diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 045c9db7..9c1348c4 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -31,5 +31,8 @@ Testing and documentation do not need to be complete in order for this PR to be
+- [ ] Gosec scans
+
+
 ### How to test changes / Special notes to the reviewer:
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 7dbb94cf..40e53385 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -58,5 +58,21 @@ jobs:
 - name: Run Go Tests
 run: make test
+ - name: Run Gosec Security Scanner
+ run: |
+ go install github.com/securego/gosec/v2/cmd/gosec@latest
+ make gosec
+ if [[ $? != 0 ]]
+ then
+ echo "gosec scanner failed to run "
+ exit 1
+ fi
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: gosec.sarif
+
 - name: Upload coverage to Codecov
 uses: codecov/codecov-action@v2.1.0
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 4e8ba2b6..f4c95d6c 100644
--- a/Makefile
+++ b/Makefile
@@ -31,13 +31,13 @@ ifneq ($(shell command -v addlicense 2> /dev/null),)
 @echo 'addlicense -v -f license_header.txt **/*.go'
 @addlicense -v -f license_header.txt $$(find . -name '*.go')
 else
- $(error addlicense must be installed for this rule: go get -u github.com/google/addlicense)
+ $(error "addlicense must be installed for this command: go install github.com/google/addlicense@latest")
 endif
 ### check_fmt: Checks for missing licenses on files in repo
 check_license:
 ifeq ($(shell command -v addlicense 2> /dev/null),)
- $(error "error addlicense must be installed for this rule: go get -u github.com/google/addlicense")
+ $(error "error addlicense must be installed for this command: go install github.com/google/addlicense@latest")
 endif
 if ! addlicense -check -f license_header.txt $$(find . -not -path '*/\.*' -name '*.go'); then \
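Review bot: The `if [[ $? != 0 ]]` block in the Run Gosec Security Scanner step cannot observe a failure: with no `shell:` key, GitHub runs a multi-line `run:` script under `bash -e`, so a failing `go install` or `make gosec` aborts the step before the check, and the custom message is unreachable; the block can be dropped and the step's own exit status relied on. `go install ...@latest` also pulls an unpinned scanner binary into every CI run; pinning it (`gosec@<VERSION-PLACEHOLDER>`) keeps results reproducible and lets upgrades be reviewed like any other dependency. Separately, `codeql-action/upload-sarif` needs `security-events: write` on the job if the workflow declares a restrictive `permissions:` block — that part of the workflow is outside this hunk, so worth confirming.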
@@ -45,3 +45,10 @@ check_license:
 fi \
+
+### gosec - runs the gosec scanner for non-test files in this repo
+.PHONY: gosec
+gosec:
+ # Run this command to install gosec, if not installed:
+ # go install github.com/securego/gosec/v2/cmd/gosec@latest
+ gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir pkg/testingutil -exclude-dir tests ./...
\ No newline at end of file
diff --git a/pkg/devfile/parser/configurables.go b/pkg/devfile/parser/configurables.go
index ffe426c3..83527517 100644
--- a/pkg/devfile/parser/configurables.go
+++ b/pkg/devfile/parser/configurables.go
@@ -105,7 +105,7 @@ func (d DevfileObj) SetMemory(memory string) error {
 for _, component := range components {
 if component.Container != nil {
 component.Container.MemoryLimit = memory
- d.Data.UpdateComponent(component)
+ _ = d.Data.UpdateComponent(component)
 }
 }
 return d.WriteYamlDevfile()
diff --git a/pkg/devfile/parser/data/v2/containers.go b/pkg/devfile/parser/data/v2/containers.go
index e0ba9765..4d417f9b 100644
--- a/pkg/devfile/parser/data/v2/containers.go
+++ b/pkg/devfile/parser/data/v2/containers.go
@@ -36,7 +36,7 @@ func (d *DevfileV2) AddEnvVars(containerEnvMap map[string][]v1alpha2.EnvVar) err
 for _, component := range components {
 if component.Container != nil {
 component.Container.Env = merge(component.Container.Env, containerEnvMap[component.Name])
- d.UpdateComponent(component)
+ _ = d.UpdateComponent(component)
 }
 }
 return nil
@@ -55,7 +55,7 @@ func (d *DevfileV2) RemoveEnvVars(containerEnvMap map[string][]string) error {
 if err != nil {
 return err
 }
- d.UpdateComponent(component)
+ _ = d.UpdateComponent(component)
 }
 }
 return nil
@@ -76,7 +76,7 @@ func (d *DevfileV2) SetPorts(containerPortsMap map[string][]string) error {
 }
 if component.Container != nil {
 component.Container.Endpoints = addEndpoints(component.Container.Endpoints, endpoints)
- d.UpdateComponent(component)
+ _ = d.UpdateComponent(component)
 }
 }
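Review bot: `-no-fail` in the gosec recipe means findings never make the target — or the CI step that calls it — fail; the SARIF upload is the only place they surface, so a change that introduces a new finding still passes CI. If that is the intended policy, record it above the recipe, e.g. `# -no-fail: findings are reported via SARIF only and do not break the build`; otherwise drop `-no-fail` and let gosec's exit status gate the build. The two `#` lines inside the recipe are recipe lines, not Make comments: make hands them to the shell and echoes them on every run, so prefix them with `@` or move them above the `gosec:` target.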
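Review bot: `_ = d.Data.UpdateComponent(component)` silences the unchecked-error finding without handling it; SetMemory already returns an error, so the natural fix is `if err := d.Data.UpdateComponent(component); err != nil { return err }`. The same discard is introduced in AddEnvVars, RemoveEnvVars, SetPorts and RemovePorts in pkg/devfile/parser/data/v2/containers.go, each of which also returns error. If UpdateComponent cannot fail for a component that was just obtained from GetComponents, a comment stating that (`// error ignored: component was just returned by GetComponents`) documents the discard instead of hiding it. SetMemory's body ends outside the hunk.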
@@ -97,7 +97,7 @@ func (d *DevfileV2) RemovePorts(containerPortsMap map[string][]string) error {
 if err != nil {
 return err
 }
- d.UpdateComponent(component)
+ _ = d.UpdateComponent(component)
 }
 }
diff --git a/pkg/devfile/parser/parse.go b/pkg/devfile/parser/parse.go
index 1c0db80f..5c0f8c1d 100644
--- a/pkg/devfile/parser/parse.go
+++ b/pkg/devfile/parser/parse.go
@@ -742,6 +742,7 @@ func parseKubeResourceFromURI(devObj DevfileObj) error {
 }
 for _, kubeComp := range kubeComponents {
 if kubeComp.Kubernetes != nil && kubeComp.Kubernetes.Uri != "" {
+ /* #nosec G601 -- not an issue, kubeComp is de-referenced in sequence*/
 err := convertK8sLikeCompUriToInlined(&kubeComp, devObj.Ctx)
 if err != nil {
 return errors.Wrapf(err, "failed to convert Kubernetes Uri to inlined for component '%s'", kubeComp.Name)
@@ -754,6 +755,7 @@ func parseKubeResourceFromURI(devObj DevfileObj) error {
 }
 for _, openshiftComp := range openshiftComponents {
 if openshiftComp.Openshift != nil && openshiftComp.Openshift.Uri != "" {
+ /* #nosec G601 -- not an issue, openshiftComp is de-referenced in sequence*/
 err := convertK8sLikeCompUriToInlined(&openshiftComp, devObj.Ctx)
 if err != nil {
 return errors.Wrapf(err, "failed to convert Openshift Uri to inlined for component '%s'", openshiftComp.Name)
diff --git a/pkg/util/util.go b/pkg/util/util.go
index b6fe1a4c..659e7e80 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -494,7 +494,7 @@ func GetIgnoreRulesFromDirectory(directory string) ([]string, error) {
 }
 }
- file, err := os.Open(pathIgnore)
+ file, err := os.Open(filepath.Clean(pathIgnore))
 if err != nil {
 return nil, err
 }
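Review bot: The `#nosec G601` justification on the `&kubeComp` call should state why the aliasing is actually safe: the pointer is handed to convertK8sLikeCompUriToInlined and — as far as this hunk shows — not retained past the call, so nothing can observe the loop variable being overwritten on the next iteration. `/* #nosec G601 -- &kubeComp is only used for the duration of the call and is not retained */` says that precisely, whereas "de-referenced in sequence" does not. The same applies to the openshiftComp hunk below. Because `kubeComp` is a copy of the slice element, anything the callee writes through the pointer has to be persisted separately; the rest of the loop body is outside the hunk, so I cannot see whether that happens, and if it does not, G601 is pointing at a real bug rather than a false positive.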
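Review bot: `filepath.Clean(pathIgnore)` removes the G304 finding but is not a traversal guard — Clean keeps leading `..` segments, so a path built from untrusted input can still resolve outside the intended directory. pathIgnore appears to be derived from the `directory` argument; if that can come from a user, validate it against an allowed base before opening (e.g. `filepath.Rel(base, cleaned)` and reject results that start with `..`). The same substitution is made in IsEmpty, Unzip and CopyFile further down; the Unzip one matters most since `fpath` there is presumably built from archive entry names that must be confined to `dest` — if that containment check already exists above the hunk, a comment pointing to it next to the Clean call would make clear that Clean is only there to satisfy the scanner. GetIgnoreRulesFromDirectory starts outside the hunk.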
@@ -707,7 +707,7 @@ func HTTPGetFreePort() (int, error) {
 // shamelessly taken from: https://stackoverflow.com/questions/30697324/how-to-check-if-directory-on-path-is-empty
 // this helps detect any edge cases where an empty directory is copied over
 func IsEmpty(name string) (bool, error) {
- f, err := os.Open(name)
+ f, err := os.Open(filepath.Clean(name))
 if err != nil {
 return false, err
 }
@@ -997,7 +997,7 @@ func Unzip(src, dest, pathToUnzip string) ([]string, error) {
 return filenames, err
 }
- outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, ModeReadWriteFile)
+ outFile, err := os.OpenFile(filepath.Clean(fpath), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, ModeReadWriteFile)
 if err != nil {
 return filenames, err
 }
@@ -1015,8 +1015,8 @@ func Unzip(src, dest, pathToUnzip string) ([]string, error) {
 _, err = io.Copy(outFile, limited)
 // Close the file without defer to close before next iteration of loop
- outFile.Close()
- rc.Close()
+ _ = outFile.Close()
+ _ = rc.Close()
 if err != nil {
 return filenames, err
@@ -1214,14 +1214,14 @@ func CopyFile(srcPath string, dstPath string, info os.FileInfo) error {
 }
 // Open source file
- srcFile, err := os.Open(srcPath)
+ srcFile, err := os.Open(filepath.Clean(srcPath))
 if err != nil {
 return err
 }
 defer srcFile.Close() // #nosec G307
 // Create destination file
- dstFile, err := os.Create(dstPath)
+ dstFile, err := os.Create(filepath.Clean(dstPath))
 if err != nil {
 return err
 }
diff --git a/replaceSchemaFile.go b/replaceSchemaFile.go
index 2457fc3f..ade02f84 100644
--- a/replaceSchemaFile.go
+++ b/replaceSchemaFile.go
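Review bot: `_ = outFile.Close()` in the `@@ -1015` hunk discards the Close error of a file that was just written; some filesystems report write failures only at Close, so the loop would move on with a possibly truncated extracted file and no error. Since `err` from io.Copy is checked immediately afterwards, fold the close status into it: `if cerr := outFile.Close(); err == nil { err = cerr }`. Discarding `rc.Close()` is fine, as that is the read side. Unzip's body continues outside the hunk.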
@@ -38,7 +38,7 @@ func ReplaceSchemaFile() {
 fmt.Printf("Writing to file: %s\n", filePath)
 fileContent := fmt.Sprintf("package %s\n\n// %s\nconst %s = `%s\n`\n", packageVersion, schemaURL, jsonSchemaVersion, newSchema)
- if err := ioutil.WriteFile(filePath, []byte(fileContent), 0755); err != nil {
+ if err := ioutil.WriteFile(filePath, []byte(fileContent), 0644); err != nil {
 printErr(err)
 os.Exit(1)
 }
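Review bot: `ioutil.WriteFile` has been deprecated since Go 1.16 in favour of `os.WriteFile`, which takes the same arguments; if the module's go directive is 1.16 or later, `if err := os.WriteFile(filePath, []byte(fileContent), 0644); err != nil {` does the same job and, assuming nothing else in the file uses it, lets the `io/ioutil` import go. A short comment on the mode (`// 0644: the output is Go source, it is never executed`) would stop the next reader from "restoring" the executable bit. ReplaceSchemaFile starts outside the hunk.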