Closed
Description
Welcome
- Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've read the typecheck section of the FAQ (https://golangci-lint.run/usage/faq/#why-do-you-have-typecheck-errors).
- Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.). (https://golangci-lint.run/usage/linters/)
Description of the problem
By default, gosec omits `_test.go` files when run as a standalone linter. This is controlled by the `-tests` flag.
golangci-lint sets this flag to `true`, and provides no option to override it, resulting in unexpected security errors for test files which must be manually suppressed.
This code sets the `-tests` flag. It seems like this was introduced in #681, and is unrelated to the comment about concurrency.
If you agree that this isn't the intended behaviour, I'm happy to open a PR to change the default to `false` and expose the `-tests` setting to golangci-lint users.
Version of golangci-lint
$ golangci-lint --version
golangci-lint has version v1.53.3 built with go1.20.4 from (unknown, mod sum: "h1:CUcRafczT4t1F+mvdkUm6KuOpxUZTl0yWN/rSU6sSMo=") on (unknown)
Configuration
```yaml
run:
  timeout: "1m"
  modules-download-mode: "readonly"
issues:
  exclude-use-default: false
  exclude-rules:
    - path: '(.+)_test\.go'
      linters:
        - "wrapcheck"
  max-issues-per-linter: 0
  max-same-issues: 0
linters: # https://golangci-lint.run/usage/linters/
  enable:
    - "errcheck"
    - "exhaustive"
    - "gocheckcompilerdirectives"
    - "gosec"
    - "gosimple"
    - "govet"
    - "ineffassign"
    - "nilerr"
    - "nilnil"
    - "noctx"
    - "paralleltest"
    - "prealloc"
    - "reassign"
    - "rowserrcheck"
    - "sqlclosecheck"
    - "staticcheck"
    - "thelper"
    - "unconvert"
    - "unparam"
    - "unused"
    - "usestdlibvars"
    - "whitespace"
    - "wrapcheck"
linters-settings:
  exhaustive:
    default-signifies-exhaustive: true
  wrapcheck:
    ignoreSigs:
      - ".Errorf("
      - "response.New("
      - "response.Unwrap("
      - "response.Join("
      - ".Wrap("
      - ".Wrapf("
      - ".WithMessage("
      - ".WithMessagef("
      - ".WithStack("
      - "user.New"
      - "user.Parse"
    ignoreInterfaceRegexps:
      - "Presenter"
    ignorePackageGlobs:
      - "errors"
      - "github.com/gofiber/fiber/*"
      - "github.com/angusgmorrison/realworld-go/internal/domain/**"
      - "github.com/angusgmorrison/realworld-go/internal/inbound/rest/api/**"
```
Go environment
$ go version && go env
go version go1.21.0 darwin/arm64
GO111MODULE='on'
GOARCH='arm64'
GOBIN='/Users/angus/go/bin'
GOCACHE='/Users/angus/Library/Caches/go-build'
GOENV='/Users/angus/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/angus/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/angus/go'
GOPRIVATE=''
GOPROXY='proxy.golang.org'
GOROOT='/opt/homebrew/Cellar/go/1.21.0/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.21.0/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.0'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/angus/code/github.nosync/angusgmorrison/realworld-go/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/8_/4b9chjfx11n1_mj6wv9sx27m0000gp/T/go-build3115859895=/tmp/go-build -gno-record-gcc-switches -fno-common'
Verbose output of running
$ golangci-lint cache clean
$ golangci-lint run -v
INFO [config_reader] Config search paths: [./ /Users/angus/code/github.nosync/angusgmorrison/realworld-go /Users/angus/code/github.nosync/angusgmorrison /Users/angus/code/github.nosync /Users/angus/code /Users/angus /Users /]
INFO [config_reader] Used config file .golangci.yml
INFO [lintersdb] Active 24 linters: [errcheck exhaustive gocheckcompilerdirectives gosec gosimple govet ineffassign nilerr nilnil noctx paralleltest prealloc reassign rowserrcheck sqlclosecheck staticcheck thelper typecheck unconvert unparam unused usestdlibvars whitespace wrapcheck]
INFO [loader] Go packages loading at mode 575 (types_sizes|exports_file|files|imports|name|compiled_files|deps) took 2.108587625s
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 2.258292ms
INFO [linters_context/goanalysis] analyzers took 10.985466336s with top 10 stages: buildir: 6.535029545s, exhaustive: 853.420046ms, fact_deprecated: 569.494706ms, printf: 532.655617ms, ctrlflow: 436.88563ms, fact_purity: 368.255714ms, nilness: 363.79758ms, inspect: 342.462336ms, typedness: 316.843836ms, SA5012: 313.505629ms
INFO [runner] Issues before processing: 13, after processing: 5
INFO [runner] Processors filtering stat (out/in): fixer: 5/5, cgo: 13/13, autogenerated_exclude: 8/13, exclude-rules: 8/8, source_code: 5/5, max_same_issues: 5/5, path_shortener: 5/5, severity-rules: 5/5, path_prefixer: 5/5, path_prettifier: 13/13, exclude: 8/8, nolint: 5/8, diff: 5/5, identifier_marker: 8/8, sort_results: 5/5, max_per_file_from_linter: 5/5, max_from_linter: 5/5, filename_unadjuster: 13/13, skip_files: 13/13, skip_dirs: 13/13, uniq_by_line: 5/5
INFO [runner] processing took 2.11546ms with stages: nolint: 1.122874ms, autogenerated_exclude: 516.749µs, path_prettifier: 182.458µs, source_code: 129.376µs, identifier_marker: 92.583µs, skip_dirs: 58.084µs, exclude-rules: 6.334µs, uniq_by_line: 1.958µs, cgo: 1.125µs, path_shortener: 959ns, filename_unadjuster: 542ns, fixer: 459ns, max_per_file_from_linter: 417ns, max_same_issues: 416ns, severity-rules: 292ns, sort_results: 250ns, exclude: 208ns, skip_files: 125ns, max_from_linter: 125ns, diff: 84ns, path_prefixer: 42ns
INFO [runner] linters took 4.089380667s with stages: goanalysis_metalinter: 4.08719325s
internal/config/config.go:86:19: G304: Potential file inclusion via variable (gosec)
pemBytes, err := os.ReadFile(path)
^
internal/domain/user/helpers_test.go:20:12: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
length := rand.Intn(PasswordMaxLen-PasswordMinLen) + PasswordMinLen
^
internal/domain/user/helpers_test.go:26:16: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
paragraphs := rand.Intn(4) + 1
^
internal/domain/user/helpers_test.go:27:15: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
sentences := rand.Intn(2) + 1
^
internal/domain/user/helpers_test.go:28:11: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
words := rand.Intn(10) + 1
^
INFO File cache stats: 2 entries of total size 4.5KiB
INFO Memory: 65 samples, avg is 305.7MB, max is 626.8MB
INFO Execution took 6.306986875s
A minimal reproducible example or link to a public repository
See branch `parse-dont-validate` in https://github.com/AngusGMorrison/realworld-go
Validation
- Yes, I've included all information above (version, config, etc.).
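
A triage helper for the output above, added here as an example and not part of the original report or of golangci-lint: it parses the gosec finding lines from the verbose run and separates those in `_test.go` files, the set the report says standalone gosec omits by default. `Finding`, `SplitGosec` and the plain `_test.go` suffix check are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one issue parsed from golangci-lint's text output.
type Finding struct{ File, Line, Rule, Linter string }

// findingRe matches "path.go:line:col: Gxxx: message (linter)".
var findingRe = regexp.MustCompile(`^(\S+\.go):(\d+):\d+: (G\d+): .*\((\w+)\)$`)

// sampleOutput holds the five finding lines from the report's verbose run,
// plus one INFO line and one source line to show that they are skipped.
const sampleOutput = `INFO [runner] Issues before processing: 13, after processing: 5
internal/config/config.go:86:19: G304: Potential file inclusion via variable (gosec)
pemBytes, err := os.ReadFile(path)
internal/domain/user/helpers_test.go:20:12: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
internal/domain/user/helpers_test.go:26:16: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
internal/domain/user/helpers_test.go:27:15: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
internal/domain/user/helpers_test.go:28:11: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
`

// SplitGosec separates gosec findings in _test.go files from the rest.
// Assumption: a "_test.go" suffix check stands in for gosec's own test-file
// filter; this is not gosec or golangci-lint code.
func SplitGosec(output string) (prod, tests []Finding) {
	for _, line := range strings.Split(output, "\n") {
		m := findingRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil || m[4] != "gosec" {
			continue // INFO lines, source snippets, carets, other linters
		}
		f := Finding{File: m[1], Line: m[2], Rule: m[3], Linter: m[4]}
		if strings.HasSuffix(f.File, "_test.go") {
			tests = append(tests, f)
		} else {
			prod = append(prod, f)
		}
	}
	return prod, tests
}

func main() {
	prod, tests := SplitGosec(sampleOutput)
	fmt.Printf("non-test findings: %d, test-only findings: %d\n", len(prod), len(tests))
}
```

Piping real `golangci-lint run` output through `SplitGosec` shows how many gosec findings come only from test files before deciding whether to suppress them.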