academy/mq-container
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement GOSec for security scanning Fix vulnerabilities (#227)

Browse Source 
* Implement GOSec for security scanning Fix vulnerabilities

* Fix lint failure

* address PR comments and fix build break

* Fix test break in mqsc
This commit is contained in:
Rob Parker
2018-10-11 15:39:22 +01:00
committed by Arthur Barr
parent 6d11b0d8ae
commit 78ce84b3a1
20 changed files with 150 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/runmqserver/crtmqvol.go
View File

@@ -29,6 +29,7 @@ func createVolume(path string) error {
fi, err := os.Stat(dataPath)
if err != nil {
if os.IsNotExist(err) {
// #nosec G301
err = os.MkdirAll(dataPath, 0755)
if err != nil {
return err

1
cmd/runmqserver/license.go
View File

@@ -78,6 +78,7 @@ func checkLicense() (bool, error) {
return true, nil
case ok && lic == "view":
file := filepath.Join("/opt/mqm/licenses", resolveLicenseFile())
// #nosec G304
buf, err := ioutil.ReadFile(file)
if err != nil {
log.Println(err)

17
cmd/runmqserver/logging.go
View File

@@ -33,7 +33,7 @@ import (
// var debug = false
var log *logger.Logger
var collectDiagOnFail bool = false
var collectDiagOnFail = false
func logTerminationf(format string, args ...interface{}) {
logTermination(fmt.Sprintf(format, args))
@@ -108,8 +108,12 @@ func configureLogger(name string) (mirrorFunc, error) {
return func(msg string) {
// Parse the JSON message, and print a simplified version
var obj map[string]interface{}
json.Unmarshal([]byte(msg), &obj)
fmt.Printf(formatSimple(obj["ibm_datetime"].(string), obj["message"].(string)))
err := json.Unmarshal([]byte(msg), &obj)
if err != nil {
fmt.Printf("Failed to Unmarshall JSON - %v", err)
} else {
fmt.Printf(formatSimple(obj["ibm_datetime"].(string), obj["message"].(string)))
}
}, nil
default:
log, err = logger.NewLogger(os.Stdout, d, false, name)
@@ -124,20 +128,27 @@ func logDiagnostics() {
log.Debug("--- Start Diagnostics ---")
// show the directory ownership/permissions
// #nosec G104
out, _, _ := command.Run("ls", "-l", "/mnt/")
log.Debugf("/mnt/:\n%s", out)
// #nosec G104
out, _, _ = command.Run("ls", "-l", "/mnt/mqm")
log.Debugf("/mnt/mqm:\n%s", out)
// #nosec G104
out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
log.Debugf("/mnt/mqm/data:\n%s", out)
// #nosec G104
out, _, _ = command.Run("ls", "-l", "/var/mqm")
log.Debugf("/var/mqm:\n%s", out)
// #nosec G104
out, _, _ = command.Run("ls", "-l", "/var/mqm/errors")
log.Debugf("/var/mqm/errors:\n%s", out)
// Print out summary of any FDCs
// #nosec G204
cmd := exec.Command("/opt/mqm/bin/ffstsummary")
cmd.Dir = "/var/mqm/errors"
// #nosec G104
outB, _ := cmd.CombinedOutput()
log.Debugf("ffstsummary:\n%s", string(outB))

12
cmd/runmqserver/main.go
View File

@@ -129,7 +129,11 @@ func doMain() error {
logTermination(err)
return err
}
configureQueueManager()
err = configureQueueManager()
if err != nil {
logTermination(err)
return err
}
enableMetrics := os.Getenv("MQ_ENABLE_METRICS")
if enableMetrics == "true" || enableMetrics == "1" {
@@ -145,7 +149,11 @@ func doMain() error {
// Reap zombies now, just in case we've already got some
signalControl <- reapNow
// Write a file to indicate that chkmqready should now work as normal
ready.Set()
err = ready.Set()
if err != nil {
logTermination(err)
return err
}
// Wait for terminate signal
<-signalControl
return nil

10
cmd/runmqserver/mirror.go
View File

@@ -139,7 +139,10 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
// Always start at the beginning if we've been told to go from the start
if offset != 0 && !fromStart {
log.Debugf("Seeking offset %v in file %v", offset, path)
f.Seek(offset, 0)
_, err = f.Seek(offset, 0)
if err != nil {
log.Errorf("Unable to return to offset %v: %v", offset, err)
}
}
closing := false
for {
@@ -159,7 +162,10 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
// could skip all those messages. This could happen with a very small
// MQ error log size.
mirrorAvailableMessages(f, mf)
f.Close()
err = f.Close()
if err != nil {
log.Errorf("Unable to close mirror file handle: %v", err)
}
// Re-open file
log.Debugf("Re-opening error log file %v", path)
f, err = os.OpenFile(path, os.O_RDONLY, 0)

