Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#1516)

* Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks

This PR introduces G118, a new SSA-based gosec rule that detects
high-risk context misuse patterns: goroutines using
context.Background/TODO when request context exists, missing cancel()
calls from WithCancel/WithTimeout/WithDeadline, and unbounded blocking
loop regions without ctx.Done() guards.
These patterns can leak goroutines and I/O resources, leading to
resource exhaustion/DoS in production services.
The rule is mapped to CWE-400, integrated into analyzer registration and
docs, and includes positive/negative samples (including complex loop CFG
cases) to reduce false positives while preserving detection quality.

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

* Fix false pasitive

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

---------

Signed-off-by: Cosmin Cojocar <cosmin@cojocar.ch>

Author: ccojocar

README.md

@@ -196,6 +196,7 @@ directory you can supply `./...` as the input argument.
 - G115: Potential integer overflow when converting between integer types
 - G116: Detect Trojan Source attacks using bidirectional Unicode control characters
 - G117: Potential exposure of secrets via JSON marshaling
+- G118: Context propagation failure leading to goroutine/resource leaks
 - G201: SQL query construction using format string
 - G202: SQL query construction using string concatenation
 - G203: Use of unescaped data in HTML templates

analyzers/analyzers_test.go

@@ -51,6 +51,10 @@ var _ = Describe("gosec analyzers", func() {
 	})
 
 	Context("report correct errors for all samples", func() {
+		It("should detect context propagation failures", func() {
+			runner("G118", testutils.SampleCodeG118)
+		})
+
 		It("should detect HTTP request smuggling", func() {
 			runner("G113", testutils.SampleCodeG113)
 		})

analyzers/analyzerslist.go

@@ -113,6 +113,7 @@ func NewAnalyzerFilter(action bool, analyzerIDs ...string) AnalyzerFilter {
 }
 
 var defaultAnalyzers = []AnalyzerDefinition{
+	{"G118", "Context propagation failure leading to goroutine/resource leaks", newContextPropagationAnalyzer},
 	{"G113", "HTTP request smuggling via conflicting headers or bare LF in body parsing", newRequestSmugglingAnalyzer},
 	{"G115", "Type conversion which leads to integer overflow", newConversionOverflowAnalyzer},
 	{"G602", "Possible slice bounds out of range", newSliceBoundsAnalyzer},