cleanup: address gosec warnings

gosec warns about security problems by scanning the
Go AST.

Issues Reported:
G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH)
G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)

Signed-off-by: Yug <yuggupta27@gmail.com>
This commit is contained in:
Yug 2020-07-20 18:19:05 +05:30 committed by mergify[bot]
parent 48fa43270f
commit e73fe64a0d
7 changed files with 17 additions and 16 deletions

View File

@ -31,17 +31,18 @@ import (
testutils "k8s.io/kubernetes/test/utils"
)
/* #nosec:G101, values not credententials, just a reference to the location.*/
const (
defaultNs = "default"
vaultSecretNs = "/secret/ceph-csi/" // nolint: gosec
vaultSecretNs = "/secret/ceph-csi/"
// rook created cephfs user
cephfsNodePluginSecretName = "rook-csi-cephfs-node" // nolint: gosec
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner" // nolint: gosec
cephfsNodePluginSecretName = "rook-csi-cephfs-node"
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner"
// rook created rbd user
rbdNodePluginSecretName = "rook-csi-rbd-node" // nolint: gosec
rbdProvisionerSecretName = "rook-csi-rbd-provisioner" // nolint: gosec
rbdNodePluginSecretName = "rook-csi-rbd-node"
rbdProvisionerSecretName = "rook-csi-rbd-provisioner"
rookTolBoxPodLabel = "app=rook-ceph-tools"
rbdmountOptions = "mountOptions"

View File

@ -34,7 +34,7 @@ type volumeID string
func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
var (
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
cmd = exec.Command(program, args...) // #nosec:G204, not called with user specified parameters.
sanitizedArgs = util.StripSecretInArgs(args)
stdoutBuf bytes.Buffer
stderrBuf bytes.Buffer

View File

@ -33,7 +33,7 @@ const InvalidPoolID int64 = -1
// ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
var (
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
sanitizedArgs = StripSecretInArgs(args)
stdoutBuf bytes.Buffer
stderrBuf bytes.Buffer

View File

@ -96,7 +96,7 @@ func (cp *ConnPool) Destroy() {
func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
// the keyfile can be unique for operations, contents will be the same
key, err := ioutil.ReadFile(keyfile) // nolint: gosec, #nosec
key, err := ioutil.ReadFile(keyfile) // #nosec:G304, file inclusion via variable.
if err != nil {
return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
}

View File

@ -46,7 +46,7 @@ func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
var (
program = "cryptsetup"
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
sanitizedArgs = StripSecretInArgs(args)
stdoutBuf bytes.Buffer
stderrBuf bytes.Buffer

View File

@ -53,7 +53,7 @@ func TestCSIConfig(t *testing.T) {
}
data = ""
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}
@ -65,7 +65,7 @@ func TestCSIConfig(t *testing.T) {
}
data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}
@ -77,7 +77,7 @@ func TestCSIConfig(t *testing.T) {
}
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}
@ -89,7 +89,7 @@ func TestCSIConfig(t *testing.T) {
}
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}
@ -101,7 +101,7 @@ func TestCSIConfig(t *testing.T) {
}
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}
@ -120,7 +120,7 @@ func TestCSIConfig(t *testing.T) {
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
"{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
if err != nil {
t.Errorf("Test setup error %s", err)
}

View File

@ -41,7 +41,7 @@ const (
vaultDefaultPassphrasePath = ""
// vault request headers
vaultTokenHeader = "X-Vault-Token" // nolint: gosec, #nosec
vaultTokenHeader = "X-Vault-Token" // #nosec:G101, value not credential, just references token.
vaultNamespaceHeader = "X-Vault-Namespace"
)