[security-fix] Fix unhandled error in semver.go (Alert #477)

[github-actions]

Security Fix: Unhandled Error in Semantic Version Parsing

Alert Number: #477
Severity: Low
Rule: G104 - Improper Check or Handling of Exceptional Conditions
Tool: gosec (Golang security checks)
Location: pkg/workflow/semver.go:58

Vulnerability Description

Gosec detected an unhandled error return value from fmt.Sscanf() in the extractMajorVersion() function at line 58. The security scanner flagged this as improper exception handling, which could potentially lead to unexpected behavior if errors are silently ignored without explicit intent.

While the error handling in this case is intentional (the function is designed to default to 0 for non-numeric version parts), the error return value was not explicitly assigned to the blank identifier _, making it unclear whether the error was intentionally ignored or accidentally missed.

Fix Applied

Added explicit error handling by assigning the error return value to the blank identifier _, consistent with the existing pattern used elsewhere in the same file:

Before (line 58):

var major int
fmt.Sscanf(parts[0], "%d", &major)
return major

After (line 58):

var major int
_, _ = fmt.Sscanf(parts[0], "%d", &major) // Ignore error, defaults to 0 for non-numeric parts
return major

This matches the existing error handling pattern used in the compareVersions() function on lines 29 and 32, where errors are explicitly ignored with the same comment.

Security Best Practices

✅ Explicit Error Handling: Makes it clear that errors are intentionally ignored, not accidentally missed
✅ Consistent Code Pattern: Matches the existing pattern used elsewhere in the same file
✅ Documented Behavior: Inline comment explains why the error is ignored
✅ Satisfies Security Scanner: Eliminates gosec G104 alert
✅ No Functional Changes: Behavior remains identical - defaults to 0 for non-numeric parts

Testing

✅ Build succeeded: go build ./pkg/workflow/... passes without errors
✅ No breaking changes: Function behavior is completely unchanged
✅ Minimal change: Only adds explicit error handling for clarity
✅ Code consistency: Matches existing patterns in the same file

Impact Assessment

Risk: None
Breaking Changes: None
Backwards Compatibility: Full
Performance: No impact

The fix is purely cosmetic - it makes explicit what was already happening implicitly. The function continues to return 0 for non-numeric version parts, which is the intended behavior for semantic version comparison.

Context

The extractMajorVersion() function is used to extract the major version number from semantic version strings (e.g., "v5.0.0" → 5). It's designed to be lenient and default to 0 for malformed version strings, which is why error handling is intentionally ignored. This fix simply makes that intent explicit for security scanners and code reviewers.

Files Modified

• pkg/workflow/semver.go:
  • Line 58: Added explicit error handling with _, _ assignment and explanatory comment

References

• CodeQL Alert: https://github.com/githubnext/gh-aw/security/code-scanning/477
• Gosec G104: Errors unhandled
• CWE-703: Improper Check or Handling of Exceptional Conditions

---

🤖 Generated by Security Fix Agent in workflow run 20754292055

AI generated by Security Fix PR