Closed
Description
Summary
After updating to the latest Golang & gosec versions, I see this security error:
[...] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
49: }
> 50: defer file.Close()
51:
Summary:
Files: 6
Lines: 231
Nosec: 0
Issues: 1
My function hasn't changed and looks like this:
// ...

// NewConfig returns a new decoded Config struct
func NewConfig(configPath string) (*Config, error) {
	// Validate config path
	if err := ValidateConfigPath(configPath); err != nil {
		return nil, err
	}

	// Create config structure
	config := &Config{}

	// Open config file
	file, err := os.Open(filepath.Clean(configPath))
	if err != nil {
		return nil, err
	}
	defer file.Close() // <-- error G307 (CWE-703) on this line

	// Init new YAML decoder
	d := yaml.NewDecoder(file)

	// Start YAML decoding from file
	if err := d.Decode(&config); err != nil {
		return nil, err
	}

	return config, nil
}

// ...
Steps to reproduce the behavior
- Create a function that opens and closes a file
- Run gosec
gosec version
$ gosec
VERSION: 2.4.0
GIT TAG: v2.4.0
BUILD DATE: 2020-07-24T07:54:54Z
Go version (output of 'go version')
go version go1.15 linux/amd64
Operating system / Environment
$ uname -a
Linux vic-linux-pc 5.8.0-2-MANJARO #1 SMP PREEMPT Sat Aug 8 17:55:27 UTC 2020 x86_64 GNU/Linux
Expected behavior
No errors, or a way to resolve this error.
Actual behavior
CI (GitHub Actions) sends warnings and does not let my code through to the master branch (but this code wasn't changed and works fine with the lower version).
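As an added example (not the reporter's code and not part of gosec), here is one way to satisfy G307 in Go: instead of a bare `defer file.Close()`, the file is closed through a small deferred helper that records a Close failure into a named error result, so the caller sees it rather than the error being silently dropped. The key=value parser, the `failingCloser` type, the `loadFrom`/`loadConfig` names and the constructed sample file are all assumptions made for this example; the reporter's YAML decoding is replaced by a plain-text parser so the block runs offline with only the standard library.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// closeAndRecord is meant to be deferred. It closes c and, when Close fails
// and no earlier error is pending, stores the close error in *err so the
// caller sees it. This is the pattern G307 pushes you towards: the result of
// Close is checked instead of being dropped by a bare `defer c.Close()`.
func closeAndRecord(c io.Closer, err *error) {
	if cerr := c.Close(); cerr != nil && *err == nil {
		*err = cerr
	}
}

// parseKeyValues reads "key = value" lines from r. Blank lines and lines
// starting with '#' are skipped. The format is deliberately minimal (it is an
// assumption for this example, not the reporter's YAML config); the point of
// the example is the Close handling in loadFrom.
func parseKeyValues(r io.Reader) (map[string]string, error) {
	cfg := make(map[string]string)
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key=value, got %q", n, line)
		}
		cfg[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return cfg, nil
}

// loadFrom parses rc and always closes it. Because err is a named result,
// the deferred closeAndRecord can replace a nil err with a Close failure.
// Callers must check err before using cfg.
func loadFrom(rc io.ReadCloser) (cfg map[string]string, err error) {
	defer closeAndRecord(rc, &err)
	return parseKeyValues(rc)
}

// loadConfig is the file-backed entry point, the counterpart of the
// reporter's NewConfig with the Close error no longer ignored.
func loadConfig(path string) (map[string]string, error) {
	file, err := os.Open(filepath.Clean(path))
	if err != nil {
		return nil, err
	}
	return loadFrom(file)
}

// failingCloser wraps a reader with a Close that always fails. It is a test
// double (an assumption for this example) standing in for real cases such as
// a network filesystem reporting an error only at close time.
type failingCloser struct{ io.Reader }

func (failingCloser) Close() error { return errors.New("close failed") }

func main() {
	// Constructed sample config written to a temp file so this runs offline.
	dir, err := os.MkdirTemp("", "g307-example")
	if err != nil {
		fmt.Println("mkdir:", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "app.conf")
	sample := "# constructed sample\nlisten = 127.0.0.1:8443\ntls = on\n"
	if err := os.WriteFile(path, []byte(sample), 0o600); err != nil {
		fmt.Println("write:", err)
		return
	}

	cfg, err := loadConfig(path)
	fmt.Println("from file:", cfg, err)

	// With a bare `defer rc.Close()` this error would be lost.
	_, err = loadFrom(failingCloser{strings.NewReader("a = b\n")})
	fmt.Println("close error surfaced:", err)
}
```

The helper only fills in the error when nothing else has failed, so a parse error is never clobbered by a later Close error, and the Close error is only reported when it is the sole problem. For a read-only file the Close failure is mostly informational, but the same pattern matters far more on the write path, where a failed Close can mean data never reached disk.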