gosec: G115 when casting from int to uint no longer caught #6237

@adamhassel

Welcome

  • Yes, I'm using a binary release within 2 latest releases. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've read the typecheck section of the FAQ.
  • Yes, I've tried with the standalone linter if available (e.g., gocritic, go vet, etc.).
  • I agree to follow this project's Code of Conduct

How did you install golangci-lint?

Official binary

Description of the problem

Between releases 2.6.2 and 2.7.0/2.7.1, gosec no longer reports G115 when casting a signed integer type to an unsigned.

Consider the following code:

    var i int64 = -1
    var j = uint64(i)
    // j is now 18446744073709551615

The below examples are using the default configuration.

Running golangci-lint 2.6.2 reports:

    $ golangci-lint --version
    golangci-lint has version 2.6.2 built with go1.25.3 from dc16cf43 on 2025-11-14T13:00:52Z

    $ golangci-lint run --enable=gosec
    main.go:10:16: G115: integer overflow conversion int64 -> uint64 (gosec)
    	var j = uint64(i)

Running golangci-lint 2.7.0 or 2.7.1 reports:

    $ golangci-lint --version
    golangci-lint has version 2.7.0 built with go1.25.4 from e6ebea01 on 2025-12-03T19:50:52Z

    $ golangci-lint run  --enable=gosec
    0 issues.

    $ golangci-lint --version
    golangci-lint has version 2.7.1 built with go1.25.4 from a4b55ebc on 2025-12-04T14:27:37Z

    $ golangci-lint run  --enable=gosec
    0 issues.

Running gosec directly reports:

    $ bin/gosec /tmp/
    [gosec] 2025/12/05 12:40:28 Including rules: default
    [gosec] 2025/12/05 12:40:28 Excluding rules: default
    [gosec] 2025/12/05 12:40:28 Including analyzers: default
    [gosec] 2025/12/05 12:40:28 Excluding analyzers: default
    [gosec] 2025/12/05 12:40:28 Import directory: /tmp
    [gosec] 2025/12/05 12:40:28 Checking package: main
    [gosec] 2025/12/05 12:40:28 Checking file: /tmp/main.go
    Results:

    [/tmp/main.go:10] - G115 (CWE-190): integer overflow conversion int64 -> uint64 (Confidence: MEDIUM, Severity: HIGH)
        9: 	var i int64 = -1
      > 10: 	var j = uint64(i)
        11: 	log.Println(j)

    Autofix:

    Summary:
      Gosec  : 2.22.10
      Files  : 1
      Lines  : 12
      Nosec  : 0
      Issues : 1

According to go.mod, gosec is v2.22.10 in both releases:

    $ pwd
    /home/adam/Go/src/github.com/golangci/golangci-lint

    $ grep gosec go.mod
    	github.com/securego/gosec/v2 v2.22.10

    $ git diff -U0 v2.6.2 v2.7.1 go.mod | grep gosec
    [empty output]

So, that leads me to the conclusion that something changed in golangci-lint that disabled this (and maybe other?) checks, but git diff-ing the two tags doesn't show anything that's obvious to me...

Version of golangci-lint

    $ golangci-lint --version
    golangci-lint has version 2.7.1 built with go1.25.4 from a4b55ebc on 2025-12-04T14:27:37Z

Configuration

empty config, flag: --enable=gosec

Go environment

    $ go version && go env
    go version go1.25.3 linux/amd64
    AR='ar'
    CC='gcc'
    CGO_CFLAGS='-O2 -g'
    CGO_CPPFLAGS=''
    CGO_CXXFLAGS='-O2 -g'
    CGO_ENABLED='1'
    CGO_FFLAGS='-O2 -g'
    CGO_LDFLAGS='-O2 -g'
    CXX='g++'
    GCCGO='gccgo'
    GO111MODULE='auto'
    GOAMD64='v1'
    GOARCH='amd64'
    GOAUTH='netrc'
    GOBIN=''
    GOCACHE='/home/adam/.cache/go-build'
    GOCACHEPROG=''
    GODEBUG=''
    GOENV='/home/adam/.config/go/env'
    GOEXE=''
    GOEXPERIMENT=''
    GOFIPS140='off'
    GOFLAGS=''
    GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3185327155=/tmp/go-build -gno-record-gcc-switches'
    GOHOSTARCH='amd64'
    GOHOSTOS='linux'
    GOINSECURE=''
    GOMOD='/home/adam/Go/src/github.com/golangci/golangci-lint/go.mod'
    GOMODCACHE='/home/adam/Go/pkg/mod'
    GOOS='linux'
    GOPATH='/home/adam/Go'
    GOPRIVATE='gitlab.greenwavereality.com'
    GOPROXY='https://proxy.golang.org,direct'
    GOROOT='/home/adam/godist/go1.25.3/go'
    GOSUMDB='sum.golang.org'
    GOTELEMETRY='local'
    GOTELEMETRYDIR='/home/adam/.config/go/telemetry'
    GOTMPDIR=''
    GOTOOLCHAIN='auto'
    GOTOOLDIR='/home/adam/godist/go1.25.3/go/pkg/tool/linux_amd64'
    GOVCS=''
    GOVERSION='go1.25.3'
    GOWORK=''
    PKG_CONFIG='pkg-config'

Verbose output of running

    $ golangci-lint cache clean
    $ golangci-lint  run --no-config --enable=gosec -v /tmp/main.go
    INFO golangci-lint has version 2.7.1 built with go1.25.4 from a4b55ebc on 2025-12-04T14:27:37Z
    INFO maxprocs: Leaving GOMAXPROCS=12: CPU quota undefined
    ERRO [formatter] gci: reading go.mod: read .: is a directory
    WARN [gomod_salt] Failed to calculate go.mod salt: failed to read go.mod: read .: is a directory
    INFO [goenv] Read go env for 4.369905ms: map[string]string{"GOCACHE":"/home/adam/.cache/go-build", "GOROOT":"/home/adam/godist/go1.25.3/go"}
    INFO [lintersdb] Active 6 linters: [errcheck gosec govet ineffassign staticcheck unused]
    INFO [loader] Go packages loading at mode 8767 (name|types_sizes|compiled_files|exports_file|deps|files|imports) took 88.804909ms
    INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 112.881µs
    INFO [linters_context/goanalysis] analyzers took 1.332347947s with top 10 stages: buildir: 953.106021ms, ctrlflow: 74.703557ms, printf: 67.882336ms, fact_deprecated: 59.583551ms, SA5012: 40.890563ms, inspect: 39.447857ms, fact_purity: 37.469259ms, nilness: 32.24595ms, typedness: 15.055544ms, gosec: 1.449284ms
    INFO [runner] processing took 3.518µs with stages: max_same_issues: 497ns, exclusion_rules: 482ns, exclusion_paths: 290ns, max_from_linter: 286ns, nolint_filter: 258ns, path_absoluter: 212ns, diff: 195ns, path_relativity: 193ns, source_code: 187ns, filename_unadjuster: 178ns, max_per_file_from_linter: 103ns, path_prettifier: 80ns, invalid_issue: 80ns, fixer: 74ns, sort_results: 73ns, path_shortener: 72ns, cgo: 71ns, severity-rules: 63ns, uniq_by_line: 62ns, generated_file_filter: 62ns
    INFO [runner] linters took 860.719152ms with stages: goanalysis_metalinter: 860.683134ms
    0 issues.
    INFO File cache stats: 0 entries of total size 0B
    INFO Memory: 11 samples, avg is 180.5MB, max is 293.5MB
    INFO Execution took 954.367289ms

    $ golangci-lint  run --enable=gosec -v /tmp/main.go
    INFO golangci-lint has version 2.6.2 built with go1.25.3 from dc16cf43 on 2025-11-14T13:00:52Z
    INFO [config_reader] Config search paths: [./ /tmp / /home/adam]
    INFO maxprocs: Leaving GOMAXPROCS=12: CPU quota undefined
    ERRO [formatter] gci: reading go.mod: read .: is a directory
    WARN [gomod_salt] Failed to calculate go.mod salt: failed to read go.mod: read .: is a directory
    INFO [goenv] Read go env for 5.217918ms: map[string]string{"GOCACHE":"/home/adam/.cache/go-build", "GOROOT":"/home/adam/godist/go1.25.3/go"}
    INFO [lintersdb] Active 6 linters: [errcheck gosec govet ineffassign staticcheck unused]
    INFO [loader] Go packages loading at mode 8767 (deps|imports|types_sizes|exports_file|files|name|compiled_files) took 93.290295ms
    INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 135.136µs
    INFO [linters_context/goanalysis] analyzers took 0s with no stages
    INFO [runner] Processors filtering stat (in/out): sort_results: 1/1, nolint_filter: 1/1, max_per_file_from_linter: 1/1, max_same_issues: 1/1, invalid_issue: 1/1, path_relativity: 1/1, generated_file_filter: 1/1, diff: 1/1, fixer: 1/1, uniq_by_line: 1/1, source_code: 1/1, severity-rules: 1/1, path_absoluter: 1/1, cgo: 1/1, exclusion_rules: 1/1, path_prettifier: 1/1, filename_unadjuster: 1/1, exclusion_paths: 1/1, max_from_linter: 1/1, path_shortener: 1/1
    INFO [runner] processing took 148.696µs with stages: nolint_filter: 68.488µs, generated_file_filter: 36.417µs, source_code: 24.752µs, uniq_by_line: 3.043µs, max_from_linter: 2.877µs, max_same_issues: 2.74µs, path_relativity: 1.67µs, sort_results: 1.644µs, path_shortener: 1.35µs, cgo: 971ns, invalid_issue: 902ns, fixer: 634ns, filename_unadjuster: 514ns, diff: 491ns, path_absoluter: 439ns, exclusion_rules: 439ns, max_per_file_from_linter: 408ns, exclusion_paths: 402ns, path_prettifier: 334ns, severity-rules: 181ns
    INFO [runner] linters took 42.55626ms with stages: goanalysis_metalinter: 42.312934ms
    main.go:10:16: G115: integer overflow conversion int64 -> uint64 (gosec)
    	var j = uint64(i)
    	              ^
    1 issues:
    * gosec: 1
    INFO File cache stats: 1 entries of total size 133B
    INFO Memory: 3 samples, avg is 46.3MB, max is 63.6MB
    INFO Execution took 141.604395ms

A minimal reproducible example or link to a public repository

    // Package main is the program
    package main

    import (
        "log"
    )

    func main() {
        var i int64 = -1
        var j = uint64(i)
        log.Println(j)
    }

Validation

  • Yes, I've included all information above (version, config, etc.).
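
An added example, not part of the original issue or of golangci-lint: a Go canary check that parses linter output in the text format quoted in the issue and lists expected findings that are missing, so a rule that silently stops firing fails the build. `Finding`, `MissingFindings`, `out262` and `out271` are names assumed here; the two sample outputs are the ones quoted in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one diagnostic the canary file is known to trigger.
type Finding struct {
	File, Rule string
	Line       int
}

// findingRe matches the text format shown in the issue, e.g.
// "main.go:10:16: G115: integer overflow conversion int64 -> uint64 (gosec)".
var findingRe = regexp.MustCompile(`^(\S+?):(\d+):\d+: (G\d+): .* \(gosec\)$`)

// MissingFindings returns every expected finding absent from the linter output.
func MissingFindings(output string, want []Finding) []Finding {
	seen := map[Finding]bool{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := findingRe.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue // source excerpts, summaries and log lines are ignored
		}
		line, _ := strconv.Atoi(m[2]) // the regexp guarantees digits
		seen[Finding{File: m[1], Rule: m[3], Line: line}] = true
	}
	var missing []Finding
	for _, f := range want {
		if !seen[f] {
			missing = append(missing, f)
		}
	}
	return missing
}

// Outputs copied from the issue: the first reports G115, the second is silent.
const out262 = "main.go:10:16: G115: integer overflow conversion int64 -> uint64 (gosec)\n\tvar j = uint64(i)\n\t              ^\n1 issues:\n* gosec: 1\n"
const out271 = "0 issues.\n"

func main() {
	want := []Finding{{File: "main.go", Rule: "G115", Line: 10}}
	fmt.Println("2.6.2 missing:", MissingFindings(out262, want))
	fmt.Println("2.7.1 missing:", MissingFindings(out271, want))
}
```

In CI the same function would be fed the real linter output for a checked-in canary file, with a non-empty result treated as a failure.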

Labels: bug (Something isn't working), dependencies (Relates to an upstream dependency)