gosec #2766
gosec #2766
Conversation
|
@astefanutti @squakez I've done a quick scanning with I'm not sure if the change I made are the proper one but the intention is more to make them a little bit visible so we can agree on the path we want to follow in general. |
|
@astefanutti @squakez I've done a quick scanning with I'm not sure if the change I made are the proper one but the intention is more to make them a little bit visible so we can agree on the path we want to follow in general. As example one of the reported issue is about |
|
I've somehow fixed some of the issues reported by f, err := os.Open("/foo/bar.txt")
if err != nil {
return err
}
defer f.Close()The reason of this finding is that, when deferring the method call, we don't check if the file is really closed or not and in most of the case it is probably ok but it may cause very subtle bugs like we may leak file descriptor that may or may not impact the behavior of the application at some point (i.e. you may run out of file descriptors). So I think that when possible this problem should be addressed. However it is not very clear how to implement it. Some hint may be found in this blog post: https://www.joeshaw.org/dont-defer-close-on-writable-files. I've tried to implement what is written in that post but it does not seem to be applicable as a general rule so I ended up with some slightly different way (that also leverage some of the hints from the blog) that make use of closures. I'm not sure if that is the right approach or not so any feedback would be more that welcome. |
|
gosec action is not allowed, I've raised an issue: https://issues.apache.org/jira/browse/INFRA-22558 |
|
@lburgazzoli the closure pattern looks good. To be honest, even the "plain procedural" approach looks good to me: f, err := os.Create("path")
if err != nil {
return err
}
if err = io.WriteString(f, "hello world"); err != nil {
f.Close()
return err
}
return f.Close()Sometimes, no-pattern is the best pattern, and I find it a bit ironic the hype with |
I do agree on this point and I originally opted to use it, however there is a subtle issue in this block: if err = io.WriteString(f, "hello world"); err != nil {
f.Close()
return err
}Is it correct to swallow any error that may be detected while closing the file ? In my case I experimented with the I guess here what we need to find is the logical pattern we want to use to deal with this case and enforce with gosec/lint and when doing PR review rather than the specific coding patter (like the closure I introduced as exploration).
100% agree |
The author of the blog post indicates that the close error is ignored, because the write error takes precedence. I'm not sure how to interpret that, but I guess most importantly, an error is returned, and the caller error handling flow is triggered. Also |
I'm not really convinced about the wording used in the blog as the fact that write error takes precedence over the close error is an opinionated choice as we are talking about errors that may or may not be related (got bitten hard by a similar assumption in the past in the java land, so I'm a little bit sensitive about the problem). However I do agree that at least the caller is aware of an error. |
I agree it's hard to tell whether that's an opinion or a technical argument.
Sounds good. |
lburgazzoli
force-pushed
the
gosec
branch
3 times, most recently
from
5cd3982
to
8fb6308
Compare
| - forcetypeassert | ||
| - gocritic | ||
| - gofmt | ||
| enable-all: true |
There was a problem hiding this comment.
I changed in a previous commit here from enable-all (denylisting) to disable-all (allowlisting), because otherwise every time we try to upgrade golangci-lint it will introduce a new set of linters which weren't checked before and thus upgrading golangci-lint will become painful. I thought using disable-all and allowlisting makes upgrading the golangci-lint action easier.
So, do you think it's not a good idea and we should catch up with new additions to linters along with upgrade of the action?
There was a problem hiding this comment.
I can revert to the disable-all mode, I don't have any strong opinion here.
The reason I did it the other way is to be sure we are not missing any important lint (as example. the gosec one was missing) so I did try to run it with all the possible lints and then disabling those that are just noise.
@astefanutti @squakez @tadayosi since I'm not contributing to the project very often now, I let you decide
There was a problem hiding this comment.
On one hand with disable-all, it's less work to upgrade, but we would lag behind what would be the "default" / de-facto standard set of linters, and we would create a "debt" over time that would have to be pay by some larger one-time efforts, on the other hand with enable-all, there is some extra work possible each time we upgrade, which may biased us from not upgrading, but we would inherit from the "default", possibly better set of linters.
I'd be inclined toward trusting golangci-lint and trying with enable-all, so we dilute the possible overhead, keeping in mind that we can always revert to disable-all if that does not work.
There was a problem hiding this comment.
can we merge this PR then ?
There was a problem hiding this comment.
I think so, was waiting for your final confirmation :)
There was a problem hiding this comment.
Fair enough. Let's use enable-all and see how it works.
Release Note