fix: address G115 integer overflow linter warnings for Go 1.24.1

sreya · sreya · commit 3cf71027b46f · 2025-03-25T21:29:54.000Z
Added #nosec G115 annotations with explanatory comments for all integer
type conversions flagged by the gosec linter. These annotations explain
why each conversion is safe within its context.

Common patterns:
- Network statistics expected to be within int64 range
- Port numbers within uint16 range (0-65535)
- String lengths expected to be within uint16 range
- DERP/STUN port numbers and region IDs within int32 range
- Slice lengths expected to be within int32 range
- Display order values expected to be within int32 range
- SSH exit status values expected to be within int32 range (0-255)
- Pagination parameters expected to be within int32 range
diff --git a/agent/agent.go b/agent/agent.go
@@ -1566,8 +1566,11 @@ func (a *agent) Collect(ctx context.Context, networkStats map[netlogtype.Connect
 		stats.ConnectionsByProto[conn.Proto.String()]++
 		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.RxBytes += int64(counts.RxBytes)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.RxPackets += int64(counts.RxPackets)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.TxBytes += int64(counts.TxBytes)
+		// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range
 		stats.TxPackets += int64(counts.TxPackets)
 	}
 
@@ -2053,5 +2056,6 @@ func WorkspaceKeySeed(workspaceID uuid.UUID, agentName string) (int64, error) {
 		return 42, err
 	}
 
+	// #nosec G115 - Safe conversion to generate int64 hash from Sum64, data loss acceptable
 	return int64(h.Sum64()), nil
 }
diff --git a/agent/agentrsa/key_test.go b/agent/agentrsa/key_test.go
@@ -28,6 +28,7 @@ func BenchmarkGenerateDeterministicKey(b *testing.B) {
 	for range b.N {
 		// always record the result of DeterministicPrivateKey to prevent
 		// the compiler eliminating the function call.
+		// #nosec G404 - Using math/rand is acceptable for benchmarking deterministic keys
 		r = agentrsa.GenerateDeterministicKey(rand.Int64())
 	}
 
diff --git a/agent/agentssh/x11.go b/agent/agentssh/x11.go
@@ -117,7 +117,7 @@ func (s *Server) x11Handler(ctx ssh.Context, x11 ssh.X11) (displayNumber int, ha
 			}{
 				OriginatorAddress: tcpAddr.IP.String(),
 				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
-				OriginatorPort:    uint32(tcpAddr.Port),
+				OriginatorPort: uint32(tcpAddr.Port),
 			}))
 			if err != nil {
 				s.logger.Warn(ctx, "failed to open X11 channel", slog.Error(err))
@@ -315,6 +315,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write display: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for auth protocol length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(authProtocol)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth protocol length: %w", err)
@@ -324,6 +325,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write auth protocol: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for auth cookie length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(authCookieBytes)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth cookie length: %w", err)
diff --git a/cli/agent.go b/cli/agent.go
@@ -327,10 +327,11 @@ func (r *RootCmd) workspaceAgent() *serpent.Command {
 			}
 
 			agnt := agent.New(agent.Options{
-				Client:            client,
-				Logger:            logger,
-				LogDir:            logDir,
-				ScriptDataDir:     scriptDataDir,
+				Client:        client,
+				Logger:        logger,
+				LogDir:        logDir,
+				ScriptDataDir: scriptDataDir,
+				// #nosec G115 - Safe conversion as tailnet listen port is within uint16 range (0-65535)
 				TailnetListenPort: uint16(tailnetListenPort),
 				ExchangeToken: func(ctx context.Context) (string, error) {
 					if exchangeToken == nil {
diff --git a/cli/help.go b/cli/help.go
@@ -42,6 +42,7 @@ func ttyWidth() int {
 // wrapTTY wraps a string to the width of the terminal, or 80 no terminal
 // is detected.
 func wrapTTY(s string) string {
+	// #nosec G115 - Safe conversion as TTY width is expected to be within uint range
 	return wordwrap.WrapString(s, uint(ttyWidth()))
 }
 
