fix: address G115 integer overflow linter warnings for Go 1.24.1

Added #nosec G115 annotations with explanatory comments for all integer type conversions flagged by the gosec linter. These annotations explain why each conversion is safe within its context. Common patterns: - Network statistics expected to be within int64 range - Port numbers within uint16 range (0-65535) - String lengths expected to be within uint16 range - DERP/STUN port numbers and region IDs within int32 range - Slice lengths expected to be within int32 range - Display order values expected to be within int32 range - SSH exit status values expected to be within int32 range (0-255) - Pagination parameters expected to be within int32 range
coder · sreya · Mar 26, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
commit 3cf71027b46f7bb3ed367963a41ddd41e7a3c59d
diff --git a/agent/agent.go b/agent/agent.go
@@ -1566,8 +1566,11 @@ func (a *agent) Collect(ctx context.Context, networkStats map[netlogtype.Connect
 		stats.ConnectionsByProto[conn.Proto.String()]++
 		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.RxBytes += int64(counts.RxBytes)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.RxPackets += int64(counts.RxPackets)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.TxBytes += int64(counts.TxBytes)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.TxPackets += int64(counts.TxPackets)
 	}
 
@@ -2053,5 +2056,6 @@ func WorkspaceKeySeed(workspaceID uuid.UUID, agentName string) (int64, error) {
 		return 42, err
 	}
 
+	// #nosec G115 - Safe conversion to generate int64 hash from Sum64, data loss acceptable
 	return int64(h.Sum64()), nil
 }
diff --git a/agent/agentrsa/key_test.go b/agent/agentrsa/key_test.go
@@ -28,6 +28,7 @@ func BenchmarkGenerateDeterministicKey(b *testing.B) {
 	for range b.N {
 		// always record the result of DeterministicPrivateKey to prevent
 		// the compiler eliminating the function call.
+		// #nosec G404 - Using math/rand is acceptable for benchmarking deterministic keys
 		r = agentrsa.GenerateDeterministicKey(rand.Int64())
 	}
 

diff --git a/agent/agentssh/x11.go b/agent/agentssh/x11.go
@@ -117,7 +117,7 @@ func (s *Server) x11Handler(ctx ssh.Context, x11 ssh.X11) (displayNumber int, ha
 			}{
 				OriginatorAddress: tcpAddr.IP.String(),
 				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
-				OriginatorPort:    uint32(tcpAddr.Port),
+				OriginatorPort: uint32(tcpAddr.Port),
 			}))
 			if err != nil {
 				s.logger.Warn(ctx, "failed to open X11 channel", slog.Error(err))
@@ -315,6 +315,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write display: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for auth protocol length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(authProtocol)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth protocol length: %w", err)
@@ -324,6 +325,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write auth protocol: %w", err)
 	}
 
+
10000
	// #nosec G115 - Safe conversion for auth cookie length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(authCookieBytes)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth cookie length: %w", err)

diff --git a/cli/agent.go b/cli/agent.go
@@ -327,10 +327,11 @@ func (r *RootCmd) workspaceAgent() *serpent.Command {
 			}
 
 			agnt := agent.New(agent.Options{
-				Client:            client,
-				Logger:            logger,
-				LogDir:            logDir,
-				ScriptDataDir:     scriptDataDir,
+				Client:        client,
+				Logger:        logger,
+				LogDir:        logDir,
+				ScriptDataDir: scriptDataDir,
+				// #nosec G115 - Safe conversion as tailnet listen port is within uint16 range (0-65535)
 				TailnetListenPort: uint16(tailnetListenPort),
 				ExchangeToken: func(ctx context.Context) (string, error) {
 					if exchangeToken == nil {

diff --git a/cli/help.go b/cli/help.go
@@ -42,6 +42,7 @@ func ttyWidth() int {
 // wrapTTY wraps a string to the width of the terminal, or 80 no terminal
 // is detected.
 func wrapTTY(s string) string {
+	// #nosec G115 - Safe conversion as TTY width is expected to be within uint range
 	return wordwrap.WrapString(s, uint(ttyWidth()))
 }
 

