From 87ea9ef71de188ec08d861698cbfb7e7bca8a168 Mon Sep 17 00:00:00 2001
From: Oleksandr Redko
Date: Sun, 15 Dec 2024 19:22:40 +0200
Subject: [PATCH] gosec: handling of global nosec option when it is false (#5228)
---
 pkg/golinters/gosec/gosec.go | 10 +++++++++-
 pkg/golinters/gosec/gosec_test.go | 16 ++++++++++++++++
 pkg/golinters/gosec/testdata/gosec_nosec.go | 14 ++++++++++++++
 pkg/golinters/gosec/testdata/gosec_nosec.yml | 5 +++++
 4 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 pkg/golinters/gosec/testdata/gosec_nosec.go
 create mode 100644 pkg/golinters/gosec/testdata/gosec_nosec.yml
diff --git a/pkg/golinters/gosec/gosec.go b/pkg/golinters/gosec/gosec.go
index a5367399b8fb..6b46beaccfe4 100644
--- a/pkg/golinters/gosec/gosec.go
+++ b/pkg/golinters/gosec/gosec.go
@@ -184,7 +184,15 @@ func convertGosecGlobals(globalOptionFromConfig any, conf gosec.Config) {
 }
 for k, v := range globalOptionMap {
- conf.SetGlobal(gosec.GlobalOption(k), fmt.Sprintf("%v", v))
+ option := gosec.GlobalOption(k)
+
+ // Set nosec global option only if the value is true
+ // https://github.com/securego/gosec/blob/v2.21.4/analyzer.go#L572
+ if option == gosec.Nosec && v == false {
+ continue
+ }
+
+ conf.SetGlobal(option, fmt.Sprintf("%v", v))
 }
 }
diff --git a/pkg/golinters/gosec/gosec_test.go b/pkg/golinters/gosec/gosec_test.go
index 5535339a7c0b..c7e31f2782e4 100644
--- a/pkg/golinters/gosec/gosec_test.go
+++ b/pkg/golinters/gosec/gosec_test.go
@@ -39,6 +39,22 @@ func Test_toGosecConfig(t *testing.T) {
 },
 },
 },
+ {
+ desc: "with global settings nosec enabled",
+ settings: &config.GoSecSettings{
+ Config: map[string]any{
+ gosec.Globals: map[string]any{
+ string(gosec.Nosec): false,
+ string(gosec.Audit): "true",
+ },
+ },
+ },
+ expected: gosec.Config{
+ "global": map[gosec.GlobalOption]string{
+ "audit": "true",
+ },
+ },
+ },
 {
 desc: "rule specified setting",
 settings: &config.GoSecSettings{
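Review bot: In pkg/golinters/gosec/gosec.go, the new guard `v == false` in convertGosecGlobals matches only a Go bool, because `v` is an `any`. A value that arrives as the string `"false"` is still forwarded to `conf.SetGlobal`, which is the case this commit sets out to avoid; the test table in this same patch passes `"true"` as a string for audit, so string values do reach this loop. Comparing the formatted value covers both forms: `value := fmt.Sprintf("%v", v)`, then `if option == gosec.Nosec && value == "false" { continue }` and `conf.SetGlobal(option, value)`. The comment above the guard would then read better as "skip nosec when it is false", since that is what the code does. Because this option governs how `#nosec` suppressions are treated, a value slipping through presumably changes which findings are reported without any visible error; the start of the function lies outside the hunk.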
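Review bot: In pkg/golinters/gosec/gosec_test.go, the new case is described as `"with global settings nosec enabled"`, but it sets `string(gosec.Nosec): false` and expects the key to be absent from the result. A description such as `desc: "with global nosec set to false"` would match what is asserted. The table shown here also has no companion case for `nosec: true`, which should keep the key in the expected config, nor one for the string `"false"`; both would pin the boundary of the new guard. Test_toGosecConfig begins and ends outside the hunk, so such cases may already exist elsewhere in the table.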
diff --git a/pkg/golinters/gosec/testdata/gosec_nosec.go b/pkg/golinters/gosec/testdata/gosec_nosec.go
new file mode 100644
index 000000000000..f1eb3d3478cd
--- /dev/null
+++ b/pkg/golinters/gosec/testdata/gosec_nosec.go
@@ -0,0 +1,14 @@
+//golangcitest:args -Egosec
+//golangcitest:config_path testdata/gosec_nosec.yml
+package testdata
+
+import (
+ "crypto/md5" // want "G501: Blocklisted import crypto/md5: weak cryptographic primitive"
+ "log"
+)
+
+func Gosec() {
+ // #nosec G401
+ h := md5.New()
+ log.Print(h)
+}
diff --git a/pkg/golinters/gosec/testdata/gosec_nosec.yml b/pkg/golinters/gosec/testdata/gosec_nosec.yml
new file mode 100644
index 000000000000..2c4c81fa66ec
--- /dev/null
+++ b/pkg/golinters/gosec/testdata/gosec_nosec.yml
@@ -0,0 +1,5 @@
+linters-settings:
+ gosec:
+ config:
+ global:
+ nosec: false
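Review bot: In pkg/golinters/gosec/testdata/gosec_nosec.go, the fixture proves the `// #nosec G401` suppression only by the absence of a diagnostic on `h := md5.New()`. The `want` on the import shows gosec ran, but nothing shows that G401 would have fired on that call without the annotation. A second, unannotated `md5.New()` call in `Gosec()` carrying a `// want "G401: ..."` expectation (message text to be taken from gosec's output) would make the test fail if the rule were silenced for an unrelated reason. A short comment above the annotated call, such as `// suppressed: nosec: false must keep the default #nosec tag working`, would also tell the next reader why no `want` appears there.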