gosec: global nosec option is not honored when set to false #5227

Closed
@alexandear

Welcome

  • Yes, I'm using a binary release within 2 latest releases. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've read the typecheck section of the FAQ.
  • Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.).
  • I agree to follow this project's Code of Conduct

Description of the problem

The // #nosec comments are not being honored when gosec's setting config.global.nosec is explicitly set to false. In the example below, the comment // #nosec G306 should ignore the reporting of the G306 issue like //nolint:gosec, but it does not.

Interestingly, // #false G306 does ignore the reporting.

When running standalone gosec, the // #nosec is honored.

$ gosec -version
Version: 2.21.4
Git tag: v2.21.4
Build date: 2024-09-26T11:55:22Z

$ gosec ./...
[gosec] 2024/12/14 19:10:27 Including rules: default
[gosec] 2024/12/14 19:10:27 Excluding rules: default
[gosec] 2024/12/14 19:10:27 Including analyzers: default
[gosec] 2024/12/14 19:10:27 Excluding analyzers: default
[gosec] 2024/12/14 19:10:27 Import directory: /Users/Oleksandr_Redko/src/gosecbug
[gosec] 2024/12/14 19:10:28 Checking package: main
[gosec] 2024/12/14 19:10:28 Checking file: /Users/Oleksandr_Redko/src/gosecbug/gosec.go
Results:


Summary:
  Gosec  : 2.21.4
  Files  : 1
  Lines  : 10
  Nosec  : 1
  Issues : 0

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 1.62.2 built with go1.23.3 from 89476e7 on 2024-11-25T14:12:23Z

Configuration

linters:
  disable-all: true
  enable:
    - gosec
linters-settings:
  gosec:
    config:
      global:
        nosec: false

Go environment

$ go version && go env
GO111MODULE=''
GOARCH='arm64'
GOBIN='/Users/Oleksandr_Redko/go/bin'
GOCACHE='/Users/Oleksandr_Redko/Library/Caches/go-build'
GOENV='/Users/Oleksandr_Redko/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/Oleksandr_Redko/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/Oleksandr_Redko/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.23.4/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.23.4/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.4'
GODEBUG=''
GOTELEMETRY='on'
GOTELEMETRYDIR='/Users/Oleksandr_Redko/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/Oleksandr_Redko/src/gosecbug/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/pk/5dzf3qsj6l18s2b3zfw194840000gn/T/go-build3619068599=/tmp/go-build -gno-record-gcc-switches -fno-common'

Verbose output of running

$ golangci-lint cache clean
$ golangci-lint run -v
INFO golangci-lint has version 1.62.2 built with go1.23.3 from 89476e7 on 2024-11-25T14:12:23Z 
INFO [config_reader] Config search paths: [./ /Users/Oleksandr_Redko/src/gosecbug /Users/Oleksandr_Redko/src /Users/Oleksandr_Redko /Users /] 
INFO [config_reader] Used config file .golangci.yml 
INFO [lintersdb] Active 1 linters: [gosec]        
INFO [loader] Go packages loading at mode 8767 (exports_file|files|imports|name|types_sizes|compiled_files|deps) took 217.393375ms 
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 118µs 
INFO [linters_context/goanalysis] analyzers took 800µs with top 10 stages: gosec: 777.667µs, typecheck: 22.333µs 
INFO [runner] Processors filtering stat (in/out): filename_unadjuster: 1/1, autogenerated_exclude: 1/1, nolint: 1/1, uniq_by_line: 1/1, max_from_linter: 1/1, path_prefixer: 1/1, cgo: 1/1, exclude-rules: 1/1, max_same_issues: 1/1, severity-rules: 1/1, invalid_issue: 1/1, skip_files: 1/1, skip_dirs: 1/1, identifier_marker: 1/1, exclude: 1/1, diff: 1/1, max_per_file_from_linter: 1/1, source_code: 1/1, path_prettifier: 1/1, fixer: 1/1, sort_results: 1/1, path_shortener: 1/1 
INFO [runner] processing took 174.168µs with stages: nolint: 43.458µs, autogenerated_exclude: 27.334µs, exclude-rules: 26.959µs, path_prettifier: 24.166µs, source_code: 20.291µs, identifier_marker: 20.25µs, skip_dirs: 5.001µs, uniq_by_line: 1.25µs, max_same_issues: 917ns, invalid_issue: 916ns, path_shortener: 874ns, cgo: 792ns, max_from_linter: 459ns, filename_unadjuster: 458ns, max_per_file_from_linter: 250ns, exclude: 209ns, skip_files: 166ns, severity-rules: 126ns, fixer: 125ns, sort_results: 83ns, diff: 42ns, path_prefixer: 42ns 
INFO [runner] linters took 38.953791ms with stages: goanalysis_metalinter: 38.733125ms 
gosec.go:9:6: G306: Expect WriteFile permissions to be 0600 or less (gosec)
        _ = os.WriteFile("filename", []byte("test"), 0755)
            ^
INFO File cache stats: 1 entries of total size 116B 
INFO Memory: 4 samples, avg is 28.3MB, max is 34.6MB 
INFO Execution took 272.768375ms                  

A minimal reproducible example or link to a public repository

package main

import (
	"os"
)

func main() {
	// #nosec G306
	_ = os.WriteFile("filename", []byte("test"), 0755)
}

Validation

  • Yes, I've included all information above (version, config, etc.).
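
For auditing which suppressions a code base relies on, the three comment forms in this report (`// #nosec G306`, `//nolint:gosec`, and the `// #false G306` tag the report observed being honored) can be located with `go/parser`. This is an added example, not code from gosec or golangci-lint; `Suppression`, `FindSuppressions` and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Suppression is one comment that silences, or tries to silence, gosec.
type Suppression struct{ Line int; Kind string; Rules []string }
var tagRe = regexp.MustCompile(`^#(\w+)((?:\s+G\d{3})*)`) // "#nosec G306", "#false G306"
var nolintRe = regexp.MustCompile(`^nolint:\S*\bgosec\b`) // "nolint:gosec"

// FindSuppressions parses Go source and lists line comments that suppress gosec.
func FindSuppressions(src string) ([]Suppression, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Suppression
	for _, group := range f.Comments {
		for _, c := range group.List {
			text := strings.TrimSpace(strings.TrimPrefix(c.Text, "//"))
			line := fset.Position(c.Pos()).Line
			m := tagRe.FindStringSubmatch(text)
			switch {
			case nolintRe.MatchString(text):
				out = append(out, Suppression{line, "nolint", nil})
			case m != nil && m[1] == "nosec":
				out = append(out, Suppression{line, "nosec", strings.Fields(m[2])})
			case m != nil && m[2] != "": // any other tag followed by rule IDs
				out = append(out, Suppression{line, "unknown-tag", strings.Fields(m[2])})
			}
		}
	}
	return out, nil
}
// sampleSrc is constructed for this example; it is only parsed, never run.
const sampleSrc = `package main
import "os"
func main() {
	_ = os.WriteFile("a", nil, 0755) // #nosec G306
	_ = os.WriteFile("b", nil, 0755) // #false G306
	_ = os.WriteFile("c", nil, 0755) //nolint:gosec
}`
func main() { fmt.Println(FindSuppressions(sampleSrc)) }
```

Entries reported as `unknown-tag` are the ones worth reviewing first, since whether they suppress anything depends on how the linter's nosec tag ends up configured.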

Labels: bug (Something isn't working)