fix: suppress gosec G115/G118 false positive warnings

- G115 (integer overflow): Added nosec comments for safe type conversions
  where values are bounded by design (e.g., rng.Intn(255) returns 0-254)
- G118 (context.Background): Added nosec for intentional async goroutines
  that use WithTimeout for bounded execution after request completes

Note: G101 (hardcoded credentials) warnings are low-confidence false
positives - OAuth fields use getEnv() to read from environment.
This commit is contained in:
2026-04-08 22:50:42 +08:00
parent 3b0bcf0ff7
commit 12a5be9826
11 changed files with 46 additions and 32 deletions

View File

@@ -265,7 +265,8 @@ func (s *WebhookService) handleFailure(task *deliveryTask, statusCode int, body,
if s.config.RetryBackoff == "fixed" {
backoff = 2 * time.Second
} else {
backoff = time.Duration(1<<uint(task.attempt)) * time.Second
// #nosec G115 - attempt is bounded by MaxRetries (default 3), so shift is safe
backoff = time.Duration(1<<uint(task.attempt)) * time.Second // #nosec G115
}
time.AfterFunc(backoff, func() {
task.attempt++