{ "runs": [ { "results": [ { "fixes": [ { "artifactChanges": [ { "artifactLocation": { "description": { "text": "File requiring changes" } }, "replacements": [ { "deletedRegion": { "endColumn": 1, "endLine": 1, "startColumn": 1, "startLine": 1 } } ] } ], "description": { "markdown": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal.", "text": "Consider using os.Root to scope file access under a fixed root (Go \u003e=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal." } } ], "level": "error", "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "internal/config/config.go" }, "region": { "endColumn": 15, "endLine": 41, "snippet": { "text": "data, err := os.ReadFile(path)" }, "sourceLanguage": "go", "startColumn": 15, "startLine": 41 } } } ], "message": { "text": "Potential file inclusion via variable" }, "ruleId": "G304" } ], "taxonomies": [ { "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.4.xml.zip", "guid": "f2856fc0-85b7-373f-83e7-6f8582243547", "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.4.pdf/", "isComprehensive": true, "language": "en", "minimumRequiredLocalizedDataSemanticVersion": "4.4", "name": "CWE", "organization": "MITRE", "releaseDateUtc": "2021-03-15", "shortDescription": { "text": "The MITRE Common Weakness Enumeration" }, "taxa": [ { "fullDescription": { "text": "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." }, "guid": "3e718404-88bc-3f17-883e-e85e74078a76", "helpUri": "https://cwe.mitre.org/data/definitions/22.html", "id": "22", "shortDescription": { "text": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } } ], "version": "4.4" } ], "tool": { "driver": { "guid": "8b518d5f-906d-39f9-894b-d327b1a421c5", "informationUri": "https://github.com/securego/gosec/", "name": "gosec", "rules": [ { "defaultConfiguration": { "level": "error" }, "fullDescription": { "text": "Potential file inclusion via variable" }, "help": { "text": "Potential file inclusion via variable\nSeverity: MEDIUM\nConfidence: HIGH\n" }, "id": "G304", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "properties": { "precision": "high", "tags": [ "security", "MEDIUM" ] }, "relationships": [ { "kinds": [ "superset" ], "target": { "guid": "3e718404-88bc-3f17-883e-e85e74078a76", "id": "22", "toolComponent": { "guid": "f2856fc0-85b7-373f-83e7-6f8582243547", "name": "CWE" } } } ], "shortDescription": { "text": "Potential file inclusion via variable" } } ], "semanticVersion": "2.24.7", "supportedTaxonomies": [ { "guid": "f2856fc0-85b7-373f-83e7-6f8582243547", "name": "CWE" } ], "version": "2.24.7" } } } ], "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "version": "2.1.0" }