G304: Issue when passing in perm or flag as variable to os.OpenFile()

[eshentials]

What
-Limit G304 to analyze only the path argument (arg[0]) for file APIs (os.Open, os.OpenFile, os.ReadFile, ioutil.ReadFile, os.Create).
-Ignore flag/perm variables to avoid false positives when non-path args are variable.
-Track filepath.Clean to treat cleaned identifiers as safe.
-Recognize safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent).
-Record Join(...) assigned to an identifier and consider it safe if that identifier is later cleaned.
-Fix a nil-context panic in trackJoinAssignStmt.

Why
-Prior behavior flagged G304 when perm or flag were variables, even though only the first argument is the file path. This caused false positives like:
-os.OpenFile(filepath.Clean(fn), os.O_RDONLY, perm)
-os.OpenFile(filepath.Clean(fn), flag, 0o600)Also fixed a panic where a nil analysis context was used in a call-list check.

How
-In readfile.Match, inspect only node.Args[0] (path).
-Add trackFilepathClean and isFilepathClean to respect filepath.Clean.
-Add isSafeJoin for filepath.Join(base, Clean(...)) or Join(constBase, cleanedIdent).
-Record Join(...) assignments via trackJoinAssignStmt and allow if the identifier is cleaned later.

Pass non-nil context to ContainsPkgCallExpr in trackJoinAssignStmt.

TestsRan rules suite: 42 passed, 0 failed.

Repro’d prior panic and confirmed it’s fixed.

Verified the three user examples:
-Static perm: OK, no G304.
-Var perm: OK, no G304.
-Var flag: OK, no G304.
-Still flags unsafe filepath.Join with variable path when not cleaned.

Impact
-Reduces false positives on G304 without weakening detection of unsafe path construction.
-Increases stability by removing nil-context panic.

Tests:
-go test ./rules -v

CLI:
-go build -o ./bin/gosec ./cmd/gosec
-./bin/gosec -include=G304 -fmt text -quiet /path/to/your/code
-JSON: ./bin/gosec -include=G304 -fmt json /path/to/your/code | jq .

fixes #1318

[eshentials]

@ccojocar please review

[ccojocar]

Can you add please the sample code for these use cases in https://github.com/securego/gosec/blob/master/testutils/g304_samples.go?

[eshentials]

@ccojocar I have added them, please do check.

[ccojocar]

Why this empty variable assignment needed here? This doesn't perform any action.

[ccojocar]

It seems that there are some lint issues. Please could you fix them?

[eshentials]

On it, I shall get back to you asap.

[eshentials]

@ccojocar I applied the changes, please check now.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 72.34043% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.28%. Comparing base (1216c9b) to head (84e9b43).
⚠️ Report is 99 commits behind head on master.

Files with missing lines	Patch %	Lines
rules/readfile.go	72.34%	20 Missing and 6 partials ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1383      +/-   ##
==========================================
- Coverage   68.49%   63.28%   -5.22%     
==========================================
  Files          75       74       -1     
  Lines        4384     5267     +883     
==========================================
+ Hits         3003     3333     +330     
- Misses       1233     1800     +567     
+ Partials      148      134      -14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.