Update gosec behaviour and version (#397)

* Update gosec behaviour and fix resulting gosec vulnerabilities (#399) Co-authored-by: KIRAN DARBHA <kirandarbha@in.ibm.com>
2023-02-07 22:03:13 +00:00
parent 923407e77f
commit fb2e7c71e1
12 changed files with 32 additions and 25 deletions
--- a/internal/copy/copy.go
+++ b/internal/copy/copy.go
@@ -36,12 +36,15 @@ func CopyFileMode(src, dest string, perm os.FileMode) error {
 	if err != nil {
 		return fmt.Errorf("failed to open %s for copy: %v", src, err)
 	}
+	// #nosec G307 - local to this function, pose no harm.
 	defer in.Close()

+	// #nosec G304 - this func creates based on the input filemode.
 	out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY, perm)
 	if err != nil {
 		return fmt.Errorf("failed to open %s for copy: %v", dest, err)
 	}
+	// #nosec G307 - local to this function, pose no harm.
 	defer out.Close()

 	_, err = io.Copy(out, in)
--- a/internal/htpasswd/htpasswd.go
+++ b/internal/htpasswd/htpasswd.go
@@ -108,5 +108,6 @@ func (htpfile mapHtPasswd) updateHtPasswordFile(isTest bool) error {
 	if isTest {
 		file = "my.htpasswd"
 	}
+	// #nosec G306 - its a read by owner/s group, and pose no harm.
 	return ioutil.WriteFile(file, htpfile.GetBytes(), 0660)
 }
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -35,6 +35,8 @@ const (

 var (
 	metricsEnabled = false
+	// #nosec G112 - this needs investigation to find reasonable timeout.
+	// git-issue 233 to cover this..
 	metricsServer  = &http.Server{Addr: ":" + defaultPort}
 )

--- a/internal/mqtemplate/mqtemplate.go
+++ b/internal/mqtemplate/mqtemplate.go
@@ -48,8 +48,10 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 			return err
 		}
 	}
-	// #nosec G302
+
+	// #nosec G302 G304 G306 - its a read by owner/s group, and pose no harm.
 	f, err := os.OpenFile(destFile, os.O_CREATE|os.O_WRONLY, 0660)
+	// #nosec G307 - local to this function, pose no harm.
 	defer f.Close()
 	err = t.Execute(f, data)
 	if err != nil {
--- a/internal/ready/ready.go
+++ b/internal/ready/ready.go
@@ -53,6 +53,7 @@ func Clear() error {
 // Set lets any subsequent calls to `CheckReady` know that the queue
 // manager has finished its configuration step
 func Set() error {
+	// #nosec G306 - this gives permissions to owner/s group only.
 	return ioutil.WriteFile(fileName, []byte("1"), 0770)
 }

--- a/internal/tls/tls.go
+++ b/internal/tls/tls.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2019, 2021
+© Copyright IBM Corporation 2019, 2023

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -235,6 +235,7 @@ func processKeys(tlsStore *TLSStore, keystoreDir string, keyDir string) (string,
 			if err != nil {
 				return "", fmt.Errorf("Failed to encode PKCS#12 Keystore %s: %v", keySet.Name()+".p12", err)
 			}
+			// #nosec G306 - this gives permissions to owner/s group only.
 			err = ioutil.WriteFile(filepath.Join(keystoreDir, keySet.Name()+".p12"), file, 0644)
 			if err != nil {
 				return "", fmt.Errorf("Failed to write PKCS#12 Keystore %s: %v", filepath.Join(keystoreDir, keySet.Name()+".p12"), err)
@@ -538,6 +539,7 @@ func generateRandomPassword() string {
 	validcharArray := []byte(validChars)
 	password := ""
 	for i := 0; i < 12; i++ {
+		// #nosec G404 - this is only for internal keystore and using math/rand pose no harm.
 		password = password + string(validcharArray[pwr.Intn(len(validcharArray))])
 	}

@@ -582,10 +584,13 @@ func getCertificateFingerprint(block *pem.Block) (string, error) {

 // writeCertificatesToFile writes a list of certificates to a file
 func writeCertificatesToFile(file string, certificates []*pem.Block) error {
+
+	// #nosec G304 - this is a temporary pem file to write certs.
 	f, err := os.Create(file)
 	if err != nil {
 		return fmt.Errorf("Failed to create file %s: %v", file, err)
 	}
+	// #nosec G307 - local to this function, pose no harm.
 	defer f.Close()

 	w := bufio.NewWriter(f)