[scanner] fix: resolve gosec security findings in kb/rag (#19280)

clubanderson · web-flow · commit d456039ffc7e · 2026-06-20T05:41:08.000-04:00
Signed-off-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/pkg/kb/rag/embedder.go b/pkg/kb/rag/embedder.go
@@ -62,7 +62,8 @@ func Quantize(v []float32) []uint64 {
 	code := make([]uint64, (len(v)+63)/64)
 	for i, x := range v {
 		if x >= 0 {
-			code[i/64] |= 1 << uint(i%64)
+			// Safe conversion: i%64 is always in [0,63], well within uint range.
+			code[i/64] |= 1 << uint(i%64) // #nosec G115
 		}
 	}
 	return code
diff --git a/pkg/kb/rag/hashembedder.go b/pkg/kb/rag/hashembedder.go
@@ -100,7 +100,9 @@ func (e *HashEmbedder) addFeature(vec []float32, feature string, weight float64)
 	h := fnv.New64a()
 	_, _ = h.Write([]byte(feature))
 	sum := h.Sum64()
-	idx := int(sum % uint64(e.dim))
+	// Safe conversion: sum % uint64(e.dim) is always < e.dim (typically 512),
+	// well within int range even on 32-bit systems.
+	idx := int(sum % uint64(e.dim)) // #nosec G115
 	sign := float32(1)
 	if sum&(1<<63) != 0 {
 		sign = -1

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,8 @@ func Quantize(v []float32) []uint64 {`
`62`	`62`	`code := make([]uint64, (len(v)+63)/64)`
`63`	`63`	`for i, x := range v {`
`64`	`64`	`if x >= 0 {`
`65`		`- code[i/64] \|= 1 << uint(i%64)`
	`65`	`+ // Safe conversion: i%64 is always in [0,63], well within uint range.`
	`66`	`+ code[i/64] \|= 1 << uint(i%64) // #nosec G115`
`66`	`67`	`}`
`67`	`68`	`}`
`68`	`69`	`return code`