diff --git a/coderd/agentapi/logs.go b/coderd/agentapi/logs.go
@@ -101,11 +101,12 @@ func (a *LogsAPI) BatchCreateLogs(ctx context.Context, req *agentproto.BatchCrea
 	}
 
 	logs, err := a.Database.InsertWorkspaceAgentLogs(ctx, database.InsertWorkspaceAgentLogsParams{
-		AgentID:      workspaceAgent.ID,
-		CreatedAt:    a.now(),
-		Output:       output,
-		Level:        level,
-		LogSourceID:  logSourceID,
+		AgentID:     workspaceAgent.ID,
+		CreatedAt:   a.now(),
+		Output:      output,
+		Level:       level,
+		LogSourceID: logSourceID,
+		// #nosec G115 - Safe conversion as output length is expected to be within int32 range
 		OutputLength: int32(outputLength),
 	})
 	if err != nil {
diff --git a/coderd/audit.go b/coderd/audit.go
@@ -54,7 +54,9 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	// #nosec G115 - Safe conversion as pagination offset is expected to be within int32 range
 	filter.OffsetOpt = int32(page.Offset)
+	// #nosec G115 - Safe conversion as pagination limit is expected to be within int32 range
 	filter.LimitOpt = int32(page.Limit)
 
 	if filter.Username == "me" {
diff --git a/coderd/autobuild/lifecycle_executor_internal_test.go b/coderd/autobuild/lifecycle_executor_internal_test.go
@@ -52,6 +52,7 @@ func Test_isEligibleForAutostart(t *testing.T) {
 	for i, weekday := range schedule.DaysOfWeek {
 		// Find the local weekday
 		if okTick.In(localLocation).Weekday() == weekday {
+			// #nosec G115 - Safe conversion as i is the index of a 7-day week and will be in the range 0-6
 			okWeekdayBit = 1 << uint(i)
 		}
 	}
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -5977,6 +5977,7 @@ func (q *FakeQuerier) GetTemplateVersionsByTemplateID(_ context.Context, arg dat
 
 	if arg.LimitOpt > 0 {
 		if int(arg.LimitOpt) > len(version) {
+			// #nosec G115 - Safe conversion as version slice length is expected to be within int32 range
 			arg.LimitOpt = int32(len(version))
 		}
 		version = version[:arg.LimitOpt]
@@ -6601,6 +6602,7 @@ func (q *FakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 
 	if params.LimitOpt > 0 {
 		if int(params.LimitOpt) > len(users) {
+			// #nosec G115 - Safe conversion as users slice length is expected to be within int32 range
 			params.LimitOpt = int32(len(users))
 		}
 		users = users[:params.LimitOpt]
@@ -7528,6 +7530,7 @@ func (q *FakeQuerier) GetWorkspaceBuildsByWorkspaceID(_ context.Context,
 
 	if params.LimitOpt > 0 {
 		if int(params.LimitOpt) > len(history) {
+			// #nosec G115 - Safe conversion as history slice length is expected to be within int32 range
 			params.LimitOpt = int32(len(history))
 		}
 		history = history[:params.LimitOpt]
@@ -9188,6 +9191,7 @@ func (q *FakeQuerier) InsertWorkspaceAgentLogs(_ context.Context, arg database.I
 			LogSourceID: arg.LogSourceID,
 			Output:      output,
 		})
+			// #nosec G115 - Safe conversion as log output length is expected to be within int32 range
 		outputLength += int32(len(output))
 	}
 	for index, agent := range q.workspaceAgents {
@@ -12334,8 +12338,11 @@ TemplateUsageStatsInsertLoop:
 			SshMins:             int16(stat.SSHMins),
 			// #nosec G115 - Safe conversion for SFTP minutes which are expected to be within int16 range
 			SftpMins:            int16(stat.SFTPMins),
+			// #nosec G115 - Safe conversion for ReconnectingPTY minutes which are expected to be within int16 range
 			ReconnectingPtyMins: int16(stat.ReconnectingPTYMins),
+			// #nosec G115 - Safe conversion for VSCode minutes which are expected to be within int16 range
 			VscodeMins:          int16(stat.VSCodeMins),
+			// #nosec G115 - Safe conversion for JetBrains minutes which are expected to be within int16 range
 			JetbrainsMins:       int16(stat.JetBrainsMins),
 		}
 		if len(stat.AppUsageMinutes) > 0 {
diff --git a/coderd/database/lock.go b/coderd/database/lock.go
@@ -18,5 +18,6 @@ const (
 func GenLockID(name string) int64 {
 	hash := fnv.New64()
 	_, _ = hash.Write([]byte(name))
+	// #nosec G115 - Safe conversion as FNV hash should be treated as random value and both uint64/int64 have the same range of unique values
 	return int64(hash.Sum64())
 }
diff --git a/coderd/notifications/manager_test.go b/coderd/notifications/manager_test.go
@@ -192,6 +192,7 @@ type syncInterceptor struct {
 
