Use 'gosec' for static scans (#264)

* add gosec

Signed-off-by: Gabor Nyiri <gabor.nyiri@ibm.com>

* fix gosec issues

Signed-off-by: Gabor Nyiri <gabor.nyiri@ibm.com>

* lint-fix

Signed-off-by: Gabor Nyiri <gabor.nyiri@ibm.com>

Co-authored-by: Gabor Nyiri <gabor.nyiri@ibm.com>

.golangci.yml

@@ -7,5 +7,4 @@ linters:
     # Default linters plus these:
     - golint
     - gofmt
-    - gosec
     - goimports

.gosec.json

@@ -0,0 +1,6 @@
+{
+  "G101": {
+    "_justification": "Too many false positives with default 'hard-coded secret' configuration.",
+    "entropy_threshold": "80.0"
+  }
+}

Makefile

@@ -3,6 +3,7 @@ export KUBEBUILDER_ASSETS = ${PWD}/cache/kubebuilder_${KUBEBUILDER_VERSION}/bin
 CONTROLLER_GEN_VERSION = 0.2.5
 CONTROLLER_GEN=${PWD}/cache/controller-gen_${CONTROLLER_GEN_VERSION}/controller-gen
 LINT_VERSION = 1.28.3
+GOSEC_VERSION="v2.9.2"
 KUBEVAL_VERSION= 0.15.0
 KUBEVAL_KUBE_VERSION=1.18.1
 # Set PATH to pick up cached tools. The additional 'sed' is required for cross-platform support of quoting the args to 'env'
@@ -129,10 +130,15 @@ lint-deps:
 		set -ex; curl -fsSL https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.$$(uname).x86_64.tar.xz | tar -xJv --strip-components=1 shellcheck-stable/shellcheck; \
 		mv shellcheck $(shell go env GOPATH)/bin/shellcheck; chmod +x $(shell go env GOPATH)/bin/shellcheck; \
 	fi
+	@if ! which gosec >/dev/null || [[ "$$(gosec --version)" != *${GOSEC_VERSION}* ]]; then \
+		set -o pipefail; \
+		go install github.com/securego/gosec/v2/cmd/gosec@${GOSEC_VERSION}; \
+	fi
 
 .PHONY: lint
 lint: lint-deps
 	golangci-lint run
+	gosec -conf .gosec.json ./...
 	find . -name '*.*sh' | xargs shellcheck --color
 	go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth
 

internal/cmd/fixcrd/main.go

@@ -28,17 +28,19 @@ func run(args []string) error {
 	}
 
 	for _, arg := range args {
-		f, err := os.Open(arg)
+		f, err := os.Open(arg) // #nosec G304 comes from user input
 		if err != nil {
 			return err
 		}
-		defer f.Close()
+		defer func() {
+			_ = f.Close()
+		}() // #nosec G307 we cannot handle this error in other way then just simply ignore it
 		var buf bytes.Buffer
 		err = mutateYaml(f, &buf)
 		if err != nil {
 			return err
 		}
-		err = ioutil.WriteFile(arg, buf.Bytes(), 0644) // nolint:gosec // mimics original file permissions from kubebuilder
+		err = ioutil.WriteFile(arg, buf.Bytes(), 0644) // #nosec mimics original file permissions from kubebuilder
 		if err != nil {
 			return err
 		}

internal/cmd/genolm/crd.go

@@ -42,7 +42,7 @@ type Descriptor struct {
 func getCRDs(repoRoot string) ([]CRD, error) {
 	var crds []CRD
 	var bindingCRD apiextensionsv1beta1.CustomResourceDefinition
-	bindingCRDBytes, err := ioutil.ReadFile(filepath.Join(repoRoot, "out/apiextensions.k8s.io_v1beta1_customresourcedefinition_bindings.ibmcloud.ibm.com.yaml"))
+	bindingCRDBytes, err := ioutil.ReadFile(filepath.Join(repoRoot, "out/apiextensions.k8s.io_v1beta1_customresourcedefinition_bindings.ibmcloud.ibm.com.yaml")) // #nosec G304 repoRoot comes from user input
 	if err != nil {
 		return nil, errors.Wrap(err, "Error reading generated CRD file. Did kustomize run yet?")
 	}
@@ -64,7 +64,7 @@ func getCRDs(repoRoot string) ([]CRD, error) {
 	))
 
 	var serviceCRD apiextensionsv1beta1.CustomResourceDefinition
-	serviceCRDBytes, err := ioutil.ReadFile(filepath.Join(repoRoot, "out/apiextensions.k8s.io_v1beta1_customresourcedefinition_services.ibmcloud.ibm.com.yaml"))
+	serviceCRDBytes, err := ioutil.ReadFile(filepath.Join(repoRoot, "out/apiextensions.k8s.io_v1beta1_customresourcedefinition_services.ibmcloud.ibm.com.yaml")) // #nosec G304 repoRoot comes from user input
 	if err != nil {
 		return nil, errors.Wrap(err, "Error reading generated CRD file. Did kustomize run yet?")
 	}

