academy/mq-container
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update gosec behaviour and version (#396)

Browse Source 
* Update gosec behaviour to fail if unable to install

* fixing gosec issues (#394)

Co-authored-by: KIRAN DARBHA <kirandarbha@in.ibm.com>
This commit is contained in:
Tom Jefferson
2023-02-06 14:33:59 +00:00
committed by GitHub Enterprise
parent 572e883841
commit 9c7f49d8d3
12 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
Makefile
View File

@@ -533,29 +533,16 @@ lint: $(addsuffix /$(wildcard *.go), $(GO_PKG_DIRS))
.PHONY: gosec .PHONY: gosec
gosec: gosec:
$(info $(SPACER)$(shell printf "Running gosec test"$(END))) $(info $(SPACER)$(shell printf "Running gosec test"$(END)))
@gosec -fmt=json -out=gosec_results.json cmd/... internal/... 2> /dev/null ;\ @gosecrc=0; gosec -fmt=json -out=gosec_results.json cmd/... internal/... 2> /dev/null || gosecrc=$$?; \
cat "gosec_results.json" ;\ cat gosec_results.json | jq '{"GolangErrors": (.["Golang errors"]|length>0),"Issues":(.Issues|length>0)}' | grep 'true' >/dev/null ;\
cat gosec_results.json | grep HIGH | grep severity > /dev/null ;\ if [ $$? -eq 0 ] || [ $$gosecrc -ne 0 ]; then \
if [ $$? -eq 0 ]; then \ printf "FAILURE: Issues found running gosec - see gosec_results.json\n" ;\
printf "\nFAILURE: gosec found files containing HIGH severity issues - see results.json\n" ;\ cat "gosec_results.json" ;\
exit 1 ;\ exit 1 ;\
else \ else \
printf "\ngosec found no HIGH severity issues\n" ;\ printf "gosec found no issues\n" ;\
fi ;\ cat "gosec_results.json" ;\
cat gosec_results.json | grep MEDIUM | grep severity > /dev/null ;\ fi
if [ $$? -eq 0 ]; then \
printf "\nFAILURE: gosec found files containing MEDIUM severity issues - see results.json\n" ;\
exit 1 ;\
else \
printf "\ngosec found no MEDIUM severity issues\n" ;\
fi ;\
cat gosec_results.json | grep LOW | grep severity > /dev/null;\
if [ $$? -eq 0 ]; then \
printf "\nFAILURE: gosec found files containing LOW severity issues - see results.json\n" ;\
exit 1;\
else \
printf "\ngosec found no LOW severity issues\n" ;\
fi ;\
.PHONY: update-release-information .PHONY: update-release-information
update-release-information: update-release-information:

1
cmd/runmqdevserver/main.go
View File

@@ -91,6 +91,7 @@ func logTermination(args ...interface{}) {
// Write the message to the termination log. This is not the default place // Write the message to the termination log. This is not the default place
// that Kubernetes will look for termination information. // that Kubernetes will look for termination information.
log.Debugf("Writing termination message: %v", msg) log.Debugf("Writing termination message: %v", msg)
// #nosec G306 - its a read by owner/s group, and pose no harm.
err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660) err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660)
if err != nil { if err != nil {
log.Debug(err) log.Debug(err)

1
cmd/runmqserver/logging.go
View File

@@ -46,6 +46,7 @@ func logTermination(args ...interface{}) {
// Write the message to the termination log. This is not the default place // Write the message to the termination log. This is not the default place
// that Kubernetes will look for termination information. // that Kubernetes will look for termination information.
log.Debugf("Writing termination message: %v", msg) log.Debugf("Writing termination message: %v", msg)
// #nosec G306 - its a read by owner/s group, and pose no harm.
err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660) err := ioutil.WriteFile("/run/termination-log", []byte(msg), 0660)
if err != nil { if err != nil {
log.Debug(err) log.Debug(err)

