From dee210ce270aecadd59263e5ff37fa5d3ee44eee Mon Sep 17 00:00:00 2001
From: Fiachra Corcoran
Date: Wed, 19 Feb 2025 09:42:28 +0000
Subject: [PATCH] Address gosec errors

---
 default-gosec.mk | 30 ++++++++++++++++++++++-----
 deployments/local/makekeys.sh | 0
 func/internal/podevaluator.go | 1 +
 internal/kpt/fnruntime/nodejs.go | 4 ++--
 internal/kpt/fnruntime/wasm.go | 2 +-
 internal/kpt/fnruntime/wasmtime.go | 5 ++++-
 internal/kpt/util/cmdutil/cmdutil.go | 2 +-
 pkg/apiserver/webhooks.go | 4 +++-
 pkg/cli/commands/rpkg/pull/command.go | 4 ++--
 pkg/git/testing_repo.go | 10 ++++++---
 pkg/registry/porch/wi/wi.go | 4 ++--
 pkg/repository/testing.go | 6 ++++--
 pkg/repository/update.go | 12 ++++++-----
 13 files changed, 59 insertions(+), 25 deletions(-)
 mode change 100755 => 100644 deployments/local/makekeys.sh

diff --git a/default-gosec.mk b/default-gosec.mk
index 70c91dc9..e33b5a00 100644
--- a/default-gosec.mk
+++ b/default-gosec.mk
@@ -1,4 +1,4 @@
-# Copyright 2023-2024 The Nephio Authors.
+# Copyright 2023-2025 The Nephio Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,16 +12,36 @@ # See the License for the specific language governing permissions and # limitations under the License. -GOSEC_VER ?= 2.21.4 GIT_ROOT_DIR ?= $(dir $(lastword $(MAKEFILE_LIST))) include $(GIT_ROOT_DIR)/detect-container-runtime.mk # Install link at https://github.com/securego/gosec#install if not running inside a container + +# BUG: Current version of gosec (2.22.0) produces an invalid html output. +# Downgrade the babel-standalone .PHONY: gosec gosec: ## Inspect the source code for security problems by scanning the Go Abstract Syntax Tree ifeq ($(CONTAINER_RUNNABLE), 0) - $(RUN_CONTAINER_COMMAND) docker.io/securego/gosec:${GOSEC_VER} -fmt=html -out=gosec-results.html \ - -stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./... + $(RUN_CONTAINER_COMMAND) docker.io/nephio/gotests:1885274380137664512 gosec \ + -fmt=html \ + -out=gosec-results.html \ + -stdout -verbose=text \ + -exclude-dir=generated \ + -exclude-dir=test \ + -exclude-dir=third_party \ + -exclude-dir=examples \ + -exclude-generated -severity=medium -exclude=G401,G501,G505 ./... else - gosec -fmt=html -out=gosec-results.html -stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./... + gosec -fmt=html -out=gosec-results.html -stdout -verbose=text \ + -exclude-dir=generated \ + -exclude-dir=third_party \ + -exclude-dir=test \ + -exclude-dir=examples \ + -exclude-generated -severity=medium -exclude=G401,G501,G505 ./... endif + +# Excluding the following gosec rules: +# G401 (CWE-328): Use of weak cryptographic primitive (Used internally for creating unique hashed object names) +# G501 (CWE-327): Blocklisted import crypto/md5: weak cryptographic primitive (Used internally for creating unique hashed repo names) +# G505 (CWE-327): Blocklisted import crypto/sha1: weak cryptographic primitive (Used internally for creating unique hashed object names) 
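Review bot: `-severity=medium` on both new gosec invocations silently drops every low-severity finding, and nothing in the added comment block records that choice; the block at the bottom explains the three excluded rule IDs but not the severity floor, nor why the pinned `docker.io/nephio/gotests:1885274380137664512` image replaced the `securego/gosec:${GOSEC_VER}` image whose version variable is removed above. I would extend the trailing comment with `# -severity=medium: low-severity findings are not reported; run with -severity=low periodically to review them` and state which gosec version the gotests image carries, so the information that `GOSEC_VER` used to hold is not lost. The `# BUG: ... Downgrade the babel-standalone` note is also unclear about whether that downgrade is already baked into the image or is still pending work.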
diff --git a/deployments/local/makekeys.sh b/deployments/local/makekeys.sh
old mode 100755
new mode 100644
diff --git a/func/internal/podevaluator.go b/func/internal/podevaluator.go
index 643c7d1a..bd9c9ae4 100644
--- a/func/internal/podevaluator.go
+++ b/func/internal/podevaluator.go
@@ -715,6 +715,7 @@ func loadTLSConfig(caCertPath string) (*tls.Config, error) {
 	// Create a tls.Config with the CA pool
 	tlsConfig := &tls.Config{
 		RootCAs: caCertPool,
+		MinVersion: tls.VersionTLS12,
 	}
 	return tlsConfig, nil
 }
diff --git a/internal/kpt/fnruntime/nodejs.go b/internal/kpt/fnruntime/nodejs.go
index 92a94bbe..08e3367f 100644
--- a/internal/kpt/fnruntime/nodejs.go
+++ b/internal/kpt/fnruntime/nodejs.go
@@ -34,7 +34,7 @@ type WasmNodejsFn struct {
 
 func NewNodejsFn(loader WasmLoader) (*WasmNodejsFn, error) {
 	cacheDir := filepath.Join(os.TempDir(), "kpt-wasm-fn")
-	err := os.MkdirAll(cacheDir, 0755)
+	err := os.MkdirAll(cacheDir, 0750)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create cache dir: %w", err)
 	}
@@ -43,7 +43,7 @@ func NewNodejsFn(loader WasmLoader) (*WasmNodejsFn, error) {
 		return nil, fmt.Errorf("unable to create temp dir: %w", err)
 	}
 	jsPath := filepath.Join(tempDir, "kpt-fn-wasm-glue-runner.js")
-	if err = os.WriteFile(jsPath, []byte(golangWasmJSCode+glueCode), 0644); err != nil {
+	if err = os.WriteFile(jsPath, []byte(golangWasmJSCode+glueCode), 0600); err != nil {
 		return nil, fmt.Errorf("unable to write the js glue code file: %w", err)
 	}
 
diff --git a/internal/kpt/fnruntime/wasm.go b/internal/kpt/fnruntime/wasm.go
index eae9f482..2ede33c1 100644
--- a/internal/kpt/fnruntime/wasm.go
+++ b/internal/kpt/fnruntime/wasm.go
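Review bot: The tighter `0750` on the `os.MkdirAll(cacheDir, ...)` line only takes effect when the directory is created; `MkdirAll` returns nil without touching the mode of a directory that already exists, and because `cacheDir` is a fixed name under the shared `os.TempDir()` it may already exist with the old `0755`, or have been created there by another local user. The same applies to the `os.MkdirAll(cfg.CertStorageDir, 0750)` change in the `createCerts` hunk of `pkg/apiserver/webhooks.go`, where the directory holds a private key. If the stricter mode matters, follow the call with an `os.Stat` and `os.Chmod` (or refuse a pre-existing directory with unexpected ownership); otherwise a comment such as `// mode applies on first creation only; an existing dir keeps its permissions` would stop the next reader from assuming the cache is private. `NewNodejsFn` continues past the end of this hunk.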
@@ -131,7 +131,7 @@ func (o *OciLoader) getFilePath() (string, error) {
 		return "", fmt.Errorf("unable to create temp dir in %v: %w", o.cacheDir, err)
 	}
 	wasmFile := filepath.Join(o.tempDir, "fn.wasm")
-	err = os.WriteFile(wasmFile, data, 0644)
+	err = os.WriteFile(wasmFile, data, 0600)
 	if err != nil {
 		return "", fmt.Errorf("unable to write wasm content to %v: %w", wasmFile, err)
 	}
diff --git a/internal/kpt/fnruntime/wasmtime.go b/internal/kpt/fnruntime/wasmtime.go
index 06df08b5..2faf44c1 100644
--- a/internal/kpt/fnruntime/wasmtime.go
+++ b/internal/kpt/fnruntime/wasmtime.go
@@ -194,7 +194,10 @@ func (f *WasmtimeFn) GetSP() (uint32, error) {
 		return 0, fmt.Errorf("getsp: %T: expected an int32 return value", sp)
 	}
 
-	return uint32(sp), nil
+	if sp >= 0 {
+		return uint32(sp), nil
+	}
+	return 0, fmt.Errorf("getsp: %T: expected a positive return value", sp)
 }
 
 func (f *WasmtimeFn) Resume() error {
diff --git a/internal/kpt/util/cmdutil/cmdutil.go b/internal/kpt/util/cmdutil/cmdutil.go
index edece955..c9308c98 100644
--- a/internal/kpt/util/cmdutil/cmdutil.go
+++ b/internal/kpt/util/cmdutil/cmdutil.go
@@ -81,7 +81,7 @@ func WriteFnOutput(dest, content string, fromStdin bool, w io.Writer) error {
 func WriteToOutput(r io.Reader, w io.Writer, outDir string) error {
 	var outputs []kio.Writer
 	if outDir != "" {
-		err := os.MkdirAll(outDir, 0755)
+		err := os.MkdirAll(outDir, 0750)
 		if err != nil {
 			return fmt.Errorf("failed to create output directory %q: %q", outDir, err.Error())
 		}
diff --git a/pkg/apiserver/webhooks.go b/pkg/apiserver/webhooks.go
index c80b111e..c9caa5bc 100644
--- a/pkg/apiserver/webhooks.go
+++ b/pkg/apiserver/webhooks.go
@@ -242,7 +242,7 @@ func createCerts(cfg *WebhookConfig) ([]byte, error) {
 		Bytes: x509.MarshalPKCS1PrivateKey(serverPrivateKey),
 	})
 
-	err = os.MkdirAll(cfg.CertStorageDir, 0777)
+	err = os.MkdirAll(cfg.CertStorageDir, 0750)
 	if err != nil {
 		return nil, err
 	}
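Review bot: The new error message in `GetSP` says `expected a positive return value` while the guard right above it accepts zero (`sp >= 0`), and `%T` prints the type name rather than the offending value, which on this path appears to always be the same type since the earlier `expected an int32 return value` check has already passed. I would change the added line to `return 0, fmt.Errorf("getsp: expected a non-negative stack pointer, got %d", sp)` so the message matches the condition and the bad value is visible in logs. `GetSP` begins before this hunk.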
@@ -424,7 +424,9 @@ func runWebhookServer(ctx context.Context, cfg *WebhookConfig) error { Addr: fmt.Sprintf(":%d", cfg.Port), TLSConfig: &tls.Config{ GetCertificate: getCertificate, + MinVersion: tls.VersionTLS12, }, + ReadHeaderTimeout: 10 * time.Second, } go func() { err = server.ListenAndServeTLS("", "") diff --git a/pkg/cli/commands/rpkg/pull/command.go b/pkg/cli/commands/rpkg/pull/command.go index 0eb357d6..8699e853 100644 --- a/pkg/cli/commands/rpkg/pull/command.go +++ b/pkg/cli/commands/rpkg/pull/command.go @@ -133,14 +133,14 @@ func writeToDir(resources map[string]string, dir string) error { if err := cmdutil.CheckDirectoryNotPresent(dir); err != nil { return err } - if err := os.MkdirAll(dir, 0755); err != nil { + if err := os.MkdirAll(dir, 0750); err != nil { return err } for k, v := range resources { f := filepath.Join(dir, k) d := filepath.Dir(f) - if err := os.MkdirAll(d, 0755); err != nil { + if err := os.MkdirAll(d, 0750); err != nil { return err } if err := os.WriteFile(f, []byte(v), 0644); err != nil { diff --git a/pkg/git/testing_repo.go b/pkg/git/testing_repo.go index dd23a5e0..cec47e95 100644 --- a/pkg/git/testing_repo.go +++ b/pkg/git/testing_repo.go @@ -1,4 +1,4 @@ -// Copyright 2022 The kpt and Nephio Authors +// Copyright 2022-2025 The kpt and Nephio Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -170,7 +170,7 @@ func ServeExistingRepository(t *testing.T, git *gogit.Repository) string { func extractTar(t *testing.T, tarfile string, dir string) { t.Helper() - reader, err := os.Open(tarfile) + reader, err := os.Open(tarfile) // #nosec G304 if err != nil { t.Fatalf("Open(%q) failed: %v", tarfile, err) } 
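Review bot: `ReadHeaderTimeout: 10 * time.Second` bounds only the header phase; once the headers are in, the body read and the response write on this `http.Server` remain unbounded, so a slow client can still hold a webhook connection open indefinitely. Alongside the new field I would set `ReadTimeout`, `WriteTimeout` and `IdleTimeout` on the same literal (a few seconds each is reasonable for an admission webhook, whose requests are small). `runWebhookServer` continues past the end of this hunk.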
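Review bot: The `os.WriteFile(f, []byte(v), 0644)` on the last line of the `writeToDir` hunk is left at `0644` while the two `MkdirAll` calls above it were tightened to `0750`, and unlike the equivalent `WriteFile` in `pkg/repository/testing.go` in this same commit it carries no `// #nosec G306` annotation; the unchanged `WriteFile` at the end of the `writeResourcesToDirectory` hunk in `pkg/repository/update.go` is in the same position. If gosec's G306 check (whose default threshold is `0600`) is expected to fire on these, either tighten the mode or add an annotated waiver such as `// #nosec G306 -- pulled package files are intended to be readable by other tools` that states the reason. `writeToDir` continues past the end of this hunk.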
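Review bot: The `// #nosec G304` added to the `os.Open(tarfile)` line in `extractTar` waives the file-inclusion check without saying why, and the same bare annotations appear in the `saveToFile` and second `extractTar` hunks below, in `wi.go` and in `pkg/repository/testing.go` (G304, G305, G301, G101, G306). gosec accepts a justification after `--`, so each should carry one, e.g. `reader, err := os.Open(tarfile) // #nosec G304 -- test helper, archive path is supplied by the test` (adjust to the actual reason) and, for the constant in `wi.go`, `// #nosec G101 -- filesystem path of the projected service-account token, not a credential`. A reason on the annotation is what lets a later reviewer tell a considered waiver from a silenced finding. `extractTar` continues past the end of this hunk.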
@@ -186,16 +186,20 @@ func extractTar(t *testing.T, tarfile string, dir string) { t.Fatalf("Reading tar file %q failed: %v", tarfile, err) } if hdr.FileInfo().IsDir() { + // #nosec G305 path := filepath.Join(dir, hdr.Name) + // #nosec G301 if err := os.MkdirAll(path, 0755); err != nil { t.Fatalf("MkdirAll(%q) failed: %v", path, err) } continue } path := filepath.Join(dir, filepath.Dir(hdr.Name)) + // #nosec G301 if err := os.MkdirAll(path, 0755); err != nil { t.Fatalf("MkdirAll(%q) failed: %v", path, err) } + // #nosec G305 path = filepath.Join(dir, hdr.Name) saveToFile(t, path, tr) } @@ -204,7 +208,7 @@ func extractTar(t *testing.T, tarfile string, dir string) { func saveToFile(t *testing.T, path string, src io.Reader) { t.Helper() - dst, err := os.Create(path) + dst, err := os.Create(path) // #nosec G304 if err != nil { t.Fatalf("Create(%q) failed; %v", path, err) } diff --git a/pkg/registry/porch/wi/wi.go b/pkg/registry/porch/wi/wi.go index a68c0569..47070b26 100644 --- a/pkg/registry/porch/wi/wi.go +++ b/pkg/registry/porch/wi/wi.go @@ -1,4 +1,4 @@ -// Copyright 2022 The kpt and Nephio Authors +// Copyright 2022, 2025 The kpt and Nephio Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -68,7 +68,7 @@ func (w *WITokenExchanger) findWorkloadIdentityPool(ctx context.Context, kubeSer // First, see if we have a valid token mounted locally in our pod { - const tokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token" + const tokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token" // #nosec G101 tokenBytes, err := os.ReadFile(tokenFilePath) if err != nil { diff --git a/pkg/repository/testing.go b/pkg/repository/testing.go index 54af916f..e3755c1c 100644 --- a/pkg/repository/testing.go +++ b/pkg/repository/testing.go 
@@ -1,4 +1,4 @@
-// Copyright 2022, 2024 The kpt and Nephio Authors
+// Copyright 2022-2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@ func ReadPackage(t *testing.T, packageDir string) PackageResources {
 		if err != nil {
 			return fmt.Errorf("failed to get relative path from %q to %q: %w", packageDir, p, err)
 		}
-		contents, err := os.ReadFile(p)
+		contents, err := os.ReadFile(p) // #nosec G304
 		if err != nil {
 			return fmt.Errorf("failed to open the source file %q: %w", p, err)
 		}
@@ -56,9 +56,11 @@ func WritePackage(t *testing.T, packageDir string, contents PackageResources) {
 	for k, v := range contents.Contents {
 		abs := filepath.Join(packageDir, k)
 		dir := filepath.Dir(abs)
+		// #nosec G301
 		if err := os.MkdirAll(dir, 0755); err != nil {
 			t.Fatalf("Failed to crete directory %q: %v", dir, err)
 		}
+		// #nosec G306
 		if err := os.WriteFile(abs, []byte(v), 0644); err != nil {
 			t.Errorf("Failed to write package file %q: %v", abs, err)
 		}
diff --git a/pkg/repository/update.go b/pkg/repository/update.go
index 64d3290d..cacac534 100644
--- a/pkg/repository/update.go
+++ b/pkg/repository/update.go
@@ -1,4 +1,4 @@
-// Copyright 2022, 2024 The kpt and Nephio Authors
+// Copyright 2022-2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,6 +24,8 @@ import (
 	"github.com/nephio-project/porch/internal/kpt/util/update"
 )
 
+const LocalUpdateDir = "kpt-pkg-update-*"
+
 // defaultPackageUpdater implements packageUpdater interface.
 type DefaultPackageUpdater struct{}
 
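Review bot: The exported `LocalUpdateDir` has no doc comment, which Go convention requires for an exported name, and the name misleads: the `Update` hunk below passes it to `os.MkdirTemp` for the local, original and upstream scratch directories alike, and it is a name pattern rather than a directory. I would add `// LocalUpdateDir is the os.MkdirTemp name pattern for the scratch directories used while updating a package.` above the declaration, and if nothing outside the package refers to it, keep it unexported (`localUpdateDir`) so the pattern does not become part of the package's API.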
@@ -33,19 +35,19 @@ func (m *DefaultPackageUpdater) Update( originalResources, upstreamResources PackageResources) (updatedResources PackageResources, err error) { - localDir, err := os.MkdirTemp("", "kpt-pkg-update-*") + localDir, err := os.MkdirTemp("", LocalUpdateDir) if err != nil { return PackageResources{}, err } defer os.RemoveAll(localDir) - originalDir, err := os.MkdirTemp("", "kpt-pkg-update-*") + originalDir, err := os.MkdirTemp("", LocalUpdateDir) if err != nil { return PackageResources{}, err } defer os.RemoveAll(originalDir) - upstreamDir, err := os.MkdirTemp("", "kpt-pkg-update-*") + upstreamDir, err := os.MkdirTemp("", LocalUpdateDir) if err != nil { return PackageResources{}, err } @@ -97,7 +99,7 @@ func writeResourcesToDirectory(dir string, resources PackageResources) error { for k, v := range resources.Contents { p := filepath.Join(dir, k) dir := filepath.Dir(p) - if err := os.MkdirAll(dir, 0755); err != nil { + if err := os.MkdirAll(dir, 0750); err != nil { return fmt.Errorf("failed to create directory %q: %w", dir, err) } if err := os.WriteFile(p, []byte(v), 0644); err != nil {