
Comments (5)

PurelyApplied avatar PurelyApplied commented on July 22, 2024 1

I think, for the scope of the 1.0 Milestone, the exclusion introduced by #127 satisfies this Issue. I've opened #198 as a continuation outside the scope of the milestone, if we wish to proceed with finer-grained, comment-based suppression.

from go-flow-levee.

mlevesquedion avatar mlevesquedion commented on July 22, 2024

I'm having a hard time seeing exactly how users would define an allowlist. Would users write source code positions in a file? It sounds like that would probably lead to a fair amount of toil for users. Did you have a different idea in mind?

To me code comments make the most sense because I think they are simpler for users to introduce and to maintain. I think out-of-scope findings will be avoided via #88. I'm not sure how false positives in generated code would be handled though. Perhaps we could provide users with a way to exclude files via some naming pattern.


mlevesquedion avatar mlevesquedion commented on July 22, 2024

Whatever mechanism we choose, I'm concerned that allowing users to suppress false positives may lead to some issues going undetected, e.g. if levee reports a false positive on a given line of code, the user suppresses it through e.g. a comment, and later on the line of code is changed and becomes a true positive, but because of the suppression levee does not report it.


mlevesquedion avatar mlevesquedion commented on July 22, 2024

A built-in way for users to suppress false positives would be to use a sanitizer. We may choose to advertise this or not. Some pros and cons to using sanitizers to suppress false positives:

Pros:

  • Requires no extra work from us, since this is already supported.
  • Simple for users, since they don't need to learn a new concept/mechanism.

Cons:

  • Suppressing false positives is not what sanitizers are intended for. Users may create a "do nothing" sanitizer that does not actually do any sanitization and is intended merely to suppress false positives, which could lead to true positives being missed if it is used improperly. (We cannot prevent users from doing this, but we could warn against doing this in the documentation).
  • We don't currently have a way to report that using a sanitizer in a given piece of code was not necessary, and I think it is unlikely that we will develop such a feature. Over time, a code base could accumulate unnecessary sanitizing calls.


mlevesquedion avatar mlevesquedion commented on July 22, 2024

The staticcheck tool uses code comments to suppress false positives. Details here. Summary:

  • False positives on a line can be suppressed via a code comment on the preceding line. Unnecessary suppressions are reported.
  • False positives in an entire file can similarly be suppressed via a code comment. This is especially helpful for generated code.

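The following is an added example illustrating the staticcheck-style mechanism summarized in the comment above (preceding-line and file-wide suppression, with unnecessary suppressions reported); it is not code from go-flow-levee or staticcheck. The directive syntax `//levee:ignore` / `//levee:file-ignore`, the `Finding` and `Suppression` types, and the sample source files and findings are all constructed for this illustration. The "unused suppression" report is what addresses the concern raised earlier in the thread: a directive left behind after the code it covered changed is surfaced instead of silently hiding a later true positive.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one report from a taint analyzer: which check fired, and where.
type Finding struct {
	File  string
	Line  int
	Check string
	Msg   string
}

// Suppression is a parsed directive comment. Line is the comment's own line;
// a line-scoped directive covers only the line immediately after it.
type Suppression struct {
	File     string
	Line     int
	FileWide bool
	Check    string
	Reason   string
}

// Hypothetical directive syntax, chosen for this example only:
//   //levee:ignore CHECK reason        (covers the next line)
//   //levee:file-ignore CHECK reason   (covers the whole file)
var (
	lineDirective = regexp.MustCompile(`^\s*//levee:ignore\s+(\S+)\s+(.+)$`)
	fileDirective = regexp.MustCompile(`^\s*//levee:file-ignore\s+(\S+)\s+(.+)$`)
)

// ParseSuppressions scans one source file for directive comments.
func ParseSuppressions(file, src string) []Suppression {
	var out []Suppression
	for i, text := range strings.Split(src, "\n") {
		lineNo := i + 1
		if m := fileDirective.FindStringSubmatch(text); m != nil {
			out = append(out, Suppression{file, lineNo, true, m[1], m[2]})
		} else if m := lineDirective.FindStringSubmatch(text); m != nil {
			out = append(out, Suppression{file, lineNo, false, m[1], m[2]})
		}
	}
	return out
}

// Apply filters findings through suppressions. It returns the findings that
// still need attention and the suppressions that covered nothing, so a stale
// directive is itself reported rather than silently masking future findings.
func Apply(findings []Finding, sups []Suppression) (kept []Finding, unused []Suppression) {
	used := make([]bool, len(sups))
	for _, f := range findings {
		suppressed := false
		for i, s := range sups {
			if s.File != f.File || s.Check != f.Check {
				continue
			}
			if s.FileWide || s.Line+1 == f.Line {
				used[i] = true
				suppressed = true
			}
		}
		if !suppressed {
			kept = append(kept, f)
		}
	}
	for i, s := range sups {
		if !used[i] {
			unused = append(unused, s)
		}
	}
	return kept, unused
}

// Constructed sample inputs. handler.go has a legitimately suppressed finding
// on line 4, a stale directive on line 6 (line 7 no longer logs anything
// tainted), and an unsuppressed finding on line 9. gen.go is generated code
// with a file-wide directive.
const handlerSrc = `package h

//levee:ignore taint reviewed: token is hashed before logging
log.Println(hash(token))

//levee:ignore taint stale: this call used to log the raw token
log.Println("request handled")

log.Println(token)`

const genSrc = `// Code generated by a hypothetical tool. DO NOT EDIT.
//levee:file-ignore taint generated code, reviewed separately
package gen`

// Constructed findings, as an analyzer might emit for the files above.
var sampleFindings = []Finding{
	{"handler.go", 4, "taint", "source reaches sink log.Println"},
	{"handler.go", 9, "taint", "source reaches sink log.Println"},
	{"gen.go", 12, "taint", "source reaches sink"},
	{"gen.go", 30, "taint", "source reaches sink"},
}

// Run applies the sample inputs and returns both lists for inspection.
func Run() ([]Finding, []Suppression) {
	sups := append(ParseSuppressions("handler.go", handlerSrc),
		ParseSuppressions("gen.go", genSrc)...)
	return Apply(sampleFindings, sups)
}

func main() {
	kept, unused := Run()
	for _, f := range kept {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Msg)
	}
	for _, s := range unused {
		fmt.Printf("%s:%d: unnecessary suppression of %s (%s)\n", s.File, s.Line, s.Check, s.Reason)
	}
}
```

Running this reports the handler.go:9 finding and flags the handler.go:6 directive as unnecessary, while the generated file produces nothing. Requiring a check name and a reason on each directive keeps suppressions reviewable in code review, and reporting unused ones keeps them from accumulating the way unnecessary sanitizer calls would.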
