lint: enable gosec G402 (minimum TLS version)
Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu authored and ldelossa committed Jan 24, 2023
1 parent 54fa995 commit ca890a4
Showing 5 changed files with 18 additions and 4 deletions.
4 changes: 4 additions & 0 deletions .golangci.yaml
Expand Up @@ -60,6 +60,9 @@ linters-settings:
template: |-
SPDX-License-Identifier: Apache-2.0
Copyright Authors of {{ PROJECT }}
gosec:
includes:
- G402

issues:
# Excluding configuration per-path, per-linter, per-text and per-source
Expand Down Expand Up @@ -89,6 +92,7 @@ linters:
- unused
- varcheck
- goheader
- gosec

# To enable later if makes sense
# - deadcode
6 changes: 5 additions & 1 deletion pkg/crypto/certloader/server.go
Expand Up @@ -116,8 +116,12 @@ func (c *WatchedServerConfig) ServerConfig(base *tls.Config) *tls.Config {
}
}
c.log.WithField("keypair-sn", keypairId(keypair)).
Debugf("Server tls handshake")
Debug("Server tls handshake")
return tlsConfig, nil
},
// NOTE: this MinVersion is not used as this tls.Config will be
// overridden by the one returned by GetConfigForClient. The effective
// MinVersion must be set by the provided base TLS configuration.
MinVersion: tls.VersionTLS13,
}
}
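Review bot: The added `MinVersion: tls.VersionTLS13` on the outer config reads as if TLS 1.3 were enforced, yet the NOTE above it says the handshake uses the config returned by GetConfigForClient, so the effective floor is whatever `base` carries. Nothing visible in this hunk checks that `base.MinVersion` is set; if a caller passes a base with the zero value, the Go toolchain's default minimum applies instead. Consider setting a floor on the per-connection config before `return tlsConfig, nil`, for example `if tlsConfig.MinVersion == 0 { tlsConfig.MinVersion = tls.VersionTLS13 }` (or whichever floor the project intends), or at least stating the requirement in the ServerConfig doc comment. The function body starts above the hunk, so how `tlsConfig` is derived from `base` is not visible here.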
4 changes: 3 additions & 1 deletion pkg/hubble/peer/types/client.go
Expand Up @@ -74,7 +74,9 @@ func (b RemoteClientBuilder) Client(target string) (Client, error) {
if b.TLSConfig == nil {
opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
} else {
tlsConfig := b.TLSConfig.ClientConfig(&tls.Config{
// NOTE: gosec is unable to resolve the constant and warns about "TLS
// MinVersion too low".
tlsConfig := b.TLSConfig.ClientConfig(&tls.Config{ //nolint:gosec
ServerName: b.TLSServerName,
MinVersion: hubbleopts.MinTLSVersion,
})
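Review bot: `//nolint:gosec` on the `&tls.Config{` line silences every gosec rule for that statement, not only G402, so any rule enabled later in `.golangci.yaml` would be hidden here as well. A rule-scoped annotation that carries its justification, such as `// #nosec G402 -- MinVersion is hubbleopts.MinTLSVersion`, keeps the suppression narrow; confirm that the linter setup honours `#nosec`. The NOTE would also be more useful if it stated which TLS version the constant resolves to, since its definition is not visible in this hunk and the suppression removes the automated check on it. The same applies to the suppressions in pkg/hubble/relay/pool/client.go and pkg/hubble/server/server.go (the latter uses `serveroption.MinTLSVersion`). The enclosing function starts and ends outside the hunk.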
4 changes: 3 additions & 1 deletion pkg/hubble/relay/pool/client.go
Expand Up @@ -52,7 +52,9 @@ func (b GRPCClientConnBuilder) ClientConn(target, hostname string) (poolTypes.Cl
if b.TLSConfig == nil {
opts = append(opts, grpc.WithInsecure())
} else {
tlsConfig := b.TLSConfig.ClientConfig(&tls.Config{
// NOTE: gosec is unable to resolve the constant and warns about "TLS
// MinVersion too low".
tlsConfig := b.TLSConfig.ClientConfig(&tls.Config{ //nolint:gosec
ServerName: hostname,
MinVersion: hubbleopts.MinTLSVersion,
})
4 changes: 3 additions & 1 deletion pkg/hubble/server/server.go
Expand Up @@ -63,7 +63,9 @@ func (s *Server) newGRPCServer() (*grpc.Server, error) {
opts = append(opts, grpc.StreamInterceptor(interceptor))
}
if s.opts.ServerTLSConfig != nil {
tlsConfig := s.opts.ServerTLSConfig.ServerConfig(&tls.Config{
// NOTE: gosec is unable to resolve the constant and warns about "TLS
// MinVersion too low".
tlsConfig := s.opts.ServerTLSConfig.ServerConfig(&tls.Config{ //nolint:gosec
MinVersion: serveroption.MinTLSVersion,
})
opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
