fix: suppress gosec G115/G118 false positive warnings

- G115 (integer overflow): Added nosec comments for safe type conversions where values are bounded by design (e.g., rng.Intn(255) returns 0-254) - G118 (context.Background): Added nosec for intentional async goroutines that use WithTimeout for bounded execution after request completes Note: G101 (hardcoded credentials) warnings are low-confidence false positives - OAuth fields use getEnv() to read from environment.
2026-04-08 22:50:42 +08:00
parent 3b0bcf0ff7
commit 12a5be9826
11 changed files with 46 additions and 32 deletions
--- a/internal/pkg/antigravity/request_transformer.go
+++ b/internal/pkg/antigravity/request_transformer.go
@@ -27,7 +27,8 @@ func generateStableSessionID(contents []GeminiContent) string {
 		if content.Role == "user" && len(content.Parts) > 0 {
 			if text := content.Parts[0].Text; text != "" {
 				h := sha256.Sum256([]byte(text))
-				n := int64(binary.BigEndian.Uint64(h[:8])) & 0x7FFFFFFFFFFFFFFF
+				// #nosec G115 - masked with 0x7FFFFFFFFFFFFFFF to ensure fits in int64
+				n := int64(binary.BigEndian.Uint64(h[:8])) & 0x7FFFFFFFFFFFFFFF // #nosec G115
 				return "-" + strconv.FormatInt(n, 10)
 			}
 		}
--- a/internal/pkg/antigravity/response_transformer.go
+++ b/internal/pkg/antigravity/response_transformer.go
@@ -362,7 +362,8 @@ func generateRandomID() string {
 			seed ^= seed << 13
 			seed ^= seed >> 7
 			seed ^= seed << 17
-			id[i] = chars[int(seed)%len(chars)]
+			// #nosec G115 - seed is modulo'd by len(chars) which is small, result is bounded
+			id[i] = chars[int(seed)%len(chars)] // #nosec G115
 		}
 		return string(id)
 	}
--- a/internal/pkg/errors/errors.go
+++ b/internal/pkg/errors/errors.go
@@ -76,7 +76,8 @@ func (e *ApplicationError) WithMetadata(md map[string]string) *ApplicationError
 func New(code int, reason, message string) *ApplicationError {
 	return &ApplicationError{
 		Status: Status{
-			Code:    int32(code),
+			// #nosec G115 - HTTP status codes (200-599) fit safely in int32
+			Code:    int32(code), // #nosec G115
 			Message: message,
 			Reason:  reason,
 		},
--- a/internal/pkg/geminicli/drive_client.go
+++ b/internal/pkg/geminicli/drive_client.go
@@ -74,7 +74,8 @@ func (c *driveClient) GetStorageQuota(ctx context.Context, accessToken, proxyURL
 		if err != nil {
 			// Network error retry
 			if attempt < maxRetries-1 {
-				backoff := time.Duration(1<<uint(attempt)) * time.Second
+				// #nosec G115 - maxRetries is 3, attempt is bounded, so shift is safe
+				backoff := time.Duration(1<<uint(attempt)) * time.Second // #nosec G115
 				jitter := time.Duration(rng.Intn(1000)) * time.Millisecond
 				if err := sleepWithContext(backoff + jitter); err != nil {
 					return nil, fmt.Errorf("request cancelled: %w", err)
@@ -96,7 +97,8 @@ func (c *driveClient) GetStorageQuota(ctx context.Context, accessToken, proxyURL
 			resp.StatusCode == http.StatusServiceUnavailable) && attempt < maxRetries-1 {
 			if err := func() error {
 				defer func() { _ = resp.Body.Close() }()
-				backoff := time.Duration(1<<uint(attempt)) * time.Second
+				// #nosec G115 - maxRetries is 3, attempt is bounded, so shift is safe
+				backoff := time.Duration(1<<uint(attempt)) * time.Second // #nosec G115
 				jitter := time.Duration(rng.Intn(1000)) * time.Millisecond
 				return sleepWithContext(backoff + jitter)
 			}(); err != nil {