Closed
Description
Hello - we are experiencing crashes in our CI/CD after upgrading to the latest version.
Here is the stack trace:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x685b57]
goroutine 1 [running]:
golang.org/x/tools/go/ssa.(*Function).RelString(0x0, 0xc002f0f308?)
/home/runner/go/pkg/mod/golang.org/x/[email protected]/go/ssa/func.go:527 +0x17
golang.org/x/tools/go/ssa.(*Function).String(...)
/home/runner/go/pkg/mod/golang.org/x/[email protected]/go/ssa/ssa.go:1566
github.com/securego/gosec/v2/analyzers.isContainedInMap({0x11459b8, 0xc00301fe40}, 0xc0030a04e0)
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzers/hardcoded_nonce.go:205 +0xb4
github.com/securego/gosec/v2/analyzers.iterateTrackedFunctionsAndAddArgs({0x1145c40?, 0xc003088b00?}, 0xc002f0f480?, 0xc0030a04e0)
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzers/hardcoded_nonce.go:231 +0x167
github.com/securego/gosec/v2/analyzers.getArgsFromTrackedFunctions({0xc00305bd00, 0x6, 0xfddeb1?}, 0xc002f0f698)
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzers/hardcoded_nonce.go:215 +0xb1
github.com/securego/gosec/v2/analyzers.runHardCodedNonce(0xc000458620)
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzers/hardcoded_nonce.go:57 +0x365
github.com/securego/gosec/v2.(*Analyzer).CheckAnalyzers(0xc000bcc280, 0xc000e11ba0)
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzer.go:449 +0x4a2
github.com/securego/gosec/v2.(*Analyzer).Process(0xc000bcc280, {0x0, 0x0, 0x0}, {0xc000afa588, 0x53, 0x3d?})
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/analyzer.go:320 +0x487
main.main()
/home/runner/go/pkg/mod/github.com/securego/gosec/[email protected]/cmd/gosec/main.go:477 +0xe05
Here is the output of my go env:
AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN='/Users/dsmith/.local/share/mise/installs/go/1.24.5/bin'
GOCACHE='/Users/dsmith/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/dsmith/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/40/1txjdhmn0h364vrv89tj46mr0000gp/T/go-build2211409954=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/dsmith/dm/cyber/go.mod'
GOMODCACHE='/Users/dsmith/go/pkg/mod'
GONOPROXY='github.com/digitalmint/*'
GONOSUMDB='github.com/digitalmint/*'
GOOS='darwin'
GOPATH='/Users/dsmith/go'
GOPRIVATE='github.com/digitalmint/*'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/dsmith/.local/share/mise/installs/go/1.24.5'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/dsmith/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/dsmith/.local/share/mise/installs/go/1.24.5/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24.5'
GOWORK=''
PKG_CONFIG='pkg-config'
Here is a git repo that reproduces the issue when gosec is run on the main file: https://github.com/smithcoin/example-gosecfail