GO-S2307 False Positives

kgillette · January 18, 2023, 10:31pm

Hello!

GO-S2307 regularly shows up for conventional well written code when read-only closers are involved. Since read-only closers are the majority case (by far), this analyzer produces false positives a seeming majority of the time, and should be tweaked to have better understanding of the underlying code.

Consider some common cases:

I’m opening a file for reading: if file corruption exists, I will find out before closing, and thus any error that occurs on file close is of no consequence (I merely wish to free the resource).
I’ve got a ReadCloser pertaining to the read-side of a network connection: similarly, I will encounter an EOF or find out about any other issues merely through Read calls; there is no concept of a “read flush on close” and I, likewise, merely wish to free the resource when I’m done with it.

This is not worth signaling via a skipcq since code performing such read-only operations is not in the wrong. defer rc.Close() is perfectly conventional, and forcing error checking is also unreasonable in these cases.

Please improve this analyzer to only raise issues for io.WriteCloser (or io.Closer instances that aren’t identifiable as io.ReadCloser).

kgillette · January 18, 2023, 10:39pm

Special care should also be taken around os.File and other common use-cases. An os.File opened with os.Open should not be considered a true-positive for this check, while other constructors (such as os.Create) would be true-positives.

shmsr · January 24, 2023, 5:05am

Hey @kgillette! Thanks for taking the time to provide feedback for GO-S2307. Yes, I do agree with the points you have written. GO-S2307 needs to be improved. We’ll pick it up as soon as possible and let you know once it is fixed.

shmsr · February 17, 2023, 9:28am

Hey @kgillette!

We have rolled out a fix for GO-S2307. Now it won’t be raised for identifiers satisfying io.ReadCloser and io.ReadSeekCloser. We have made some more improvements.

Thank you for helping us make GO-S2307 better.

benwaffle · March 22, 2023, 9:40pm

Hi, I’m still seeing warnings today on defer rc.Close() for an rc io.ReadCloser. Did the bug re-surface?

akshit · March 23, 2023, 6:25am

Hi @benwaffle

Can you please paste the snippet where the issue is being raised. It will help us investigate this further.

tushar-deepsource · March 23, 2023, 6:55am

You can also mark an issue as False Positive on the DeepSource dashboard, and we can receive the required context that way.

Topic	Replies	Views
Go Analyzer Updates – May 2021 New in DeepSource go , analyzers , autofix	585	May 24, 2021
55 new issues added in the Go analyzer New in DeepSource	868	May 4, 2020
Go Analyzer Updates - March 2021 New in DeepSource go , analyzers , autofix	638	April 6, 2021
New Autofix, issues, reliability improvements, and more in the Go Analyzer New in DeepSource go , analyzers , autofix	606	February 28, 2022
Go Analyzer: Performance improvements, new issues, and more! New in DeepSource autofix , static-analysis	785	September 12, 2022

GO-S2307 False Positives

Related Topics