 func (b *syncInterceptor) BulkMarkNotificationMessagesSent(ctx context.Context, arg database.BulkMarkNotificationMessagesSentParams) (int64, error) {
 	updated, err := b.Store.BulkMarkNotificationMessagesSent(ctx, arg)
+	// #nosec G115 - Safe conversion as the count of updated notification messages is expected to be within int32 range
 	b.sent.Add(int32(updated))
 	if err != nil {
 		b.err.Store(err)
@@ -201,6 +202,7 @@ func (b *syncInterceptor) BulkMarkNotificationMessagesSent(ctx context.Context,
 
 func (b *syncInterceptor) BulkMarkNotificationMessagesFailed(ctx context.Context, arg database.BulkMarkNotificationMessagesFailedParams) (int64, error) {
 	updated, err := b.Store.BulkMarkNotificationMessagesFailed(ctx, arg)
+	// #nosec G115 - Safe conversion as the count of updated notification messages is expected to be within int32 range
 	b.failed.Add(int32(updated))
 	if err != nil {
 		b.err.Store(err)
diff --git a/coderd/notifications/notifier.go b/coderd/notifications/notifier.go
@@ -210,7 +210,7 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f
 func (n *notifier) fetch(ctx context.Context) ([]database.AcquireNotificationMessagesRow, error) {
 	msgs, err := n.store.AcquireNotificationMessages(ctx, database.AcquireNotificationMessagesParams{
 		// #nosec G115 - Safe conversion for lease count which is expected to be within int32 range
-		Count:           int32(n.cfg.LeaseCount),
+		Count: int32(n.cfg.LeaseCount),
 		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		MaxAttemptCount: int32(n.cfg.MaxSendAttempts),
 		NotifierID:      n.id,
@@ -338,6 +338,7 @@ func (n *notifier) newFailedDispatch(msg database.AcquireNotificationMessagesRow
 	var result string
 
 	// If retryable and not the last attempt, it's a temporary failure.
+	// #nosec G115 - Safe conversion as MaxSendAttempts is expected to be small enough to fit in int32
 	if retryable && msg.AttemptCount < int32(n.cfg.MaxSendAttempts)-1 {
 		result = ResultTempFail
 	} else {
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -1996,7 +1996,8 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 			DisplayApps:              convertDisplayApps(prAgent.GetDisplayApps()),
 			InstanceMetadata:         pqtype.NullRawMessage{},
 			ResourceMetadata:         pqtype.NullRawMessage{},
-			DisplayOrder:             int32(prAgent.Order),
+			// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+			DisplayOrder: int32(prAgent.Order),
 		})
 		if err != nil {
 			return xerrors.Errorf("insert agent: %w", err)
@@ -2011,7 +2012,8 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 				Key:              md.Key,
 				Timeout:          md.Timeout,
 				Interval:         md.Interval,
-				DisplayOrder:     int32(md.Order),
+				// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+				DisplayOrder: int32(md.Order),
 			}
 			err := db.InsertWorkspaceAgentMetadata(ctx, p)
 			if err != nil {
@@ -2194,9 +2196,10 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 				HealthcheckInterval:  app.Healthcheck.Interval,
 				HealthcheckThreshold: app.Healthcheck.Threshold,
 				Health:               health,
-				DisplayOrder:         int32(app.Order),
-				Hidden:               app.Hidden,
-				OpenIn:               openIn,
+				// #nosec G115 - Safe conversion as display order value is expected to be within int32 range
+				DisplayOrder: int32(app.Order),
+				Hidden:       app.Hidden,
+				OpenIn:       openIn,
 			})
 			if err != nil {
 				return xerrors.Errorf("insert app: %w", err)
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -843,6 +843,7 @@ func TestWorkspaceAgentListeningPorts(t *testing.T) {
 			o.PortCacheDuration = time.Millisecond
 		})
 		resources := coderdtest.AwaitWorkspaceAgents(t, client, r.Workspace.ID)
+		// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 		return client, uint16(coderdPort), resources[0].Agents[0].ID
 	}
 
