fix: G602 false positive for array element access (#1499)

Fixes #1495

Author: ravisastryk

analyzers/slice_bounds.go

@@ -195,6 +195,10 @@ func runSliceBounds(pass *analysis.Pass) (result any, err error) {
 												issue.Low,
 												issue.High)
 										case *ssa.IndexAddr:
+											// Skip IndexAddr that directly accesses the original array (not the slice)
+											if s.X == instr {
+												continue
+											}
 											issues[s] = newIssue(
 												pass.Analyzer.Name,
 												"slice index out of range",
@@ -578,6 +582,8 @@ func (s *sliceBoundsState) extractIntValueIndexAddr(refinstr *ssa.IndexAddr, sli
 		if !isSliceIndexInsideBounds(sliceCap+sliceIncr, finalIdx) {
 			return finalIdx, nil
 		}
+		// Constant index is within bounds; avoid BFS exploring shared SSA constant referrers
+		return 0, errNoFound
 	}
 
 	// Case 2: Base is a Phi node (loop counter)

testutils/g602_samples.go

@@ -651,4 +651,49 @@ func main() {
 	fmt.Println(s[idx])
 }
 `}, 1, gosec.NewConfig()},
+	// Issue #1495: G602 false positive for array element access with coexisting slice expression
+	{[]string{`
+package main
+import (
+	"log/slog"
+	"runtime"
+	"time"
+)
+func main() {
+	var pcs [1]uintptr
+	runtime.Callers(2, pcs[:])
+	r := slog.NewRecord(time.Now(), slog.LevelError, "test", pcs[0])
+	_ = r
+}
+`}, 0, gosec.NewConfig()},
+	{[]string{`
+package main
+func main() {
+	var buf [4]byte
+	copy(buf[:], []byte("test"))
+	_ = buf[0]
+	_ = buf[1]
+	_ = buf[2]
+	_ = buf[3]
+}
+`}, 0, gosec.NewConfig()},
+	{[]string{`
+package main
+func main() {
+	var buf [2]byte
+	copy(buf[:], []byte("ab"))
+	idx := 3
+	_ = buf[idx]
+}
+`}, 1, gosec.NewConfig()},
+	{[]string{`
+package main
+func doWork(s []int) {}
+func main() {
+	var arr [5]int
+	doWork(arr[:])
+	_ = arr[0]
+	_ = arr[4]
+}
+`}, 0, gosec.NewConfig()},
 }