It look like gosec can be told what version of Go it inspecting. The error sounds like it is saying that this package is not known to it, which would make sense if somewhere you have told it it is inspecting 1.23.6 as then this would be an unexpected package in that version of Go.
Have you updated goes and made sure that it is either getting the correct version of Go from your go.mod files or that you have not overridden that with the environment variable that does so? Jim > On Mar 7, 2025, at 07:19, Samuel Littley <slitt...@thoughtmachine.net> wrote: > > I've been working on upgrading my company's code repository from 1.23.6 to > 1.24.1, and have found that running gosec <https://github.com/securego/gosec> > now fails with an error like panic: golang.org/x/tools/go/packages: > unexpected new packages during load of <some module> (full output at the end > of this message). The module which fails changes on different runs; sometimes > it's a stdlib package, sometimes it's a third party module, sometimes it's a > first party module. The error comes from here > <https://cs.opensource.google/go/x/tools/+/refs/tags/v0.31.0:go/packages/packages.go;l=1547>. > > I rebuilt gosec with a doctored version of golang.org/x/tools to make it > actually report which package is unexpected; it is always > "internal/runtime/maps" which was only added in Go 1.24. This feels like at > least the smoke from a smoking gun, but it's unclear why that package is > unexpectedly getting loaded. > > Unfortunately I haven't managed to produce a minimal reproduction, as I don't > know what causes that module to be loaded (and what we're currently applying > gosec too has a huge amount of dependencies). > > We're using Please <https://please.build/> as our build system, which means > we're using its package driver > <https://github.com/please-build/go-rules/tree/master/tools/driver> to > actually locate all the modules. There is actually a test which runs gosec > <https://github.com/please-build/go-rules/blob/master/tools/driver/test/BUILD>, > but this seems to be working fine after upgrading that repository to 1.24.1 > (although that test is loading significantly less code than where gosec is > failing on our internal repository). > > I would appreciate some advice from an expert on either > golang.org/x/tools/go/packages or internal/runtime/maps > > Full gosec output: > > [gosec] 2025/03/07 12:38:16 Including rules: default > [gosec] 2025/03/07 12:38:16 Excluding rules: default > [gosec] 2025/03/07 12:38:16 Including analyzers: default > [gosec] 2025/03/07 12:38:16 Excluding analyzers: default > [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED] > [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED] > [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED] > [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED] > 2025/03/07 12:38:16 golang.org/x/tools/go/packages: unexpected new packages > during load of github.com/prometheus/client_golang/prometheus > panic: golang.org/x/tools/go/packages: unexpected new packages during load of > github.com/prometheus/client_golang/prometheus > > goroutine 282 [running]: > log.Panicf({0xfd8f44?, 0x2?}, {0xc000b53b30?, 0x1b?, 0xc000f75020?}) > /opt/tm/tools/go/1.24.1-20250305/usr/go/src/log/log.go:439 +0x65 > golang.org/x/tools/go/packages.(*loader).loadFromExportData(0xc000394000, > 0xc0019fdcc0) > /home/slittley/third_party/tools/go/packages/packages.go:1553 +0x97e > golang.org/x/tools/go/packages.(*loader).loadPackage(0xc000394000, > 0xc0019fdcc0) > /home/slittley/third_party/tools/go/packages/packages.go:1084 +0x4f1 > golang.org/x/tools/go/packages.(*loader).refine.func2.1() > /home/slittley/third_party/tools/go/packages/packages.go:954 +0x2d > golang.org/x/sync/errgroup.(*Group).Go.func1() > > /home/slittley/go/pkg/mod/golang.org/x/sync@v0.12.0/errgroup/errgroup.go:78 > +0x50 > created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 280 > > /home/slittley/go/pkg/mod/golang.org/x/sync@v0.12.0/errgroup/errgroup.go:75 > +0x93 > > Thought Machine Group Limited, a company registered in England & Wales. > Registered number: 11114277. > Registered Office: 5 New Street Square, London EC4A 3TW > <https://maps.google.com/?q=5+New+Street+Square,+London+EC4A+3TW&entry=gmail&source=g>. > > The content of this email is confidential and intended for the recipient > specified in message only. It is strictly forbidden to share any part of this > message with any third party, without a written consent of the sender. If you > received this message by mistake, please reply to this message and follow > with its deletion, so that we can ensure such a mistake does not occur in the > future. > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com > <mailto:golang-nuts+unsubscr...@googlegroups.com>. > To view this discussion visit > https://groups.google.com/d/msgid/golang-nuts/27160045-f8a8-4191-81ac-040a9264ce01n%40googlegroups.com > > <https://groups.google.com/d/msgid/golang-nuts/27160045-f8a8-4191-81ac-040a9264ce01n%40googlegroups.com?utm_medium=email&utm_source=footer>. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/D7181D18-C305-4729-BBEC-6A5B91483FFA%40idle.ws.