diff --git a/coderd/agentapi/logs.go b/coderd/agentapi/logs.go
@@ -101,11 +101,12 @@ func (a *LogsAPI) BatchCreateLogs(ctx context.Context, req *agentproto.BatchCrea
 	}
 
 	logs, err := a.Database.InsertWorkspaceAgentLogs(ctx, database.InsertWorkspaceAgentLogsParams{
-		AgentID:      workspaceAgent.ID,
-		CreatedAt:    a.now(),
-		Output:       output,
-		Level:        level,
-		LogSourceID:  logSourceID,
+		AgentID:     workspaceAgent.ID,
+		CreatedAt:   a.now(),
+		Output:      output,
+		Level:       level,
+		LogSourceID: logSourceID,
+		// #nosec G115 - Safe conversion as output length is expected to be within int32 range
 		OutputLength: int32(outputLength),
 	})
 	if err != nil {

diff --git a/coderd/audit.go b/coderd/audit.go
@@ -54,7 +54,9 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	// #nosec G115 - Safe conversion as pagination offset is expected to be within int32 range
 	filter.OffsetOpt = int32(page.Offset)
+	// #nosec G115 - Safe conversion as pagination limit is expected to be within int32 range
 	filter.LimitOpt = int32(page.Limit)
 
 	if filter.Username == "me" {

diff --git a/coderd/autobuild/lifecycle_executor_internal_test.go b/coderd/autobuild/lifecycle_executor_internal_test.go
@@ -52,6 +52,7 @@ func Test_isEligibleForAutostart(t *testing.T) {
 	for i, weekday := range schedule.DaysOfWeek {
 		// Find the local weekday
 		if okTick.In(localLocation).Weekday() == weekday {
+			// #nosec G115 - Safe conversion as i is the index of a 7-day week and will be in the range 0-6
 			okWeekdayBit = 1 << uint(i)
 		}
 	}

diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -5977,6 +5977,7 @@ func (q *FakeQuerier) GetTemplateVersionsByTemplateID(_ context.Context, arg dat
 
 	if arg.LimitOpt > 0 {
 		if int(arg.LimitOpt) > len(version) {
+			// #nosec G115 - Safe conversion as version slice length is expected to be within int32 range
 			arg.LimitOpt = int32(len(version))
 		}
 		version = version[:arg.LimitOpt]
@@ -6601,6 +6602,7 @@ func (q *FakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 
 	if params.LimitOpt > 0 {
 		if int(params.LimitOpt) > len(users) {
+			// #nosec G115 - Safe conversion as users slice length is expected to be within int32 range
 			params.LimitOpt = int32(len(users))
 		}
 		users = users[:params.LimitOpt]
@@ -7528,6 +7530,7 @@ func (q *FakeQuerier) GetWorkspaceBuildsByWorkspaceID(_ context.Context,
 
 	if params.LimitOpt > 0 {
 		if int(params.LimitOpt) > len(history) {
+			// #nosec G115 - Safe conversion as history slice length is expected to be within int32 range
 			params.LimitOpt = int32(len(history))
 		}
 		history = history[:params.LimitOpt]
@@ -9188,6 +9191,7 @@ func (q *FakeQuerier) InsertWorkspaceAgentLogs(_ context.Context, arg database.I
 			LogSourceID: arg.LogSourceID,
 			Output:      output,
 		})
+			// #nosec G115 - Safe conversion as log output length is expected to be within int32 range
 		outputLength += int32(len(output))
 	}
 	for index, agent := range q.workspaceAgents {
@@ -12334,8 +12338,11 @@ TemplateUsageStatsInsertLoop:
 			SshMins:             int16(stat.SSHMins),
 			// #nosec G115 - Safe conversion for SFTP minutes which are expected to be within int16 range
 			SftpMins:            int16(stat.SFTPMins),
+			// #nosec G115 - Safe conversion for ReconnectingPTY minutes which are expected to be within int16 range
 			ReconnectingPtyMins: int16(stat.ReconnectingPTYMins),
+			// #nosec G115 - Safe conversion for VSCode minutes which are expected to be within int16 range
 			VscodeMins:          int16(stat.VSCodeMins),
+			// #nosec G115 - Safe conversion for JetBrains minutes which are expected to be within int16 range
 			JetbrainsMins:       int16(stat.JetBrainsMins),
 		}
 		if len(stat.AppUsageMinutes) > 0 {

