ignore false positive on G407 (#106)

geofffranks · web-flow · commit 8a3588f66f9d · 2024-10-23T09:59:22.000-04:00
diff --git a/encryption/crypt.go b/encryption/crypt.go
@@ -72,5 +72,6 @@ func (d *cryptor) Decrypt(encrypted Encrypted) ([]byte, error) {
 		return nil, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
 	}
 
+	// #nosec G407 - G407 is incorrectly flagging Decrypt calls that use the nonce provided in the encrypted data. we randomize this for encryption, which is where it matters. https://github.com/securego/gosec/issues/1209
 	return aead.Open(nil, encrypted.Nonce, encrypted.CipherText, nil)
 }

Original file line number	Diff line number	Diff line change
`@@ -72,5 +72,6 @@ func (d *cryptor) Decrypt(encrypted Encrypted) ([]byte, error) {`
`72`	`72`	`return nil, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)`
`73`	`73`	`}`
`74`	`74`
	`75`	`+ // #nosec G407 - G407 is incorrectly flagging Decrypt calls that use the nonce provided in the encrypted data. we randomize this for encryption, which is where it matters. https://github.com/securego/gosec/issues/1209`
`75`	`76`	`return aead.Open(nil, encrypted.Nonce, encrypted.CipherText, nil)`
`76`	`77`	`}`