Address gosec errors

Nordix · Feb 26, 2025 · e2efbf5 · e2efbf5
1 parent 941fdd1
commit e2efbf5
Show file tree

Hide file tree

Showing 13 changed files with 59 additions and 25 deletions.
diff --git a/default-gosec.mk b/default-gosec.mk
@@ -1,4 +1,4 @@
-#  Copyright 2023-2024 The Nephio Authors.
+#  Copyright 2023-2025 The Nephio Authors.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -12,16 +12,36 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
-GOSEC_VER ?= 2.21.4
 GIT_ROOT_DIR ?= $(dir $(lastword $(MAKEFILE_LIST)))
 include $(GIT_ROOT_DIR)/detect-container-runtime.mk
 
 # Install link at https://github.com/securego/gosec#install if not running inside a container
+
+# BUG: Current version of gosec (2.22.0) produces an invalid html output. 
+# Downgrade the babel-standalone <script> entry to - 
+# <script src="https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/7.26.3/babel.min.js" integrity="sha512-NyQU9Gq/x36ldUUB9k8SEVCUUIJYxFjtwa7Ndz5h6noqqcSGx3nnmdK26bXiVWlo8ZU147EyJlydvFQEF97I/w==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 .PHONY: gosec
 gosec: ## Inspect the source code for security problems by scanning the Go Abstract Syntax Tree
 ifeq ($(CONTAINER_RUNNABLE), 0)
-		$(RUN_CONTAINER_COMMAND) docker.io/securego/gosec:${GOSEC_VER} -fmt=html -out=gosec-results.html \
-		-stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./...
+		$(RUN_CONTAINER_COMMAND) docker.io/nephio/gotests:1885274380137664512 gosec \
+		-fmt=html \
+		-out=gosec-results.html \
+		-stdout -verbose=text \
+		-exclude-dir=generated \
+		-exclude-dir=test \
+		-exclude-dir=third_party \
+		-exclude-dir=examples \
+		-exclude-generated -severity=medium -exclude=G401,G501,G505 ./...
 else
-		gosec -fmt=html -out=gosec-results.html -stdout -verbose=text -exclude-dir=generated -exclude-dir=test -exclude-generated ./...
+		gosec -fmt=html -out=gosec-results.html -stdout -verbose=text \
+		-exclude-dir=generated \
+		-exclude-dir=third_party \
+		-exclude-dir=test \
+		-exclude-dir=examples \
+		-exclude-generated -severity=medium -exclude=G401,G501,G505 ./...
 endif
+
+# Excluding the following gosec rules:
+# G401 (CWE-328): Use of weak cryptographic primitive (Used internally for creating unique hashed object names)
+# G501 (CWE-327): Blocklisted import crypto/md5: weak cryptographic primitive (Used internally for creating unique hashed repo names)
+# G505 (CWE-327): Blocklisted import crypto/sha1: weak cryptographic primitive (Used internally for creating unique hashed object names)
diff --git a/deployments/local/makekeys.sh b/deployments/local/makekeys.sh
diff --git a/func/internal/podevaluator.go b/func/internal/podevaluator.go
@@ -715,6 +715,7 @@ func loadTLSConfig(caCertPath string) (*tls.Config, error) {
 	// Create a tls.Config with the CA pool
 	tlsConfig := &tls.Config{
 		RootCAs: caCertPool,
+		MinVersion: tls.VersionTLS12,
 	}
 	return tlsConfig, nil
 }

diff --git a/internal/kpt/fnruntime/nodejs.go b/internal/kpt/fnruntime/nodejs.go
@@ -34,7 +34,7 @@ type WasmNodejsFn struct {
 
 func NewNodejsFn(loader WasmLoader) (*WasmNodejsFn, error) {
 	cacheDir := filepath.Join(os.TempDir(), "kpt-wasm-fn")
-	err := os.MkdirAll(cacheDir, 0755)
+	err := os.MkdirAll(cacheDir, 0750)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create cache dir: %w", err)
 	}
@@ -43,7 +43,7 @@ func NewNodejsFn(loader WasmLoader) (*WasmNodejsFn, error) {
 		return nil, fmt.Errorf("unable to create temp dir: %w", err)
 	}
 	jsPath := filepath.Join(tempDir, "kpt-fn-wasm-glue-runner.js")
-	if err = os.WriteFile(jsPath, []byte(golangWasmJSCode+glueCode), 0644); err != nil {
+	if err = os.WriteFile(jsPath, []byte(golangWasmJSCode+glueCode), 0600); err != nil {
 		return nil, fmt.Errorf("unable to write the js glue code file: %w", err)
 	}
 

