🐛 Fix loop aliasing errors causing linter to fail. (ossf#3414)

Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
kgangerlm · Nov 13, 2023 · a1c42bf · a1c42bf
1 parent 87429c6
commit a1c42bf
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 12 deletions.
diff --git a/checks/evaluation/permissions/permissions.go b/checks/evaluation/permissions/permissions.go
@@ -63,6 +63,16 @@ func TokenPermissions(name string, c *checker.CheckRequest, r *checker.TokenPerm
 		"GitHub workflow tokens follow principle of least privilege")
 }
 
+// avoid memory aliasing by returning a new copy.
+func newUint(u uint) *uint {
+	return &u
+}
+
+// avoid memory aliasing by returning a new copy.
+func newStr(s string) *string {
+	return &s
+}
+
 func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckRequest) (int, error) {
 	// See list https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/.
 	// Note: there are legitimate reasons to use some of the permissions like checks, deployments, etc.
@@ -83,10 +93,10 @@ func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckReq
 			loc = &finding.Location{
 				Type:      r.File.Type,
 				Path:      r.File.Path,
-				LineStart: &r.File.Offset,
+				LineStart: newUint(r.File.Offset),
 			}
 			if r.File.Snippet != "" {
-				loc.Snippet = &r.File.Snippet
+				loc.Snippet = newStr(r.File.Snippet)
 			}
 		}
 

diff --git a/clients/git/client_test.go b/clients/git/client_test.go
@@ -77,7 +77,7 @@ func createTestRepo(t *testing.T) (path string) {
 	return dir
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestInitRepo(t *testing.T) {
 	tests := []struct { //nolint:govet
 		name        string
@@ -147,7 +147,7 @@ func TestListCommits(t *testing.T) {
 	}
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestSearch(t *testing.T) {
 	testCases := []struct {
 		name     string

diff --git a/clients/gitlabrepo/issues_test.go b/clients/gitlabrepo/issues_test.go
@@ -50,10 +50,6 @@ func (s suffixStubTripper) RoundTrip(r *http.Request) (*http.Response, error) {
 	}, nil
 }
 
-func strptr(s string) *string {
-	return &s
-}
-
 func associationptr(r clients.RepoAssociation) *clients.RepoAssociation {
 	return &r
 }

diff --git a/clients/gitlabrepo/workflows.go b/clients/gitlabrepo/workflows.go
@@ -44,14 +44,19 @@ func (handler *workflowsHandler) listSuccessfulWorkflowRuns(filename string) ([]
 	return workflowsRunsFrom(jobs, filename), nil
 }
 
+// avoid memory aliasing by returning a new copy.
+func strptr(s string) *string {
+	return &s
+}
+
 func workflowsRunsFrom(data []*gitlab.Job, filename string) []clients.WorkflowRun {
 	var workflowRuns []clients.WorkflowRun
 	for _, job := range data {
 		// Find a better way to do this.
 		for _, artifact := range job.Artifacts {
 			if strings.EqualFold(artifact.Filename, filename) {
 				workflowRuns = append(workflowRuns, clients.WorkflowRun{
-					HeadSHA: &job.Pipeline.Sha,
+					HeadSHA: strptr(job.Pipeline.Sha),
 					URL:     job.WebURL,
 				})
 				continue

diff --git a/pkg/json_raw_results.go b/pkg/json_raw_results.go
@@ -331,7 +331,7 @@ func (r *jsonScorecardRawResult) addTokenPermissionsRawResults(tp *checker.Token
 				Offset: t.File.Offset,
 			}
 			if t.File.Snippet != "" {
-				p.File.Snippet = &t.File.Snippet
+				p.File.Snippet = asPointer(t.File.Snippet)
 			}
 		}
 
@@ -361,7 +361,7 @@ func (r *jsonScorecardRawResult) addPackagingRawResults(pk *checker.PackagingDat
 		}
 
 		if p.File.Snippet != "" {
-			jpk.File.Snippet = &p.File.Snippet
+			jpk.File.Snippet = asPointer(p.File.Snippet)
 		}
 
 		for _, run := range p.Runs {
@@ -419,7 +419,7 @@ func (r *jsonScorecardRawResult) addDangerousWorkflowRawResults(df *checker.Dang
 			Type: string(e.Type),
 		}
 		if e.File.Snippet != "" {
-			v.File.Snippet = &e.File.Snippet
+			v.File.Snippet = asPointer(e.File.Snippet)
 		}
 		if e.Job != nil {
 			v.Job = &jsonWorkflowJob{