From 319e07ee84ce077a671490b41bc40221b20fb81a Mon Sep 17 00:00:00 2001
From: Geoff Franks
Date: Wed, 23 Oct 2024 13:57:28 +0000
Subject: [PATCH] ignore false positive on G407
---
 encryption/crypt.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/encryption/crypt.go b/encryption/crypt.go
index bdc66af6..3d70071c 100644
--- a/encryption/crypt.go
+++ b/encryption/crypt.go
@@ -72,5 +72,6 @@ func (d *cryptor) Decrypt(encrypted Encrypted) ([]byte, error) {
 return nil, fmt.Errorf("Unable to create GCM-wrapped cipher: %q", err)
 }
 
+ // #nosec G407 - G407 is incorrectly flagging Decrypt calls that use the nonce provided in the encrypted data. we randomize this for encryption, which is where it matters. https://github.com/securego/gosec/issues/1209
 return aead.Open(nil, encrypted.Nonce, encrypted.CipherText, nil)
 }
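Review bot: The nonce passed to `aead.Open` comes straight from the stored record, and nothing visible in this hunk checks its length. Go's GCM `Open` panics on a nonce of the wrong size instead of returning an error, so a truncated or tampered record could crash the caller. Consider adding `if len(encrypted.Nonce) != aead.NonceSize() { return nil, fmt.Errorf("invalid nonce length %d", len(encrypted.Nonce)) }` before the call. The body of Decrypt starts outside the hunk, so an earlier length check may already exist. Separately, gosec documents the form `#nosec [RuleList] [-- Justification]`; with the single `-` used here the justification text is probably not recognised as one, so `// #nosec G407 -- nonce is read from the ciphertext record on decrypt; see securego/gosec#1209` would be safer.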