diff --git a/internal/kpt/fnruntime/wasm.go b/internal/kpt/fnruntime/wasm.go
@@ -131,7 +131,7 @@ func (o *OciLoader) getFilePath() (string, error) {
 		return "", fmt.Errorf("unable to create temp dir in %v: %w", o.cacheDir, err)
 	}
 	wasmFile := filepath.Join(o.tempDir, "fn.wasm")
-	err = os.WriteFile(wasmFile, data, 0644)
+	err = os.WriteFile(wasmFile, data, 0600)
 	if err != nil {
 		return "", fmt.Errorf("unable to write wasm content to %v: %w", wasmFile, err)
 	}

diff --git a/internal/kpt/fnruntime/wasmtime.go b/internal/kpt/fnruntime/wasmtime.go
@@ -194,7 +194,10 @@ func (f *WasmtimeFn) GetSP() (uint32, error) {
 		return 0, fmt.Errorf("getsp: %T: expected an int32 return value", sp)
 	}
 
-	return uint32(sp), nil
+	if sp >= 0 {
+		return uint32(sp), nil
+	}
+	return 0, fmt.Errorf("getsp: %T: expected a positive return value", sp)
 }
 
 func (f *WasmtimeFn) Resume() error {

diff --git a/internal/kpt/util/cmdutil/cmdutil.go b/internal/kpt/util/cmdutil/cmdutil.go
@@ -81,7 +81,7 @@ func WriteFnOutput(dest, content string, fromStdin bool, w io.Writer) error {
 func WriteToOutput(r io.Reader, w io.Writer, outDir string) error {
 	var outputs []kio.Writer
 	if outDir != "" {
-		err := os.MkdirAll(outDir, 0755)
+		err := os.MkdirAll(outDir, 0750)
 		if err != nil {
 			return fmt.Errorf("failed to create output directory %q: %q", outDir, err.Error())
 		}

diff --git a/pkg/apiserver/webhooks.go b/pkg/apiserver/webhooks.go
@@ -242,7 +242,7 @@ func createCerts(cfg *WebhookConfig) ([]byte, error) {
 		Bytes: x509.MarshalPKCS1PrivateKey(serverPrivateKey),
 	})
 
-	err = os.MkdirAll(cfg.CertStorageDir, 0777)
+	err = os.MkdirAll(cfg.CertStorageDir, 0750)
 	if err != nil {
 		return nil, err
 	}
@@ -424,7 +424,9 @@ func runWebhookServer(ctx context.Context, cfg *WebhookConfig) error {
 		Addr: fmt.Sprintf(":%d", cfg.Port),
 		TLSConfig: &tls.Config{
 			GetCertificate: getCertificate,
+			MinVersion: tls.VersionTLS12,
 		},
+		ReadHeaderTimeout: 10 * time.Second,
 	}
 	go func() {
 		err = server.ListenAndServeTLS("", "")

diff --git a/pkg/cli/commands/rpkg/pull/command.go b/pkg/cli/commands/rpkg/pull/command.go
@@ -133,14 +133,14 @@ func writeToDir(resources map[string]string, dir string) error {
 	if err := cmdutil.CheckDirectoryNotPresent(dir); err != nil {
 		return err
 	}
-	if err := os.MkdirAll(dir, 0755); err != nil {
+	if err := os.MkdirAll(dir, 0750); err != nil {
 		return err
 	}
 
 	for k, v := range resources {
 		f := filepath.Join(dir, k)
 		d := filepath.Dir(f)
-		if err := os.MkdirAll(d, 0755); err != nil {
+		if err := os.MkdirAll(d, 0750); err != nil {
 			return err
 		}
 		if err := os.WriteFile(f, []byte(v), 0644); err != nil {

diff --git a/pkg/externalrepo/git/testing_repo.go b/pkg/externalrepo/git/testing_repo.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The kpt and Nephio Authors
+// Copyright 2022-2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -170,7 +170,7 @@ func ServeExistingRepository(t *testing.T, git *gogit.Repository) string {
 func extractTar(t *testing.T, tarfile string, dir string) {
 	t.Helper()
 