diff --git a/coderd/database/lock.go b/coderd/database/lock.go
@@ -18,5 +18,6 @@ const (
 func GenLockID(name string) int64 {
 	hash := fnv.New64()
 	_, _ = hash.Write([]byte(name))
+	// #nosec G115 - Safe conversion as FNV hash should be treated as random value and both uint64/int64 have the same range of unique values
 	return int64(hash.Sum64())
 }
diff --git a/coderd/notifications/manager_test.go b/coderd/notifications/manager_test.go
@@ -192,6 +192,7 @@ type syncInterceptor struct {
 
 func (b *syncInterceptor) BulkMarkNotificationMessagesSent(ctx context.Context, arg database.BulkMarkNotificationMessagesSentParams) (int64, error) {
 	updated, err := b.Store.BulkMarkNotificationMessagesSent(ctx, arg)
+	// #nosec G115 - Safe conversion as the count of updated notification messages is expected to be within int32 range
 	b.sent.Add(int32(updated))
 	if err != nil {
 		b.err.Store(err)
@@ -201,6 +202,7 @@ func (b *syncInterceptor) BulkMarkNotificationMessagesSent(ctx context.Context,
 
 func (b *syncInterceptor) BulkMarkNotificationMessagesFailed(ctx context.Context, arg database.BulkMarkNotificationMessagesFailedParams) (int64, error) {
 	updated, err := b.Store.BulkMarkNotificationMessagesFailed(ctx, arg)
+	// #nosec G115 - Safe conversion as the count of updated notification messages is expected to be within int32 range
 	b.failed.Add(int32(updated))
 	if err != nil {
 		b.err.Store(err)

diff --git a/coderd/notifications/notifier.go b/coderd/notifications/notifier.go
@@ -210,7 +210,7 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f
 func (n *notifier) fetch(ctx context.Context) ([]database.AcquireNotificationMessagesRow, error) {
 	msgs, err := n.store.AcquireNotificationMessages(ctx, database.AcquireNotificationMessagesParams{
 		// #nosec G115 - Safe conversion for lease count which is expected to be within int32 range
-		Count:           int32(n.cfg.LeaseCount),
+		Count: int32(n.cfg.LeaseCount),
 		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		MaxAttemptCount: int32(n.cfg.MaxSendAttempts),
 		NotifierID:      n.id,
@@ -338,6 +338,7 @@ func (n *notifier) newFailedDispatch(msg database.AcquireNotificationMessagesRow
 	var result string
 
 	// If retryable and not the last attempt, it's a temporary failure.
+	// #nosec G115 - Safe conversion as MaxSendAttempts is expected to be small enough to fit in int32
 	if retryable && msg.AttemptCount < int32(n.cfg.MaxSendAttempts)-1 {
 		result = ResultTempFail
 	} else {

diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -1996,7 +1996,8 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 			DisplayApps:              convertDisplayApps(prAgent.GetDisplayApps()),
 			InstanceMetadata:         pqtype.NullRawMessage{},
 			ResourceMetadata:         pqtype.NullRawMessage{},
-			DisplayOrder:             int32(prAgent.Order),
+			// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+			DisplayOrder: int32(prAgent.Order),
 		})
 		if err != nil {
 			return xerrors.Errorf("insert agent: %w", err)
@@ -2011,7 +2012,8 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 				Key:              md.Key,
 				Timeout:          md.Timeout,
 				Interval:         md.Interval,
-				DisplayOrder:     int32(md.Order),
+				// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+				DisplayOrder: int32(md.Order),
 			}
 			err := db.InsertWorkspaceAgentMetadata(ctx, p)
 			if err != nil {
@@ -2194,9 +2196,10 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 				HealthcheckInterval:  app.Healthcheck.Interval,
 				HealthcheckThreshold: app.Healthcheck.Threshold,
 				Health:               health,
-				DisplayOrder:         int32(app.Order),
-				Hidden:               app.Hidden,
-				OpenIn:               openIn,
+				// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+				DisplayOrder: int32(app.Order),
+				Hidden:       app.Hidden,
+				OpenIn:       openIn,
 			})
 			if err != nil {
 				return xerrors.Errorf("insert app: %w", err)

diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -843,6 +843,7 @@ func TestWorkspaceAgentListeningPorts(t *testing.T) {
 			o.PortCacheDuration = time.Millisecond
 		})
 		resources := coderdtest.AwaitWorkspaceAgents(t, client, r.Workspace.ID)
+		// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 		return client, uint16(coderdPort), resources[0].Agents[0].ID
 	}
 
