Thanks for the tip Jim. I made sure all the relevant go.mod files
referenced version 1.24.1, tried setting the GOSECGOVERSION variable, and
made sure there were no other suspicious-looking env variables in the build
environment, but no luck :( it looks like gosec's version helper is only
actually used in a couple of rules, and I don't think it's getting as far
as running rules before it hits these errors.
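The version checks described in this reply, written up as a small added Go diagnostic (not code from the thread, from gosec or from golang.org/x/tools): it scans a tree for go.mod files whose go or toolchain directive disagrees with the running toolchain, and lists the environment variables that can override the Go version a tool believes it is inspecting. The set of variables other than GOSECGOVERSION is an assumption about what is worth checking.

```go
// Added diagnostic: find go.mod directives and env vars that could make a
// tool think it is inspecting a different Go version than the one building.
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// GoDirectives extracts the "go" and "toolchain" directives from go.mod text
// (the "go" prefix is stripped from the toolchain value, e.g. go1.24.1 -> 1.24.1).
func GoDirectives(modText string) (goVer, toolchain string) {
	sc := bufio.NewScanner(strings.NewReader(modText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "go":
			goVer = f[1]
		case "toolchain":
			toolchain = strings.TrimPrefix(f[1], "go")
		}
	}
	return goVer, toolchain
}

// compatible reports whether a directive matches want exactly or is a
// language-version prefix of it ("1.24" is fine when want is "1.24.1").
func compatible(directive, want string) bool {
	return directive == want || strings.HasPrefix(want, directive+".")
}

// Mismatches walks root and reports every go.mod whose go or toolchain
// directive is not compatible with want (e.g. "1.24.1").
func Mismatches(root, want string) ([]string, error) {
	var out []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "go.mod" {
			return err
		}
		b, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		g, t := GoDirectives(string(b))
		if !compatible(g, want) {
			out = append(out, fmt.Sprintf("%s: go %s (want %s)", p, g, want))
		}
		if t != "" && !compatible(t, want) {
			out = append(out, fmt.Sprintf("%s: toolchain go%s (want %s)", p, t, want))
		}
		return nil
	})
	return out, err
}

// VersionEnv returns the version-affecting variables that are set in the build
// environment (assumed list: GOTOOLCHAIN, GOSECGOVERSION, GOROOT, GOFLAGS).
func VersionEnv() map[string]string {
	m := map[string]string{}
	for _, k := range []string{"GOTOOLCHAIN", "GOSECGOVERSION", "GOROOT", "GOFLAGS"} {
		if v, ok := os.LookupEnv(k); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	want := strings.TrimPrefix(runtime.Version(), "go") // e.g. "1.24.1"
	bad, err := Mismatches(".", want)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, line := range bad {
		fmt.Println("mismatch:", line)
	}
	for k, v := range VersionEnv() {
		fmt.Printf("env %s=%q\n", k, v)
	}
}
```

Run it from the repository root with the toolchain you expect gosec to use; an empty mismatch list plus an empty env list means the go.mod files and environment are not what is steering gosec to the wrong version.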

On Fri, 7 Mar 2025 at 18:10, Jim Idle <j...@idle.ws> wrote:

> It looks like gosec can be told what version of Go it is inspecting. The error
> sounds like it is saying that this package is not known to it, which would
> make sense if somewhere you have told it it is inspecting 1.23.6 as then
> this would be an unexpected package in that version of Go.
>
>
> Have you updated gosec and made sure that it is either getting the correct
> version of Go from your go.mod files or that you have not overridden that
> with the environment variable that does so?
>
> Jim
>
> On Mar 7, 2025, at 07:19, Samuel Littley <slitt...@thoughtmachine.net>
> wrote:
>
> I've been working on upgrading my company's code repository from 1.23.6 to
> 1.24.1, and have found that running gosec
> <https://github.com/securego/gosec> now fails with an error like panic:
> golang.org/x/tools/go/packages: unexpected new packages during load of
> <some module> (full output at the end of this message). The module which
> fails changes on different runs; sometimes it's a stdlib package, sometimes
> it's a third party module, sometimes it's a first party module. The error
> comes from here:
> <https://cs.opensource.google/go/x/tools/+/refs/tags/v0.31.0:go/packages/packages.go;l=1547>
>
> I rebuilt gosec with a doctored version of golang.org/x/tools to make it
> actually report which package is unexpected; it is always
> "internal/runtime/maps" which was only added in Go 1.24. This feels like at
> least the smoke from a smoking gun, but it's unclear why that package is
> unexpectedly getting loaded.
>
> Unfortunately I haven't managed to produce a minimal reproduction, as I
> don't know what causes that module to be loaded (and what we're currently
> applying gosec to has a huge amount of dependencies).
>
> We're using Please <https://please.build/> as our build system, which
> means we're using its package driver
> <https://github.com/please-build/go-rules/tree/master/tools/driver> to
> actually locate all the modules. There is actually a test which runs gosec
> <https://github.com/please-build/go-rules/blob/master/tools/driver/test/BUILD>,
> but this seems to be working fine after upgrading that repository to 1.24.1
> (although that test is loading significantly less code than where gosec is
> failing on our internal repository).
>
> I would appreciate some advice from an expert on either
> golang.org/x/tools/go/packages or internal/runtime/maps.
>
> Full gosec output:
>
> [gosec] 2025/03/07 12:38:16 Including rules: default
> [gosec] 2025/03/07 12:38:16 Excluding rules: default
> [gosec] 2025/03/07 12:38:16 Including analyzers: default
> [gosec] 2025/03/07 12:38:16 Excluding analyzers: default
> [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
> [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
> [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
> [gosec] 2025/03/07 12:38:16 Import directory: /tmp/plz_sandbox/[REDACTED]
> 2025/03/07 12:38:16 golang.org/x/tools/go/packages: unexpected new
> packages during load of github.com/prometheus/client_golang/prometheus
> panic: golang.org/x/tools/go/packages: unexpected new packages during
> load of github.com/prometheus/client_golang/prometheus
>
> goroutine 282 [running]:
> log.Panicf({0xfd8f44?, 0x2?}, {0xc000b53b30?, 0x1b?, 0xc000f75020?})
>         /opt/tm/tools/go/1.24.1-20250305/usr/go/src/log/log.go:439 +0x65
> golang.org/x/tools/go/packages.(*loader).loadFromExportData(0xc000394000,
> 0xc0019fdcc0)
>         /home/slittley/third_party/tools/go/packages/packages.go:1553
> +0x97e
> golang.org/x/tools/go/packages.(*loader).loadPackage(0xc000394000,
> 0xc0019fdcc0)
>         /home/slittley/third_party/tools/go/packages/packages.go:1084
> +0x4f1
> golang.org/x/tools/go/packages.(*loader).refine.func2.1()
>         /home/slittley/third_party/tools/go/packages/packages.go:954 +0x2d
> golang.org/x/sync/errgroup.(*Group).Go.func1()
>         /home/slittley/go/pkg/mod/
> golang.org/x/sync@v0.12.0/errgroup/errgroup.go:78 +0x50
> created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 280
>         /home/slittley/go/pkg/mod/
> golang.org/x/sync@v0.12.0/errgroup/errgroup.go:75 +0x93
>


-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/CAFhR6xfAHhPE4eHEovxKeUSVKjtY1b_KdGJ_ppdQ%3DTYpC6S-zw%40mail.gmail.com.
