(*Analyzer).Check: skip analyzing files within */testutil/*

Skips analyzing files within */testutil/* directories as those have plenty of testing code but the number of bug reports is numerous yet doesn't add value and instead causes a mental fatigue that ends up drowning out actual security issues. Fixes #52
cosmos · Oct 6, 2022 · d5d527a · d5d527a
1 parent cffc933
commit d5d527a
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/analyzer.go b/analyzer.go
@@ -301,6 +301,16 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 	return pkgs, nil
 }
 
+func underTestUtilDirOrPath(path string) bool {
+	splits := strings.Split(path, string(filepath.Separator))
+	for _, split := range splits {
+		if split == "testutil" {
+			return true
+		}
+	}
+	return false
+}
+
 // Check runs analysis on the given package
 func (gosec *Analyzer) Check(pkg *packages.Package) {
 	gosec.logger.Println("Checking package:", pkg.Name)
@@ -312,6 +322,13 @@ func (gosec *Analyzer) Check(pkg *packages.Package) {
 		if filepath.Ext(checkedFile) != ".go" {
 			continue
 		}
+
+		// Skip over analyzing files in */testutil/* as they are causing spurious failures yet don't return
+		// much value in vulnerability reports. Please see https://github.com/cosmos/gosec/issues/52
+		if underTestUtilDirOrPath(checkedFile) {
+			continue
+		}
+
 		gosec.logger.Println("Checking file:", checkedFile)
 		gosec.context.FileSet = pkg.Fset
 		gosec.context.Config = gosec.config