chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 (#7899)

renovate[bot] · web-flow · commit 0f1a22484ec5 · 2026-02-28T21:51:27.000+01:00
diff --git a/bridge/opentracing/mock.go b/bridge/opentracing/mock.go
@@ -52,6 +52,7 @@ var (
 
 func newMockTracer() *mockTracer {
 	u := rand.Uint32()
+	// nolint:gosec // Intentional byte extraction from uint32
 	seed := [32]byte{byte(u), byte(u >> 8), byte(u >> 16), byte(u >> 24)}
 	return &mockTracer{
 		FinishedSpans:         nil,
diff --git a/exporters/otlp/otlplog/otlploghttp/client.go b/exporters/otlp/otlplog/otlploghttp/client.go
@@ -165,6 +165,7 @@ func (c *httpClient) uploadLogs(ctx context.Context, data []*logpb.ResourceLogs)
 		}
 
 		request.reset(iCtx)
+		// nolint:gosec // URL is constructed from validated OTLP endpoint configuration
 		resp, err := c.client.Do(request.Request)
 		var urlErr *url.Error
 		if errors.As(err, &urlErr) && urlErr.Temporary() {
diff --git a/exporters/otlp/otlpmetric/otlpmetrichttp/client.go b/exporters/otlp/otlpmetric/otlpmetrichttp/client.go
@@ -146,6 +146,7 @@ func (c *client) UploadMetrics(ctx context.Context, protoMetrics *metricpb.Resou
 		}
 
 		request.reset(iCtx)
+		// nolint:gosec // URL is constructed from validated OTLP endpoint configuration
 		resp, err := c.httpClient.Do(request.Request)
 		var urlErr *url.Error
 		if errors.As(err, &urlErr) && urlErr.Temporary() {
diff --git a/exporters/otlp/otlptrace/otlptracehttp/client.go b/exporters/otlp/otlptrace/otlptracehttp/client.go
@@ -174,6 +174,7 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
 		}
 
 		request.reset(ctx)
+		// nolint:gosec // URL is constructed from validated OTLP endpoint configuration
 		resp, err := d.client.Do(request.Request)
 		var urlErr *url.Error
 		if errors.As(err, &urlErr) && urlErr.Temporary() {
diff --git a/exporters/zipkin/zipkin.go b/exporters/zipkin/zipkin.go
@@ -153,7 +153,7 @@ func (e *Exporter) ExportSpans(ctx context.Context, spans []sdktrace.ReadOnlySpa
 		}
 	}
 
-	resp, err := e.client.Do(req) // nolint:bodyclose  // False-positive.
+	resp, err := e.client.Do(req) // nolint:bodyclose,gosec  // False-positive.
 	if err != nil {
 		return e.errf("request to %s failed: %v", e.url, err)
 	}
diff --git a/internal/tools/go.mod b/internal/tools/go.mod
@@ -186,7 +186,7 @@ require (
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
 	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
-	github.com/securego/gosec/v2 v2.22.11 // indirect
+	github.com/securego/gosec/v2 v2.23.0 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
diff --git a/internal/tools/go.sum b/internal/tools/go.sum
@@ -234,8 +234,8 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
-github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/gordonklaus/ineffassign v0.2.0 h1:Uths4KnmwxNJNzq87fwQQDDnbNb7De00VOk9Nu0TySs=
@@ -362,10 +362,10 @@ github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
 github.com/nunnatsa/ginkgolinter v0.22.0 h1:o9g7JN6efdBxAHhejvPkodEjWsOBze9zDnPePsvC/Qg=
 github.com/nunnatsa/ginkgolinter v0.22.0/go.mod h1:zIFAk36fhcHQIiYOGXLbrGTXz7cvpufhRYem6ToCVnY=
-github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
-github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
-github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
-github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI=
+github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE=
+github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
+github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
 github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
@@ -425,8 +425,8 @@ github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tM
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
 github.com/sashamelentyev/usestdlibvars v1.29.0 h1:8J0MoRrw4/NAXtjQqTHrbW9NN+3iMf7Knkq057v4XOQ=
 github.com/sashamelentyev/usestdlibvars v1.29.0/go.mod h1:8PpnjHMk5VdeWlVb4wCdrB8PNbLqZ3wBZTZWkrpZZL8=
-github.com/securego/gosec/v2 v2.22.11 h1:tW+weM/hCM/GX3iaCV91d5I6hqaRT2TPsFM1+USPXwg=
-github.com/securego/gosec/v2 v2.22.11/go.mod h1:KE4MW/eH0GLWztkbt4/7XpyH0zJBBnu7sYB4l6Wn7Mw=
+github.com/securego/gosec/v2 v2.23.0 h1:h4TtF64qFzvnkqvsHC/knT7YC5fqyOCItlVR8+ptEBo=
+github.com/securego/gosec/v2 v2.23.0/go.mod h1:qRHEgXLFuYUDkI2T7W7NJAmOkxVhkR0x9xyHOIcMNZ0=
 github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
 github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
diff --git a/sdk/log/batch.go b/sdk/log/batch.go
@@ -335,7 +335,7 @@ func (q *queue) TryDequeue(buf []Record, write func([]Record) bool) int {
 
