build(deps): bump github.com/securego/gosec/v2 from 2.21.0 to 2.21.1 #4982
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [github.com/securego/gosec/v2](https://github.com/securego/gosec) from 2.21.0 to 2.21.1. - [Release notes](https://github.com/securego/gosec/releases) - [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml) - [Commits](securego/gosec@v2.21.0...v2.21.1) --- updated-dependencies: - dependency-name: github.com/securego/gosec/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
ldez
deleted the
dependabot/go_modules/github.com/securego/gosec/v2-2.21.1
branch
|
For anyone interested, gosec rules G115 has been improved, but there are still some false-positive to be fixed |
|
It turns out it's a pretty complex problem that I totally didn't anticipate. I spent 2 weeks on at least resolving the most glaring issues with the original implementation that simply flagged any conversion from a larger int to a smaller one. |
|
Now G115 has been spread with its false positives, we cannot provide a solution inside golangci-lint. Users have either disabled G115 or ignored some of the reports, so bad things are done 😢. So now, we will just wait for the next release of gosec, but I think this rule will always have false positives. |
|
@czechbol and thanks for doing it, this rule addition was promising, but indeed the consequences were unexpected. So thanks again. |
Bumps github.com/securego/gosec/v2 from 2.21.0 to 2.21.1.
Release notes
Sourced from github.com/securego/gosec/v2's releases.
Commits
0ce4453Rollback the SARIF version to 2.1 since github doesn't support 2.2 (#1210)ea26e84Update gosec in github action to v2.21.0 (#1208)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)