
gosec: G602 false positive #6420

@theory

Welcome

  • Yes, I'm using a binary release within 2 latest releases. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've read the typecheck section of the FAQ.
  • Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.).
  • I agree to follow this project's Code of Conduct

How did you install golangci-lint?

Brew

Description of the problem

securego/gosec#1250 fixed in gosec but not golangci-lint. From my project:

golangci-lint version
golangci-lint has version 2.11.1 built with go1.26.1 from 89a46a2 on 2026-03-06T13:59:43Z
golangci-lint run
spec/selector.go:308:21: G602: slice index out of range (gosec)
		switch end := args[endArg].(type) {
		                  ^
1 issues:
* gosec: 1

But with gosec (installed from source today):

gosec ./spec            
[gosec] 2026/03/07 17:46:42 Including rules: default
[gosec] 2026/03/07 17:46:42 Excluding rules: default
[gosec] 2026/03/07 17:46:42 Including analyzers: default
[gosec] 2026/03/07 17:46:42 Excluding analyzers: default
[gosec] 2026/03/07 17:46:42 Import directory: /Users/david/dev/go/jsonpath/spec
[gosec] 2026/03/07 17:46:42 Checking package: spec
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/filter.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/function.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/function_string.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/normalized.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/op.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/op_string.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/query.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/segment.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/selector.go
[gosec] 2026/03/07 17:46:42 Checking file: /Users/david/dev/go/jsonpath/spec/spec.go
Results:


Summary:
  Gosec  : dev
  Files  : 10
  Lines  : 2144
  Nosec  : 0
  Issues : 0

gosec looks to be the latest version, so I'm not sure why it's still reporting the issue.

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 2.11.1 built with go1.26.1 from 89a46a2 on 2026-03-06T13:59:43Z

Configuration

version: "2"
run:
  build-tags:
    - compare
linters:
  default: all
  disable:
    # Too strict.
    - cyclop # redundant, covered by gocyclo
    - depguard
    - exhaustruct
    - funcorder # new, too much to move around
    - nestif # redundant, covered by gocyclo
    - nlreturn
    - testpackage
    - varnamelen
    - wsl
    - wsl_v5
    - noinlineerr
  settings:
    dupword:
      ignore:
        - R.
    errcheck:
      disable-default-exclusions: false
      check-type-assertions: false
      check-blank: false
      exclude-functions:
        - fmt.Fprintf
        - fmt.Fprintln
        - fmt.Fprint
    exhaustive:
      default-signifies-exhaustive: true
    funlen:
      ignore-comments: true
    ireturn:
      allow:
        - anon
        - error
        - empty
        - stdlib
        - generic
        - spec\.PathValue
        - spec\.FuncExprArg
        - spec\.Selector
        - spec\.BasicExpr
        - spec\.CompVal
  exclusions:
    generated: lax
    rules:
      # Exclude some linters from running on tests files.
      - linters:
          - err113
          - funlen
          - maintidx
          - wrapcheck
        path: _test\.go
      - linters:
          - err113
        path: registry/funcs\.go
    paths:
      - third_party$
      - builtin$
      - examples$
formatters:
  enable:
    - gci
    - gofmt
    - gofumpt
    - goimports
  exclusions:
    generated: lax
    paths:
      - third_party$
      - builtin$
      - examples$

Go environment

$ go version && go env
go version go1.26.1 darwin/arm64
AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/david/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/david/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/_c/9qfk97x92zq400p82xhtbw240000gn/T/go-build474861682=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/david/dev/go/jsonpath/go.mod'
GOMODCACHE='/Users/david/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/david/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.26.1/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/david/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.26.1/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.26.1'
GOWORK=''
PKG_CONFIG='pkg-config'

Verbose output of running

$ golangci-lint cache clean
$ golangci-lint run -v
level=info msg="golangci-lint has version 2.11.1 built with go1.26.1 from 89a46a2 on 2026-03-06T13:59:43Z"
level=info msg="[config_reader] Config search paths: [./ /Users/david/dev/go/jsonpath /Users/david/dev/go /Users/david/dev /Users/david /Users /]"
level=info msg="[config_reader] Used config file .golangci.yaml"
level=info msg="[config_reader] Module name \"github.com/theory/jsonpath\""
level=info msg="[goenv] Read go env for 8.214625ms: map[string]string{\"GOCACHE\":\"/Users/david/Library/Caches/go-build\", \"GOROOT\":\"/opt/homebrew/Cellar/go/1.26.1/libexec\"}"
level=info msg="[lintersdb] Active 105 linters: [arangolint asasalint asciicheck bidichk bodyclose canonicalheader containedctx contextcheck copyloopvar decorder dogsled dupl dupword durationcheck embeddedstructfieldcheck err113 errcheck errchkjson errname errorlint exhaustive exptostd fatcontext forbidigo forcetypeassert funlen gci ginkgolinter gocheckcompilerdirectives gochecknoglobals gochecknoinits gochecksumtype gocognit goconst gocritic gocyclo godoclint godot godox gofmt gofumpt goheader goimports gomoddirectives gomodguard goprintffuncname gosec gosmopolitan govet grouper iface importas inamedparam ineffassign interfacebloat intrange iotamixing ireturn lll loggercheck maintidx makezero mirror misspell mnd modernize musttag nakedret nilerr nilnesserr nilnil noctx nolintlint nonamedreturns nosprintfhostport paralleltest perfsprint prealloc predeclared promlinter protogetter reassign recvcheck revive rowserrcheck sloglint spancheck sqlclosecheck staticcheck tagalign tagliatelle testableexamples testifylint thelper tparallel unconvert unparam unqueryvet unused usestdlibvars usetesting wastedassign whitespace wrapcheck zerologlint]"
level=info msg="[loader] Using build tags: [compare]"
level=info msg="[loader] Go packages loading at mode 8767 (compiled_files|exports_file|files|imports|deps|name|types_sizes) took 152.209583ms"
level=info msg="[runner/filename_unadjuster] Pre-built 0 adjustments in 4.875667ms"
level=info msg="[linters_context] importas settings found, but no aliases listed. List aliases under alias: key."
level=info msg="[linters_context/goanalysis] analyzers took 16.37172386s with top 10 stages: wastedassign: 1.060729583s, gosec: 829.133708ms, goimports: 626.377875ms, dupl: 435.307375ms, gofumpt: 385.120667ms, errorlint: 363.249375ms, gci: 335.521792ms, buildir: 307.98246ms, unqueryvet: 282.136083ms, misspell: 259.413ms"
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"third_party$\""
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"builtin$\""
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"examples$\""
level=info msg="[runner/exclusion_rules] Skipped 55 issues by rules: [Path: \"_test\\\\.go\", Linters: \"err113, funlen, maintidx, wrapcheck\"]"
level=info msg="[runner/exclusion_rules] Skipped 10 issues by rules: [Path: \"registry/funcs\\\\.go\", Linters: \"err113\"]"
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"third_party$\", Linters: \"gci, gofmt, gofumpt, goimports\"]"
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"builtin$\", Linters: \"gci, gofmt, gofumpt, goimports\"]"
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"examples$\", Linters: \"gci, gofmt, gofumpt, goimports\"]"
level=info msg="[runner] Issues before processing: 85, after processing: 1"
level=info msg="[runner] Processors filtering stat (in/out): uniq_by_line: 1/1, max_from_linter: 1/1, source_code: 1/1, path_prettifier: 1/1, exclusion_rules: 80/15, severity-rules: 1/1, sort_results: 1/1, nolint_filter: 15/1, diff: 1/1, path_absoluter: 85/85, cgo: 85/85, path_relativity: 85/85, exclusion_paths: 85/85, max_per_file_from_linter: 1/1, max_same_issues: 1/1, path_shortener: 1/1, filename_unadjuster: 85/85, invalid_issue: 85/85, generated_file_filter: 85/80, fixer: 1/1"
level=info msg="[runner] processing took 2.259121ms with stages: nolint_filter: 1.749874ms, generated_file_filter: 345.917µs, exclusion_rules: 59.583µs, path_relativity: 42.666µs, source_code: 26.5µs, exclusion_paths: 23.125µs, sort_results: 2.791µs, invalid_issue: 2.084µs, cgo: 1.999µs, path_absoluter: 999ns, max_same_issues: 707ns, uniq_by_line: 667ns, path_shortener: 417ns, max_from_linter: 416ns, filename_unadjuster: 374ns, fixer: 334ns, path_prettifier: 250ns, diff: 209ns, max_per_file_from_linter: 167ns, severity-rules: 42ns"
level=info msg="[runner] linters took 1.408081417s with stages: goanalysis_metalinter: 1.405788667s"
spec/selector.go:308:21: G602: slice index out of range (gosec)
		switch end := args[endArg].(type) {
		                  ^
1 issues:
* gosec: 1
level=info msg="File cache stats: 1 entries of total size 15.4KiB"
level=info msg="Memory: 17 samples, avg is 197.0MB, max is 363.6MB"
level=info msg="Execution took 1.582326375s"

A minimal reproducible example or link to a public repository

From https://github.com/theory/jsonpath/:

func Slice(args ...any) SliceSelector {
	const (
		startArg = 0
		endArg   = 1
		stepArg  = 2
	)
	// Set defaults.
	s := SliceSelector{0, math.MaxInt, 1}
	switch len(args) - 1 {
	case stepArg:

		switch step := args[stepArg].(type) {
		case int:
			s.step = step
		case nil:
			// Nothing to do
		default:
			panic("Third value passed to Slice is not an integer")
		}
		fallthrough
	case endArg:
		switch end := args[endArg].(type) {
		case int:
			s.end = end
		case nil:
			// Negative step: end with minimum int.
			if s.step < 0 {
				s.end = math.MinInt
			}
		default:
			panic("Second value passed to Slice is not an integer")
		}
		fallthrough
	case startArg:
		switch start := args[startArg].(type) {
		case int:
			s.start = start
		case nil:
			// Negative step: start with maximum int.
			if s.step < 0 {
				s.start = math.MaxInt
			}
		default:
			panic("First value passed to Slice is not an integer")
		}
	}
	return s
}

Validation

  • Yes, I've included all information above (version, config, etc.).
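
The flagged `args[endArg]` is reached only from `case endArg` or by fallthrough from `case stepArg`, so `len(args)` is at least 2 at that point. As an added example (not code from the issue or from theory/jsonpath), here is a rewrite that returns the same results while putting a length check directly at each index; the `SliceSelector` field layout, `intArg` and `GuardedSlice` are assumptions made for illustration:

```go
package main

import (
	"fmt"
	"math"
)

// SliceSelector: field order assumed from the issue's literal (start, end, step).
type SliceSelector struct{ start, end, step int }

// intArg reads args[i] behind an explicit length check at the index site. It
// reports false for a missing or nil argument and panics on a non-int value.
func intArg(args []any, i int, ordinal string) (int, bool) {
	if i >= len(args) || args[i] == nil {
		return 0, false
	}
	v, ok := args[i].(int)
	if !ok {
		panic(ordinal + " value passed to Slice is not an integer")
	}
	return v, true
}

// GuardedSlice is a hypothetical rewrite of Slice with the same defaults.
func GuardedSlice(args ...any) SliceSelector {
	s := SliceSelector{0, math.MaxInt, 1}
	if len(args) > 3 {
		return s // the original switch matches no case for 4+ arguments
	}
	if v, ok := intArg(args, 2, "Third"); ok {
		s.step = v
	}
	// s.step < 0 implies three arguments were passed, so in the else
	// branches below the start or end argument was an explicit nil.
	if v, ok := intArg(args, 1, "Second"); ok {
		s.end = v
	} else if s.step < 0 {
		s.end = math.MinInt
	}
	if v, ok := intArg(args, 0, "First"); ok {
		s.start = v
	} else if s.step < 0 {
		s.start = math.MaxInt
	}
	return s
}

func main() { fmt.Println(GuardedSlice(), GuardedSlice(1, 4), GuardedSlice(nil, nil, -1)) }
```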

Labels

bug (Something isn't working)
