Search code examples
golintgosec

How can I disable "TLS InsecureSkipVerify may be true" error

I have a code like this:

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

When I run golangci-lint run it recognizes the nolint directive and ignores that error, but when Sonarqube runs it keeps failing with a message "TLS InsecureSkipVerify may be true"

This issue https://github.com/securego/gosec/issues/278 talks about using #nosec in the comment to disable that error. Here it talks about using it in specific parts of the statement https://github.com/securego/gosec/issues/278#issuecomment-745209803

So I've tried:

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        // NOSONAR #nosec 
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec 
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
    }
}

And

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify /* #nosec */ :/* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
    }
}

I have open this issue in the gosec project https://github.com/securego/gosec/issues/780

What else can I do to ignore this in gosec?

Solution

  • As @rodolfo has suggested, I reproduce the solution mentioned on Github as it might help someone else.

    Apparently using // #nosec G402 on the same line as the if statement fixes the problem:

    if cfg.GetRedisTLS() { // #nosec G402
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}