gosec: handling of global nosec option when it is false (#5228)

Author: alexandear

pkg/golinters/gosec/gosec.go

@@ -184,7 +184,15 @@ func convertGosecGlobals(globalOptionFromConfig any, conf gosec.Config) {
 	}
 
 	for k, v := range globalOptionMap {
-		conf.SetGlobal(gosec.GlobalOption(k), fmt.Sprintf("%v", v))
+		option := gosec.GlobalOption(k)
+
+		// Set nosec global option only if the value is true
+		// https://github.com/securego/gosec/blob/v2.21.4/analyzer.go#L572
+		if option == gosec.Nosec && v == false {
+			continue
+		}
+
+		conf.SetGlobal(option, fmt.Sprintf("%v", v))
 	}
 }
 

pkg/golinters/gosec/gosec_test.go

@@ -39,6 +39,22 @@ func Test_toGosecConfig(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "with global settings nosec enabled",
+			settings: &config.GoSecSettings{
+				Config: map[string]any{
+					gosec.Globals: map[string]any{
+						string(gosec.Nosec): false,
+						string(gosec.Audit): "true",
+					},
+				},
+			},
+			expected: gosec.Config{
+				"global": map[gosec.GlobalOption]string{
+					"audit": "true",
+				},
+			},
+		},
 		{
 			desc: "rule specified setting",
 			settings: &config.GoSecSettings{

pkg/golinters/gosec/testdata/gosec_nosec.go

@@ -0,0 +1,14 @@
+//golangcitest:args -Egosec
+//golangcitest:config_path testdata/gosec_nosec.yml
+package testdata
+
+import (
+	"crypto/md5" // want "G501: Blocklisted import crypto/md5: weak cryptographic primitive"
+	"log"
+)
+
+func Gosec() {
+	// #nosec G401
+	h := md5.New()
+	log.Print(h)
+}

pkg/golinters/gosec/testdata/gosec_nosec.yml

@@ -0,0 +1,5 @@
+linters-settings:
+  gosec:
+    config:
+      global:
+        nosec: false