analyzer: do not analyze generated go files

odeke-em · odeke-em · commit 00d45f6adca7 · 2022-09-20T18:32:50.000-07:00
This change filters out code that contains the Go standardized generated code header ^// Code generated .* DO NOT EDIT\. per golang/go#13560. Fixes #30
diff --git a/analyzer.go b/analyzer.go
@@ -26,8 +26,10 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"runtime" // #nosec
 	"sort"
 	"strconv"
+	"sync"
 
 	"strings"
 
@@ -157,6 +159,69 @@ func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error
 	return nil
 }
 
+var reGeneratedGoFile = regexp.MustCompile(`^// Code generated .* DO NOT EDIT\.`)
+
+// filterOutGeneratedGoFiles parallelizes the proocess of checking the contents
+// of the files in fullPaths for the presence of generated Go headers to avoid
+// reporting on generated code, per https://github.com/cosmos/gosec/issues/30
+func filterOutGeneratedGoFiles(fullPaths []string) (filtered []string) {
+	// position stores the order "pos" which will later be
+	// used to sort the paths to maintain original order
+	// despite the concurrent filtering that'll take place.
+	type position struct {
+		pos      int
+		fullPath string
+	}
+
+	posCh := make(chan *position, 10)
+	go func() {
+		defer close(posCh)
+		for i, fullPath := range fullPaths {
+			posCh <- &position{pos: i, fullPath: fullPath}
+		}
+	}()
+
+	filteredCh := make(chan *position, 10)
+	var wg sync.WaitGroup
+	// Spin up NumCPU goroutines that'll each open up a file
+	// for as long as there is one to be read on posCh.
+	for i := 0; i < runtime.NumCPU(); i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			for pi := range posCh {
+				blob, err := os.ReadFile(pi.fullPath)
+				if err != nil {
+					panic(err)
+				}
+				if !reGeneratedGoFile.Match(blob) {
+					filteredCh <- pi
+				}
+			}
+		}()
+	}
+
+	go func() {
+		wg.Wait()
+		close(filteredCh)
+	}()
+
+	ordered := make([]*position, 0, len(fullPaths))
+	for nonGeneratedGoFilePath := range filteredCh {
+		ordered = append(ordered, nonGeneratedGoFilePath)
+	}
+	sort.Slice(ordered, func(i, j int) bool {
+		oi, oj := ordered[i], ordered[j]
+		return oi.pos < oj.pos
+	})
+
+	filtered = make([]string, 0, len(ordered))
+	for _, oi := range ordered {
+		filtered = append(filtered, oi.fullPath)
+	}
+	return filtered
+}
+
 func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.Package, error) {
 	abspath, err := GetPkgAbsPath(pkgPath)
 	if err != nil {
@@ -183,9 +248,9 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 		}
 	}
 
-	// step 1/3 create build context.
+	// step 1/4 create build context.
 	buildD := build.Default
-	// step 2/3: add build tags to get env dependent files into basePackage.
+	// step 2/4: add build tags to get env dependent files into basePackage.
 	buildD.BuildTags = conf.BuildFlags
 	buildD.Dir = absGoModPath
 	basePackage, err := buildD.ImportDir(abspath, build.ImportComment)
@@ -197,6 +262,7 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 	for _, filename := range basePackage.GoFiles {
 		packageFiles = append(packageFiles, path.Join(abspath, filename))
 	}
+
 	for _, filename := range basePackage.CgoFiles {
 		packageFiles = append(packageFiles, path.Join(abspath, filename))
 	}
@@ -210,7 +276,12 @@ func (gosec *Analyzer) load(pkgPath string, conf *packages.Config) ([]*packages.
 		}
 	}
 
-	// step 3/3 remove build tags from conf to proceed build correctly.
+	// step 3/4: now filter out generated go files as we definitely don't
+	// want to report on generated code, which is out of our direct control.
+	// Please see: https://github.com/cosmos/gosec/issues/30
+	packageFiles = filterOutGeneratedGoFiles(packageFiles)
+
+	// step 4/4: remove build tags from conf to proceed build correctly.
 	conf.BuildFlags = nil
 	conf.Dir = absGoModPath
 	pkgs, err := packages.Load(conf, packageFiles...)
diff --git a/analyzer_skip_generated_go_test.go b/analyzer_skip_generated_go_test.go
@@ -0,0 +1,40 @@
+package gosec
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestUnitFilterOutGeneratedGoFiles(t *testing.T) {
+	f, err := os.Open("./testdata")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	fiL, err := f.Readdir(-1)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	goFiles := make([]string, 0, 10)
+	for _, fi := range fiL {
+		if !fi.IsDir() && strings.HasSuffix(fi.Name(), ".go") {
+			goFiles = append(goFiles, filepath.Join(f.Name(), fi.Name()))
+		}
+	}
+
+	filtered := filterOutGeneratedGoFiles(goFiles)
+	want := []string{
+		"testdata/without_generated_header.go",
+                "testdata/with_cgo_import_no_generated_code.go",
+                "testdata/with_regular_code_comment_about_generated.go",
+	}
+	if diff := cmp.Diff(filtered, want); diff != "" {
+		t.Fatalf("Result mismatch: got - want +\n%s", diff)
+	}
+}
diff --git a/testdata/with_cgo_import_generated_code.go b/testdata/with_cgo_import_generated_code.go
diff --git a/testdata/with_cgo_import_no_generated_code.go b/testdata/with_cgo_import_no_generated_code.go
@@ -0,0 +1,5 @@
+package test
+
+import "C"
+
+type fooC = C.int
diff --git a/testdata/with_generated_header.go b/testdata/with_generated_header.go
diff --git a/testdata/with_regular_code_comment_about_generated.go b/testdata/with_regular_code_comment_about_generated.go
@@ -0,0 +1,3 @@
+package test
+
+// This is a comment about "// Code generated by. DO NOT EDIT."
diff --git a/testdata/without_generated_header.go b/testdata/without_generated_header.go
@@ -0,0 +1,5 @@
+package test
+
+import "io"
+
+type r = io.Reader

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package test`
	`2`	`+`
	`3`	`+// This is a comment about "// Code generated by. DO NOT EDIT."`