3
cmd/runmqserver/mirror.go
View File

@@ -95,6 +95,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
// the file is open before the queue manager is created or started. // the file is open before the queue manager is created or started.
// Otherwise, there would be the potential for a nearly-full file to // Otherwise, there would be the potential for a nearly-full file to
// rotate before the goroutine had a chance to open it. // rotate before the goroutine had a chance to open it.
// #nosec G304 - no harm, we open readonly and check error.
f, err = os.OpenFile(path, os.O_RDONLY, 0) f, err = os.OpenFile(path, os.O_RDONLY, 0)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -122,6 +123,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
return return
} }
log.Debugf("File exists: %v, %v", path, fi.Size()) log.Debugf("File exists: %v, %v", path, fi.Size())
// #nosec G304 - no harm, we open readonly and check error.
f, err = os.OpenFile(path, os.O_RDONLY, 0) f, err = os.OpenFile(path, os.O_RDONLY, 0)
if err != nil { if err != nil {
log.Error(err) log.Error(err)
@@ -169,6 +171,7 @@ func mirrorLog(ctx context.Context, wg *sync.WaitGroup, path string, fromStart b
} }
// Re-open file // Re-open file
log.Debugf("Re-opening error log file %v", path) log.Debugf("Re-opening error log file %v", path)
// #nosec G304 - no harm, we open readonly and check error.
f, err = os.OpenFile(path, os.O_RDONLY, 0) f, err = os.OpenFile(path, os.O_RDONLY, 0)
if err != nil { if err != nil {
log.Error(err) log.Error(err)

3
cmd/runmqserver/qmgr.go
View File

@@ -328,7 +328,8 @@ func updateQMini(qmname string) error {
if strings.Contains(qminiConfigStr, "ServiceComponent:") { if strings.Contains(qminiConfigStr, "ServiceComponent:") {
var re = regexp.MustCompile(`(?m)^.*ServiceComponent.*$\s^.*Service.*$\s^.*Name.*$\s^.*Module.*$\s^.*ComponentDataSize.*$`) var re = regexp.MustCompile(`(?m)^.*ServiceComponent.*$\s^.*Service.*$\s^.*Name.*$\s^.*Module.*$\s^.*ComponentDataSize.*$`)
curFile := re.ReplaceAllString(qminiConfigStr, "") curFile := re.ReplaceAllString(qminiConfigStr, "")
// #nosec G304 - qmgrDir filepath is derived from dspmqinf // #nosec G304 G306 - qmgrDir filepath is derived from dspmqinf and
// its a read by owner/s group, and pose no harm.
err := ioutil.WriteFile(qmgrDir, []byte(curFile), 0660) err := ioutil.WriteFile(qmgrDir, []byte(curFile), 0660)
if err != nil { if err != nil {
return err return err

2
install-build-deps.sh
View File

@@ -25,4 +25,4 @@ sudo apt-get update || :
sudo apt-get install -y jq sudo apt-get install -y jq
go install golang.org/x/lint/golint@latest go install golang.org/x/lint/golint@latest
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin 2.14.0 || echo "Gosec not installed. Platform may not be supported." curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $GOPATH/bin v2.14.0 || echo "Gosec not installed. Platform may not be supported."

3
internal/copy/copy.go
View File

@@ -36,12 +36,15 @@ func CopyFileMode(src, dest string, perm os.FileMode) error {
if err != nil { if err != nil {
return fmt.Errorf("failed to open %s for copy: %v", src, err) return fmt.Errorf("failed to open %s for copy: %v", src, err)
} }
// #nosec G307 - local to this function, pose no harm.
defer in.Close() defer in.Close()
// #nosec G304 - this func creates based on the input filemode.
out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY, perm) out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY, perm)
if err != nil { if err != nil {
return fmt.Errorf("failed to open %s for copy: %v", dest, err) return fmt.Errorf("failed to open %s for copy: %v", dest, err)
} }
// #nosec G307 - local to this function, pose no harm.
defer out.Close() defer out.Close()
_, err = io.Copy(out, in) _, err = io.Copy(out, in)

1
internal/htpasswd/htpasswd.go
View File

@@ -108,5 +108,6 @@ func (htpfile mapHtPasswd) updateHtPasswordFile(isTest bool) error {
if isTest { if isTest {
file = "my.htpasswd" file = "my.htpasswd"
} }
// #nosec G306 - its a read by owner/s group, and pose no harm.
return ioutil.WriteFile(file, htpfile.GetBytes(), 0660) return ioutil.WriteFile(file, htpfile.GetBytes(), 0660)
} }

