cleanup: address gosec warnings

gosec warns about security problems by scanning the
Go AST.

Issues Reported:
G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH)
G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)

Signed-off-by: Yug <yuggupta27@gmail.com>

e2e/utils.go

@@ -31,17 +31,18 @@ import (
 	testutils "k8s.io/kubernetes/test/utils"
 )
 
+/* #nosec:G101, values not credententials, just a reference to the location.*/
 const (
 	defaultNs     = "default"
-	vaultSecretNs = "/secret/ceph-csi/" // nolint: gosec
+	vaultSecretNs = "/secret/ceph-csi/"
 
 	// rook created cephfs user
-	cephfsNodePluginSecretName  = "rook-csi-cephfs-node"        // nolint: gosec
+	cephfsNodePluginSecretName  = "rook-csi-cephfs-node"
-	cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner" // nolint: gosec
+	cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner"
 
 	// rook created rbd user
-	rbdNodePluginSecretName  = "rook-csi-rbd-node"        // nolint: gosec
+	rbdNodePluginSecretName  = "rook-csi-rbd-node"
-	rbdProvisionerSecretName = "rook-csi-rbd-provisioner" // nolint: gosec
+	rbdProvisionerSecretName = "rook-csi-rbd-provisioner"
 
 	rookTolBoxPodLabel = "app=rook-ceph-tools"
 	rbdmountOptions    = "mountOptions"

internal/cephfs/util.go

@@ -34,7 +34,7 @@ type volumeID string
 
 func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
 	var (
-		cmd           = exec.Command(program, args...) // nolint: gosec, #nosec
+		cmd           = exec.Command(program, args...) // #nosec:G204, not called with user specified parameters.
 		sanitizedArgs = util.StripSecretInArgs(args)
 		stdoutBuf     bytes.Buffer
 		stderrBuf     bytes.Buffer

internal/util/cephcmds.go

@@ -33,7 +33,7 @@ const InvalidPoolID int64 = -1
 // ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
 func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
 	var (
-		cmd           = exec.Command(program, args...) // nolint: gosec, #nosec
+		cmd           = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
 		sanitizedArgs = StripSecretInArgs(args)
 		stdoutBuf     bytes.Buffer
 		stderrBuf     bytes.Buffer

internal/util/conn_pool.go

@@ -96,7 +96,7 @@ func (cp *ConnPool) Destroy() {
 
 func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
 	// the keyfile can be unique for operations, contents will be the same
-	key, err := ioutil.ReadFile(keyfile) // nolint: gosec, #nosec
+	key, err := ioutil.ReadFile(keyfile) // #nosec:G304, file inclusion via variable.
 	if err != nil {
 		return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
 	}

internal/util/cryptsetup.go

@@ -46,7 +46,7 @@ func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
 func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
 	var (
 		program       = "cryptsetup"
-		cmd           = exec.Command(program, args...) // nolint: gosec, #nosec
+		cmd           = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
 		sanitizedArgs = StripSecretInArgs(args)
 		stdoutBuf     bytes.Buffer
 		stderrBuf     bytes.Buffer

internal/util/csiconfig_test.go

@@ -53,7 +53,7 @@ func TestCSIConfig(t *testing.T) {
 	}
 
 	data = ""
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}
@@ -65,7 +65,7 @@ func TestCSIConfig(t *testing.T) {
 	}
 
 	data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}
@@ -77,7 +77,7 @@ func TestCSIConfig(t *testing.T) {
 	}
 
 	data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}
@@ -89,7 +89,7 @@ func TestCSIConfig(t *testing.T) {
 	}
 
 	data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}
@@ -101,7 +101,7 @@ func TestCSIConfig(t *testing.T) {
 	}
 
 	data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}
@@ -120,7 +120,7 @@ func TestCSIConfig(t *testing.T) {
 
 	data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
 		"{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
-	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+	err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 	if err != nil {
 		t.Errorf("Test setup error %s", err)
 	}

internal/util/vault.go

@@ -41,7 +41,7 @@ const (
 	vaultDefaultPassphrasePath = ""
 
 	// vault request headers
-	vaultTokenHeader     = "X-Vault-Token" // nolint: gosec, #nosec
+	vaultTokenHeader     = "X-Vault-Token" // #nosec:G101, value not credential, just references token.
 	vaultNamespaceHeader = "X-Vault-Namespace"
 )