-	reader, err := os.Open(tarfile)
+	reader, err := os.Open(tarfile) // #nosec G304
 	if err != nil {
 		t.Fatalf("Open(%q) failed: %v", tarfile, err)
 	}
@@ -186,16 +186,20 @@ func extractTar(t *testing.T, tarfile string, dir string) {
 			t.Fatalf("Reading tar file %q failed: %v", tarfile, err)
 		}
 		if hdr.FileInfo().IsDir() {
+			// #nosec G305
 			path := filepath.Join(dir, hdr.Name)
+			// #nosec G301
 			if err := os.MkdirAll(path, 0755); err != nil {
 				t.Fatalf("MkdirAll(%q) failed: %v", path, err)
 			}
 			continue
 		}
 		path := filepath.Join(dir, filepath.Dir(hdr.Name))
+		// #nosec G301
 		if err := os.MkdirAll(path, 0755); err != nil {
 			t.Fatalf("MkdirAll(%q) failed: %v", path, err)
 		}
+		// #nosec G305
 		path = filepath.Join(dir, hdr.Name)
 		saveToFile(t, path, tr)
 	}
@@ -204,7 +208,7 @@ func extractTar(t *testing.T, tarfile string, dir string) {
 func saveToFile(t *testing.T, path string, src io.Reader) {
 	t.Helper()
 
-	dst, err := os.Create(path)
+	dst, err := os.Create(path) // #nosec G304
 	if err != nil {
 		t.Fatalf("Create(%q) failed; %v", path, err)
 	}

diff --git a/pkg/registry/porch/wi/wi.go b/pkg/registry/porch/wi/wi.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The kpt and Nephio Authors
+// Copyright 2022, 2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -68,7 +68,7 @@ func (w *WITokenExchanger) findWorkloadIdentityPool(ctx context.Context, kubeSer
 
 	// First, see if we have a valid token mounted locally in our pod
 	{
-		const tokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+		const tokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token" // #nosec G101
 
 		tokenBytes, err := os.ReadFile(tokenFilePath)
 		if err != nil {

diff --git a/pkg/repository/testing.go b/pkg/repository/testing.go
@@ -1,4 +1,4 @@
-// Copyright 2022, 2024 The kpt and Nephio Authors
+// Copyright 2022-2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@ func ReadPackage(t *testing.T, packageDir string) PackageResources {
 		if err != nil {
 			return fmt.Errorf("failed to get relative path from %q to %q: %w", packageDir, p, err)
 		}
-		contents, err := os.ReadFile(p)
+		contents, err := os.ReadFile(p) // #nosec G304
 		if err != nil {
 			return fmt.Errorf("failed to open the source file %q: %w", p, err)
 		}
@@ -56,9 +56,11 @@ func WritePackage(t *testing.T, packageDir string, contents PackageResources) {
 	for k, v := range contents.Contents {
 		abs := filepath.Join(packageDir, k)
 		dir := filepath.Dir(abs)
+		// #nosec G301
 		if err := os.MkdirAll(dir, 0755); err != nil {
 			t.Fatalf("Failed to crete directory %q: %v", dir, err)
 		}
+		// #nosec G306
 		if err := os.WriteFile(abs, []byte(v), 0644); err != nil {
 			t.Errorf("Failed to write package file %q: %v", abs, err)
 		}

diff --git a/pkg/repository/update.go b/pkg/repository/update.go
@@ -1,4 +1,4 @@
-// Copyright 2022, 2024 The kpt and Nephio Authors
+// Copyright 2022-2025 The kpt and Nephio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,6 +24,8 @@ import (
 	"github.com/nephio-project/porch/internal/kpt/util/update"
 )
 
+const LocalUpdateDir = "kpt-pkg-update-*"
+
 // defaultPackageUpdater implements packageUpdater interface.
 type DefaultPackageUpdater struct{}
 
@@ -33,19 +35,19 @@ func (m *DefaultPackageUpdater) Update(
 	originalResources,
 	upstreamResources PackageResources) (updatedResources PackageResources, err error) {
 
-	localDir, err := os.MkdirTemp("", "kpt-pkg-update-*")
+	localDir, err := os.MkdirTemp("", LocalUpdateDir)
 	if err != nil {
 		return PackageResources{}, err
 	}
 	defer os.RemoveAll(localDir)
 
-	originalDir, err := os.MkdirTemp("", "kpt-pkg-update-*")
+	originalDir, err := os.MkdirTemp("", LocalUpdateDir)
 	if err != nil {
 		return PackageResources{}, err
 	}
 	defer os.RemoveAll(originalDir)
 
-	upstreamDir, err := os.MkdirTemp("", "kpt-pkg-update-*")
+	upstreamDir, err := os.MkdirTemp("", LocalUpdateDir)
 	if err != nil {
 		return PackageResources{}, err
 	}
@@ -97,7 +99,7 @@ func writeResourcesToDirectory(dir string, resources PackageResources) error {
 	for k, v := range resources.Contents {
 		p := filepath.Join(dir, k)
 		dir := filepath.Dir(p)
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0750); err != nil {
 			return fmt.Errorf("failed to create directory %q: %w", dir, err)
 		}
 		if err := os.WriteFile(p, []byte(v), 0644); err != nil {