Releases: securego/gosec
v2.24.7
Changelog
- bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#1573)
- e1502ad Add a workflow for action integration test (#1571)
- f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#1569)
- ade1d0e chore: migrate gosec container image references to GHCR (#1567)
v2.24.6
v2.24.0
Changelog
- 271492b fix: G704 false positive on const URL (#1551)
- 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#1550)
- f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#1547)
- 5b580c7 Fix G602 regression coverage for issue #1545 and stabilize G117 TOML test dependency (#1546)
- eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#1543)
- a6381c1 test: add missing rules to formatter report tests (#1540)
- fea9725 chore(deps): update all dependencies (#1541)
- f3e2fac Regenerate the TLS config rule (#1539)
- 200461f Improve documentation (#1538)
- 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#1537)
- ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#1536)
- c13a486 Add G707 taint analyzer for SMTP command/header injection (#1535)
- f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#1534)
- b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#1532)
- 1735e5a fix(G602): avoid false positives for range-over-array indexing (#1531)
- caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#1530)
- bd11fbe fix: taint analysis false positives with G703,G705 (#1522)
- e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#1529)
- b940702 Fix the G117 rule to take the JSON serialization into account (#1528)
- 4f84627 (docs) fix justification format (#1524)
- 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#1521)
- 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#1520)
- 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#1519)
- 14fdd9c Fix G115 false positives and negatives (Issue #1501) (#1518)
- cec54ec chore(deps): update all dependencies (#1517)
- 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516)
- a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#1515)
- 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#1513)
- 4f1f362 Add more unit tests to improve coverage (#1512)
- 9344582 Improve test coverage in various areas (#1511)
- 8d1b2c6 Improve the test coverage (#1510)
- 993c1c4 Fix incorrect detection of fixed iv in G407 (#1509)
- 8668b74 Add support for go 1.26.x and remove support for go 1.24.x (#1508)
- 514225c Fix the sonar report to follow the latest schema (#1507)
- 000384e fix: broken taint analysis causing false positives (#1506)
- 616192c fix: panic on float constants in overflow analyzer (#1505)
- 79956a3 fix: panic when scanning multi-module repos from root (#1504)
- 5736e8b fix: G602 false positive for array element access (#1499)
- 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#1496)
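The G117 entries above (the original secrets-serialization rule, the JSON follow-up, and the yaml/xml/toml extension) describe the bug class without showing it. The following is an added example, not gosec's own code or test data: a struct whose plain string field leaks through json.Marshal and xml.Marshal, beside a hardened form that swaps the field type for a `Secret` string implementing encoding.TextMarshaler and fmt.Stringer. The `Secret`, `Creds` and `Reveal` names, and the "alice"/"hunter2" inputs, are constructed for the example. Only the standard-library encoders are covered; the yaml and toml libraries the rule also tracks have their own marshaler interfaces.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
)

// LeakyCreds is the shape G117 is meant to catch: a plain string field
// holding a secret flows straight into json.Marshal/xml.Marshal and ends
// up in a log line or a response body.
type LeakyCreds struct {
	User     string
	Password string
}

// Secret (assumed helper type) is a string whose serialized and printed
// form is always redacted. MarshalText is honored by encoding/json and
// encoding/xml; String covers fmt verbs. Code that really needs the value
// has to ask for it explicitly via Reveal, which is easy to grep for.
type Secret string

const redacted = "[REDACTED]"

func (Secret) MarshalText() ([]byte, error) { return []byte(redacted), nil }
func (Secret) String() string               { return redacted }
func (s Secret) Reveal() string             { return string(s) }

// Creds is the hardened form. Changing the field type, rather than adding
// a per-encoder struct tag such as `json:"-"`, protects every encoder that
// respects TextMarshaler, so a new serialization path does not reopen the leak.
type Creds struct {
	User     string
	Password Secret
}

// EncodeLeaky returns the JSON and XML encodings of the vulnerable struct.
func EncodeLeaky(user, password string) (jsonOut, xmlOut string) {
	c := LeakyCreds{User: user, Password: password}
	j, _ := json.Marshal(c)
	x, _ := xml.Marshal(c)
	return string(j), string(x)
}

// EncodeSafe returns the JSON, XML and fmt renderings of the hardened struct.
func EncodeSafe(user, password string) (jsonOut, xmlOut, fmtOut string) {
	c := Creds{User: user, Password: Secret(password)}
	j, _ := json.Marshal(c)
	x, _ := xml.Marshal(c)
	return string(j), string(x), fmt.Sprintf("%+v", c)
}

func main() {
	// Constructed sample input; any real credential would leak the same way.
	lj, lx := EncodeLeaky("alice", "hunter2")
	fmt.Println("leaky:", lj, lx)
	sj, sx, sf := EncodeSafe("alice", "hunter2")
	fmt.Println("safe: ", sj, sx, sf)
}
```

Note that `Reveal` is the single place the raw value crosses back into a plain string; keeping that call site rare is what makes the pattern reviewable.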
v2.23.0
Changelog
- 398ad54 feat: Support for adding taint analysis engine (#1486)
- 6eacd5c chore(deps): update all dependencies (#1494)
- 181a7cb chore(deps): update all dependencies (#1494)
- e2fa6ab chore(deps): update all dependencies (#1488)
- eb252ba Fix G602 analyzer panic that kills gosec process (#1491)
- 20d71a0 update go version to 1.25.7 (#1492)
- a631af8 Fix URL regexp and remove redundant Google regex patterns (#1485)
- 8968502 feat: implement global cache usage in rules (#1480)
- 04f729c chore(deps): update module google.golang.org/genai to v1.43.0 (#1484)
- ade0e8f refactor: optimize nosec parsing and reduce allocations (#1478)
- d24bbf7 Fix SARIF artifactChanges null validation error (#1483)
- 15cba7f feat: optimize GetCallInfo with per-package sync.Pool caching (#1481)
- 5288673 feat: implement entropy pre-filtering to optimize secret detection (#1479)
- d9a9bcd feat: ensure GoVersion is cached using sync.Once (#1477)
- 516260a Fix #1240: nosec comments now work with trailing open brackets (#1475)
- be0fd6d Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#1476)
- b579523 Update the go version to 1.25.6 and 1.24.12 (#1474)
- bd3c738 G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#1470)
- 6897b36 chore(deps): update all dependencies (#1473)
- 9f20212 feat: support path-based rule exclusions via exclude-rules (#1465)
- 726d847 Optimize analyzer with parallel package processing (#1466)
- 3150b28 feat: add goanalysis package for nogo (#1449)
- 7284e15 Refactor Analyzers: Unify Range Logic & Optimize Allocations (#1464)
- 7a4ccef Optimize G115, G602, G407 analyzers to reduce allocations and memory (#1463)
- 833d791 refactor(g115): improve coverage (#1462)
- 0cc9e01 Refine G407 to improve detection and coverage of hardcoded nonces (#1460)
- 303f84d chore(deps): update all dependencies (#1461)
- 7387d22 Refactor rules to use callListRule base structure (#1458)
- 52f5dbf feat(slice): enhance slice bounds analysis with dynamic bounds handling (#1457)
- 649e2c8 remove deprecated ast.Object (#1455)
- 35a92b4 feat(sql): enhance SQL injection detection with improved string concatenation checks (#1454)
- bc9d2bc feat(rules): enhance subprocess variable checks (#1453)
- 8a5404e feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#1452)
- 0f6f21c feat: add secrets serialization G117 (#1451)
- 717706e feat(rules): add support for detecting high entropy strings in composite literals (#1447)
- 082deb6 whitelist crypto/rand Read from error checks (#1446)
- 095d529 chore(deps): update all dependencies (#1443)
- c073629 Improve slice bound check (#1442)
- 538a05c docs: add documentation for using gosec with private modules (#1441)
- 2580437 chore(deps): update all dependencies (#1440)
- 872b331 docs: add G116 rule description to README (#1439)
- dcf93a8 Update GitHub action to gosec 2.22.11 (#1438)
v2.22.11
Changelog
- 424fc4c feature: add rule for trojan source (#1431)
- aa2e2fb feat(ai): add OpenAI and custom API provider support (#1424)
- b6eea26 chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#1437)
- 41f28e2 chore(deps): update module google.golang.org/genai to v1.37.0 (#1435)
- daccba6 refactor: simplify report functions in main.go (#1434)
- d4be287 Update go to 1.25.5 and 1.24.11 in CI (#1433)
- fde7515 chore(deps): update all dependencies (#1425)
- 20c9506 feat(ai): add support for latest Claude models and update provider flags (#1423)
- bd9e372 Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#1427)
- 7aa7e93 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#1428)
- a58917f fix: correct schema with temporary placeholder (#1418)
- 8b0d0b8 perf: skip SSA analysis if no analyzers are loaded (#1419)
- 8a5d01a test: add sarif validation (#1417)
- a8fefd1 chore(deps): update all dependencies (#1421)
- c34cbbf Update go to version 1.25.4 and 1.24.10 in CI (#1415)
- 10cf58a fix: build tag parsing. (#1413)
- d2d7348 chore(deps): update all dependencies (#1411)
- afa853e chore(deps): update all dependencies (#1409)
- 6b2e6e4 chore(deps): update all dependencies (#1408)
- 0adab9d Update gosec to version v2.22.10 in the github action (#1405)
v2.22.10
Changelog
- 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#1404)
- fddb942 chore(deps): update all dependencies (#1402)
- f676031 Update go to version 1.25.2 and 2.24.8 in CI (#1401)
- 35f7ec2 chore(deps): update all dependencies (#1399)
- 01029f0 check nil slices, partially check bounds (#1396)
- 34db3de Remove unused target from the makefile
- f5a3b7a Use the ginkgo command installed by the dependencies
- 761fcbc Keep the go module at 1.24 version for compatibility reasons
- 2238079 Remove manual test deps
- bb08aa3 fix: text must be supplied when markdown is used
- 23597d2 fix: improve error message of CheckAnalyzers
- 8d7e9d5 fix: log panic on SSA
- 0d8255e chore(deps): update all dependencies
- f9c52aa Update gosec to version v.22.9 in the github action
v2.22.9
Changelog
- 15d5c61 Update cosign to v2.6.0 and go in the CI to latest version
- 7b8713e fix(autofix): unnecessary conversion
- 64ebfc0 feat(autofix): update gemini sdk and add anthropic claude
- 506407e feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
- 3ead143 chore(deps): update all dependencies
- e81fba3 refactor(G304): remove unused trackJoin helper; no functional change
- ab078db style: gofmt rules/readfile.go
- e6218c8 test(g304): add samples for var perm and var flag with cleaned path
  - Ensure G304 does not fire when only non-path args (flag/perm) are variables
  - Both samples use filepath.Clean on the path arg
  - Rules suite remains green (42 passed)
- 79f835d rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic
  - Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables
  - Track filepath.Clean so cleaned identifiers are treated as safe
  - Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)
  - Record Join(...) assigned to identifiers and allow if later cleaned
  - Fix panic by passing non-nil context in trackJoinAssignStmt
  - All rules tests: 42 passed
- 40ac530 rules(G202): detect SQL concat in ValueSpec declarations; add test sample
  - Handle var query string = 'SELECT ...' + user style declarations
  - Reuse existing binary expr detection on ValueSpec.Values
  - Add postgres sample mirroring issue #1309 report
  - Rules tests: 42 passed
- 4be6b11 chore(deps): update all dependencies
- 5af1117 chore(deps): update all dependencies
- 287b46c chore(deps): update all dependencies
- cee0aea Update gosec version to v2.22.8 in the Github action
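The G304 commit above lists `filepath.Join(const|resolvedBase, Clean(var))` among the joins the rule accepts, and the companion commit adds an os.Root remediation hint for Go 1.24+. The following is an added example, not gosec's code: it shows why that accepted shape is only a lint heuristic (filepath.Clean collapses embedded `x/..` segments but keeps a leading `..`, so a traversal payload still resolves above the base) and pairs it with a lexical containment check a handler should perform before opening the file. `NaiveJoin`, `ContainedJoin`, `ErrOutsideBase` and the `/srv/data` base are constructed for the example. The check is lexical on purpose so the block builds on older toolchains; os.Root additionally blocks symlink escapes, which no string check can see.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves above the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// NaiveJoin (assumed helper) has the shape the G304 rule treats as a safe
// join, filepath.Join(constBase, filepath.Clean(userPath)). Clean removes
// "." and embedded "dir/.." segments but leaves a leading ".." in place,
// so "../../etc/passwd" still climbs out of base after the join.
func NaiveJoin(base, userPath string) string {
	return filepath.Join(base, filepath.Clean(userPath))
}

// ContainedJoin (assumed helper) joins and then verifies, lexically, that
// the result is inside base. filepath.Join already cleans the combined
// path, so the relative path from base to the result starts with ".."
// exactly when the request escaped.
func ContainedJoin(base, userPath string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// Compare against ".." plus a separator so a legitimate entry such as
	// "..cache" is not rejected; only a real parent step counts as an escape.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	const base = "/srv/data" // constant base, the "const|resolvedBase" case in the rule
	// Constructed inputs: one benign, one traversal payload, one dotted-but-safe name.
	for _, in := range []string{"reports/q1.csv", "../../etc/passwd", "..cache/x"} {
		got, err := ContainedJoin(base, in)
		fmt.Printf("input=%-18s naive=%-24s contained=%-26s err=%v\n",
			in, NaiveJoin(base, in), got, err)
	}
}
```

The naive column for the traversal input is `/etc/passwd`, which is the file that would actually be opened; the contained column is empty with ErrOutsideBase set. A lint pass that stops at "the argument went through filepath.Clean" cannot distinguish those two cases, so treat the rule's silence as "no obvious pattern", not as proof of containment.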
v2.22.8
v2.22.7
v2.22.6
Changelog
- bc3f214 Update go version to 1.24.5 and 1.23.11 in the CI
- 925741b chore(deps): update module google.golang.org/api to v0.242.0
- 59ae7e9 chore(deps): update all dependencies
- e7abd9e chore(deps): update all dependencies
- 35e7bc1 chore(deps): update all dependencies
- 2d1ed95 chore(deps): update all dependencies
- 4a8cb46 Do not allow dashes in file names
- bcc8afb Update gosec to version 2.22.5 in Github action