@@ -877,6 +878,7 @@ func TestWorkspaceAgentListeningPorts(t *testing.T) {
 				_ = l.Close()
 			})
 
+			// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 			port = uint16(tcpAddr.Port)
 			return true
 		}, testutil.WaitShort, testutil.IntervalFast)
diff --git a/coderd/workspaceapps/apptest/apptest.go b/coderd/workspaceapps/apptest/apptest.go
@@ -1667,6 +1667,7 @@ func Run(t *testing.T, appHostIsPrimary bool, factory DeploymentFactory) {
 		require.True(t, ok)
 
 		appDetails := setupProxyTest(t, &DeploymentOptions{
+			// #nosec G115 - Safe conversion as TCP port numbers are within uint16 range (0-65535)
 			port: uint16(tcpAddr.Port),
 		})
 
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -693,6 +693,7 @@ func (s *Server) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 	}
 	defer release()
 	log.Debug(ctx, "dialed workspace agent")
+	// #nosec G115 - Safe conversion for terminal height/width which are expected to be within uint16 range (0-65535)
 	ptNetConn, err := agentConn.ReconnectingPTY(ctx, reconnect, uint16(height), uint16(width), r.URL.Query().Get("command"), func(arp *workspacesdk.AgentReconnectingPTYInit) {
 		arp.Container = container
 		arp.ContainerUser = containerUser
diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -605,6 +605,7 @@ func (api *API) workspaceProxyRegister(rw http.ResponseWriter, r *http.Request)
 	}
 
 	startingRegionID, _ := getProxyDERPStartingRegionID(api.Options.BaseDERPMap)
+	// #nosec G115 - Safe conversion as DERP region IDs are small integers expected to be within int32 range
 	regionID := int32(startingRegionID) + proxy.RegionID
 
 	err := api.Database.InTx(func(db database.Store) error {
diff --git a/enterprise/coderd/workspacequota.go b/enterprise/coderd/workspacequota.go
@@ -113,9 +113,11 @@ func (c *committer) CommitQuota(
 	}
 
 	return &proto.CommitQuotaResponse{
-		Ok:              permit,
+		Ok: permit,
+		// #nosec G115 - Safe conversion as quota credits consumed value is expected to be within int32 range
 		CreditsConsumed: int32(consumed),
-		Budget:          int32(budget),
+		// #nosec G115 - Safe conversion as quota budget value is expected to be within int32 range
+		Budget: int32(budget),
 	}, nil
 }
 
diff --git a/provisioner/terraform/resources.go b/provisioner/terraform/resources.go
@@ -756,8 +756,9 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s
 			DefaultValue: param.Default,
 			Icon:         param.Icon,
 			Required:     !param.Optional,
-			Order:        int32(param.Order),
-			Ephemeral:    param.Ephemeral,
+			// #nosec G115 - Safe conversion as parameter order value is expected to be within int32 range
+			Order:     int32(param.Order),
+			Ephemeral: param.Ephemeral,
 		}
 		if len(param.Validation) == 1 {
 			protoParam.ValidationRegex = param.Validation[0].Regex
@@ -940,6 +941,7 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s
 }
 