internal/cmd/genolm/deployments.go

@@ -16,7 +16,7 @@ type Deployment struct {
 
 func getDeployments(output string) ([]Deployment, error) {
 	var deployment appsv1.Deployment
-	deploymentBytes, err := ioutil.ReadFile(filepath.Join(output, "apps_v1_deployment_ibmcloud-operator-controller-manager.yaml"))
+	deploymentBytes, err := ioutil.ReadFile(filepath.Join(output, "apps_v1_deployment_ibmcloud-operator-controller-manager.yaml")) // #nosec G304 output path comes from user input
 	if err != nil {
 		return nil, errors.Wrap(err, "Error reading generated deployment file. Did kustomize run yet?")
 	}

internal/cmd/genolm/main.go

@@ -85,11 +85,13 @@ func run(output, repoRoot, versionStr string) error {
 		return err
 	}
 
-	readmeFile, err := os.Open(filepath.Join(repoRoot, "README.md"))
+	readmeFile, err := os.Open(filepath.Join(repoRoot, "README.md")) // #nosec G304 repo root comes from user input
 	if err != nil {
 		return err
 	}
-	defer readmeFile.Close()
+	defer func() {
+		_ = readmeFile.Close()
+	}() // #nosec G307 we cannot handle this error in other way then just simply ignore it
 	readme := prepREADME(readmeFile)
 
 	samples, err := getSamples(repoRoot)
@@ -149,7 +151,9 @@ func writeFile(path string, tmpl *template.Template, data interface{}) error {
 	if err != nil {
 		return err
 	}
-	defer f.Close()
+	defer func() {
+		_ = f.Close()
+	}() // #nosec G307 we cannot handle this error in other way then just simply ignore it
 
 	return tmpl.Execute(f, data)
 }
@@ -196,7 +200,7 @@ func getRBAC(output string) (clusterRoles, roles roleRules, err error) {
 		return roleRules{}, roleRules{}, err
 	}
 	for _, path := range rbacFiles {
-		buf, err := ioutil.ReadFile(path)
+		buf, err := ioutil.ReadFile(path) // #nosec G304 output path defined as user input
 		if err != nil {
 			return roleRules{}, roleRules{}, err
 		}
@@ -255,7 +259,7 @@ func getRBAC(output string) (clusterRoles, roles roleRules, err error) {
 func getSamples(repoRoot string) ([]runtime.RawExtension, error) {
 	var samples []runtime.RawExtension
 	for _, name := range []string{"translator.yaml", "translator-binding.yaml"} {
-		sample, err := ioutil.ReadFile(filepath.Join(repoRoot, "config/samples", name))
+		sample, err := ioutil.ReadFile(filepath.Join(repoRoot, "config/samples", name)) // #nosec G304 points to hardcoded yaml file located in a directory specified by user as input parameter
 		if err != nil {
 			return nil, err
 		}

internal/cmd/release/main.go

@@ -145,7 +145,7 @@ func run(args Args, deps Deps) error {
 			for _, crd := range crds {
 				crd := crd // loop-local copy for closure
 				ops = append(ops, func() error {
-					contents, err := ioutil.ReadFile(crd)
+					contents, err := ioutil.ReadFile(crd) // #nosec G304 comes from user input points to a concrete CRD
 					crdContents[filepath.Base(crd)] = contents
 					return errors.Wrap(err, "failed to read CRD file")
 				})

internal/config/ibm.go

@@ -94,7 +94,7 @@ func readBluemixConfig() (config bluemixConfig, ok bool, err error) {
 	if err != nil {
 		return config, false, err
 	}
-	buf, err := ioutil.ReadFile(filepath.Join(bxHome, "config.json"))
+	buf, err := ioutil.ReadFile(filepath.Join(bxHome, "config.json")) // #nosec G304 user home relative path of config file
 	if os.IsNotExist(err) {
 		return config, false, nil
 	}
@@ -137,7 +137,7 @@ func readCFConfig() (config cfConfig, ok bool, err error) {
 	if err != nil {
 		return config, false, err
 	}
-	buf, err := ioutil.ReadFile(filepath.Join(bxHome, ".cf", "config.json"))
+	buf, err := ioutil.ReadFile(filepath.Join(bxHome, ".cf", "config.json")) // #nosec G304 user home relative path of config file
 	if os.IsNotExist(err) {
 		return config, false, nil
 	}