G602 (CWE-118): slice index out of range false positive

[dev-gto]

Hello all,

the gosec v2.22.10 (released yesterday) started to complain regarding false positives for G602 (CWE-118): slice index out of range

for instance, the following code shouldn't generate warning, should it?

package main

func main() {
	value := "1234567890"
	weight := []int{2, 3, 4, 5, 6, 7}
	wLen := len(weight)
	l := len(value) - 1

	addr := make([]any, 7)
	sum := 0
	weight[2] = 3
	for i := l; i >= 0; i-- {
		v := int(value[i] - '0')
		if v < 0 || v > 9 {
			println("invalid number at column", i+1)
			break
		}
		addr[2] = v
		sum += v * weight[(l-i)%wLen]
	}
	println(sum)
}

[/{redacted}/main.go:21] - G602 (CWE-118): slice index out of range (Confidence: HIGH, Severity: LOW)
    20: 		addr[2] = v
  > 21: 		sum += v * weight[(l-i)%wLen]
    22: 	}

Autofix: 

[/{redacted}/main.go:20] - G602 (CWE-118): slice index out of range (Confidence: HIGH, Severity: LOW)
    19: 		}
  > 20: 		addr[2] = v
    21: 		sum += v * weight[(l-i)%wLen]

Autofix: 

Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 24
  Nosec  : 0
  Issues : 2

Can you please evaluate this?

Kind regards,

[ainar-g]

We also have lots of false positives when working with switches and arrays in our package netutil in AdguardTeam/golibs. For example:

    86  func isLocallyServedV6(ip [16]byte) (ok bool) {
    87          switch ip[0] {
    88          case 0x00:
    89                  return string(ip[1:15]) == "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" &&
    90                          ip[15]&0xFE == 0x00
    91          case 0x20:
    92                  return string(ip[1:4]) == "\x01\x0D\xB8"
    93          case 0xFE:
    94                  return ip[1]&0xC0 == 0x80  // False positive here.
    95          default:
    96                  return ip[0] == 0xFD       // False positive here.
    97          }
    98  }

[ccojocar]

@kondratev please could you have a look at this issue? I think is related to #1396. Thanks