 func PtrInt32(number int) *int32 {
+	// #nosec G115 - Safe conversion as the number is expected to be within int32 range
 	n := int32(number)
 	return &n
 }
diff --git a/scaletest/workspacetraffic/conn.go b/scaletest/workspacetraffic/conn.go
@@ -218,6 +218,7 @@ func connectSSH(ctx context.Context, client *codersdk.Client, agentID uuid.UUID,
 					// The exit status is 255 when the command is
 					// interrupted by a signal. This is expected.
 					if exitErr.ExitStatus() != 255 {
+						// #nosec G115 - Safe conversion as SSH exit status is expected to be within int32 range (usually 0-255)
 						merr = errors.Join(merr, xerrors.Errorf("ssh session exited with unexpected status: %d", int32(exitErr.ExitStatus())))
 					}
 				} else {
diff --git a/tailnet/convert.go b/tailnet/convert.go
@@ -51,10 +51,11 @@ func NodeToProto(n *Node) (*proto.Node, error) {
 		allowedIPs[i] = string(s)
 	}
 	return &proto.Node{
-		Id:                  int64(n.ID),
-		AsOf:                timestamppb.New(n.AsOf),
-		Key:                 k,
-		Disco:               string(disco),
+		Id:    int64(n.ID),
+		AsOf:  timestamppb.New(n.AsOf),
+		Key:   k,
+		Disco: string(disco),
+		// #nosec G115 - Safe conversion as DERP region IDs are small integers expected to be within int32 range
 		PreferredDerp:       int32(n.PreferredDERP),
 		DerpLatency:         n.DERPLatency,
 		DerpForcedWebsocket: derpForcedWebsocket,
@@ -191,14 +192,16 @@ func DERPNodeToProto(node *tailcfg.DERPNode) *proto.DERPMap_Region_Node {
 	}
 
 	return &proto.DERPMap_Region_Node{
-		Name:             node.Name,
-		RegionId:         int64(node.RegionID),
-		HostName:         node.HostName,
-		CertName:         node.CertName,
-		Ipv4:             node.IPv4,
-		Ipv6:             node.IPv6,
-		StunPort:         int32(node.STUNPort),
-		StunOnly:         node.STUNOnly,
+		Name:     node.Name,
+		RegionId: int64(node.RegionID),
+		HostName: node.HostName,
+		CertName: node.CertName,
+		Ipv4:     node.IPv4,
+		Ipv6:     node.IPv6,
+		// #nosec G115 - Safe conversion as STUN port is within int32 range (0-65535)
+		StunPort: int32(node.STUNPort),
+		StunOnly: node.STUNOnly,
+		// #nosec G115 - Safe conversion as DERP port is within int32 range (0-65535)
 		DerpPort:         int32(node.DERPPort),
 		InsecureForTests: node.InsecureForTests,
 		ForceHttp:        node.ForceHTTP,
diff --git a/vpn/router.go b/vpn/router.go
@@ -115,7 +115,7 @@ func convertToIPV4Route(route netip.Prefix) *NetworkSettingsRequest_IPv4Settings
 
