Panic in gosec 2.21.3 conversion overflow analyzer #1229
Description
Summary
We started getting panic on some of our routine gosec scans. I'm not certain as to what exactly triggers it, but it happens when scanning a large project.
panic: unexpected constant value: <nil>
goroutine 1 [running]:
golang.org/x/tools/go/ssa.(*Const).Uint64(0xc0098c2300)
golang.org/x/tools@v0.25.0/go/ssa/const.go:214 +0x105
github.com/securego/gosec/v2/analyzers.updateExplicitValues(0xc00124b250, 0xc0098c2300)
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:398 +0xce
github.com/securego/gosec/v2/analyzers.updateResultFromBinOp(0xc00124b250, 0xc008eee1c0, 0xc00124b550?, 0x0)
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:378 +0x110
github.com/securego/gosec/v2/analyzers.getResultRange(0xc004f6acd8, 0xc0030c7130, 0xc00124b550)
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:322 +0x305
github.com/securego/gosec/v2/analyzers.hasExplicitRangeCheck(0xc0030c7130, {0xc0011a78d8?, 0x6?})
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:270 +0x279
github.com/securego/gosec/v2/analyzers.isSafeConversion(0xc0030c7130)
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:187 +0xaa
github.com/securego/gosec/v2/analyzers.runConversionOverflow(0xc005cb6460)
github.com/securego/gosec/v2@v2.21.3/analyzers/conversion_overflow.go:81 +0x27e
github.com/securego/gosec/v2.(*Analyzer).CheckAnalyzers(0xc000e9c480, 0xc000f14000)
github.com/securego/gosec/v2@v2.21.3/analyzer.go:446 +0x4a2
github.com/securego/gosec/v2.(*Analyzer).Process(0xc000e9c480, {0x0, 0x0, 0x0}, {0xc0002cd6c0, 0xd, 0x3d?})
github.com/securego/gosec/v2@v2.21.3/analyzer.go:317 +0x488
main.main()
github.com/securego/gosec/v2@v2.21.3/cmd/gosec/main.go:476 +0xde5
Steps to reproduce the behavior
Scan a directory using:
gosec -concurrency=1 -verbose -nosec=false -confidence=high -severity=high
gosec version
2.21.3
Go version (output of 'go version')
1.22.4
Operating system / Environment
Linux