diff --git a/.golangci.example.yml b/.golangci.example.yml
index d8cd938dbcde0..b1a3b11de561e 100644
--- a/.golangci.example.yml
+++ b/.golangci.example.yml
@@ -369,6 +369,10 @@ linters-settings:
     # Available rules: https://github.com/securego/gosec#available-rules
     excludes:
       - G204
+    # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
+    serveity: "high"
+    # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
+    confidence: "medium"
     # To specify the configuration of rules.
     # The configuration of rules is not fully documented by gosec:
     # https://github.com/securego/gosec#configuration
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index c32f2570706ac..e84954d3b1c74 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -294,9 +294,11 @@ type GoModGuardSettings struct {
 }
 
 type GoSecSettings struct {
-	Includes []string
-	Excludes []string
-	Config   map[string]interface{} `mapstructure:"config"`
+	Includes   []string
+	Excludes   []string
+	Severity   string
+	Confidence string
+	Config     map[string]interface{} `mapstructure:"config"`
 }
 
 type GovetSettings struct {
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
index 328ba5ccc7c57..d61251b540cd6 100644
--- a/pkg/golinters/gosec.go
+++ b/pkg/golinters/gosec.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/pkg/errors"
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/rules"
 	"golang.org/x/tools/go/analysis"
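Review bot: The new key is spelled `serveity` on the added `serveity: "high"` line, while the Go field it is meant to populate is `Severity` in GoSecSettings, so this key is never bound to the field and a user copying the example gets no severity filtering at all. The same misspelling appears in the test/testdata/configs/gosec.yml hunk, which therefore exercises the default low threshold rather than the configured one, so the test data does not actually cover the new option. The line should read `severity: "high"` here and `severity: "low"` in the test config. It may also be worth giving the two new fields in the linters_settings.go hunk explicit `mapstructure:"severity"` and `mapstructure:"confidence"` tags, as Config already has, so the expected key spelling is visible in the code.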
@@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 			if len(issues) == 0 {
 				return nil, nil
 			}
+			severity, err := convertToScore(settings.Severity)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided severity %s, use low instead. Valid options: low, medium, high", err)
+			}
+			confidence, err := convertToScore(settings.Confidence)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided string %s, use low instead. Valid options: low, medium, high", err)
+			}
+			issues = filterIssues(issues, severity, confidence)
 			res := make([]goanalysis.Issue, 0, len(issues))
 			for _, i := range issues {
 				text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
@@ -126,3 +136,27 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 
 	return filters
 }
+
+func convertToScore(str string) (gosec.Score, error) {
+	str = strings.ToLower(str)
+	switch str {
+	case "", "low":
+		return gosec.Low, nil
+	case "medium":
+		return gosec.Medium, nil
+	case "high":
+		return gosec.High, nil
+	default:
+		return gosec.Low, errors.Errorf("'%s' not valid", str)
+	}
+}
+
+func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
+	res := make([]*gosec.Issue, 0)
+	for _, issue := range issues {
+		if issue.Severity >= severity && issue.Confidence >= confidence {
+			res = append(res, issue)
+		}
+	}
+	return res
+}
diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
index 41ea1cea5a512..a634559bbc2c4 100644
--- a/test/testdata/configs/gosec.yml
+++ b/test/testdata/configs/gosec.yml
@@ -3,6 +3,8 @@ linters-settings:
     includes:
       - G306
       - G101
+    serveity: "low"
+    confidence: "low"
     config:
       G306: "0666"
       G101:
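Review bot: The two warnings added after the `len(issues) == 0` check are inconsistent and read awkwardly: the second says `Provided string %s` where it means the confidence setting, and both feed the whole error into `%s`, so the output becomes something like "Provided severity 'x' not valid, use low instead". Clearer would be `lintCtx.Log.Warnf("Provided severity %q is not valid, using low instead. Valid options: low, medium, high", settings.Severity)` and the matching line with `settings.Confidence` for confidence, since convertToScore already returns low on error. This code also appears to sit inside the per-package run callback (the enclosing function starts and ends outside the hunk), so the settings would be re-parsed and the warning repeated for every package analysed; converting once where lintCtx first becomes available would log a bad value a single time.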
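Review bot: convertToScore and filterIssues are added without doc comments, and convertToScore reaches for `errors.Errorf("'%s' not valid", str)` from the newly imported github.com/pkg/errors where `fmt.Errorf("%q not valid", str)` from fmt, which this file already uses, would produce the same message without the extra import. Suggested comments: `// convertToScore maps a case-insensitive severity/confidence name to a gosec.Score; empty means low, and an unknown value yields low together with an error.` and `// filterIssues keeps only the issues whose severity and confidence are at least the given thresholds.` In filterIssues, `res := make([]*gosec.Issue, 0, len(issues))` would pre-size the result, since it can never hold more than the input.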