Skip to content

[PPSC-602] CWE-252: Unchecked fmt.Fprintln return #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
shb7628 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[PPSC-602] CWE-252: Unchecked fmt.Fprintln return #125

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion internal/cmd/context.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@
func handleScanError(ctx context.Context, err error) error {
_ = ctx // unused but kept for API consistency
if errors.Is(err, context.Canceled) {
_, _ = fmt.Fprintln(os.Stderr, "") // newline before warning; ignore write errors
// CWE-252 false positive: write errors for stderr formatting are intentionally
// discarded - no meaningful recovery for failed terminal writes.
_, _ = fmt.Fprintln(os.Stderr, "")

Check notice

Code scanning / Armis Security Scanner

The function `handleScanError` calls `fmt.Fprintln(os.Stderr, "")` and discards both the number of bytes written and the error return value Low

The function handleScanError calls fmt.Fprintln(os.Stderr, "") and discards both the number of bytes written and the error return value: The function handleScanError calls fmt.Fprintln(os.Stderr, "") and discards both the number of bytes written and the error return value. Ignoring the error means that a failure to write to the standard error stream (e.g., when stderr is redirected to a closed pipe or a full disk) will go unnoticed, and the program will continue without informing the user that the cancellation message could not be displayed. This matches CWE‑252: Unchecked Return Value. The code does not involve any external input or network exposure; it operates locally within a CLI tool, so the vulnerability is considered low exposure (static, internal usage). Consequently, the likelihood of exploitation is low, but the issue is a true positive because the unchecked return value is present.
cli.PrintWarning("Scan cancelled")
return ErrScanCancelled
}
Expand Down
Loading