security: changed sha1 calls to sha256 (#147)

Co-authored-by: Sheldon Hull <[email protected]>

.changes/unreleased/ci-and-build-20240718-110224.yaml

@@ -0,0 +1,3 @@
+kind: ci-and-build
+body: Update changie to newest format. Golangci-lint config file is also now converted to the latest.
+time: 2024-07-18T11:02:24.016458-05:00

.changes/unreleased/🎉 New Product Feature-20240530-132405.yaml → .changes/unreleased/new-product-feature-20240530-132405.yaml

@@ -1,4 +1,4 @@
-kind: "\U0001F389 New Product Feature"
+kind: 'new-product-feature'
 body: |-
   Added support for multiple Azure MSI profiles. When selecting Azure as the profile auth-provider the user is prompted to enter the clientID for the MSI (managed identity) they would like to use for this profile. The clientID is stored in the profile config file i.e. .dsv.yml.
   the clientID is retrieved from the config when ever azure authentication is required.

.changes/unreleased/security-20240718-081820.yaml

@@ -0,0 +1,3 @@
+kind: 'security'
+body: Changed sha1 function calls to sha256
+time: 2024-07-18T08:18:20.013668-07:00

.changie.yaml

@@ -4,30 +4,40 @@ headerPath: header.tpl.md
 changelogPath: CHANGELOG.md
 versionExt: md
 versionFormat: '## {{.Version}} - {{.Time.Format "2006-01-02"}}'
-kindFormat: '### {{.Kind}}'
-changeFormat: '- {{ .Body -}}'
+kindFormat: ''
+changeFormat: '- _{{.Kind}}_: {{ .Body -}}'
 body:
   block: true
 kinds:
-  - label: 🤖 CI & Build
-    auto: patch
-  - label: 🎉 New Product Feature
+  - key: ci-and-build
+    label: 🤖 CI & Build
+    auto: none
+  - key: new-product-feature
+    label: 🎉 New Product Feature
     auto: minor
-  - label: ⬇️ Deprecated
+  - key: deprecated
+    label: ⬇️ Deprecated
     auto: minor
-  - label: 🧪 Tests
+  - key: tests
+    label: 🧪 Tests
     auto: patch
-  - label: 🔨 Refactor
+  - key: refactor
+    label: 🔨 Refactor
     auto: patch
-  - label: 🐛 Bug Fix
+  - key: bug-fix
+    label: 🐛 Bug Fix
     auto: patch
-  - label: 🔥 Breaking Change
+  - key: breaking-change
+    label: 🔥 Breaking Change
     auto: minor
-  - label: 🔒 Security
+  - key: security
+    label: 🔒 Security
     auto: patch
-  - label: ⬆️ Dependencies
+  - key: dependencies
+    label: ⬆️ Dependencies
     auto: patch
-  - label: 🔥 Major Version Change (Breaking Changes)
+  - key: major-version-change-breaking-changes
+    label: 🔥 Major Version Change (Breaking Changes)
     auto: major
 newlines:
   afterChange: 0

.golangci.yaml

@@ -1,22 +1,17 @@
 ---
 output:
-  format: tab
+  formats:
+    - format: tab
 linters-settings:
   misspell:
     locale: US
-  gomnd:
-    settings:
-      mnd:
-        checks: [argument, case, condition, return]
-        ignored-functions: strconv.ParseFloat,rsa.GenerateKey
+
   nolintlint:
     allow-unused: false
-    allow-leading-space: true
     allow-no-explanation: []
     require-explanation: true
     require-specific: true
   gofumpt:
-    lang-version: '1.18'
     extra-rules: true
   godox:
     keywords:
@@ -33,45 +28,45 @@ linters-settings:
       - ^[ ]*@
     capital: true
   depguard:
-    list-type: blacklist
-    include-go-root: true
-    includeGoStdLib: true
-    packages:
-      - github.com/sirupsen/logrus
-    packages-with-error-message:
-      - github.com/sirupsen/logrus: logging is allowed only by zerolog. Please use zerolog
-      - io/ioutil: 'io/ioutil was deprecated in Go 1.16: https://tip.golang.org/doc/go1.16'
-    gomodguard:
-      blocked:
-        modules:
-          - github.com/sirupsen/logrus:
-              recommendations:
-                - internal/logging
-              reason: logging is allowed only by zerolog. Please use zerolog
-        local_replace_directives: false
+    rules:
+      main:
+        deny:
+          - pkg: 'github.com/sirupsen/logrus'
+            desc: use zerolog
+          - pkg: log
+            desc: use zerolog
+          - pkg: 'github.com/pkg/errors'
+            desc: Should be replaced by standard lib errors package
+
+    # gomodguard:
+    #   blocked:
+    #     modules:
+    #       - github.com/sirupsen/logrus:
+    #           recommendations:
+    #             - internal/logging
+    #           reason: logging is allowed only by zerolog. Please use zerolog
+    #     local_replace_directives: false
   tagliatelle:
     case:
       use-field-name: true
       rules:
-        json: camel # CUSTOMIZED: preexisting format, leave. 2022-10-27 - sheldon
-        yaml: camel # CUSTOMIZED: preexisting format, leave. 2022-10-27 - sheldon
+        json: snake
+        yaml: kebab
         xml: camel
         bson: camel
         avro: snake
         mapstructure: kebab
-    errcheck:
-      check-type-assertions: true
-      check-blank: false
-      ignore: fmt:.*,io/ioutil:^Read.*
-      exclude-functions:
-        - io/ioutil.ReadFile
-        - io.Copy(*bytes.Buffer)
-        - io.Copy(os.Stdout)
-        - io.Closer.Close
-        - io.Closer.Body.Close
+  errcheck:
+    check-type-assertions: true
+    check-blank: false
+    exclude-functions:
+      - io/ioutil.ReadFile
+      - io.Copy(*bytes.Buffer)
+      - io.Copy(os.Stdout)
+      - io.Closer.Close
+      - io.Closer.Body.Close
   govet:
     enable-all: true
-    check-shadowing: true
     disable:
       - fieldalignment
     settings:
@@ -99,22 +94,22 @@ linters-settings:
       - ok
       - zl
       - fs
-    disable:
-      - fieldalignment
+
   revive:
     ignore-generated-header: true
-    enableAllRules: true
-    exclude:
-      - .*_test.go
+    enable-all-rules: true
     rules:
       - name: var-naming
         severity: error
-  # ireturn:
-  #   allow:
-  #     - github.com\/mitchellh\/cli # CUSTOMIZED: cli command is common interfacer in this project
+      - name: line-length-limit
+        severity: warning
+        arguments:
+          - 400
+      - name: function-length
+        severity: warning
+        arguments: [20, 5000]
 