@@ -877,6 +878,7 @@ func TestWorkspaceAgentListeningPorts(t *testing.T) {
 				_ = l.Close()
 			})
 
+			// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 			port = uint16(tcpAddr.Port)
 			return true
 		}, testutil.WaitShort, testutil.IntervalFast)

diff --git a/coderd/workspaceapps/apptest/apptest.go b/coderd/workspaceapps/apptest/apptest.go
@@ -1667,6 +1667,7 @@ func Run(t *testing.T, appHostIsPrimary bool, factory DeploymentFactory) {
 		require.True(t, ok)
 
 		appDetails := setupProxyTest(t, &DeploymentOptions{
+			// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 			port: uint16(tcpAddr.Port),
 		})
 

diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -693,6 +693,7 @@ func (s *Server) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 	}
 	defer release()
 	log.Debug(ctx, "dialed workspace agent")
+	// #nosec G115 - Safe conversion for terminal height/width which are expected to be within uint16 range (0-65535)
 	ptNetConn, err := agentConn.ReconnectingPTY(ctx, reconnect, uint16(height), uint16(width), r.URL.Query().Get("command"), func(arp *workspacesdk.AgentReconnectingPTYInit) {
 		arp.Container = container
 		arp.ContainerUser = containerUser

diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -605,6 +605,7 @@ func (api *API) workspaceProxyRegister(rw http.ResponseWriter, r *http.Request)
 	}
 
 	startingRegionID, _ := getProxyDERPStartingRegionID(api.Options.BaseDERPMap)
+	// #nosec G115 - Safe conversion as DERP region IDs are small integers expected to be within int32 range
 	regionID := int32(startingRegionID) + proxy.RegionID
 
 	err := api.Database.InTx(func(db database.Store) error {

diff --git a/enterprise/coderd/workspacequota.go b/enterprise/coderd/workspacequota.go
@@ -113,9 +113,11 @@ func (c *committer) CommitQuota(
 	}
 
 	return &proto.CommitQuotaResponse{
-		Ok:              permit,
+		Ok: permit,
+		// #nosec G115 - Safe conversion as quota credits consumed value is expected to be within int32 range
 		CreditsConsumed: int32(consumed),
-		Budget:          int32(budget),
+		// #nosec G115 - Safe conversion as quota budget value is expected to be within int32 range
+		Budget: int32(budget),
 	}, nil
 }
 

diff --git a/provisioner/terraform/resources.go b/provisioner/terraform/resources.go
@@ -756,8 +756,9 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s
 			DefaultValue: param.Default,
 			Icon:         param.Icon,
 			Required:     !param.Optional,
-			Order:        int32(param.Order),
-			Ephemeral:    param.Ephemeral,
+			// #nosec G115 - Safe conversion as parameter order value is expected to be within int32 range
+			Order:     int32(param.Order),
+			Ephemeral: param.Ephemeral,
 		}
 		if len(param.Validation) == 1 {
 			protoParam.ValidationRegex = param.Validation[0].Regex
@@ -940,6 +941,7 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s
 }
 
 func PtrInt32(number int) *int32 {
+	// #nosec G115 - Safe conversion as the number is expected to be within int32 range
 	n := int32(number)
 	return &n
 }

diff --git a/scaletest/workspacetraffic/conn.go b/scaletest/workspacetraffic/conn.go
@@ -218,6 +218,7 @@ func connectSSH(ctx context.Context, client *codersdk.Client, agentID uuid.UUID,
 					// The exit status is 255 when the command is
 					// interrupted by a signal. This is expected.
 					if exitErr.ExitStatus() != 255 {
+						// #nosec G115 - Safe conversion as SSH exit status is expected to be within int32 range (usually 0-255)
 						merr = errors.Join(merr, xerrors.Errorf("ssh session exited with unexpected status: %d", int32(exitErr.ExitStatus())))
 					}
 				} else {

