tests: add case for gosec G118

[adamdecaf]

Issue: securego/gosec#1584

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new test file to validate the behavior of the gosec static analysis tool, specifically concerning its G118 rule. The new test case provides an example of database/sql.Open being used with a constant driver name, which should not trigger a security warning, thereby helping to confirm gosec's accurate detection of this particular vulnerability pattern.

Highlights

• New Test Case for Gosec G118: A new test file, tests/code/withcontext.go, has been added to specifically test the behavior of the gosec static analysis tool regarding its G118 rule.
• Gosec G118 Rule Validation: The added test case demonstrates the safe usage of database/sql.Open with a constant driver name, which is intended to ensure gosec correctly identifies non-vulnerable patterns and avoids false positives for the G118 rule (which warns against non-constant driver names).

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• tests/code/withcontext.go
  • Added a new Go file containing withcontext and initDatabase functions.
  • The initDatabase function demonstrates opening a SQLite database connection using sql.Open with a constant driver name.
  • Includes context handling and a shutdown mechanism for the database connection.

Activity

• No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new test case for the gosec linter, specifically targeting rule G118. While a security analysis did not identify any vulnerabilities meeting the reporting criteria (medium severity or higher), the new withcontext.go file contains several issues. These include a critical nil pointer dereference, a high-severity resource leak with a context.Context, and various medium-severity issues related to code style and unused variables, which could lead to runtime panics and resource leaks. If these issues are intentional for the test case, please add comments to the code to clarify this and prevent accidental "fixes" in the future.

[gemini-code-assist]

There is a potential nil pointer dereference here. If env.Shutdown is nil when withcontext is called, prev will be nil, and the call to prev() inside the new shutdown function will cause a panic. You should add a nil check before calling prev.

Suggested change

	env.Shutdown = func() {
	prev()
	close()
	}
	env.Shutdown = func() {
	if prev != nil {
	prev()
	}
	close()
	}

[gemini-code-assist]

In case of an error from sql.Open, the cancelFunc created by context.WithCancel is not called, leading to a context leak. The cancelFunc should be called before returning the error, and you should return nil for the cleanup function in the error case.

		cancelFunc()
		return nil, nil, fmt.Errorf("opening database: %w", err)

[gemini-code-assist]

The env parameter in initDatabase is not used and should be removed to improve code clarity. You will also need to update the call to this function on line 15.

Suggested change

	func initDatabase(ctx context.Context, env *Env) (*sql.DB, func(), error) {
	func initDatabase(ctx context.Context) (*sql.DB, func(), error) {

[gemini-code-assist]

The ctx variable created here shadows the function parameter and is not used. This will be flagged by go vet. If the derived context is not needed, you can assign it to the blank identifier _ to make it explicit.

Suggested change

	ctx, cancelFunc := context.WithCancel(ctx)
	_, cancelFunc := context.WithCancel(ctx)