 linters:
-  exclude-use-default: false
   enable-all: true
   disable:
     - scopelint
@@ -147,21 +142,12 @@ linters:
     - rowserrcheck # disabled due to generics, can enable in future if needed
     - sqlclosecheck # disabled due to generics, can enable in future if needed
     - wastedassign # disabled due to generics, can enable in future if needed
+    - funlen #OVERRIDE: ok using for bot, lots of quick long commands i worked on
+    - cyclop #OVERRIDE: ok using for bot, lots of quick long commands i worked on
+    - gocognit #OVERRIDE: ok using for bot, lots of quick long commands i worked on
 
-    - funlen # CUSTOMIZED: preexisting many larger functions, remove to avoid excessive noise, leave. 2022-10-27 - sheldon
-    - cyclop # CUSTOMIZED: preexisting many larger functions, remove to avoid excessive noise, leave. 2022-10-27 - sheldon
-    - gocognit # CUSTOMIZED: preexisting many larger functions, remove to avoid excessive noise, leave. 2022-10-27 - sheldon
-    - testpackage # CUSTOMIZED: existing tests don't use this approach, too many false positives, remove to avoid excessive noise, leave. 2022-10-27 - sheldon
-    - ireturn # CUSTOMIZED:  used in this project with cli calls a lot, leave. 2022-10-27 - sheldon
 run:
-  skip-dirs-use-default: true
-  skip-dirs:
-    - build
-    - artifacts
-    - _tools
-    - vendor
-    - vendor$
-    - tests/fake
+  timeout: 5m
   build-tags:
     - mage
     - tools
@@ -182,7 +168,7 @@ issues:
     - linters:
         - goerr113
       text: do not define dynamic errors
-    - path: magefiles/*
+    - path: magefiles
       linters:
         - goerr113
         - wrapcheck
@@ -193,7 +179,6 @@ issues:
         - maintidx
         - deadcode
         - gochecknoglobals
-        - unused
     - path: magefile.go
       linters:
         - goerr113
@@ -216,8 +201,13 @@ issues:
       linters:
         - godot
       text: mocked files do not need to be checked
-    - path: commands/ # CUSTOMIZED: current cli framework uses this return of functions so not checking those
-      text: current cli framework uses this return of functions so not checking those
-      linters:
-        - ireturn
   whole-files: false
+  exclude-dirs:
+    - build
+    - .artifacts
+    - .cache
+    - artifacts
+    - .trunk
+    - _tools
+    - vendor
+    - vendor$

.snyk

@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+ignore: {}
+patch: {}
+exclude:
+  global:
+    - vendor/
+    - .devcontainer/

commands/secret.go

@@ -1,7 +1,7 @@
 package cmd
 
 import (
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -1014,12 +1014,12 @@ func getSecretFromServer(vcli vaultcli.CLI, secretType string, path string, id s
 
 func getSecretCachePrefix() string {
 	profile := viper.GetString(cst.Profile)
-	return fmt.Sprintf("%s-%x", cst.SecretRoot, sha1.Sum([]byte(profile)))
+	return fmt.Sprintf("%s-%x", cst.SecretRoot, sha256.Sum256([]byte(profile)))
 }
 
 func getSecretDescCachePrefix() string {
 	profile := viper.GetString(cst.Profile)
-	return fmt.Sprintf("%s-%x", cst.SecretDescriptionRoot, sha1.Sum([]byte(profile)))
+	return fmt.Sprintf("%s-%x", cst.SecretDescriptionRoot, sha256.Sum256([]byte(profile)))
 }
 
 func getSecretCacheKey(path string, id string, requestSuffix string) string {
@@ -1037,7 +1037,7 @@ func getSecretCacheKey(path string, id string, requestSuffix string) string {
 		cacheKey = id
 	}
 	cacheKey = strings.ReplaceAll(cacheKey, ":", "/")
-	cacheKey = fmt.Sprintf("%s-%x", prefix, sha1.Sum([]byte(cacheKey)))
+	cacheKey = fmt.Sprintf("%s-%x", prefix, sha256.Sum256([]byte(cacheKey)))
 	return cacheKey
 }
 

pipelines/tests.end-to-end.azure-pipelines.yml

@@ -4,7 +4,8 @@ pr:
   autoCancel: true
   drafts: false
   branches:
-    - main
+    include:
+      - main
   paths:
     exclude:
       - .devcontainer/*