Closed
Description
Welcome
- Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've read the typecheck section of the FAQ (https://golangci-lint.run/usage/faq/#why-do-you-have-typecheck-errors).
- Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.). (https://golangci-lint.run/usage/linters/)
Description of the problem
The latest release v1.54.2 of golangci-lint includes an updated version of gosec v2.17.0 with changes which introduced a number of false positives.
The changes in question were introduced in the following PRs:
- Feature: G101 match variable values and names securego/gosec#971
- This seems not properly tested because there's already an issue with multiple people complaining about false positives.
- Ignore struct pointers in G601 securego/gosec#1003
- Another overlooked behavior resulting in false positive as reported in Rule G601 does not recognize a pointer to a struct field securego/gosec#966 (comment)
Since this is a very popular linter trusted by many, a release should be made reverting the linter to a stable version until the above issues are addressed.
Version of golangci-lint
$ golangci-lint --version
golangci-lint has version 1.54.2 built with go1.21.0 from 411e0bb on 2023-08-21T11:04:00Z
Configuration
default-config
Go environment
$ go version
go version go1.21.0 darwin/arm64
Verbose output of running
$ golangci-lint cache clean
$ golangci-lint run -v
...G101: Potential hardcoded credentials (gosec)
SQSQueueURL = "workertest-sqs-queue-url"
A minimal reproducible example or link to a public repository
// add your code here
Validation
- Yes, I've included all information above (version, config, etc.).