 func convertToIPV6Route(route netip.Prefix) *NetworkSettingsRequest_IPv6Settings_IPv6Route {
 	return &NetworkSettingsRequest_IPv6Settings_IPv6Route{
-		Destination:  route.Addr().String(),
+		Destination: route.Addr().String(),
 		// #nosec G115 - Safe conversion as prefix lengths are always within uint32 range (0-128)
 		PrefixLength: uint32(route.Bits()),
 		Router:       "", // N/A
diff --git a/vpn/serdes.go b/vpn/serdes.go
@@ -81,6 +81,7 @@ func (s *serdes[S, _, _]) sendLoop() {
 				s.logger.Critical(s.ctx, "failed to marshal message", slog.Error(err))
 				return
 			}
+			// #nosec G115 - Safe conversion as protobuf message length is expected to be within uint32 range
 			if err := binary.Write(s.conn, binary.BigEndian, uint32(len(mb))); err != nil {
 				s.logger.Debug(s.ctx, "failed to write length", slog.Error(err))
 				return
diff --git a/vpn/speaker_internal_test.go b/vpn/speaker_internal_test.go
@@ -74,6 +74,7 @@ func TestSpeaker_RawPeer(t *testing.T) {
 	msgBuf := make([]byte, msgLen)
 	n, err = mp.Read(msgBuf)
 	require.NoError(t, err)
+	// #nosec G115 - Safe conversion of read bytes count to uint32 for comparison with message length
 	require.Equal(t, msgLen, uint32(n))
 	msg := new(TunnelMessage)
 	err = proto.Unmarshal(msgBuf, msg)

