bump gosec to 2.20.0
Signed-off-by: zhangzujian <[email protected]>
zhangzujian committed May 15, 2024
1 parent 6924c4e commit b303120
Showing 16 changed files with 39 additions and 35 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build-windows.yaml
Expand Up @@ -23,7 +23,7 @@ concurrency:

env:
GO_VERSION: ''
GOSEC_VERSION: '2.19.0'
GOSEC_VERSION: '2.20.0'

jobs:
filter:
2 changes: 1 addition & 1 deletion .github/workflows/build-x86-image.yaml
Expand Up @@ -23,7 +23,7 @@ concurrency:
env:
GO_VERSION: ''
KIND_VERSION: v0.23.0
GOSEC_VERSION: '2.19.0'
GOSEC_VERSION: '2.20.0'
HELM_VERSION: v3.14.4
SUBMARINER_VERSION: '0.17.1'

8 changes: 4 additions & 4 deletions Makefile
Expand Up @@ -978,7 +978,7 @@ lint:
echo "Code differs from gofmt's style" 1>&2 && exit 1; \
fi
@GOOS=linux go vet ./...
@GOOS=linux gosec -exclude=G204,G306,G402,G404,G601,G301 -exclude-dir=test -exclude-dir=pkg/client ./...
@GOOS=linux gosec -exclude-dir=test -exclude-dir=pkg/client ./...

.PHONY: gofumpt
gofumpt:
Expand All @@ -987,9 +987,9 @@ gofumpt:
.PHONY: lint-windows
lint-windows:
@GOOS=windows go vet ./cmd/windows/...
@GOOS=windows gosec -exclude=G204,G601,G301 ./pkg/util
@GOOS=windows gosec -exclude=G204,G601,G301 ./pkg/request
@GOOS=windows gosec -exclude=G204,G601,G301 ./cmd/cni
@GOOS=windows gosec ./pkg/util
@GOOS=windows gosec ./pkg/request
@GOOS=windows gosec ./cmd/cni

.PHONY: scan
scan:
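Review bot: Dropping the blanket `-exclude=G204,G306,G402,G404,G601,G301` from the Linux `lint` target moves every suppression into inline `#nosec` comments, which is the better place for them, but the gosec report no longer shows what was silenced or why. gosec's `-track-suppressions` flag keeps suppressed findings and their justifications in the output, e.g. `@GOOS=linux gosec -track-suppressions -exclude-dir=test -exclude-dir=pkg/client ./...`, and the three `lint-windows` invocations would take the same flag. Note that `-exclude-dir=test` and `-exclude-dir=pkg/client` still skip those trees entirely; that is unchanged by this commit but worth remembering now that the rule set is complete.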
2 changes: 0 additions & 2 deletions cmd/cmdmain.go
Expand Up @@ -57,7 +57,6 @@ func dumpProfile() {
}
return
}
defer f.Close() // #nosec G307
time.Sleep(30 * time.Second)
pprof.StopCPUProfile()
if err = f.Close(); err != nil {
Expand Down Expand Up @@ -87,7 +86,6 @@ func dumpProfile() {
klog.Errorf("failed to close file %q: %v", path, err)
return
}
defer f.Close() // #nosec G307
}
}()
}
5 changes: 2 additions & 3 deletions cmd/daemon/cniserver.go
Expand Up @@ -128,15 +128,14 @@ func CmdMain() {
}

func mvCNIConf(configDir, configFile, confName string) error {
// #nosec
data, err := os.ReadFile(configFile)
data, err := os.ReadFile(configFile) // #nosec G304
if err != nil {
klog.Errorf("failed to read cni config file %s, %v", configFile, err)
return err
}

cniConfPath := filepath.Join(configDir, confName)
return os.WriteFile(cniConfPath, data, 0o644)
return os.WriteFile(cniConfPath, data, 0o644) // #nosec G306
}

func Retry(attempts, sleep int, f func(configuration *daemon.Configuration) error, ctrl *daemon.Configuration) (err error) {
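Review bot: The `#nosec G304` and `#nosec G306` tags added to the os.ReadFile and os.WriteFile lines in mvCNIConf carry no reason, so the next reader cannot tell whether the finding was reviewed or merely silenced. gosec accepts a justification after a double dash, e.g. `data, err := os.ReadFile(configFile) // #nosec G304 -- path comes from the daemon's own flags` and `return os.WriteFile(cniConfPath, data, 0o644) // #nosec G306 -- CNI config must be readable by the container runtime`; whether those reasons hold has to be confirmed against the callers, which are outside the hunk. The same bare tags are added in pkg/controller/vpc_dns.go, pkg/daemon/config.go, pkg/daemon/handler_linux.go, pkg/daemon/ovs_linux.go, pkg/ovn_ic_controller/ovn_ic_controller.go, pkg/ovn_leader_checker/ovn.go, pkg/ovnmonitor/util.go, pkg/ovsdb/client/client.go, pkg/pinger/ovn.go, pkg/pinger/util.go and pkg/util/arp.go, and would benefit from the same treatment.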
3 changes: 2 additions & 1 deletion pkg/controller/vpc_dns.go
Expand Up @@ -534,7 +534,8 @@ func (c *Controller) resyncVpcDNSConfig() {
klog.V(3).Infof("use the cluster default coredns image version, %s", corednsImage)
}

if err := os.WriteFile(CorednsTemplateDep, corednsTemplateContent, 0o644); err != nil {
err = os.WriteFile(CorednsTemplateDep, corednsTemplateContent, 0o644) // #nosec G306
if err != nil {
klog.Errorf("failed to wirite local coredns-template.yaml file, %v", err)
return
}
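Review bot: Splitting `if err := os.WriteFile(...)` into `err = os.WriteFile(...) // #nosec G306` plus a separate `if err != nil` changes `err` from an if-scoped variable to one that must already be declared earlier in resyncVpcDNSConfig, outside this hunk; that is presumably why `=` rather than `:=` is used, but the wider scope means later code in the function now observes this value, which is worth a glance. If the only goal was to attach the suppression to the WriteFile statement, the split is defensible, since a `#nosec` on the `if` line would cover the entire if statement rather than the one call. While here, the log message on the next line spells `wirite` and should read `write`.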
2 changes: 2 additions & 0 deletions pkg/daemon/config.go
Expand Up @@ -389,6 +389,7 @@ func (config *Configuration) initKubeClient() error {
}

func setEncapIP(ip string) error {
// #nosec G204
raw, err := exec.Command(
"ovs-vsctl", "set", "open", ".", fmt.Sprintf("external-ids:ovn-encap-ip=%s", ip)).CombinedOutput()
if err != nil {
Expand All @@ -398,6 +399,7 @@ func setEncapIP(ip string) error {
}

func disableChecksum() error {
// #nosec G204
raw, err := exec.Command(
"ovs-vsctl", "set", "open", ".", "external-ids:ovn-encap-csum=false").CombinedOutput()
if err != nil {
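Review bot: The `// #nosec G204` added above the exec.Command call in setEncapIP silences the subprocess warning, but nothing visible in the hunk checks that `ip` is an IP address before it is spliced into the `external-ids:ovn-encap-ip=%s` argument; the value reaches ovs-vsctl as a single argv element, so no shell is involved, yet a malformed value would still be written into the OVS database. If the caller (outside this hunk) does not already validate it, a guard such as `if net.ParseIP(ip) == nil { return fmt.Errorf("invalid encap ip %q", ip) }` placed before the command (importing `net` if the file does not already) makes the suppression honest. The `disableChecksum` annotation covers a command with no variable input, so the tag there is purely about the fixed binary name. Both function bodies continue past the end of the hunk.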
2 changes: 1 addition & 1 deletion pkg/daemon/handler_linux.go
Expand Up @@ -43,7 +43,7 @@ func createShortSharedDir(pod *v1.Pod, volumeName, socketConsumption, kubeletDir
defer syscall.Umask(mask)
if _, err = os.Stat(newSharedDir); err != nil {
if os.IsNotExist(err) {
err = os.MkdirAll(newSharedDir, 0o777)
err = os.MkdirAll(newSharedDir, 0o777) // #nosec G301

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
.
if err != nil {
klog.Error(err)
return fmt.Errorf("createSharedDir: Failed to create dir (%s): %v", newSharedDir, err)
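Review bot: The `// #nosec G301` on `os.MkdirAll(newSharedDir, 0o777)` does not answer the CodeQL finding shown inline, which is about `newSharedDir` being derived from pod-provided values (the function takes `pod *v1.Pod` and `volumeName`) rather than about the mode, and the 0o777 mode appears to be tolerable only because `defer syscall.Umask(mask)` two lines up suggests a umask was set just before. The tag should say so, e.g. `err = os.MkdirAll(newSharedDir, 0o777) // #nosec G301 -- effective mode is narrowed by the umask set above`, and the path should be checked for containment before it is created, e.g. `if rel, err := filepath.Rel(kubeletDir, newSharedDir); err != nil || strings.HasPrefix(rel, "..") { return fmt.Errorf("shared dir %q escapes %q", newSharedDir, kubeletDir) }`, assuming kubeletDir is the intended base. How newSharedDir is built is outside the hunk, so confirm that against the lines above; createShortSharedDir starts and ends outside the hunk.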
7 changes: 4 additions & 3 deletions pkg/daemon/ovs_linux.go
Expand Up @@ -607,6 +607,7 @@ func (c *Controller) checkNodeGwNicInNs(nodeExtIP, ip, gw string, gwNS ns.NetNS)
}
for _, eip := range ovnEips {
if eip.Status.Ready {
// #nosec G204
cmd := exec.Command("sh", "-c", fmt.Sprintf("bfdd-control status remote %s local %s", eip.Spec.V4Ip, nodeExtIP))
var outb bytes.Buffer
cmd.Stdout = &outb
Expand All @@ -615,7 +616,7 @@ func (c *Controller) checkNodeGwNicInNs(nodeExtIP, ip, gw string, gwNS ns.NetNS)
klog.V(3).Info(out)
if strings.Contains(out, "No session") {
// not exist
cmd = exec.Command("sh", "-c", fmt.Sprintf("bfdd-control allow %s", eip.Spec.V4Ip))
cmd = exec.Command("sh", "-c", fmt.Sprintf("bfdd-control allow %s", eip.Spec.V4Ip)) // #nosec G204
if err := cmd.Run(); err != nil {
err := fmt.Errorf("failed to add lrp %s ip %s into bfd listening list, %v", eip.Name, eip.Status.V4Ip, err)
klog.Error(err)
Expand Down Expand Up @@ -822,7 +823,7 @@ func (c *Controller) loopOvnExt0Check() {
gwNS, err := ns.GetNS(util.NodeGwNsPath)
if err != nil {
// ns not exist, create node external gw ns
cmd := exec.Command("sh", "-c", fmt.Sprintf("/usr/sbin/ip netns add %s", util.NodeGwNs))
cmd := exec.Command("sh", "-c", fmt.Sprintf("/usr/sbin/ip netns add %s", util.NodeGwNs)) // #nosec G204
if err := cmd.Run(); err != nil {
err := fmt.Errorf("failed to get create gw ns %s, %v", util.NodeGwNs, err)
klog.Error(err)
Expand Down Expand Up @@ -1670,7 +1671,7 @@ func setVfMac(deviceID string, vfIndex int, mac string) error {
func turnOffNicTxChecksum(nicName string) (err error) {
start := time.Now()
args := []string{"-K", nicName, "tx", "off"}
output, err := exec.Command("ethtool", args...).CombinedOutput()
output, err := exec.Command("ethtool", args...).CombinedOutput() // #nosec G204
elapsed := float64((time.Since(start)) / time.Millisecond)
klog.V(4).Infof("command %s %s in %vms", "ethtool", strings.Join(args, " "), elapsed)
if err != nil {
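Review bot: Three of the commands this file tags with `#nosec G204` run through `sh -c` with values interpolated by fmt.Sprintf — `eip.Spec.V4Ip` and `nodeExtIP` in the bfdd-control status call, `eip.Spec.V4Ip` in the allow call, and `util.NodeGwNs` in the `ip netns add` call — so anything in those values is parsed by a shell, and `eip.Spec.V4Ip` appears to be a field of a Kubernetes custom resource. None of these need a shell; passing the arguments directly removes the hazard and the need for the suppression: `cmd := exec.Command("bfdd-control", "status", "remote", eip.Spec.V4Ip, "local", nodeExtIP)`, `cmd = exec.Command("bfdd-control", "allow", eip.Spec.V4Ip)` and `cmd := exec.Command("/usr/sbin/ip", "netns", "add", util.NodeGwNs)`. The `ethtool` call in turnOffNicTxChecksum already uses an argv slice and only needs its tag. The same `sh -c` plus Sprintf pattern is suppressed in pkg/ovnmonitor/util.go (four call sites) and pkg/pinger/util.go (two); those interpolate locally derived values such as a pid file's contents and a timeout, so the exposure is smaller, but the argv form applies there too. The enclosing functions start and end outside the hunks.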
2 changes: 2 additions & 0 deletions pkg/ovn_ic_controller/ovn_ic_controller.go
Expand Up @@ -403,13 +403,15 @@ func (c *Controller) acquireLrpAddress(ts string) (string, error) {
}

func (c *Controller) startOVNIC(icHost, icNbPort, icSbPort string) error {
// #nosec G204
cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl",
fmt.Sprintf("--ovn-ic-nb-db=%s", genHostAddress(icHost, icNbPort)),
fmt.Sprintf("--ovn-ic-sb-db=%s", genHostAddress(icHost, icSbPort)),
fmt.Sprintf("--ovn-northd-nb-db=%s", c.config.OvnNbAddr),
fmt.Sprintf("--ovn-northd-sb-db=%s", c.config.OvnSbAddr),
"start_ic")
if os.Getenv("ENABLE_SSL") == "true" {
// #nosec G204
cmd = exec.Command("/usr/share/ovn/scripts/ovn-ctl",
fmt.Sprintf("--ovn-ic-nb-db=%s", genHostAddress(icHost, icNbPort)),
fmt.Sprintf("--ovn-ic-sb-db=%s", genHostAddress(icHost, icSbPort)),
16 changes: 9 additions & 7 deletions pkg/ovn_leader_checker/ovn.go
Expand Up @@ -139,7 +139,7 @@ func getCmdExitCode(cmd *exec.Cmd) int {
func checkOvnIsAlive() bool {
components := [...]string{"northd", "ovnnb", "ovnsb"}
for _, component := range components {
cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl", fmt.Sprintf("status_%s", component))
cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl", fmt.Sprintf("status_%s", component)) // #nosec G204
if err := getCmdExitCode(cmd); err != 0 {
klog.Errorf("CheckOvnIsAlive: %s is not alive", component)
return false
Expand All @@ -165,7 +165,7 @@ func isDBLeader(dbName string, port int) bool {
}
}

output, err := exec.Command("ovsdb-client", cmd...).CombinedOutput()
output, err := exec.Command("ovsdb-client", cmd...).CombinedOutput() // #nosec G204
if err != nil {
klog.Errorf("failed to execute cmd %q: err=%v, msg=%v", strings.Join(cmd, " "), err, string(output))
return false
Expand Down Expand Up @@ -193,7 +193,7 @@ func checkNorthdActive() bool {
fmt.Sprintf("/var/run/ovn/ovn-northd.%s.ctl", strings.TrimSpace(string(pid))),
"status",
}
output, err := exec.Command("ovs-appctl", command...).CombinedOutput()
output, err := exec.Command("ovs-appctl", command...).CombinedOutput() // #nosec G204
if err != nil {
klog.Errorf("checkNorthdActive execute err %v error msg %v", err, string(output))
return false
Expand Down Expand Up @@ -239,7 +239,7 @@ func stealLock() {
}
}

output, err := exec.Command("ovsdb-client", command...).CombinedOutput()
output, err := exec.Command("ovsdb-client", command...).CombinedOutput() // #nosec G204
if err != nil {
klog.Errorf("stealLock err %v", err)
return
Expand Down Expand Up @@ -329,7 +329,7 @@ func compactOvnDatabase(db string) {
"ovsdb-server/compact",
}

output, err := exec.Command("ovn-appctl", command...).CombinedOutput()
output, err := exec.Command("ovn-appctl", command...).CombinedOutput() // #nosec G204
if err != nil {
if !strings.Contains(string(output), "not storing a duplicate snapshot") {
klog.Errorf("failed to compact ovn%s database: %s", db, string(output))
Expand Down Expand Up @@ -475,10 +475,12 @@ func updateTS() error {
if err != nil {
return err
}
// #nosec G204
cmd := exec.Command("ovn-ic-nbctl",
ovs.MayExist, "ts-add", tsName,
"--", "set", "Transit_Switch", tsName, fmt.Sprintf(`external_ids:subnet="%s"`, subnet))
if os.Getenv("ENABLE_SSL") == "true" {
// #nosec G204
cmd = exec.Command("ovn-ic-nbctl",
"--private-key=/var/run/tls/key",
"--certificate=/var/run/tls/cert",
Expand All @@ -494,9 +496,9 @@ func updateTS() error {
} else {
for i := existTSCount - 1; i >= expectTSCount; i-- {
tsName := getTSName(i)
cmd := exec.Command("ovn-ic-nbctl",
"ts-del", tsName)
cmd := exec.Command("ovn-ic-nbctl", "ts-del", tsName) // #nosec G204
if os.Getenv("ENABLE_SSL") == "true" {
// #nosec G204
cmd = exec.Command("ovn-ic-nbctl",
"--private-key=/var/run/tls/key",
"--certificate=/var/run/tls/cert",
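Review bot: In updateTS the ovn-ic-nbctl argument `fmt.Sprintf(`external_ids:subnet="%s"`, subnet)` embeds `subnet` inside a double-quoted ovsdb value; the `#nosec G204` is justified as far as the shell is concerned (argv, no `sh -c`), but a `subnet` containing `"` would still break or alter the expression nbctl parses. If the lines above the hunk do not already parse it, `if _, _, err := net.ParseCIDR(subnet); err != nil { return fmt.Errorf("invalid transit switch subnet %q: %w", subnet, err) }` before building the command pins it to a CIDR. Separately, this file puts `// #nosec G204` on its own line above the multi-line `cmd = exec.Command(` statements and at the end of the single-line ones; that is consistent with pkg/daemon/config.go, but a single form throughout makes suppressions easier to grep. updateTS starts before and ends after the hunk.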
8 changes: 4 additions & 4 deletions pkg/ovnmonitor/util.go
Expand Up @@ -50,7 +50,7 @@ func (e *Exporter) getOvnStatus() map[string]int {
} else {
cmdstr := fmt.Sprintf("ovs-appctl -t /var/run/ovn/ovn-northd.%s.ctl status", strings.Trim(string(pid), "\n"))
klog.V(3).Infof("cmd is %v", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
output, err := cmd.CombinedOutput()
if err != nil {
klog.Errorf("get ovn-northd status failed, err %v", err)
Expand Down Expand Up @@ -103,7 +103,7 @@ func (e *Exporter) getOvnStatusContent() map[string]string {

func getClusterEnableState(dbName string) (bool, error) {
cmdstr := fmt.Sprintf("ovsdb-tool db-is-clustered %s", dbName)
cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
_, err := cmd.CombinedOutput()
if err != nil {
klog.Error(err)
Expand Down Expand Up @@ -181,7 +181,7 @@ func getClusterInfo(direction, dbName string) (*OVNDBClusterStatus, error) {
var err error

cmdstr := fmt.Sprintf("ovs-appctl -t /var/run/ovn/ovn%s_db.ctl cluster/status %s", direction, dbName)
cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
output, err := cmd.CombinedOutput()
if err != nil {
return nil, fmt.Errorf("failed to retrieve cluster/status info for database %s: %v", dbName, err)
Expand Down Expand Up @@ -319,7 +319,7 @@ func getDBStatus(dbName string) (bool, error) {
cmdstr = fmt.Sprintf("ovn-appctl -t /var/run/ovn/ovnsb_db.ctl ovsdb-server/get-db-storage-status %s", dbName)
}

cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
output, err := cmd.CombinedOutput()
if err != nil {
klog.Errorf("get ovn-northbound status failed, err %v", err)
3 changes: 1 addition & 2 deletions pkg/ovsdb/client/client.go
Expand Up @@ -71,11 +71,10 @@ func NewOvsDbClient(db, addr string, dbModel model.ClientDBModel, monitors []cli
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caCert)
// #nosec
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: certPool,
InsecureSkipVerify: true,
InsecureSkipVerify: true, // #nosec G402

Check failure

Code scanning / CodeQL

Disabled TLS certificate check High

InsecureSkipVerify should not be used in production code.
}
options = append(options, client.WithTLSConfig(tlsConfig))
}
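Review bot: `InsecureSkipVerify: true` makes the `RootCAs: certPool` built from `caCert` two lines above irrelevant: with verification disabled the client accepts whatever certificate the ovsdb server presents, so the CA bundle and client certificate authenticate the client to the server but never the server to the client, and the CodeQL finding shown inline remains valid regardless of the `#nosec G402` tag. If the reason is that OVN database servers present certificates whose SAN does not match the dial address, the usual fix is to keep `InsecureSkipVerify` but add `VerifyConnection` so the chain is still validated against certPool and only the hostname check is skipped, recording that reason after the tag; if there is no such reason, drop `InsecureSkipVerify` entirely. NewOvsDbClient starts before the hunk; the excerpt below assumes the `errors` package is imported.
```go
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      certPool,
		// Only the hostname check is skipped; the server chain is still
		// verified against caCert in VerifyConnection below.
		InsecureSkipVerify: true, // #nosec G402 -- chain verified in VerifyConnection
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("ovsdb server presented no certificate")
			}
			opts := x509.VerifyOptions{Roots: certPool, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
		},
	}
	// … unchanged: options = append(options, client.WithTLSConfig(tlsConfig)) …
```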
4 changes: 2 additions & 2 deletions pkg/pinger/ovn.go
Expand Up @@ -128,7 +128,7 @@ func checkSBBindings(config *Configuration) ([]string, error) {
fmt.Sprintf("hostname=%s", config.NodeName),
}
}
output, err := exec.Command("ovn-sbctl", command...).CombinedOutput()
output, err := exec.Command("ovn-sbctl", command...).CombinedOutput() // #nosec G204
if err != nil {
klog.Errorf("failed to find chassis: %v, %s", err, string(output))
return nil, err
Expand Down Expand Up @@ -167,7 +167,7 @@ func checkSBBindings(config *Configuration) ([]string, error) {
fmt.Sprintf("chassis=%s", chassis),
}
}
output, err = exec.Command("ovn-sbctl", command...).CombinedOutput()
output, err = exec.Command("ovn-sbctl", command...).CombinedOutput() // #nosec G204
if err != nil {
klog.Errorf("failed to list port_binding in ovn-sb %v", err)
return nil, err
4 changes: 2 additions & 2 deletions pkg/pinger/util.go
Expand Up @@ -41,7 +41,7 @@ func (e *Exporter) getOvsStatus() map[string]bool {
func (e *Exporter) getOvsDatapath() ([]string, error) {
var datapathsList []string
cmdstr := fmt.Sprintf("ovs-appctl -T %v dpctl/dump-dps", e.Client.Timeout)
cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
output, err := cmd.CombinedOutput()
if err != nil {
return nil, fmt.Errorf("failed to get output of dpctl/dump-dps: %v", err)
Expand All @@ -67,7 +67,7 @@ func (e *Exporter) getOvsDatapath() ([]string, error) {

func (e *Exporter) setOvsDpIfMetric(datapathName string) error {
cmdstr := fmt.Sprintf("ovs-appctl -T %v dpctl/show %s", e.Client.Timeout, datapathName)
cmd := exec.Command("sh", "-c", cmdstr)
cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("failed to get output of dpctl/show %s: %v", datapathName, err)
4 changes: 2 additions & 2 deletions pkg/util/arp.go
Expand Up @@ -114,12 +114,12 @@ func ArpDetectIPConflict(nic, ip string, mac net.HardwareAddr) (net.HardwareAddr
durations := make([]time.Duration, probeNum)
// wait for a random time interval selected uniformly in the range zero to
// PROBE_WAIT seconds
durations[0] = time.Duration(rand.Int64N(int64(probeWait)))
durations[0] = time.Duration(rand.Int64N(int64(probeWait))) // #nosec G404
deadline = deadline.Add(durations[0])
for i := 1; i < probeNum; i++ {
// send PROBE_NUM probe packets, each of these probe packets spaced
// randomly and uniformly, PROBE_MIN to PROBE_MAX seconds apart
durations[i] = probeMinmum + time.Duration(rand.Int64N(int64(probeMaxmum-probeMinmum)))
durations[i] = probeMinmum + time.Duration(rand.Int64N(int64(probeMaxmum-probeMinmum))) // #nosec G404
deadline = deadline.Add(durations[i])
}

