1479)
  * feat: ensure GoVersion is cached using sync.Once (#1477)
  * Fix #1240: nosec comments now work with trailing open brackets (#1475)
  * Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#1476)
  * Update the go version to 1.25.6 and 1.24.12 (#1474)
  * G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#1470)
  * chore(deps): update all dependencies (#1473)
  * feat: support path-based rule exclusions via exclude-rules (#1465)
  * Optimize analyzer with parallel package processing (#1466)
  * feat: add goanalysis package for nogo (#1449)
  * Refactor Analyzers: Unify Range Logic & Optimize Allocations (#1464)
  * Optimize G115, G602, G407 analyzers to reduce allocations and memory (#1463)
  * refactor(g115): improve coverage (#1462)
  * Refine G407 to improve detection and coverage of hardcoded nonces (#1460)
  * chore(deps): update all dependencies (#1461)
  * Refactor rules to use callListRule base structure (#1458)
  * feat(slice): enhance slice bounds analysis with dynamic bounds handling (#1457)
  * remove deprecated ast.Object (#1455)
  * feat(sql): enhance SQL injection detection with improved string concatenation checks (#1454)
  * feat(rules): enhance subprocess variable checks (#1453)
  * feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#1452)
  * feat: add secrets serialization G117 (#1451)
  * feat(rules): add support for detecting high entropy strings in composite literals (#1447)
  * whitelist crypto/rand Read from error checks (#1446)
  * chore(deps): update all dependencies (#1443)
  * Improve slice bound check (#1442)
  * docs: add documentation for using gosec with private modules (#1441)
  * chore(deps): update all dependencies (#1440)
  * docs: add G116 rule description to README (#1439)
  * Update GitHub action to gosec 2.22.11 (#1438)

- Update to version 2.22.11:
  * feature: add rule for trojan source (#1431)
  * feat(ai): add OpenAI and custom API provider support (#1424)
  * chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#1437)
  * chore(deps): update module google.golang.org/genai to v1.37.0 (#1435)
  * refactor: simplify report functions in main.go (#1434)
  * Update go to 1.25.5 and 1.24.11 in CI (#1433)
  * chore(deps): update all dependencies (#1425)
  * feat(ai): add support for latest Claude models and update provider flags (#1423)
  * Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1427)
  * chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#1428)
  * fix: correct schema with temporary placeholder (#1418)
  * perf: skip SSA analysis if no analyzers are loaded (#1419)
  * test: add sarif validation (#1417)
  * chore(deps): update all dependencies (#1421)
  * Update go to version 1.25.4 and 1.24.10 in CI (#1415)
  * fix: build tag parsing. (#1413)
  * chore(deps): update all dependencies (#1411)
  * chore(deps): update all dependencies (#1409)
  * chore(deps): update all dependencies (#1408)
  * Update gosec to version v2.22.10 in the github action (#1405)

- Update to version 2.22.10:
  * Update go to version 1.25.3 and 1.24.9 in CI (#1404)
  * chore(deps): update all dependencies (#1402)
  * Update go to version 1.25.2 and 2.24.8 in CI (#1401)
  * chore(deps): update all dependencies (#1399)
  * check nil slices, partially check bounds (#1396)
  * Remove unused target from the makefile
  * Use the ginkgo command installed by the dependencies
  * Keep the go module at 1.24 version for compatibility reasons
  * Remove manual test deps
  * fix: text must be supplied when markdown is used
  * fix: improve error message of CheckAnalyzers
  * fix: log panic on SSA
  * chore(deps): update all dependencies
  * Update gosec to version v.22.9 in the github action

- Update to version 2.22.9:
  * Update cosign to v2.6.0 and go in the CI to latest version
  * fix(autofix): unnecessary conversion
  * feat(autofix): update gemini sdk and add anthropic claude
  * feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
  * chore(deps): update all dependencies
  * refactor(G304): remove unused trackJoin helper; no functional change
  * style: gofmt rules/readfile.go
  * test(g304): add samples for var perm and var flag with cleaned path
    - Ensure G304 does not fire when only non-path args (flag/perm) are variables
    - Both samples use filepath.Clean on the path arg
    - Rules suite remains green (42 passed)
  * rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic
    - Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables
    - Track filepath.Clean so cleaned identifiers are treated as safe
    - Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)
    - Record Join(...) assigned to identifiers and allow if later cleaned
    - Fix panic by passing non-nil context in trackJoinAssignStmt
    - All rules tests: 42 passed
  * rules(G202): detect SQL concat in ValueSpec declarations; add test sample
    - Handle var query string = 'SELECT ...' + user style declarations
    - Reuse existing binary expr detection on ValueSpec.Values
    - Add postgres sample mirroring issue #1309 report
    - Rules tests: 42 passed
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * Update gosec version to v2.22.8 in the Github action

- Update to version 2.22.8:
  * Add support for go version 1.25.0
  * Update go version in CI to 1.24.6 and 1.23.12
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * Update github action to release v2.22.7

- Update to version 2.22.7:
  * Fix crash in hardcoded_nonce analyzer
  * Update go action to use release v2.22.6
  * Update go version to 1.24.5 and 1.23.11 in the CI
  * chore(deps): update module google.golang.org/api to v0.242.0
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * chore(deps): update all dependencies
  * Do not allow dashes in file names
  * Update gosec to version 2.22.5 in Github action

- Update to version 2.22.5:
  * Switch back go.mod to minimum 1.23.0
  * Update dependencies
  * Update go version 1.24.4 and 1.23.10 in CI
  * chore(deps): update all dependencies
  * G201/G202: add checks for injection into sql.Conn methods
  * chore(deps): update module google.golang.org/api to v0.235.0
  * chore(deps): update module google.golang.org/api to v0.234.0
  * chore(deps): update module google.golang.org/api to v0.233.0
  * chore(deps): update module google.golang.org/api to v0.232.0

- Switch vendor from gz to xz for consistency

- Switch from version to revision in _service

References


Packages


  • gosec-2.26.1-bp157.2.6.1