From a1c42bf8fe9bd6241bb912c3bffe62465fe1ab4a Mon Sep 17 00:00:00 2001
From: Spencer Schrock <sschrock@google.com>
Date: Tue, 22 Aug 2023 17:48:21 -0700
Subject: [PATCH] :bug: Fix loop aliasing errors causing linter to fail.
 (#3414)

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---
 checks/evaluation/permissions/permissions.go | 14 ++++++++++++--
 clients/git/client_test.go                   |  4 ++--
 clients/gitlabrepo/issues_test.go            |  4 ----
 clients/gitlabrepo/workflows.go              |  7 ++++++-
 pkg/json_raw_results.go                      |  6 +++---
 5 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/checks/evaluation/permissions/permissions.go b/checks/evaluation/permissions/permissions.go
index 8f0c1be5d2b..b8ca06796aa 100644
--- a/checks/evaluation/permissions/permissions.go
+++ b/checks/evaluation/permissions/permissions.go
@@ -63,6 +63,16 @@ func TokenPermissions(name string, c *checker.CheckRequest, r *checker.TokenPerm
 		"GitHub workflow tokens follow principle of least privilege")
 }
 
+// avoid memory aliasing by returning a new copy.
+func newUint(u uint) *uint {
+	return &u
+}
+
+// avoid memory aliasing by returning a new copy.
+func newStr(s string) *string {
+	return &s
+}
+
 func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckRequest) (int, error) {
 	// See list https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/.
 	// Note: there are legitimate reasons to use some of the permissions like checks, deployments, etc.
@@ -83,10 +93,10 @@ func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckReq
 			loc = &finding.Location{
 				Type:      r.File.Type,
 				Path:      r.File.Path,
-				LineStart: &r.File.Offset,
+				LineStart: newUint(r.File.Offset),
 			}
 			if r.File.Snippet != "" {
-				loc.Snippet = &r.File.Snippet
+				loc.Snippet = newStr(r.File.Snippet)
 			}
 		}
 
diff --git a/clients/git/client_test.go b/clients/git/client_test.go
index a51c5445120..98e132b9c9f 100644
--- a/clients/git/client_test.go
+++ b/clients/git/client_test.go
@@ -77,7 +77,7 @@ func createTestRepo(t *testing.T) (path string) {
 	return dir
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestInitRepo(t *testing.T) {
 	tests := []struct { //nolint:govet
 		name        string
@@ -147,7 +147,7 @@ func TestListCommits(t *testing.T) {
 	}
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestSearch(t *testing.T) {
 	testCases := []struct {
 		name     string
diff --git a/clients/gitlabrepo/issues_test.go b/clients/gitlabrepo/issues_test.go
index 09008842827..f61ee63fb0d 100644
--- a/clients/gitlabrepo/issues_test.go
+++ b/clients/gitlabrepo/issues_test.go
@@ -50,10 +50,6 @@ func (s suffixStubTripper) RoundTrip(r *http.Request) (*http.Response, error) {
 	}, nil
 }
 
-func strptr(s string) *string {
-	return &s
-}
-
 func associationptr(r clients.RepoAssociation) *clients.RepoAssociation {
 	return &r
 }
diff --git a/clients/gitlabrepo/workflows.go b/clients/gitlabrepo/workflows.go
index e90ef5e86d0..ff558b56d36 100644
--- a/clients/gitlabrepo/workflows.go
+++ b/clients/gitlabrepo/workflows.go
@@ -44,6 +44,11 @@ func (handler *workflowsHandler) listSuccessfulWorkflowRuns(filename string) ([]
 	return workflowsRunsFrom(jobs, filename), nil
 }
 
+// avoid memory aliasing by returning a new copy.
+func strptr(s string) *string {
+	return &s
+}
+
 func workflowsRunsFrom(data []*gitlab.Job, filename string) []clients.WorkflowRun {
 	var workflowRuns []clients.WorkflowRun
 	for _, job := range data {
@@ -51,7 +56,7 @@ func workflowsRunsFrom(data []*gitlab.Job, filename string) []clients.WorkflowRu
 		for _, artifact := range job.Artifacts {
 			if strings.EqualFold(artifact.Filename, filename) {
 				workflowRuns = append(workflowRuns, clients.WorkflowRun{
-					HeadSHA: &job.Pipeline.Sha,
+					HeadSHA: strptr(job.Pipeline.Sha),
 					URL:     job.WebURL,
 				})
 				continue
diff --git a/pkg/json_raw_results.go b/pkg/json_raw_results.go
index 4be011aabd7..629bee123b9 100644
--- a/pkg/json_raw_results.go
+++ b/pkg/json_raw_results.go
@@ -331,7 +331,7 @@ func (r *jsonScorecardRawResult) addTokenPermissionsRawResults(tp *checker.Token
 				Offset: t.File.Offset,
 			}
 			if t.File.Snippet != "" {
-				p.File.Snippet = &t.File.Snippet
+				p.File.Snippet = asPointer(t.File.Snippet)
 			}
 		}
 
@@ -361,7 +361,7 @@ func (r *jsonScorecardRawResult) addPackagingRawResults(pk *checker.PackagingDat
 		}
 
 		if p.File.Snippet != "" {
-			jpk.File.Snippet = &p.File.Snippet
+			jpk.File.Snippet = asPointer(p.File.Snippet)
 		}
 
 		for _, run := range p.Runs {
@@ -419,7 +419,7 @@ func (r *jsonScorecardRawResult) addDangerousWorkflowRawResults(df *checker.Dang
 			Type: string(e.Type),
 		}
 		if e.File.Snippet != "" {
-			v.File.Snippet = &e.File.Snippet
+			v.File.Snippet = asPointer(e.File.Snippet)
 		}
 		if e.Job != nil {
 			v.Job = &jsonWorkflowJob{