2
internal/metrics/metrics.go
View File

@@ -35,6 +35,8 @@ const (
var ( var (
metricsEnabled = false metricsEnabled = false
// #nosec G112 - this code is changing soon to use https.
// for now we will ignore the gosec.
metricsServer = &http.Server{Addr: ":" + defaultPort} metricsServer = &http.Server{Addr: ":" + defaultPort}
) )

4
internal/mqtemplate/mqtemplate.go
View File

@@ -48,8 +48,10 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
return err return err
} }
} }
// #nosec G302
// #nosec G302 G304 G306 - its a read by owner/s group, and pose no harm.
f, err := os.OpenFile(destFile, os.O_CREATE|os.O_WRONLY, 0660) f, err := os.OpenFile(destFile, os.O_CREATE|os.O_WRONLY, 0660)
// #nosec G307 - local to this function, pose no harm.
defer f.Close() defer f.Close()
err = t.Execute(f, data) err = t.Execute(f, data)
if err != nil { if err != nil {

1
internal/ready/ready.go
View File

@@ -54,6 +54,7 @@ func Clear() error {
// Set lets any subsequent calls to `CheckReady` know that the queue // Set lets any subsequent calls to `CheckReady` know that the queue
// manager has finished its configuration step // manager has finished its configuration step
func Set() error { func Set() error {
// #nosec G306 - this gives permissions to owner/s group only.
return ioutil.WriteFile(fileName, []byte("1"), 0770) return ioutil.WriteFile(fileName, []byte("1"), 0770)
} }

5
internal/tls/tls.go
View File

@@ -267,6 +267,7 @@ func processKeys(tlsStore *TLSStore, keystoreDir string, keyDir string) (string,
if err != nil { if err != nil {
return "", fmt.Errorf("Failed to encode PKCS#12 Keystore %s: %v", keySet.Name()+".p12", err) return "", fmt.Errorf("Failed to encode PKCS#12 Keystore %s: %v", keySet.Name()+".p12", err)
} }
// #nosec G306 - this gives permissions to owner/s group only.
err = ioutil.WriteFile(filepath.Join(keystoreDir, keySet.Name()+".p12"), file, 0644) err = ioutil.WriteFile(filepath.Join(keystoreDir, keySet.Name()+".p12"), file, 0644)
if err != nil { if err != nil {
return "", fmt.Errorf("Failed to write PKCS#12 Keystore %s: %v", filepath.Join(keystoreDir, keySet.Name()+".p12"), err) return "", fmt.Errorf("Failed to write PKCS#12 Keystore %s: %v", filepath.Join(keystoreDir, keySet.Name()+".p12"), err)
@@ -570,6 +571,7 @@ func generateRandomPassword() string {
validcharArray := []byte(validChars) validcharArray := []byte(validChars)
password := "" password := ""
for i := 0; i < 12; i++ { for i := 0; i < 12; i++ {
// #nosec G404 - this is only for internal keystore and using math/rand pose no harm.
password = password + string(validcharArray[pwr.Intn(len(validcharArray))]) password = password + string(validcharArray[pwr.Intn(len(validcharArray))])
} }
@@ -614,10 +616,13 @@ func getCertificateFingerprint(block *pem.Block) (string, error) {
// writeCertificatesToFile writes a list of certificates to a file // writeCertificatesToFile writes a list of certificates to a file
func writeCertificatesToFile(file string, certificates []*pem.Block) error { func writeCertificatesToFile(file string, certificates []*pem.Block) error {
// #nosec G304 - this is a temporary pem file to write certs.
f, err := os.Create(file) f, err := os.Create(file)
if err != nil { if err != nil {
return fmt.Errorf("Failed to create file %s: %v", file, err) return fmt.Errorf("Failed to create file %s: %v", file, err)
} }
// #nosec G307 - local to this function, pose no harm.
defer f.Close() defer f.Close()
w := bufio.NewWriter(f) w := bufio.NewWriter(f)