Fix G602 analyzer panic that kills gosec process (#1491)

* update go version to 1.25.7

* Fix G602 analyzer panic that kills gosec process

* guard against nil block

* add tests for nil guard fixes

Author: ravisastryk

analyzers/slice_bounds.go

@@ -138,7 +138,14 @@ func (s *sliceBoundsState) Reset() {
 	clear(s.trackCache)
 }
 
-func runSliceBounds(pass *analysis.Pass) (any, error) {
+func runSliceBounds(pass *analysis.Pass) (result any, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			result = nil
+			err = nil // Return nil error to allow other analyzers to continue
+		}
+	}()
+
 	ssaResult, err := getSSAResult(pass)
 	if err != nil {
 		return nil, err
@@ -201,6 +208,9 @@ func runSliceBounds(pass *analysis.Pass) (any, error) {
 						}
 					}
 				case *ssa.IndexAddr:
+					if instr.X == nil {
+						break
+					}
 					switch indexInstr := instr.X.(type) {
 					case *ssa.Const:
 						if _, ok := indexInstr.Type().Underlying().(*types.Slice); ok {
@@ -257,7 +267,12 @@ func runSliceBounds(pass *analysis.Pass) (any, error) {
 			}
 		}
 
-		for i, block := range ifref.Block().Succs {
+		// Guard against nil Block()
+		ifBlock := ifref.Block()
+		if ifBlock == nil {
+			continue
+		}
+		for i, block := range ifBlock.Succs {
 			if i == 1 {
 				bound = invBound(bound)
 			}
@@ -312,8 +327,11 @@ func runSliceBounds(pass *analysis.Pass) (any, error) {
 							}
 						}
 					} else if nestedIfInstr, ok := instr.(*ssa.If); ok {
-						for _, nestedBlock := range nestedIfInstr.Block().Succs {
-							processBlock(nestedBlock, depth)
+						// Guard against nil Block()
+						if nestedIfBlock := nestedIfInstr.Block(); nestedIfBlock != nil {
+							for _, nestedBlock := range nestedIfBlock.Succs {
+								processBlock(nestedBlock, depth)
+							}
 						}
 					}
 				}
@@ -336,6 +354,9 @@ func runSliceBounds(pass *analysis.Pass) (any, error) {
 // extractLenBound checks if the binop is of form "Var < Len + Offset" or equivalent patterns
 // (including offsets on the left-hand side like "(Var + Const) < Len")
 func extractLenBound(binop *ssa.BinOp) (ssa.Value, int, bool) {
+	if binop == nil {
+		return nil, 0, false
+	}
 	// Only handle Less Than for now
 	if binop.Op != token.LSS {
 		return nil, 0, false
@@ -564,6 +585,10 @@ func (s *sliceBoundsState) extractIntValueIndexAddr(refinstr *ssa.IndexAddr, sli
 		var hasStart bool
 		var next ssa.Value
 		for _, edge := range p.Edges {
+			// Guard against nil edges
+			if edge == nil {
+				continue
+			}
 			eBase, eOffset := decomposeIndex(edge)
 			if val, ok := GetConstantInt64(eBase); ok {
 				start = int(val) + eOffset
@@ -797,6 +822,9 @@ func invBound(bound bound) bound {
 var errExtractBinOp = errors.New("unable to extract constant from binop")
 
 func extractBinOpBound(binop *ssa.BinOp) (bound, int, error) {
+	if binop == nil {
+		return lowerUnbounded, 0, errExtractBinOp
+	}
 	if binop.X != nil {
 		if x, ok := binop.X.(*ssa.Const); ok {
 			if x.Value == nil {

analyzers/slice_bounds_test.go

@@ -0,0 +1,108 @@
+// (c) Copyright gosec's authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package analyzers
+
+import (
+	"go/token"
+	"testing"
+
+	"golang.org/x/tools/go/ssa"
+)
+
+// TestExtractBinOpBound_NilGuards tests nil safety in extractBinOpBound
+func TestExtractBinOpBound_NilGuards(t *testing.T) {
+	// Test nil binop
+	bound, value, err := extractBinOpBound(nil)
+	if err == nil {
+		t.Error("expected error for nil binop")
+	}
+	if bound != lowerUnbounded {
+		t.Errorf("expected lowerUnbounded, got %v", bound)
+	}
+	if value != 0 {
+		t.Errorf("expected value 0, got %d", value)
+	}
+}
+
+// TestExtractLenBound_NilGuards tests nil safety in extractLenBound
+func TestExtractLenBound_NilGuards(t *testing.T) {
+	// Test nil binop
+	val, offset, ok := extractLenBound(nil)
+	if ok {
+		t.Error("expected false for nil binop")
+	}
+	if val != nil {
+		t.Errorf("expected nil value, got %v", val)
+	}
+	if offset != 0 {
+		t.Errorf("expected offset 0, got %d", offset)
+	}
+}
+
+// TestSliceBoundsNilSafety tests that the analyzer doesn't crash on nil values
+func TestSliceBoundsNilSafety(t *testing.T) {
+	t.Run("extractBinOpBound with nil", func(t *testing.T) {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Errorf("extractBinOpBound panicked on nil input: %v", r)
+			}
+		}()
+		_, _, _ = extractBinOpBound(nil)
+	})
+
+	t.Run("extractLenBound with nil", func(t *testing.T) {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Errorf("extractLenBound panicked on nil input: %v", r)
+			}
+		}()
+		_, _, _ = extractLenBound(nil)
+	})
+
+	t.Run("extractBinOpBound with binop having nil X and Y", func(t *testing.T) {
+		defer func() {
+			if r := recover(); r != nil {
+				t.Errorf("extractBinOpBound panicked on binop with nil X/Y: %v", r)
+			}
+		}()
+		binop := &ssa.BinOp{Op: token.LSS}
+		// X and Y are nil by default
+		_, _, _ = extractBinOpBound(binop)
+	})
+}
+
+// TestInvBound tests the invBound function
+func TestInvBound(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    bound
+		expected bound
+	}{
+		{"lowerUnbounded", lowerUnbounded, upperUnbounded},
+		{"upperUnbounded", upperUnbounded, lowerUnbounded},
+		{"upperBounded", upperBounded, unbounded},
+		{"unbounded", unbounded, upperBounded},
+		{"bounded", bounded, bounded},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := invBound(tt.input)
+			if result != tt.expected {
+				t.Errorf("invBound(%v) = %v, want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}