Commit a6e0f63
Alex Godoroja
fix(gosec): suppress G703 taint false-positives on aux-file carry
The aux paths are resolveUnder-confined (bundle/staging roots) and aux is a
constant allow-list ('install.json'/'install.sh'), so no traversal is possible.
gosec's SSA taint analyzer can't see resolveUnder as a sanitizer, so annotate the
file ops + the new staging-cleanup with #nosec G703 (the same pattern this file
already uses for the binary copy).
1 parent 23ab958 commit a6e0f63
1 file changed
Lines changed: 4 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1196 | 1196 | | |
1197 | 1197 | | |
1198 | 1198 | | |
1199 | | - | |
| 1199 | + | |
1200 | 1200 | | |
1201 | 1201 | | |
1202 | | - | |
| 1202 | + | |
1203 | 1203 | | |
1204 | 1204 | | |
1205 | 1205 | | |
1206 | 1206 | | |
1207 | 1207 | | |
1208 | 1208 | | |
1209 | | - | |
1210 | | - | |
| 1209 | + | |
| 1210 | + | |
1211 | 1211 | | |
1212 | 1212 | | |
1213 | 1213 | | |
| |||
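Review bot: at the four changed lines (new 1199, 1202, 1209 and 1210) the suppression is sound only while both conditions from the commit message hold: every aux path goes through resolveUnder, and aux stays the constant allow-list ('install.json'/'install.sh'). Suggest stating that justification in the #nosec G703 comment at each site rather than only in the commit message, and covering resolveUnder with a test that rejects paths escaping the bundle/staging roots, so a later change that makes aux caller-controlled does not silently inherit the suppression.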