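I'm not sure how deeply gosec analyzes code, but it reports a G117 finding on the code below. The custom MarshalJSON masks the password before encoding, so the finding appears to be triggered by the field name "Password" rather than by the real secret being marshaled.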
package code
import (
"encoding/json"
)
// Credentials pairs a username with its password.
//
// Password is tagged `json:"-"`, which excludes it from encoding/json's
// default field-by-field encoding and decoding. That tag is only a default:
// the MarshalJSON method on this type takes precedence when encoding, so the
// method decides what is written for the password.
type Credentials struct {
	Username string
	Password string `json:"-"` // secret; omitted by the default JSON codec
}
// MarshalJSON implements json.Marshaler for Credentials.
//
// encoding/json calls this method instead of walking the struct's fields, so
// the `json:"-"` tag on Credentials.Password is not consulted when encoding.
// The emitted object has the keys "Username" and "Password". The Password
// value is the result of mask(c.Password), never c.Password itself.
func (c Credentials) MarshalJSON() ([]byte, error) {
	// A method-less local type is encoded with the default rules, so
	// json.Marshal does not recurse back into this method.
	type redacted struct {
		Username string
		Password string
	}

	out := redacted{
		Username: c.Username,
		Password: mask(c.Password), // only the masked form is serialized
	}
	return json.Marshal(out)
}
// mask returns a placeholder to serialize in place of a secret.
//
// This version ignores input and always returns "****", so neither the
// content nor the length of the secret shows in the output. In real code
// this may reveal the first/last character, but not the full value.
// NOTE(review): for short secrets, revealing edge characters exposes a large
// share of the value; keep the fixed placeholder unless partial display is a
// real requirement.
func mask(input string) string {
	const placeholder = "****"
	return placeholder
}
gosec_G117.go:17:9: G117: Marshaled struct field "Password" (JSON key "Password") matches secret pattern (gosec)
return json.Marshal(Aux{
Username: c.Username,
Password: mask(c.Password),
})
I'm not sure how deep gosec is trying to handle checking code, but this code errors.