G304: Issue when passing in perm or flag as variable to os.OpenFile() #1318

Open
eest opened this issue Mar 10, 2025 · 0 comments

eest commented Mar 10, 2025

For some reason gosec is happy with this code:

```go
package main

import (
	"os"
	"path/filepath"
)

func open(fn string) {
	fh, err := os.OpenFile(filepath.Clean(fn), os.O_RDONLY, 0o600)
	if err != nil {
		panic(err)
	}
	defer fh.Close()
}

func main() {
	fn := "filename"
	open(fn)
}
```

while if it is changed to this I get a G304 error:

```go
package main

import (
	"os"
	"path/filepath"
)

func open(fn string, perm os.FileMode) {
	fh, err := os.OpenFile(filepath.Clean(fn), os.O_RDONLY, perm)
	if err != nil {
		panic(err)
	}
	defer fh.Close()
}

func main() {
	fn := "filename"
	open(fn, 0o600)
}
```

The error:

```
[.../main.go:9] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    8: func open(fn string, perm os.FileMode) {
  > 9: 	fh, err := os.OpenFile(filepath.Clean(fn), os.O_RDONLY, perm)
    10: 	if err != nil {
```

There seems to be the same problem if passing in the flag:

```go
package main

import (
	"os"
	"path/filepath"
)

func open(fn string, flag int) {
	fh, err := os.OpenFile(filepath.Clean(fn), flag, 0o600)
	if err != nil {
		panic(err)
	}
	defer fh.Close()
}

func main() {
	fn := "filename"
	open(fn, os.O_RDONLY)
}
```

```
[.../main.go:9] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    8: func open(fn string, flag int) {
  > 9: 	fh, err := os.OpenFile(filepath.Clean(fn), flag, 0o600)
    10: 	if err != nil {
```

Some additional information:

```
$ go version
go version go1.24.1 darwin/arm64
```

Probably not very helpful -version output (updated via go install github.com/securego/gosec/v2/cmd/gosec@latest just before opening the ticket)

```
$ gosec -version
Version: dev
Git tag:
Build date:
```
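
The three snippets in this report differ only in the `flag` and `perm` arguments; the path argument is `filepath.Clean(fn)` in all of them. As an added illustration (not gosec's implementation and not code from the issue), here is a path-only check built on `go/ast`. `tmpl`, `isCall` and `pathFindings` are hypothetical names, the sample source is constructed, and calls are matched by spelling without resolving imports.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample file; %s becomes the three os.OpenFile arguments.
const tmpl = `package main
func open(fn string, flag int, perm os.FileMode) {
	fh, err := os.OpenFile(%s)
}`

// isCall reports whether n is a call spelled as name, e.g. "os.OpenFile".
// Assumption: matching is purely syntactic, imports are not resolved.
func isCall(n ast.Node, name string) bool {
	call, ok := n.(*ast.CallExpr)
	return ok && types.ExprString(call.Fun) == name
}

// pathFindings returns the line of each os.OpenFile call whose path argument is
// neither a literal nor wrapped in filepath.Clean; flag and perm are not inspected.
func pathFindings(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "main.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		if !isCall(n, "os.OpenFile") || len(n.(*ast.CallExpr).Args) != 3 {
			return true
		}
		path := n.(*ast.CallExpr).Args[0]
		if _, lit := path.(*ast.BasicLit); !lit && !isCall(path, "filepath.Clean") {
			lines = append(lines, fset.Position(n.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

func main() {
	for _, a := range []string{"filepath.Clean(fn), flag, perm", "fn, flag, perm"} {
		fmt.Println(pathFindings(fmt.Sprintf(tmpl, a)))
	}
}
```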