gosec #741
base: master
Conversation
yuvalk
commented
Sep 28, 2021
- add gosec to verify target
- fix CWE-22
- fix all CWE-118 issues
- fix CWE-276
- fix CWE-703
- ignore unchecked os.Unsetenv from gosec reports
- fix CWE-703
- ignore G204 in latency_testing
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: yuvalk
Probably we need to set GOARCH and compiler variables under our CI.
33b1401 to 30e0948
hack/gosec.sh
go get -u github.com/securego/gosec/v2/cmd/gosec | ||
fi | ||
|
||
time GO111MODULE=off gosec -conf gosec.conf.json ./... |
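Review bot: `go get -u github.com/securego/gosec/v2/cmd/gosec` installs whatever gosec release is current when CI runs, so the set of findings (and the `#nosec` suppressions needed to keep the verify target green) can change between runs with no change to this repository; pin the scanner, for example with `go install github.com/securego/gosec/v2/cmd/gosec@<version>` (version placeholder) or a variable in the script, so upgrades are reviewed like any other dependency change. The `GO111MODULE=off` in `time GO111MODULE=off gosec -conf gosec.conf.json ./...` also needs a comment in the script explaining why it is there: the discussion on this line shows nobody is sure, and GOPATH mode means gosec resolves imports outside go.mod, so it may be analysing different dependency versions than the ones the build uses.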
I've added this GO111MODULE to make it work under prow, but I don't know WHY it works (without it, we're seeing a `could not determine GOARCH and Go compiler` error). If anyone can explain... @fromanirh @cynepco3hahue maybe?
So with GO111MODULE=on it works in the context of go modules, and with GO111MODULE=off in the context of GOPATH, so I am assuming something is configured on the PATH level that is not configured on the module level (probably because of the CI).
Did you try to run `time GOARCH=<> GOOS=<> gosec -conf gosec.conf.json ./...`?
@@ -36,7 +36,7 @@ func ExecAndLogCommandWithStderr(name string, arg ...string) ([]byte, []byte, er | |||
|
|||
var stdout bytes.Buffer | |||
var stderr bytes.Buffer | |||
cmd := exec.CommandContext(ctx, name, arg...) | |||
cmd := exec.CommandContext(ctx, name, arg...) // #nosec G204 |
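Review bot: the `// #nosec G204` on `cmd := exec.CommandContext(ctx, name, arg...)` silences the subprocess finding for every caller of `ExecAndLogCommandWithStderr` at once, which is a wide suppression for a helper whose stated purpose is to run arbitrary commands. Keep the annotation, but put the justification next to it and add a doc comment on the function saying that `name` and `arg` must come from code constants or already-validated input and never from user-controlled data; that turns "carefully review HOW we use this API" into a written contract that reviewers of future call sites can check. Since the arguments reach `exec.CommandContext` without a shell, the thing to review at each call site is which binary and which arguments are chosen, not shell metacharacters.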
@fromanirh I'm not actually sure this is good; do you have any idea how to make this from a closed list?
Hardly. The whole purpose of this API is to run arbitrary commands on arbitrary nodes. Having and maintaining an allow list would be quite a big burden. So yes, the main defense here is carefully reviewing HOW we use this API.
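As an added example (not code from this PR or from the project it belongs to), here is what the closed list yuvalk asked about would look like for a helper shaped like `ExecAndLogCommandWithStderr`: a map of permitted executables checked before `exec.CommandContext` is reached. The entries in `allowedCommands` and the names `ValidateCommand`, `ExecAllowed` and `ErrCommandNotAllowed` are constructed for illustration; the reply above argues that maintaining such a list is a real burden, so the point is only to show where the check would sit and how a rejected command never starts a process.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os/exec"
)

// allowedCommands is a constructed closed list of executables the helper may
// launch. Anything else is rejected before a process is created.
var allowedCommands = map[string]bool{
	"ip":      true,
	"ethtool": true,
	"cat":     true,
}

// ErrCommandNotAllowed is returned (wrapped) for any name outside the list.
var ErrCommandNotAllowed = errors.New("command not in allow list")

// ValidateCommand is the check that turns the open-ended helper into a closed list.
func ValidateCommand(name string) error {
	if !allowedCommands[name] {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, name)
	}
	return nil
}

// ExecAllowed mirrors the (stdout, stderr, err) shape of the PR's helper but
// refuses anything outside allowedCommands before exec.CommandContext runs.
func ExecAllowed(ctx context.Context, name string, arg ...string) ([]byte, []byte, error) {
	if err := ValidateCommand(name); err != nil {
		return nil, nil, err
	}
	var stdout, stderr bytes.Buffer
	// No shell is involved: arg values reach the program unchanged, so the
	// remaining review question is which binary and arguments callers pick.
	cmd := exec.CommandContext(ctx, name, arg...) // #nosec G204 -- name validated against allowedCommands above
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	err := cmd.Run()
	return stdout.Bytes(), stderr.Bytes(), err
}

func main() {
	// A disallowed command is rejected without starting a process.
	_, _, err := ExecAllowed(context.Background(), "rm", "-rf", "/tmp/example")
	fmt.Println("rm:", err)
	fmt.Println("ip allowed:", ValidateCommand("ip") == nil)
}
```

The rejection happens on the command name only; arguments are deliberately left alone because, without a shell, they cannot change which program runs. If a caller ever needs a new binary, the list has to grow, which is the maintenance cost the reply above is pointing at.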
This will ensure code is always secured and does not include security vulnerabilities. This will be verified by running gosec on all our sources. Added placeholder for future gosec configs in gosec.conf.json.
Applying filepath.Clean will make sure filename is not abused.
Removed all references to loop iterator variable.
Reducing permissions to 600.
Explicitly close the file and handle errors. Close is considered unsafe to defer, because it might fail.
It seems that, yes, we don't check for errors, but the function always returns nil err. This is to avoid CWE-703 on os.Unsetenv.
Handle all error cases. For the future, if an error is very rare and unlikely to happen in any normal (supported) user case, it's ok to use `panic(err)`; in other cases, it's better to propagate the error up back to the user and logs.
This is ignored temporarily as the gosec resolver doesn't properly support Call Expressions: https://github.com/securego/gosec/blob/master/resolve.go#L70
Ignored as general purpose command execution function.
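The commit messages above describe the fixes in prose only. This added example (not code from this PR or its project) shows the resulting Go patterns side by side: `filepath.Clean` plus a containment check for the CWE-22 fix (the `filepath.Rel` containment check is an assumption beyond the `Clean` the commit mentions, since `Clean` alone does not stop a `../` prefix from escaping the base directory), a 0600 file mode and an explicitly checked `Close` for the CWE-276 and CWE-703 fixes, and indexing the slice instead of taking the address of the loop variable for the CWE-118 aliasing fix. The names `SafeJoin`, `WriteOwnerOnly`, `Node` and `NodePointers` are mine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SafeJoin resolves a caller-supplied file name under baseDir and rejects names
// that escape it. filepath.Clean normalises the path; the filepath.Rel check is
// what actually refuses "../" traversal (assumed addition beyond the commit).
func SafeJoin(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name) // Join runs Clean, so "a/../../x" collapses before the check
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", name, base)
	}
	return full, nil
}

// WriteOwnerOnly creates the file with mode 0600 (CWE-276 fix) and returns the
// error from Close instead of deferring Close and discarding it (CWE-703 fix).
func WriteOwnerOnly(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		_ = f.Close() // already failing; the write error is the one worth reporting
		return err
	}
	return f.Close() // Close can fail (delayed write errors), so its result is checked
}

// Node stands in for any struct the loops iterate over (constructed type).
type Node struct{ Name string }

// NodePointers takes the address of the slice element, not of the loop variable.
// Before Go 1.22, &n inside "for _, n := range nodes" aliases a single variable,
// so every stored pointer ends up pointing at the last element (gosec G601 / CWE-118).
func NodePointers(nodes []Node) []*Node {
	out := make([]*Node, 0, len(nodes))
	for i := range nodes {
		out = append(out, &nodes[i])
	}
	return out
}

func main() {
	if _, err := SafeJoin("/var/lib/app", "../../etc/passwd"); err != nil {
		fmt.Println("rejected:", err)
	}
	p, _ := SafeJoin("/var/lib/app", "reports/x.json")
	fmt.Println("resolved:", p)
	ptrs := NodePointers([]Node{{"a"}, {"b"}})
	fmt.Println(ptrs[0].Name, ptrs[1].Name)
}
```

Note that `SafeJoin` treats an absolute `name` as relative to `base` (so `/etc/passwd` becomes `/var/lib/app/etc/passwd` and is accepted); if callers must never pass absolute names, reject `filepath.IsAbs(name)` up front as well.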
@yuvalk: The following tests failed.
@yuvalk: PR needs rebase.
@yuvalk please close this PR and open a new one on the NTO repo if needed.