 	n := min(len(buf), q.len)
 	for i := range n {
-		buf[i] = q.read.Value
+		buf[i] = q.read.Value // nolint:gosec // n is bounded by len(buf)
 		q.read = q.read.Next()
 	}
 
diff --git a/sdk/resource/host_id_readfile.go b/sdk/resource/host_id_readfile.go
@@ -8,7 +8,7 @@ package resource // import "go.opentelemetry.io/otel/sdk/resource"
 import "os"
 
 func readFile(filename string) (string, error) {
-	b, err := os.ReadFile(filename)
+	b, err := os.ReadFile(filename) // nolint:gosec // false positive
 	if err != nil {
 		return "", err
 	}
diff --git a/trace/tracestate.go b/trace/tracestate.go
@@ -61,6 +61,9 @@ func checkValue(val string) bool {
 func checkKeyRemain(key string) bool {
 	// ( lcalpha / DIGIT / "_" / "-"/ "*" / "/" )
 	for _, v := range key {
+		if v > 127 {
+			return false
+		}
 		if isAlphaNum(byte(v)) {
 			continue
 		}

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,7 @@ func (c httpClient) uploadLogs(ctx context.Context, data []logpb.ResourceLogs)`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`request.reset(iCtx)`
	`168`	`+ // nolint:gosec // URL is constructed from validated OTLP endpoint configuration`
`168`	`169`	`resp, err := c.client.Do(request.Request)`
`169`	`170`	`var urlErr *url.Error`
`170`	`171`	`if errors.As(err, &urlErr) && urlErr.Temporary() {`
Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,7 @@ func (c client) UploadMetrics(ctx context.Context, protoMetrics metricpb.Resou`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`request.reset(iCtx)`
	`149`	`+ // nolint:gosec // URL is constructed from validated OTLP endpoint configuration`
`149`	`150`	`resp, err := c.httpClient.Do(request.Request)`
`150`	`151`	`var urlErr *url.Error`
`151`	`152`	`if errors.As(err, &urlErr) && urlErr.Temporary() {`
Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,7 @@ func (d client) UploadTraces(ctx context.Context, protoSpans []tracepb.Resourc`
`174`	`174`	`}`
`175`	`175`
`176`	`176`	`request.reset(ctx)`
	`177`	`+ // nolint:gosec // URL is constructed from validated OTLP endpoint configuration`
`177`	`178`	`resp, err := d.client.Do(request.Request)`
`178`	`179`	`var urlErr *url.Error`
`179`	`180`	`if errors.As(err, &urlErr) && urlErr.Temporary() {`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ func (e *Exporter) ExportSpans(ctx context.Context, spans []sdktrace.ReadOnlySpa`
`153`	`153`	`}`
`154`	`154`	`}`
`155`	`155`
`156`		`- resp, err := e.client.Do(req) // nolint:bodyclose // False-positive.`
	`156`	`+ resp, err := e.client.Do(req) // nolint:bodyclose,gosec // False-positive.`
`157`	`157`	`if err != nil {`
`158`	`158`	`return e.errf("request to %s failed: %v", e.url, err)`
`159`	`159`	`}`
Original file line number	Diff line number	Diff line change
`@@ -335,7 +335,7 @@ func (q *queue) TryDequeue(buf []Record, write func([]Record) bool) int {`
`335`	`335`
`336`	`336`	`n := min(len(buf), q.len)`
`337`	`337`	`for i := range n {`
`338`		`- buf[i] = q.read.Value`
	`338`	`+ buf[i] = q.read.Value // nolint:gosec // n is bounded by len(buf)`
`339`	`339`	`q.read = q.read.Next()`
`340`	`340`	`}`
`341`	`341`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ package resource // import "go.opentelemetry.io/otel/sdk/resource"`
`8`	`8`	`import "os"`
`9`	`9`
`10`	`10`	`func readFile(filename string) (string, error) {`
`11`		`- b, err := os.ReadFile(filename)`
	`11`	`+ b, err := os.ReadFile(filename) // nolint:gosec // false positive`
`12`	`12`	`if err != nil {`
`13`	`13`	`return "", err`
`14`	`14`	`}`