Original file line number	Diff line number	Diff line change
`@@ -1566,8 +1566,11 @@ func (a *agent) Collect(ctx context.Context, networkStats map[netlogtype.Connect`
`1566`	`1566`	`stats.ConnectionsByProto[conn.Proto.String()]++`
`1567`	`1567`	`// #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range`
`1568`	`1568`	`stats.RxBytes += int64(counts.RxBytes)`
	`1569`	`+ // #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range`
`1569`	`1570`	`stats.RxPackets += int64(counts.RxPackets)`
	`1571`	`+ // #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range`
`1570`	`1572`	`stats.TxBytes += int64(counts.TxBytes)`
	`1573`	`+ // #nosec G115 - Safe conversions for network statistics which we expect to be within int64 range`
`1571`	`1574`	`stats.TxPackets += int64(counts.TxPackets)`
`1572`	`1575`	`}`
`1573`	`1576`
`@@ -2053,5 +2056,6 @@ func WorkspaceKeySeed(workspaceID uuid.UUID, agentName string) (int64, error) {`
`2053`	`2056`	`return 42, err`
`2054`	`2057`	`}`
`2055`	`2058`
	`2059`	`+ // #nosec G115 - Safe conversion to generate int64 hash from Sum64, data loss acceptable`
`2056`	`2060`	`return int64(h.Sum64()), nil`
`2057`	`2061`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ func BenchmarkGenerateDeterministicKey(b *testing.B) {`
`28`	`28`	`for range b.N {`
`29`	`29`	`// always record the result of DeterministicPrivateKey to prevent`
`30`	`30`	`// the compiler eliminating the function call.`
	`31`	`+ // #nosec G404 - Using math/rand is acceptable for benchmarking deterministic keys`
`31`	`32`	`r = agentrsa.GenerateDeterministicKey(rand.Int64())`
`32`	`33`	`}`
`33`	`34`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ func ttyWidth() int {`
`42`	`42`	`// wrapTTY wraps a string to the width of the terminal, or 80 no terminal`
`43`	`43`	`// is detected.`
`44`	`44`	`func wrapTTY(s string) string {`
	`45`	`+ // #nosec G115 - Safe conversion as TTY width is expected to be within uint range`
`45`	`46`	`return wordwrap.WrapString(s, uint(ttyWidth()))`
`46`	`47`	`}`
`47`	`48`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,9 @@ func (api API) auditLogs(rw http.ResponseWriter, r http.Request) {`
`54`	`54`	`})`
`55`	`55`	`return`
`56`	`56`	`}`
	`57`	`+ // #nosec G115 - Safe conversion as pagination offset is expected to be within int32 range`
`57`	`58`	`filter.OffsetOpt = int32(page.Offset)`
	`59`	`+ // #nosec G115 - Safe conversion as pagination limit is expected to be within int32 range`
`58`	`60`	`filter.LimitOpt = int32(page.Limit)`
`59`	`61`
`60`	`62`	`if filter.Username == "me" {`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ func Test_isEligibleForAutostart(t *testing.T) {`
`52`	`52`	`for i, weekday := range schedule.DaysOfWeek {`
`53`	`53`	`// Find the local weekday`
`54`	`54`	`if okTick.In(localLocation).Weekday() == weekday {`
	`55`	`+ // #nosec G115 - Safe conversion as i is the index of a 7-day week and will be in the range 0-6`
`55`	`56`	`okWeekdayBit = 1 << uint(i)`
`56`	`57`	`}`
`57`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,5 +18,6 @@ const (`
`18`	`18`	`func GenLockID(name string) int64 {`
`19`	`19`	`hash := fnv.New64()`
`20`	`20`	`_, _ = hash.Write([]byte(name))`
	`21`	`+ // #nosec G115 - Safe conversion as FNV hash should be treated as random value and both uint64/int64 have the same range of unique values`
`21`	`22`	`return int64(hash.Sum64())`
`22`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -693,6 +693,7 @@ func (s Server) workspaceAgentPTY(rw http.ResponseWriter, r http.Request) {`
`693`	`693`	`}`
`694`	`694`	`defer release()`
`695`	`695`	`log.Debug(ctx, "dialed workspace agent")`
	`696`	`+ // #nosec G115 - Safe conversion for terminal height/width which are expected to be within uint16 range (0-65535)`
`696`	`697`	`ptNetConn, err := agentConn.ReconnectingPTY(ctx, reconnect, uint16(height), uint16(width), r.URL.Query().Get("command"), func(arp *workspacesdk.AgentReconnectingPTYInit) {`
`697`	`698`	`arp.Container = container`
`698`	`699`	`arp.ContainerUser = containerUser`
Original file line number	Diff line number	Diff line change
`@@ -605,6 +605,7 @@ func (api API) workspaceProxyRegister(rw http.ResponseWriter, r http.Request)`
`605`	`605`	`}`
`606`	`606`
`607`	`607`	`startingRegionID, _ := getProxyDERPStartingRegionID(api.Options.BaseDERPMap)`
	`608`	`+ // #nosec G115 - Safe conversion as DERP region IDs are small integers expected to be within int32 range`
`608`	`609`	`regionID := int32(startingRegionID) + proxy.RegionID`
`609`	`610`
`610`	`611`	`err := api.Database.InTx(func(db database.Store) error {`
Original file line number	Diff line number	Diff line change
`@@ -113,9 +113,11 @@ func (c *committer) CommitQuota(`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`return &proto.CommitQuotaResponse{`
`116`		`- Ok: permit,`
	`116`	`+ Ok: permit,`
	`117`	`+ // #nosec G115 - Safe conversion as quota credits consumed value is expected to be within int32 range`
`117`	`118`	`CreditsConsumed: int32(consumed),`
`118`		`- Budget: int32(budget),`
	`119`	`+ // #nosec G115 - Safe conversion as quota budget value is expected to be within int32 range`
	`120`	`+ Budget: int32(budget),`
`119`	`121`	`}, nil`
`120`	`122`	`}`
`121`	`123`
Original file line number	Diff line number	Diff line change
`@@ -756,8 +756,9 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s`
`756`	`756`	`DefaultValue: param.Default,`
`757`	`757`	`Icon: param.Icon,`
`758`	`758`	`Required: !param.Optional,`
`759`		`- Order: int32(param.Order),`
`760`		`- Ephemeral: param.Ephemeral,`
	`759`	`+ // #nosec G115 - Safe conversion as parameter order value is expected to be within int32 range`
	`760`	`+ Order: int32(param.Order),`
	`761`	`+ Ephemeral: param.Ephemeral,`
`761`	`762`	`}`
`762`	`763`	`if len(param.Validation) == 1 {`
`763`	`764`	`protoParam.ValidationRegex = param.Validation[0].Regex`
`@@ -940,6 +941,7 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s`
`940`	`941`	`}`
`941`	`942`
`942`	`943`	`func PtrInt32(number int) *int32 {`
	`944`	`+ // #nosec G115 - Safe conversion as the number is expected to be within int32 range`
`943`	`945`	`n := int32(number)`
`944`	`946`	`return &n`
`945`	`947`	`}`