#nosec G115 doesn't work in particular cases if it's preceded by an open bracket { #1240

Open
@paul-at-cybr

Description

Summary

In specific cases of int conversion, // #nosec G115 fails to disable the warning if there's an open bracket between the comment and the issue it's addressing.

Steps to reproduce the behavior

package main

import "fmt"

func main() {
	ten := 10
	uintTen := uint(10)
	configVal := uint(ten) // #nosec G115 -- this works
	inputSlice := []int{1, 2, 3, 4, 5}

	if len(inputSlice) <= int(uintTen) { // #nosec G115 -- this works
		fmt.Println("hello world!")
	}

	if len(inputSlice) <= int(configVal) { // #nosec G115 -- this fails
		fmt.Println("hello world!")
	}

	if len(inputSlice) <= int(configVal) /* #nosec G115 -- this works, but is horrible */ {
		fmt.Println("hello world!")
	}

	// #nosec G115 - This also works, although the documentation implies it shouldn't
	if len(inputSlice) <= int(configVal) {
		fmt.Println("hello world!")
	}
}

gosec version

Version: 2.21.4
Git tag: v2.21.4
Build date: 2024-09-26T11:55:22Z

Go version (output of 'go version')

go version go1.23.2 linux/amd64

Operating system / Environment

Any

Expected behavior

A nosec comment that always works

Actual behavior

A nosec comment that sometimes doesn't work
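As an added illustration (not code from the issue or from the gosec project), the snippet below shows what G115 is guarding against and the range-checked conversion that makes a `#nosec` suppression unnecessary in the reporter's `len(inputSlice) <= int(configVal)` pattern. The helper names `naiveUintToInt`, `uintToInt` and `withinLimit` are hypothetical, chosen for this example only.

```go
package main

import (
	"fmt"
	"math"
)

// naiveUintToInt is the unchecked form that G115 flags: a uint whose top bit
// is set silently becomes a negative int, so a "limit" can turn into -1.
func naiveUintToInt(v uint) int {
	return int(v)
}

// uintToInt converts a uint to int, reporting false instead of wrapping when
// the value does not fit. Reviewing this is easier than reviewing a #nosec.
func uintToInt(v uint) (int, bool) {
	if v > uint(math.MaxInt) {
		return 0, false
	}
	return int(v), true
}

// withinLimit reports whether a slice length n is at most limit. If limit
// does not fit in an int, it exceeds any possible Go slice length, so the
// comparison trivially holds.
func withinLimit(n int, limit uint) bool {
	l, ok := uintToInt(limit)
	if !ok {
		return true
	}
	return n <= l
}

func main() {
	// Constructed sample values mirroring the issue's reproduction.
	inputSlice := []int{1, 2, 3, 4, 5}
	configVal := uint(10)

	fmt.Println("naive conversion of math.MaxUint:", naiveUintToInt(math.MaxUint))
	fmt.Println("len <= configVal:", withinLimit(len(inputSlice), configVal))
	fmt.Println("len <= math.MaxUint:", withinLimit(len(inputSlice), math.MaxUint))
}
```

Run with `go run .`; the first line prints -1, which is the wrap the rule exists to catch, while the two checked comparisons give the intended true results without any linter suppression.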