diff --git a/tailnet/convert.go b/tailnet/convert.go
@@ -51,10 +51,11 @@ func NodeToProto(n *Node) (*proto.Node, error) {
 		allowedIPs[i] = string(s)
 	}
 	return &proto.Node{
-		Id:                  int64(n.ID),
-		AsOf:                timestamppb.New(n.AsOf),
-		Key:                 k,
-		Disco:               string(disco),
+		Id:    int64(n.ID),
+		AsOf:  timestamppb.New(n.AsOf),
+		Key:   k,
+		Disco: string(disco),
+		// #nosec G115 - Safe conversion as DERP region IDs are small integers expected to be within int32 range
 		PreferredDerp:       int32(n.PreferredDERP),
 		DerpLatency:         n.DERPLatency,
 		DerpForcedWebsocket: derpForcedWebsocket,
@@ -191,14 +192,16 @@ func DERPNodeToProto(node *tailcfg.DERPNode) *proto.DERPMap_Region_Node {
 	}
 
 	return &proto.DERPMap_Region_Node{
-		Name:             node.Name,
-		RegionId:         int64(node.RegionID),
-		HostName:         node.HostName,
-		CertName:         node.CertName,
-		Ipv4:             node.IPv4,
-		Ipv6:             node.IPv6,
-		StunPort:         int32(node.STUNPort),
-		StunOnly:         node.STUNOnly,
+		Name:     node.Name,
+		RegionId: int64(node.RegionID),
+		HostName: node.HostName,
+		CertName: node.CertName,
+		Ipv4:     node.IPv4,
+		Ipv6:     node.IPv6,
+		// #nosec G115 - Safe conversion as STUN port is within int32 range (0-65535)
+		StunPort: int32(node.STUNPort),
+		StunOnly: node.STUNOnly,
+		// #nosec G115 - Safe conversion as DERP port is within int32 range (0-65535)
 		DerpPort:         int32(node.DERPPort),
 		InsecureForTests: node.InsecureForTests,
 		ForceHttp:        node.ForceHTTP,

diff --git a/vpn/router.go b/vpn/router.go
@@ -115,7 +115,7 @@ func convertToIPV4Route(route netip.Prefix) *NetworkSettingsRequest_IPv4Settings
 
 func convertToIPV6Route(route netip.Prefix) *NetworkSettingsRequest_IPv6Settings_IPv6Route {
 	return &NetworkSettingsRequest_IPv6Settings_IPv6Route{
-		Destination:  route.Addr().String(),
+		Destination: route.Addr().String(),
 		// #nosec G115 - Safe conversion as prefix lengths are always within uint32 range (0-128)
 		PrefixLength: uint32(route.Bits()),
 		Router:       "", // N/A

diff --git a/vpn/serdes.go b/vpn/serdes.go
@@ -81,6 +81,7 @@ func (s *serdes[S, _, _]) sendLoop() {
 				s.logger.Critical(s.ctx, "failed to marshal message", slog.Error(err))
 				return
 			}
+			// #nosec G115 - Safe conversion as protobuf message length is expected to be within uint32 range
 			if err := binary.Write(s.conn, binary.BigEndian, uint32(len(mb))); err != nil {
 				s.logger.Debug(s.ctx, "failed to write length", slog.Error(err))
 				return

diff --git a/vpn/speaker_internal_test.go b/vpn/speaker_internal_test.go
@@ -74,6 +74,7 @@ func TestSpeaker_RawPeer(t *testing.T) {
 	msgBuf := make([]byte, msgLen)
 	n, err = mp.Read(msgBuf)
 	require.NoError(t, err)
+	// #nosec G115 - Safe conversion of read bytes count to uint32 for comparison with message length
 	require.Equal(t, msgLen, uint32(n))
 	msg := new(TunnelMessage)
 	err = proto.Unmarshal(msgBuf, msg)