mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-23 21:40:20 +00:00
cleanup: address gosec warnings
gosec warns about security problems by scanning the Go AST. Issues Reported: G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH) G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) Signed-off-by: Yug <yuggupta27@gmail.com>
This commit is contained in:
parent
48fa43270f
commit
e73fe64a0d
11
e2e/utils.go
11
e2e/utils.go
@ -31,17 +31,18 @@ import (
|
||||
testutils "k8s.io/kubernetes/test/utils"
|
||||
)
|
||||
|
||||
/* #nosec:G101, values not credententials, just a reference to the location.*/
|
||||
const (
|
||||
defaultNs = "default"
|
||||
vaultSecretNs = "/secret/ceph-csi/" // nolint: gosec
|
||||
vaultSecretNs = "/secret/ceph-csi/"
|
||||
|
||||
// rook created cephfs user
|
||||
cephfsNodePluginSecretName = "rook-csi-cephfs-node" // nolint: gosec
|
||||
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner" // nolint: gosec
|
||||
cephfsNodePluginSecretName = "rook-csi-cephfs-node"
|
||||
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner"
|
||||
|
||||
// rook created rbd user
|
||||
rbdNodePluginSecretName = "rook-csi-rbd-node" // nolint: gosec
|
||||
rbdProvisionerSecretName = "rook-csi-rbd-provisioner" // nolint: gosec
|
||||
rbdNodePluginSecretName = "rook-csi-rbd-node"
|
||||
rbdProvisionerSecretName = "rook-csi-rbd-provisioner"
|
||||
|
||||
rookTolBoxPodLabel = "app=rook-ceph-tools"
|
||||
rbdmountOptions = "mountOptions"
|
||||
|
@ -34,7 +34,7 @@ type volumeID string
|
||||
|
||||
func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
|
||||
var (
|
||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
||||
cmd = exec.Command(program, args...) // #nosec:G204, not called with user specified parameters.
|
||||
sanitizedArgs = util.StripSecretInArgs(args)
|
||||
stdoutBuf bytes.Buffer
|
||||
stderrBuf bytes.Buffer
|
||||
|
@ -33,7 +33,7 @@ const InvalidPoolID int64 = -1
|
||||
// ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
|
||||
func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
|
||||
var (
|
||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
||||
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
|
||||
sanitizedArgs = StripSecretInArgs(args)
|
||||
stdoutBuf bytes.Buffer
|
||||
stderrBuf bytes.Buffer
|
||||
|
@ -96,7 +96,7 @@ func (cp *ConnPool) Destroy() {
|
||||
|
||||
func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
|
||||
// the keyfile can be unique for operations, contents will be the same
|
||||
key, err := ioutil.ReadFile(keyfile) // nolint: gosec, #nosec
|
||||
key, err := ioutil.ReadFile(keyfile) // #nosec:G304, file inclusion via variable.
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
|
||||
func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
|
||||
var (
|
||||
program = "cryptsetup"
|
||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
||||
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
|
||||
sanitizedArgs = StripSecretInArgs(args)
|
||||
stdoutBuf bytes.Buffer
|
||||
stderrBuf bytes.Buffer
|
||||
|
@ -53,7 +53,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
data = ""
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
@ -65,7 +65,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
@ -77,7 +77,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
@ -89,7 +89,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
@ -101,7 +101,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
@ -120,7 +120,7 @@ func TestCSIConfig(t *testing.T) {
|
||||
|
||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
|
||||
"{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||
if err != nil {
|
||||
t.Errorf("Test setup error %s", err)
|
||||
}
|
||||
|
@ -41,7 +41,7 @@ const (
|
||||
vaultDefaultPassphrasePath = ""
|
||||
|
||||
// vault request headers
|
||||
vaultTokenHeader = "X-Vault-Token" // nolint: gosec, #nosec
|
||||
vaultTokenHeader = "X-Vault-Token" // #nosec:G101, value not credential, just references token.
|
||||
vaultNamespaceHeader = "X-Vault-Namespace"
|
||||
)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user