如何禁用“TLS InsecureSkipVerify 可能为真”错误

Question

我有这样的代码：

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

当我运行时，golangci-lint run它会识别该nolint指令并忽略该错误，但是当 Sonarqube 运行时，它会不断失败并显示消息“TLS InsecureSkipVerify 可能为真”

此问题https://github.com/securego/gosec/issues/278讨论了#nosec在评论中使用来禁用该错误。这里讨论了在声明的特定部分中使用它https://github.com/securego/gosec/issues/278#issuecomment-745209803

所以我尝试过：

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        // NOSONAR #nosec 
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec 
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
    }
}

和

if cfg.GetRedisTLS() {
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        //nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
        /* #nosec */ InsecureSkipVerify /* #nosec */ :/* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
    }
}

我在 gosec 项目中打开了这个问题https://github.com/securego/gosec/issues/780

我还能做什么来忽略 gosec 中的这一点？

Answer 1

正如@rodolfo所建议的，我复制了Github上提到的解决方案，因为它可能对其他人有帮助。

显然，在声明// #nosec G402 的同一行上使用if可以解决问题：

if cfg.GetRedisTLS() { // #nosec G402
    clientOpts.TLSConfig = &tls.Config{
        MinVersion: tls.VersionTLS12,
        InsecureSkipVerify: cfg.GetRedisInsecure(),
    }
}