Background: This recent article https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/ describes (among other things) a number of security weaknesses in Go's encoding/json package. Some of these could be mitigated by better static checking of struct field tags; indeed, the author of the post links to two semgrep rules that enforce these checks. Specifically:
semgrep -c r/trailofbits.go.unmarshal-tag-is-dashsemgrep -c r/trailofbits.go.unmarshal-tag-is-omitempty
Proposal: Let's add these two checks to the structtag analyzer so that users get immediate feedback in their LSP-enabled editor, and whenever they run go vet.
Comment From: aclements
This proposal has been added to the active column of the proposals project and will now be reviewed at the weekly proposal review meetings. — aclements for the proposal review group
Comment From: aclements
Based on the discussion above, this proposal seems like a likely accept. — aclements for the proposal review group
The proposal details are in https://github.com/golang/go/issues/74376#issue-3176290012