From ed0cf74512205cd8a0af647bab52181669e78573 Mon Sep 17 00:00:00 2001
From: zhangzujian
Date: Wed, 15 May 2024 02:30:55 +0000
Subject: [PATCH] bump gosec to 2.20.0
Signed-off-by: zhangzujian
---
 .github/workflows/build-windows.yaml | 2 +-
 .github/workflows/build-x86-image.yaml | 2 +-
 Makefile | 8 ++++----
 cmd/cmdmain.go | 2 --
 cmd/daemon/cniserver.go | 5 ++---
 pkg/controller/vpc_dns.go | 3 ++-
 pkg/daemon/config.go | 2 ++
 pkg/daemon/handler_linux.go | 2 +-
 pkg/daemon/ovs_linux.go | 7 ++++---
 pkg/ovn_ic_controller/ovn_ic_controller.go | 2 ++
 pkg/ovn_leader_checker/ovn.go | 16 +++++++++-------
 pkg/ovnmonitor/util.go | 8 ++++----
 pkg/ovsdb/client/client.go | 3 +--
 pkg/pinger/ovn.go | 4 ++--
 pkg/pinger/util.go | 4 ++--
 pkg/util/arp.go | 4 ++--
 16 files changed, 39 insertions(+), 35 deletions(-)
diff --git a/.github/workflows/build-windows.yaml b/.github/workflows/build-windows.yaml
index de80cf7f7c64..7a78ac508679 100644
--- a/.github/workflows/build-windows.yaml
+++ b/.github/workflows/build-windows.yaml
@@ -23,7 +23,7 @@ concurrency:
 env:
 GO_VERSION: ''
- GOSEC_VERSION: '2.19.0'
+ GOSEC_VERSION: '2.20.0'
 jobs:
 filter:
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
index 1444a1052892..e6ecd086a91f 100644
--- a/.github/workflows/build-x86-image.yaml
+++ b/.github/workflows/build-x86-image.yaml
@@ -23,7 +23,7 @@ concurrency:
 env:
 GO_VERSION: ''
 KIND_VERSION: v0.23.0
- GOSEC_VERSION: '2.19.0'
+ GOSEC_VERSION: '2.20.0'
 HELM_VERSION: v3.14.4
 SUBMARINER_VERSION: '0.17.1'
diff --git a/Makefile b/Makefile
index fede3488a77a..345e223429c6 100644
--- a/Makefile
+++ b/Makefile
@@ -978,7 +978,7 @@ lint:
 echo "Code differs from gofmt's style" 1>&2 && exit 1; \
 fi
 @GOOS=linux go vet ./...
- @GOOS=linux gosec -exclude=G204,G306,G402,G404,G601,G301 -exclude-dir=test -exclude-dir=pkg/client ./...
+ @GOOS=linux gosec -exclude-dir=test -exclude-dir=pkg/client ./...
 .PHONY: gofumpt
 gofumpt:
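Review bot: Dropping the global `-exclude=G204,G306,G402,G404,G601,G301` list means every former blanket exclusion now lives as an inline `#nosec GXXX` at its call site, and nothing in the `lint` target makes that growing inventory visible or requires a rationale next to each suppression. gosec accepts a reason after the rule id (`// #nosec G204 -- fixed argv, no shell`) and can print suppressed findings with `-show-ignored`; documenting the first convention next to the target and running the second in a periodic, non-gating job would keep the suppressions reviewable instead of invisible. The `lint-windows` hunk below drops its own `-exclude=G204,G601,G301` the same way and inherits the same concern.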
@@ -987,9 +987,9 @@ gofumpt:
 .PHONY: lint-windows
 lint-windows:
 @GOOS=windows go vet ./cmd/windows/...
- @GOOS=windows gosec -exclude=G204,G601,G301 ./pkg/util
- @GOOS=windows gosec -exclude=G204,G601,G301 ./pkg/request
- @GOOS=windows gosec -exclude=G204,G601,G301 ./cmd/cni
+ @GOOS=windows gosec ./pkg/util
+ @GOOS=windows gosec ./pkg/request
+ @GOOS=windows gosec ./cmd/cni
 .PHONY: scan
 scan:
diff --git a/cmd/cmdmain.go b/cmd/cmdmain.go
index 61abeed97d83..a832f9a0f5fc 100644
--- a/cmd/cmdmain.go
+++ b/cmd/cmdmain.go
@@ -57,7 +57,6 @@ func dumpProfile() {
 }
 return
 }
- defer f.Close() // #nosec G307
 time.Sleep(30 * time.Second)
 pprof.StopCPUProfile()
 if err = f.Close(); err != nil {
@@ -87,7 +86,6 @@ func dumpProfile() {
 klog.Errorf("failed to close file %q: %v", path, err)
 return
 }
- defer f.Close() // #nosec G307
 }
 }()
 }
diff --git a/cmd/daemon/cniserver.go b/cmd/daemon/cniserver.go
index b2b409271d63..22a1425c886d 100644
--- a/cmd/daemon/cniserver.go
+++ b/cmd/daemon/cniserver.go
@@ -128,15 +128,14 @@ func CmdMain() {
 }
 func mvCNIConf(configDir, configFile, confName string) error {
- // #nosec
- data, err := os.ReadFile(configFile)
+ data, err := os.ReadFile(configFile) // #nosec G304
 if err != nil {
 klog.Errorf("failed to read cni config file %s, %v", configFile, err)
 return err
 }
 cniConfPath := filepath.Join(configDir, confName)
- return os.WriteFile(cniConfPath, data, 0o644)
+ return os.WriteFile(cniConfPath, data, 0o644) // #nosec G306
 }
 func Retry(attempts, sleep int, f func(configuration *daemon.Configuration) error, ctrl *daemon.Configuration) (err error) {
diff --git a/pkg/controller/vpc_dns.go b/pkg/controller/vpc_dns.go
index 63efe0ce1c3f..f56385003016 100644
--- a/pkg/controller/vpc_dns.go
+++ b/pkg/controller/vpc_dns.go
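Review bot: The first cmdmain.go hunk now relies solely on the explicit `f.Close()` after `pprof.StopCPUProfile()` to release the profile file, and the `return` in the block immediately above the removed line still leaves `f` open if that block is the error path of starting the profile (its condition is outside the hunk); that was equally true before, because the defer was placed after that return, but the cleanup is worth doing while here, e.g. an `f.Close()` before that `return`. A short comment on the explicit close, `// closed here rather than deferred: a deferred Close would double-close`, would keep a future reader from reintroducing the defer. The second hunk's removed defer sat after a successful explicit Close, so dropping it also removes a double close. dumpProfile starts and ends outside both hunks.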
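Review bot: The `#nosec G304` on the `os.ReadFile(configFile)` line in mvCNIConf records no rationale, and G304 is the one rule in this hunk whose suppression depends entirely on where the path comes from; if `configFile` and `confName` are operator-supplied settings rather than request data (their origin is outside the hunk), state that in the annotation, e.g. `data, err := os.ReadFile(configFile) // #nosec G304 -- path comes from daemon configuration, not from a request`. Note also that `filepath.Join(configDir, confName)` does not confine the result to `configDir` when `confName` contains `..` or a separator, so the same provenance argument is what justifies the write; using `filepath.Base(confName)` would make the target independent of that argument. The 0o644 on the write is appropriate for a CNI conf the container runtime must read, so the G306 suppression is fine as long as it says so.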
@@ -534,7 +534,8 @@ func (c *Controller) resyncVpcDNSConfig() {
 klog.V(3).Infof("use the cluster default coredns image version, %s", corednsImage)
 }
- if err := os.WriteFile(CorednsTemplateDep, corednsTemplateContent, 0o644); err != nil {
+ err = os.WriteFile(CorednsTemplateDep, corednsTemplateContent, 0o644) // #nosec G306
+ if err != nil {
 klog.Errorf("failed to wirite local coredns-template.yaml file, %v", err)
 return
 }
diff --git a/pkg/daemon/config.go b/pkg/daemon/config.go
index 9de9e97d92ee..96daa47cbfde 100644
--- a/pkg/daemon/config.go
+++ b/pkg/daemon/config.go
@@ -389,6 +389,7 @@ func (config *Configuration) initKubeClient() error {
 }
 func setEncapIP(ip string) error {
+ // #nosec G204
 raw, err := exec.Command(
 "ovs-vsctl", "set", "open", ".", fmt.Sprintf("external-ids:ovn-encap-ip=%s", ip)).CombinedOutput()
 if err != nil {
@@ -398,6 +399,7 @@ func setEncapIP(ip string) error {
 }
 func disableChecksum() error {
+ // #nosec G204
 raw, err := exec.Command(
 "ovs-vsctl", "set", "open", ".", "external-ids:ovn-encap-csum=false").CombinedOutput()
 if err != nil {
diff --git a/pkg/daemon/handler_linux.go b/pkg/daemon/handler_linux.go
index f026abc116e1..dc82c1aa41cd 100644
--- a/pkg/daemon/handler_linux.go
+++ b/pkg/daemon/handler_linux.go
@@ -43,7 +43,7 @@ func createShortSharedDir(pod *v1.Pod, volumeName, socketConsumption, kubeletDir
 defer syscall.Umask(mask)
 if _, err = os.Stat(newSharedDir); err != nil {
 if os.IsNotExist(err) {
- err = os.MkdirAll(newSharedDir, 0o777)
+ err = os.MkdirAll(newSharedDir, 0o777) // #nosec G301
 if err != nil {
 klog.Error(err)
 return fmt.Errorf("createSharedDir: Failed to create dir (%s): %v", newSharedDir, err)
diff --git a/pkg/daemon/ovs_linux.go b/pkg/daemon/ovs_linux.go
index 8a56d2042d59..503dd6f9ac57 100644
--- a/pkg/daemon/ovs_linux.go
+++ b/pkg/daemon/ovs_linux.go
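Review bot: The vpc_dns.go rewrite replaces the scoped `if err := os.WriteFile(...); err != nil` with an assignment into an `err` declared earlier in resyncVpcDNSConfig (the declaration and the function's start are outside the hunk) purely so the `#nosec G306` can sit on the WriteFile line; that widens the lifetime of a variable only this check needs and risks clobbering an outer error that later code reads. If gosec 2.20 honors the annotation on the `if` line for this statement, which is worth checking on this file before merging, the original form can stay as `if err := os.WriteFile(CorednsTemplateDep, corednsTemplateContent, 0o644); err != nil { // #nosec G306`. While on this line, the log message on the next context line misspells "write" as `wirite`.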
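Review bot: The `// #nosec G204` placed above `exec.Command("ovs-vsctl", ...)` in setEncapIP is sound as far as the shell is concerned — the arguments are a fixed argv and `ip` is never interpreted by a shell — but the annotation gives no reason, and `ip` is still written unvalidated into the OVS `external-ids:ovn-encap-ip` key, where a malformed value fails only later inside OVN. Validating before the call, `if net.ParseIP(ip) == nil { return fmt.Errorf("invalid encap ip %q", ip) }` (assuming `net` is imported in this file; `fmt` already is), and spelling out the rationale, `// #nosec G204 -- fixed argv, ip validated above`, makes the suppression self-explanatory. The disableChecksum hunk has no variable input at all, so `// #nosec G204 -- constant argv` is enough there.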
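Review bot: The `0o777` that `#nosec G301` now silences in createShortSharedDir is obtained by changing the process-wide umask (the `defer syscall.Umask(mask)` above; the call that set it is presumably just outside the hunk), which affects every file any other goroutine in the daemon creates during that window, not just `newSharedDir`. Creating the directory and then setting the mode explicitly, `err = os.MkdirAll(newSharedDir, 0o777)` followed by `if err == nil { err = os.Chmod(newSharedDir, 0o777) }`, yields the same final mode without touching global state, provided nothing else in this function relies on the altered umask. Whatever form is kept, the annotation should say why world-writable is intended, e.g. `// #nosec G301 -- directory is shared with a non-root consumer; mode is intentional`, adjusted to whatever `socketConsumption` actually denotes. createShortSharedDir's body continues outside the hunk.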
@@ -607,6 +607,7 @@ func (c *Controller) checkNodeGwNicInNs(nodeExtIP, ip, gw string, gwNS ns.NetNS)
 }
 for _, eip := range ovnEips {
 if eip.Status.Ready {
+ // #nosec G204
 cmd := exec.Command("sh", "-c", fmt.Sprintf("bfdd-control status remote %s local %s", eip.Spec.V4Ip, nodeExtIP))
 var outb bytes.Buffer
 cmd.Stdout = &outb
@@ -615,7 +616,7 @@ func (c *Controller) checkNodeGwNicInNs(nodeExtIP, ip, gw string, gwNS ns.NetNS)
 klog.V(3).Info(out)
 if strings.Contains(out, "No session") {
 // not exist
- cmd = exec.Command("sh", "-c", fmt.Sprintf("bfdd-control allow %s", eip.Spec.V4Ip))
+ cmd = exec.Command("sh", "-c", fmt.Sprintf("bfdd-control allow %s", eip.Spec.V4Ip)) // #nosec G204
 if err := cmd.Run(); err != nil {
 err := fmt.Errorf("failed to add lrp %s ip %s into bfd listening list, %v", eip.Name, eip.Status.V4Ip, err)
 klog.Error(err)
@@ -822,7 +823,7 @@ func (c *Controller) loopOvnExt0Check() {
 gwNS, err := ns.GetNS(util.NodeGwNsPath)
 if err != nil {
 // ns not exist, create node external gw ns
- cmd := exec.Command("sh", "-c", fmt.Sprintf("/usr/sbin/ip netns add %s", util.NodeGwNs))
+ cmd := exec.Command("sh", "-c", fmt.Sprintf("/usr/sbin/ip netns add %s", util.NodeGwNs)) // #nosec G204
 if err := cmd.Run(); err != nil {
 err := fmt.Errorf("failed to get create gw ns %s, %v", util.NodeGwNs, err)
 klog.Error(err)
@@ -1670,7 +1671,7 @@ func setVfMac(deviceID string, vfIndex int, mac string) error {
 func turnOffNicTxChecksum(nicName string) (err error) {
 start := time.Now()
 args := []string{"-K", nicName, "tx", "off"}
- output, err := exec.Command("ethtool", args...).CombinedOutput()
+ output, err := exec.Command("ethtool", args...).CombinedOutput() // #nosec G204
 elapsed := float64((time.Since(start)) / time.Millisecond)
 klog.V(4).Infof("command %s %s in %vms", "ethtool", strings.Join(args, " "), elapsed)
 if err != nil {
diff --git a/pkg/ovn_ic_controller/ovn_ic_controller.go b/pkg/ovn_ic_controller/ovn_ic_controller.go
index ceaf14df70ae..4fd9a780c55d 100644
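Review bot: The `#nosec G204` added in the first ovs_linux.go hunk silences exactly the case G204 exists for: `exec.Command("sh", "-c", fmt.Sprintf("bfdd-control status remote %s local %s", eip.Spec.V4Ip, nodeExtIP))` hands a string built from a CRD field (`eip.Spec.V4Ip`) to a shell, so a value that is not a well-formed address is interpreted by `sh` instead of being passed as data, and nothing in the hunk validates that field (whether API-side validation does is outside the diff). The robust fix is to drop the shell and pass argv directly, `cmd := exec.Command("bfdd-control", "status", "remote", eip.Spec.V4Ip, "local", nodeExtIP)`, and likewise `exec.Command("bfdd-control", "allow", eip.Spec.V4Ip)` in the second hunk and `exec.Command("/usr/sbin/ip", "netns", "add", util.NodeGwNs)` in the third; the annotation is still needed afterwards, since G204 fires on any variable argument, but it should then record the reason, `// #nosec G204 -- fixed argv, no shell`. The same `sh -c` plus `Sprintf` pattern is annotated rather than removed in all four pkg/ovnmonitor/util.go hunks and both pkg/pinger/util.go hunks, where the same one-line conversion applies. The ethtool hunk already passes an argv slice and is fine. checkNodeGwNicInNs and loopOvnExt0Check both start and end outside their hunks.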
--- a/pkg/ovn_ic_controller/ovn_ic_controller.go
+++ b/pkg/ovn_ic_controller/ovn_ic_controller.go
@@ -403,6 +403,7 @@ func (c *Controller) acquireLrpAddress(ts string) (string, error) {
 }
 func (c *Controller) startOVNIC(icHost, icNbPort, icSbPort string) error {
+ // #nosec G204
 cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl",
 fmt.Sprintf("--ovn-ic-nb-db=%s", genHostAddress(icHost, icNbPort)),
 fmt.Sprintf("--ovn-ic-sb-db=%s", genHostAddress(icHost, icSbPort)),
@@ -410,6 +411,7 @@ func (c *Controller) startOVNIC(icHost, icNbPort, icSbPort string) error {
 fmt.Sprintf("--ovn-northd-sb-db=%s", c.config.OvnSbAddr),
 "start_ic")
 if os.Getenv("ENABLE_SSL") == "true" {
+ // #nosec G204
 cmd = exec.Command("/usr/share/ovn/scripts/ovn-ctl",
 fmt.Sprintf("--ovn-ic-nb-db=%s", genHostAddress(icHost, icNbPort)),
 fmt.Sprintf("--ovn-ic-sb-db=%s", genHostAddress(icHost, icSbPort)),
diff --git a/pkg/ovn_leader_checker/ovn.go b/pkg/ovn_leader_checker/ovn.go
index ec7e3204cfd4..06a9aa7ee30a 100755
--- a/pkg/ovn_leader_checker/ovn.go
+++ b/pkg/ovn_leader_checker/ovn.go
@@ -139,7 +139,7 @@ func getCmdExitCode(cmd *exec.Cmd) int {
 func checkOvnIsAlive() bool {
 components := [...]string{"northd", "ovnnb", "ovnsb"}
 for _, component := range components {
- cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl", fmt.Sprintf("status_%s", component))
+ cmd := exec.Command("/usr/share/ovn/scripts/ovn-ctl", fmt.Sprintf("status_%s", component)) // #nosec G204
 if err := getCmdExitCode(cmd); err != 0 {
 klog.Errorf("CheckOvnIsAlive: %s is not alive", component)
 return false
@@ -165,7 +165,7 @@ func isDBLeader(dbName string, port int) bool {
 }
 }
- output, err := exec.Command("ovsdb-client", cmd...).CombinedOutput()
+ output, err := exec.Command("ovsdb-client", cmd...).CombinedOutput() // #nosec G204
 if err != nil {
 klog.Errorf("failed to execute cmd %q: err=%v, msg=%v", strings.Join(cmd, " "), err, string(output))
 return false
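Review bot: Both `exec.Command("/usr/share/ovn/scripts/ovn-ctl", ...)` calls in startOVNIC repeat the same `--ovn-ic-nb-db`/`--ovn-ic-sb-db` argument list and differ only in what the `ENABLE_SSL` branch adds (the rest of the second list is outside the hunk), and each now carries its own `#nosec G204`. Building the argument slice once and appending the TLS flags when `os.Getenv("ENABLE_SSL") == "true"` leaves a single `exec.Command` call and a single annotation, and stops the two paths drifting apart; updateTS in pkg/ovn_leader_checker/ovn.go repeats the same shape in both of its hunks and would benefit from the same refactor. The annotations themselves are justified, since the binary path is constant and every argument is passed as argv, but they should say so: `// #nosec G204 -- constant binary, args passed as argv`. startOVNIC's body continues past the hunk.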
@@ -193,7 +193,7 @@ func checkNorthdActive() bool {
 fmt.Sprintf("/var/run/ovn/ovn-northd.%s.ctl", strings.TrimSpace(string(pid))),
 "status",
 }
- output, err := exec.Command("ovs-appctl", command...).CombinedOutput()
+ output, err := exec.Command("ovs-appctl", command...).CombinedOutput() // #nosec G204
 if err != nil {
 klog.Errorf("checkNorthdActive execute err %v error msg %v", err, string(output))
 return false
@@ -239,7 +239,7 @@ func stealLock() {
 }
 }
- output, err := exec.Command("ovsdb-client", command...).CombinedOutput()
+ output, err := exec.Command("ovsdb-client", command...).CombinedOutput() // #nosec G204
 if err != nil {
 klog.Errorf("stealLock err %v", err)
 return
@@ -329,7 +329,7 @@ func compactOvnDatabase(db string) {
 "ovsdb-server/compact",
 }
- output, err := exec.Command("ovn-appctl", command...).CombinedOutput()
+ output, err := exec.Command("ovn-appctl", command...).CombinedOutput() // #nosec G204
 if err != nil {
 if !strings.Contains(string(output), "not storing a duplicate snapshot") {
 klog.Errorf("failed to compact ovn%s database: %s", db, string(output))
@@ -475,10 +475,12 @@ func updateTS() error {
 if err != nil {
 return err
 }
+ // #nosec G204
 cmd := exec.Command("ovn-ic-nbctl", ovs.MayExist, "ts-add", tsName, "--", "set", "Transit_Switch", tsName, fmt.Sprintf(`external_ids:subnet="%s"`, subnet))
 if os.Getenv("ENABLE_SSL") == "true" {
+ // #nosec G204
 cmd = exec.Command("ovn-ic-nbctl",
 "--private-key=/var/run/tls/key",
 "--certificate=/var/run/tls/cert",
@@ -494,9 +496,9 @@ func updateTS() error {
 } else {
 for i := existTSCount - 1; i >= expectTSCount; i-- {
 tsName := getTSName(i)
- cmd := exec.Command("ovn-ic-nbctl",
- "ts-del", tsName)
+ cmd := exec.Command("ovn-ic-nbctl", "ts-del", tsName) // #nosec G204
 if os.Getenv("ENABLE_SSL") == "true" {
+ // #nosec G204
 cmd = exec.Command("ovn-ic-nbctl",
 "--private-key=/var/run/tls/key",
 "--certificate=/var/run/tls/cert",
diff --git a/pkg/ovnmonitor/util.go b/pkg/ovnmonitor/util.go
index 391d5c6da300..1a803a5da09e 100644
--- a/pkg/ovnmonitor/util.go
+++ b/pkg/ovnmonitor/util.go
@@ -50,7 +50,7 @@ func (e *Exporter) getOvnStatus() map[string]int {
 } else {
 cmdstr := fmt.Sprintf("ovs-appctl -t /var/run/ovn/ovn-northd.%s.ctl status", strings.Trim(string(pid), "\n"))
 klog.V(3).Infof("cmd is %v", cmdstr)
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 output, err := cmd.CombinedOutput()
 if err != nil {
 klog.Errorf("get ovn-northd status failed, err %v", err)
@@ -103,7 +103,7 @@ func (e *Exporter) getOvnStatusContent() map[string]string {
 func getClusterEnableState(dbName string) (bool, error) {
 cmdstr := fmt.Sprintf("ovsdb-tool db-is-clustered %s", dbName)
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 _, err := cmd.CombinedOutput()
 if err != nil {
 klog.Error(err)
@@ -181,7 +181,7 @@ func getClusterInfo(direction, dbName string) (*OVNDBClusterStatus, error) {
 var err error
 cmdstr := fmt.Sprintf("ovs-appctl -t /var/run/ovn/ovn%s_db.ctl cluster/status %s", direction, dbName)
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 output, err := cmd.CombinedOutput()
 if err != nil {
 return nil, fmt.Errorf("failed to retrieve cluster/status info for database %s: %v", dbName, err)
@@ -319,7 +319,7 @@ func getDBStatus(dbName string) (bool, error) {
 cmdstr = fmt.Sprintf("ovn-appctl -t /var/run/ovn/ovnsb_db.ctl ovsdb-server/get-db-storage-status %s", dbName)
 }
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 output, err := cmd.CombinedOutput()
 if err != nil {
 klog.Errorf("get ovn-northbound status failed, err %v", err)
diff --git a/pkg/ovsdb/client/client.go b/pkg/ovsdb/client/client.go
index 38371fa204c1..9ee2c5ef9022 100644
--- a/pkg/ovsdb/client/client.go
+++ b/pkg/ovsdb/client/client.go
@@ -71,11 +71,10 @@ func NewOvsDbClient(db, addr string, dbModel model.ClientDBModel, monitors []cli
 }
 certPool := x509.NewCertPool()
 certPool.AppendCertsFromPEM(caCert)
- // #nosec
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{cert},
 RootCAs: certPool,
- InsecureSkipVerify: true,
+ InsecureSkipVerify: true, // #nosec G402
 }
 options = append(options, client.WithTLSConfig(tlsConfig))
 }
diff --git a/pkg/pinger/ovn.go b/pkg/pinger/ovn.go
index f832a2efa59a..14311a77726e 100644
--- a/pkg/pinger/ovn.go
+++ b/pkg/pinger/ovn.go
@@ -128,7 +128,7 @@ func checkSBBindings(config *Configuration) ([]string, error) {
 fmt.Sprintf("hostname=%s", config.NodeName),
 }
 }
- output, err := exec.Command("ovn-sbctl", command...).CombinedOutput()
+ output, err := exec.Command("ovn-sbctl", command...).CombinedOutput() // #nosec G204
 if err != nil {
 klog.Errorf("failed to find chassis: %v, %s", err, string(output))
 return nil, err
@@ -167,7 +167,7 @@ func checkSBBindings(config *Configuration) ([]string, error) {
 fmt.Sprintf("chassis=%s", chassis),
 }
 }
- output, err = exec.Command("ovn-sbctl", command...).CombinedOutput()
+ output, err = exec.Command("ovn-sbctl", command...).CombinedOutput() // #nosec G204
 if err != nil {
 klog.Errorf("failed to list port_binding in ovn-sb %v", err)
 return nil, err
diff --git a/pkg/pinger/util.go b/pkg/pinger/util.go
index cd8d9c99fd21..9d04745fccf9 100644
--- a/pkg/pinger/util.go
+++ b/pkg/pinger/util.go
@@ -41,7 +41,7 @@ func (e *Exporter) getOvsStatus() map[string]bool {
 func (e *Exporter) getOvsDatapath() ([]string, error) {
 var datapathsList []string
 cmdstr := fmt.Sprintf("ovs-appctl -T %v dpctl/dump-dps", e.Client.Timeout)
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 output, err := cmd.CombinedOutput()
 if err != nil {
 return nil, fmt.Errorf("failed to get output of dpctl/dump-dps: %v", err)
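Review bot: `InsecureSkipVerify: true` in the client.go hunk makes the `RootCAs: certPool` two lines above it dead configuration — with verification disabled Go never consults the pool, so the CA loaded via `certPool.AppendCertsFromPEM(caCert)` authenticates nothing and the OVSDB server's identity is never checked; only the client's own certificate is presented. Moving the annotation onto the field keeps gosec quiet without changing that; if the motivation is that OVSDB server certificates do not carry the dial address as a SAN (the usual reason, but outside the diff), the narrower fix is a `VerifyPeerCertificate` callback that verifies the presented chain against `certPool` and skips only the hostname match, with the annotation explaining exactly that, as sketched below. The return value of `AppendCertsFromPEM` is also ignored, so a malformed CA file silently yields an empty pool; with the callback in place that fails closed, which is the right outcome, but logging it would help diagnosis. NewOvsDbClient starts and ends outside the hunk; the sketch assumes `fmt` is imported in this file and uses the `addr` parameter visible in the hunk header.
```go
tlsConfig := &tls.Config{
	Certificates: []tls.Certificate{cert},
	RootCAs:      certPool,
	// Only the hostname/SAN match is skipped; the chain is still verified
	// against certPool in VerifyPeerCertificate below.
	InsecureSkipVerify: true, // #nosec G402 -- chain verified manually below
	VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("ovsdb server %s presented no certificate", addr)
		}
		chain := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("parsing ovsdb server certificate: %w", err)
			}
			chain = append(chain, c)
		}
		opts := x509.VerifyOptions{Roots: certPool, Intermediates: x509.NewCertPool()}
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c)
		}
		if _, err := chain[0].Verify(opts); err != nil {
			return fmt.Errorf("verifying ovsdb server %s certificate: %w", addr, err)
		}
		return nil
	},
}
// … unchanged: options = append(options, client.WithTLSConfig(tlsConfig)) …
```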
@@ -67,7 +67,7 @@ func (e *Exporter) getOvsDatapath() ([]string, error) {
 func (e *Exporter) setOvsDpIfMetric(datapathName string) error {
 cmdstr := fmt.Sprintf("ovs-appctl -T %v dpctl/show %s", e.Client.Timeout, datapathName)
- cmd := exec.Command("sh", "-c", cmdstr)
+ cmd := exec.Command("sh", "-c", cmdstr) // #nosec G204
 output, err := cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("failed to get output of dpctl/show %s: %v", datapathName, err)
diff --git a/pkg/util/arp.go b/pkg/util/arp.go
index 646c5163ba1f..34338ef6b49a 100644
--- a/pkg/util/arp.go
+++ b/pkg/util/arp.go
@@ -114,12 +114,12 @@ func ArpDetectIPConflict(nic, ip string, mac net.HardwareAddr) (net.HardwareAddr
 durations := make([]time.Duration, probeNum)
 // wait for a random time interval selected uniformly in the range zero to
 // PROBE_WAIT seconds
- durations[0] = time.Duration(rand.Int64N(int64(probeWait)))
+ durations[0] = time.Duration(rand.Int64N(int64(probeWait))) // #nosec G404
 deadline = deadline.Add(durations[0])
 for i := 1; i < probeNum; i++ {
 // send PROBE_NUM probe packets, each of these probe packets spaced
 // randomly and uniformly, PROBE_MIN to PROBE_MAX seconds apart
- durations[i] = probeMinmum + time.Duration(rand.Int64N(int64(probeMaxmum-probeMinmum)))
+ durations[i] = probeMinmum + time.Duration(rand.Int64N(int64(probeMaxmum-probeMinmum))) // #nosec G404
 deadline = deadline.Add(durations[i])
 }
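Review bot: The two `#nosec G404` annotations in the arp.go hunk are justified — the values only jitter ARP probe timing as the surrounding comments describe, and nothing here derives a secret from them — but neither says so, and a bare suppression on a `rand` call is the kind a later audit has to re-derive; `// #nosec G404 -- probe timing jitter, not security-sensitive` on each line records it. Separately, `rand.Int64N` panics when its argument is not positive, so these lines depend on `probeWait > 0` and `probeMaxmum > probeMinmum` (both declared outside the hunk); if they are package constants that invariant holds trivially, but it is worth a one-line comment at their declaration. ArpDetectIPConflict starts and ends outside the hunk.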