@@ -558,66 +558,71 @@ func (gosec *Analyzer) AppendError(file string, err error) {
558558
559559// ignore a node (and sub-tree) if it is tagged with a nosec tag comment
560560func (gosec * Analyzer ) ignore (n ast.Node ) map [string ]issue.SuppressionInfo {
561- if groups , ok := gosec .context .Comments [n ]; ok && ! gosec .ignoreNosec {
561+ if gosec .ignoreNosec {
562+ return nil
563+ }
564+ groups , ok := gosec .context .Comments [n ]
565+ if ! ok {
566+ return nil
567+ }
562568
563- // Checks if an alternative for #nosec is set and, if not, uses the default.
564- noSecDefaultTag , err := gosec .config .GetGlobal (Nosec )
565- if err != nil {
566- noSecDefaultTag = NoSecTag (string (Nosec ))
567- } else {
568- noSecDefaultTag = NoSecTag (noSecDefaultTag )
569- }
570- noSecAlternativeTag , err := gosec .config .GetGlobal (NoSecAlternative )
571- if err != nil {
572- noSecAlternativeTag = noSecDefaultTag
573- } else {
574- noSecAlternativeTag = NoSecTag (noSecAlternativeTag )
575- }
569+ // Checks if an alternative for #nosec is set and, if not, uses the default.
570+ noSecDefaultTag , err := gosec .config .GetGlobal (Nosec )
571+ if err != nil {
572+ noSecDefaultTag = NoSecTag (string (Nosec ))
573+ } else {
574+ noSecDefaultTag = NoSecTag (noSecDefaultTag )
575+ }
576+ noSecAlternativeTag , err := gosec .config .GetGlobal (NoSecAlternative )
577+ if err != nil {
578+ noSecAlternativeTag = noSecDefaultTag
579+ } else {
580+ noSecAlternativeTag = NoSecTag (noSecAlternativeTag )
581+ }
576582
577- for _ , group := range groups {
578- comment := strings .TrimSpace (group .Text ())
579- foundDefaultTag := strings .HasPrefix (comment , noSecDefaultTag ) || regexp .MustCompile ("\n *" + noSecDefaultTag ).MatchString (comment )
580- foundAlternativeTag := strings .HasPrefix (comment , noSecAlternativeTag ) || regexp .MustCompile ("\n *" + noSecAlternativeTag ).MatchString (comment )
583+ for _ , group := range groups {
584+ comment := strings .TrimSpace (group .Text ())
585+ foundDefaultTag := strings .HasPrefix (comment , noSecDefaultTag ) || regexp .MustCompile ("\n *" + noSecDefaultTag ).MatchString (comment )
586+ foundAlternativeTag := strings .HasPrefix (comment , noSecAlternativeTag ) || regexp .MustCompile ("\n *" + noSecAlternativeTag ).MatchString (comment )
581587
582- if foundDefaultTag || foundAlternativeTag {
583- gosec .stats .NumNosec ++
588+ if foundDefaultTag || foundAlternativeTag {
589+ gosec .stats .NumNosec ++
584590
585- // Discard what's in front of the nosec tag.
586- if foundDefaultTag {
587- comment = strings .SplitN (comment , noSecDefaultTag , 2 )[1 ]
588- } else {
589- comment = strings .SplitN (comment , noSecAlternativeTag , 2 )[1 ]
590- }
591+ // Discard what's in front of the nosec tag.
592+ if foundDefaultTag {
593+ comment = strings .SplitN (comment , noSecDefaultTag , 2 )[1 ]
594+ } else {
595+ comment = strings .SplitN (comment , noSecAlternativeTag , 2 )[1 ]
596+ }
591597
592- // Extract the directive and the justification.
593- justification := ""
594- commentParts := regexp .MustCompile (`-{2,}` ).Split (comment , 2 )
595- directive := commentParts [0 ]
596- if len (commentParts ) > 1 {
597- justification = strings .TrimSpace (strings .TrimRight (commentParts [1 ], "\n " ))
598- }
598+ // Extract the directive and the justification.
599+ justification := ""
600+ commentParts := regexp .MustCompile (`-{2,}` ).Split (comment , 2 )
601+ directive := commentParts [0 ]
602+ if len (commentParts ) > 1 {
603+ justification = strings .TrimSpace (strings .TrimRight (commentParts [1 ], "\n " ))
604+ }
599605
600- // Pull out the specific rules that are listed to be ignored.
601- re := regexp .MustCompile (`(G\d{3})` )
602- matches := re .FindAllStringSubmatch (directive , - 1 )
606+ // Pull out the specific rules that are listed to be ignored.
607+ re := regexp .MustCompile (`(G\d{3})` )
608+ matches := re .FindAllStringSubmatch (directive , - 1 )
603609
604- suppression := issue.SuppressionInfo {
605- Kind : "inSource" ,
606- Justification : justification ,
607- }
610+ suppression := issue.SuppressionInfo {
611+ Kind : "inSource" ,
612+ Justification : justification ,
613+ }
608614
609- // Find the rule IDs to ignore.
610- ignores := make (map [string ]issue.SuppressionInfo )
611- for _ , v := range matches {
612- ignores [v [1 ]] = suppression
613- }
615+ // Find the rule IDs to ignore.
616+ ignores := make (map [string ]issue.SuppressionInfo )
617+ for _ , v := range matches {
618+ ignores [v [1 ]] = suppression
619+ }
614620
615- // If no specific rules were given, ignore everything.
616- if len (matches ) == 0 {
617- ignores [aliasOfAllRules ] = suppression
618- }
619- return ignores
621+ // If no specific rules were given, ignore everything.
622+ if len (matches ) == 0 {
623+ ignores [aliasOfAllRules ] = suppression
620624 }
625+ return ignores
621626 }
622627 }
623628 return nil
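Review bot: At new lines 585–586 the configured tag is concatenated unescaped into the pattern passed to `regexp.MustCompile`, so a `Nosec` or `NoSecAlternative` value containing regex metacharacters is treated as a pattern rather than a literal. That can panic the analyzer on an invalid pattern, or mark a comment as tagged when it lacks the literal tag, in which case `strings.SplitN(comment, noSecDefaultTag, 2)[1]` at new lines 593/595 would index out of range; whether the config value is validated elsewhere is not visible here. Escape the tag and build the matcher once before the loop instead of per comment group, e.g. `defaultRe := regexp.MustCompile("\n *" + regexp.QuoteMeta(noSecDefaultTag))`, and likewise for the alternative tag. The body of `ignore` closes just outside the hunk.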