
lint: Enable gosec linter #1903

Merged: 5 commits, Oct 13, 2021

Conversation

justaugustus
Member

@justaugustus justaugustus commented Feb 10, 2021

What type of PR is this?

/kind cleanup
/area security

What this PR does / why we need it:

Self-directed nerd-snipe: https://twitter.com/stephenaugustus/status/1359356181735755776?s=20
xref: #1694 (comment)

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

@k8s-ci-robot
Contributor

@justaugustus: The label(s) area/security cannot be applied, because the repository doesn't have them

In response to this:

What type of PR is this?

/kind cleanup
/area security

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority labels Feb 10, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 10, 2021
@justaugustus
Member Author

@justaugustus: The label(s) area/security cannot be applied, because the repository doesn't have them

kubernetes/test-infra#20815

Contributor

@hasheddan hasheddan left a comment


/area security
😉

@k8s-ci-robot
Contributor

@hasheddan: The label(s) area/security cannot be applied, because the repository doesn't have them

In response to this:

/area security
😉

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hasheddan
Contributor

ahhh

/area release-eng/security

@k8s-ci-robot k8s-ci-robot added the area/release-eng/security Issues or PRs related to release engineering security label Feb 16, 2021
@saschagrunert
Member

@justaugustus do you wanna fixup the gosec issues?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2021
@cpanato
Member

cpanato commented Jun 8, 2021

@justaugustus can I take this PR and push the commits to fix the linters, or are you planning to finish this? thanks!

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 9, 2021
@justaugustus
Member Author

(No changes yet; just a rebase.)

@jimangel
Member

Boosting the failed test:

level=warning msg="[runner] The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner. Replaced by revive."

Entire thing:

level=warning msg="[runner] The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner.  Replaced by revive."
pkg/license/download.go:20:2: G505: Blocklisted import crypto/sha1: weak cryptographic primitive (gosec)
	"crypto/sha1"
	^
pkg/license/download.go:186:48: G401: Use of weak cryptographic primitive (gosec)
		ddi.Options.CacheDir, fmt.Sprintf("%x.json", sha1.Sum([]byte(url))),
		                                             ^
cmd/schedule-builder/cmd/root.go:127:10: G306: Expect WriteFile permissions to be 0600 or less (gosec)
		err := os.WriteFile(opts.outputFile, []byte(scheduleOut), 0644)
		       ^
pkg/spdx/document.go:21:2: G505: Blocklisted import crypto/sha1: weak cryptographic primitive (gosec)
	"crypto/sha1"
	^
pkg/spdx/document.go:236:8: G401: Use of weak cryptographic primitive (gosec)
		h := sha1.New()
		     ^
pkg/spdx/imageanalyzer_distroless.go:125:17: G110: Potential DoS vulnerability via decompression bomb (gosec)
			if _, err := io.Copy(f, tr); err != nil {
			             ^
pkg/spdx/imageanalyzer_distroless.go:266:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
			if _, err = io.Copy(b, tr); err != nil {
			            ^
pkg/spdx/implementation.go:107:17: G305: File traversal when extracting zip/tar archive (gosec)
		targetFile := filepath.Join(tmpDir, hdr.Name)
		              ^
pkg/spdx/implementation.go:114:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
		if _, err := io.Copy(f, tr); err != nil {
		             ^
pkg/spdx/object.go:20:2: G505: Blocklisted import crypto/sha1: weak cryptographic primitive (gosec)
	"crypto/sha1"
	^
pkg/spdx/object.go:92:36: G401: Use of weak cryptographic primitive (gosec)
	s1, err := hash.ForFile(filePath, sha1.New())
	                                  ^
pkg/github/github.go:41:2: G101: Potential hardcoded credentials (gosec)
	TokenEnvKey = "GITHUB_TOKEN"
	^
pkg/announce/announce.go:138:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
	if err := os.WriteFile(
		subjectFile, []byte(subject), 0o755,
	); err != nil {
pkg/announce/announce.go:148:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
	if err := os.WriteFile(
		announcementFile, []byte(message), 0o755,
	); err != nil {
cmd/gh2gcs/cmd/root.go:246:37: G601: Implicit memory aliasing in for loop. (gosec)
		if err := gh2gcs.DownloadReleases(&releaseCfg, gh, opts.outputDir); err != nil {
		                                  ^
cmd/gh2gcs/cmd/root.go:252:28: G601: Implicit memory aliasing in for loop. (gosec)
			if err := gh2gcs.Upload(&releaseCfg, gh, opts.outputDir); err != nil {
			                        ^
make: *** [Makefile:55: verify-golangci-lint] Error 1

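The G305, G110 and G306 findings in this log all point at the same pattern in the archive-extraction code: filepath.Join(tmpDir, hdr.Name) trusts the entry name, io.Copy(f, tr) trusts the entry size, and the WriteFile calls use 0644 or 0o755 modes (not every line is a defect, though; G101 fires on the name of an environment variable). The Go snippet below is an added example, not code from kubernetes/release or from this PR, showing the two per-entry replacements a reviewer would expect; safeJoin, writeCapped and the file names used in main are hypothetical.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin replaces the bare filepath.Join(tmpDir, hdr.Name) gosec flags as G305:
// a name such as "../../x" cleans to a path outside dest and is rejected here.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	if !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", fmt.Errorf("entry %q escapes %s", name, dest)
	}
	return target, nil
}

// writeCapped replaces the unbounded io.Copy(f, tr) flagged as G110 (a LimitReader set one
// byte past maxBytes makes an oversized entry fail, not truncate) and creates the file 0o600 (G306).
func writeCapped(target string, src io.Reader, maxBytes int64) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	n, err := io.Copy(f, io.LimitReader(src, maxBytes+1))
	if err == nil && n > maxBytes {
		return fmt.Errorf("entry exceeds %d bytes", maxBytes)
	}
	return err
}

func main() {
	dir, _ := os.MkdirTemp("", "extract")
	defer os.RemoveAll(dir)
	for _, name := range []string{"docs/readme.txt", "../escape.txt"} { // constructed names
		target, err := safeJoin(dir, name)
		if err == nil {
			err = writeCapped(target, strings.NewReader("constructed body"), 1024)
		}
		fmt.Printf("%s: %v\n", name, err)
	}
}
```

In the extraction loop itself, safeJoin runs on every header (directory entries included) and writeCapped only on tar.TypeReg entries; symlink and hardlink entries need their own target check before they are created.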
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 2, 2021
@justaugustus
Member Author

/retest-required

@justaugustus
Member Author

@justaugustus can I take this PR and push the commits to fix the linters, or are you planning to finish this? thanks!

@cpanato -- Missed this note! If you'd like to carry this across the finish line, go for it :)
/assign @cpanato

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Triggered in G306: Expect WriteFile permissions to be 0600 or less

Signed-off-by: Stephen Augustus <foo@auggie.dev>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
@k8s-ci-robot
Contributor

k8s-ci-robot commented Oct 13, 2021

@justaugustus: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                          Commit   Details  Required  Rerun command
pull-release-image-releng-ci       7d757fc  link               /test pull-release-image-releng-ci
pull-release-image-k8s-ci-builder  7d757fc  link               /test pull-release-image-k8s-ci-builder
pull-release-image-kubepkg         7d757fc  link               /test pull-release-image-kubepkg
pull-release-image-kpromo          37c7999  link               /test pull-release-image-kpromo

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@cpanato
Member

cpanato commented Oct 13, 2021

done! @justaugustus @puerco @saschagrunert PTAL

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 13, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justaugustus, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [justaugustus,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 4283f7f into kubernetes:master Oct 13, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Oct 13, 2021