HS-LEAKS: False positive in go.sum (linkedin...)
stefanb opened this issue
When a Go program uses a module from LinkedIn (e.g. https://github.com/linkedin/goavro), the name will be mentioned in the go.sum file followed by a hash on the same line, e.g.:
github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM=
github.com/linkedin/goavro/v2 v2.10.0/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
github.com/linkedin/goavro/v2 v2.10.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
github.com/linkedin/goavro/v2 v2.11.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
...which triggers a false positive via the regexp in horusec/internal/services/engines/leaks/rules.go (lines 171 to 187 in 873d410).
This likely affects other LEAKS rules with loose regexps and companies publishing open-source libraries.
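The failure mode described above, as an added example that is not part of the issue or of horusec's code: a hypothetical vendor-name rule in the loose style the report describes (the word "linkedin", a short gap, then a token-like run of characters) is run over the two go.sum lines quoted above plus a constructed line that really does embed a credential (the value is invented). The same input is then scanned with a tightened pattern that requires credential context (a key name such as secret/key/token/client_id, an assignment and a quoted value), and with a go.sum record allow-list applied before the loose rule. Both mitigations keep the true positive and drop the module-path hits. Neither pattern is horusec's actual rule; the pattern names, `scan` and `goSumLine` are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample input: the two go.sum entries quoted in the issue and one
// line that genuinely hard-codes a credential (value invented for this example).
var samples = []string{
	"github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM=",
	"github.com/linkedin/goavro/v2 v2.10.0/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=",
	`linkedin_client_secret = "AbCdEfGh12345678"`,
}

// looseLinkedIn is a hypothetical rule in the loose style the issue describes:
// the vendor name, a short gap of anything, then a run of token-like characters.
// A module path followed by an h1: checksum satisfies it just as well as a key.
var looseLinkedIn = regexp.MustCompile(`(?i)linkedin.{0,40}[0-9A-Za-z+/]{16,}`)

// strictLinkedIn is a hypothetical tightened rule: it additionally demands a
// key name that says what the value is, an assignment operator and a quoted
// value. go.sum records carry none of that context.
var strictLinkedIn = regexp.MustCompile(`(?i)linkedin[\w.-]{0,30}(?:secret|key|token|client_id)\s*[:=]\s*['"][0-9A-Za-z]{12,}['"]`)

// goSumLine recognises the go.sum record format: module path, version
// (optionally suffixed with /go.mod), then an "h1:" base64 SHA-256 checksum.
var goSumLine = regexp.MustCompile(`^\S+ \S+ h1:[A-Za-z0-9+/=]{44}$`)

// scan returns the lines a rule flags. With skipGoSum set, lines in go.sum
// record format are allow-listed before the rule is applied.
func scan(rule *regexp.Regexp, lines []string, skipGoSum bool) []string {
	var hits []string
	for _, l := range lines {
		if skipGoSum && goSumLine.MatchString(l) {
			continue
		}
		if rule.MatchString(l) {
			hits = append(hits, l)
		}
	}
	return hits
}

func main() {
	fmt.Println("loose rule:", len(scan(looseLinkedIn, samples, false)), "hits")
	fmt.Println("strict rule:", len(scan(strictLinkedIn, samples, false)), "hits")
	fmt.Println("loose rule + go.sum allow-list:", len(scan(looseLinkedIn, samples, true)), "hits")
}
```

The loose rule reports all three lines; both the context-requiring pattern and the go.sum allow-list report only the credential line. Requiring context in the pattern is the more general fix, since it also covers vendor names appearing in package-lock.json, Gemfile.lock and similar manifests; the allow-list only covers the one file format it recognises.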