You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Sync stale submodule snapshot: VERSION and gosec hardening (#21)
* security: harden gosec findings (part of hawk-eco full-repo audit)
- Integer-overflow guards on numeric conversions
- File/dir permission tightening (0600/0750)
- Path-traversal cleaning and error-return handling
- Narrow, justified #nosec annotations where risk is not applicable
Module now scans clean with gosec (0 issues).
* chore: sync VERSION to match standalone
data, err:=os.ReadFile(path)// #nosec G304 -- path comes from findInspectConfigFile(dir), which searches for .inspect.toml/.inspect.yaml in the target project directory or its parents, not attacker-controlled input
file, err:=os.Open(path)// #nosec G304 -- path is the go.mod location supplied to this dependency checker (a project file to be scanned for vulnerable packages), not attacker-controlled input
data, err:=os.ReadFile(path)// #nosec G304 -- path is the package.json location supplied to this dependency checker (a project file to be scanned for vulnerable packages), not attacker-controlled input
file, err:=os.Open(path)// #nosec G304 -- path is the requirements.txt location supplied to this dependency checker (a project file to be scanned for vulnerable packages), not attacker-controlled input
file, err:=os.Open(path)// #nosec G304 -- path is filepath.Join(projectDir, "go.mod") computed by GenerateSBOM against the project directory being scanned, not attacker-controlled input
data, err:=os.ReadFile(path)// #nosec G304 -- path is filepath.Join(projectDir, "package.json") computed by GenerateSBOM against the project directory being scanned, not attacker-controlled input
file, err:=os.Open(path)// #nosec G304 -- path is filepath.Join(projectDir, "requirements.txt") computed by GenerateSBOM against the project directory being scanned, not attacker-controlled input
f, err:=os.Open(path)// #nosec G304 -- path is the source file under analysis, supplied by the scanning tool's own localization phase/CLI target; reading arbitrary project files is this tool's purpose
0 commit comments