30
cmd/runmqserver/mqconfig.go
View File

@@ -24,19 +24,20 @@ import (
"github.com/genuinetools/amicontained/container"
)
func logContainerRuntime() error {
func logContainerRuntime() {
r, err := container.DetectRuntime()
if err != nil {
return err
log.Printf("Failed to get container runtime: %v", err)
return
}
log.Printf("Container runtime: %v", r)
return nil
}
func logBaseImage() error {
func logBaseImage() {
buf, err := ioutil.ReadFile("/etc/os-release")
if err != nil {
return err
log.Printf("Failed to read /etc/os-release: %v", err)
return
}
lines := strings.Split(string(buf), "\n")
for _, l := range lines {
@@ -44,41 +45,40 @@ func logBaseImage() error {
words := strings.Split(l, "\"")
if len(words) >= 2 {
log.Printf("Base image: %v", words[1])
return nil
return
}
}
}
return nil
}
// logCapabilities logs the Linux capabilities (e.g. setuid, setgid). See https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
func logCapabilities() error {
func logCapabilities() {
caps, err := container.Capabilities()
if err != nil {
return err
log.Printf("Failed to get container capabilities: %v", err)
return
}
for k, v := range caps {
if len(v) > 0 {
log.Printf("Capabilities (%s set): %v", strings.ToLower(k), strings.Join(v, ","))
}
}
return nil
}
// logSeccomp logs the seccomp enforcing mode, which affects which kernel calls can be made
func logSeccomp() error {
func logSeccomp() {
s, err := container.SeccompEnforcingMode()
if err != nil {
return err
log.Printf("Failed to get container SeccompEnforcingMode: %v", err)
return
}
log.Printf("seccomp enforcing mode: %v", s)
return nil
}
// logSecurityAttributes logs the security attributes of the current process.
// The security attributes indicate whether AppArmor or SELinux are being used,
// and what the level of confinement is.
func logSecurityAttributes() error {
func logSecurityAttributes() {
a, err := readProc("/proc/self/attr/current")
// On some systems, if AppArmor or SELinux are not installed, you get an
// error when you try and read `/proc/self/attr/current`, even though the
@@ -87,10 +87,10 @@ func logSecurityAttributes() error {
a = "none"
}
log.Printf("Process security attributes: %v", a)
return nil
}
func readProc(filename string) (value string, err error) {
// #nosec G304
buf, err := ioutil.ReadFile(filename)
if err != nil {
return "", err

14
cmd/runmqserver/qmgr.go
View File

@@ -90,6 +90,7 @@ func configureQueueManager() error {
for _, file := range files {
if strings.HasSuffix(file.Name(), ".mqsc") {
abs := filepath.Join(configDir, file.Name())
// #nosec G204
cmd := exec.Command("runmqsc")
stdin, err := cmd.StdinPipe()
if err != nil {
@@ -97,6 +98,7 @@ func configureQueueManager() error {
return err
}
// Open the MQSC file for reading
// #nosec G304
f, err := os.Open(abs)
if err != nil {
log.Printf("Error opening %v: %v", abs, err)
@@ -104,10 +106,16 @@ func configureQueueManager() error {
// Copy the contents to stdin of the runmqsc process
_, err = io.Copy(stdin, f)
if err != nil {
log.Printf("Error reading %v: %v", abs, err)
log.Errorf("Error reading %v: %v", abs, err)
}
err = f.Close()
if err != nil {
log.Errorf("Failed to close MQSC file handle: %v", err)
}
err = stdin.Close()
if err != nil {
log.Errorf("Failed to close MQSC stdin: %v", err)
}
f.Close()
stdin.Close()
// Run the command and wait for completion
out, err := cmd.CombinedOutput()
if err != nil {

3
cmd/runmqserver/signals.go
View File

@@ -43,7 +43,8 @@ func signalHandler(qmgr string) chan int {
log.Printf("Signal received: %v", sig)
signal.Stop(reapSignals)
signal.Stop(stopSignals)
metrics.StopMetricsGathering()
metrics.StopMetricsGathering(log)
// #nosec G104
stopQueueManager(qmgr)
// One final reap
reapZombies()