G115 ignores bounds checks

[rittneje]

Summary

G115 reports issues even if we do proper bounds checks. This is similar in spirit to #1185, but would require the linter to be smarter.

Steps to reproduce the behavior

var x []string

if len(x) <= math.MaxUint32 {
    y := uint32(len(x))
    fmt.Println(y)
}

This reports integer overflow conversion int -> uint32 (gosec).

gosec version

I am running via golangci-lint v1.62.0.

Go version (output of 'go version')

n/a

Operating system / Environment

n/a

Expected behavior

The linter should see that there is a bounds check and thus be able to prove to itself that the overflow is impossible.

Actual behavior

The linter does not consider anything about prior bounds checks, leading to false positives that need to be ignored, diminishing the utility of the check.

[ccojocar]

Another case to handle which is safe because the size is checked during parsing:

v,_ := strconv.ParseInt("1",10,32) 
v32 := int32(v) 

[palsivertsen]

This issue was introduced with release v1.60.2 of golangci-lint which bumps gosec version from 5f0084e to 81cda2f in golangci/golangci-lint#4927

[rittneje]

@ccojocar This issue should be re-opened. First, the linked PR did not fix it. The code snippet in my original issue description is still flagged, as is the following example.

func foo(x int) uint32 {
	if x < 0 {
		return 0
	}
	if x > math.MaxUint32 {
		return math.MaxUint32
	}
	return uint32(x)
}

(I tested with commit c52dc0e.)

Furthermore, from reading the code itself, it doesn't seem to care at all what the bounds checks are actually doing, just that they are present. So even if the code did work, the following would have been allowed even though it should be flagged:

func foo(x int) uint32 {
	if x < 0 {
		return 0
	}
	return uint32(x)
}

[ccojocar]

@czechbol It seems that there some more use cases which are not handled in #1189. I would be great if you could also check the bounds. Thanks

[czechbol]

Hi, @ccojocar, thanks for the heads up. I'll take a closer look when I have a bit of time.