enable gosec #969
Merged
enable gosec #969
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Kim Tsao <ktsao@redhat.com>
Codecov ReportBase: 35.51% // Head: 35.63% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #969 +/- ##
==========================================
+ Coverage 35.51% 35.63% +0.11%
==========================================
Files 52 52
Lines 6653 6671 +18
==========================================
+ Hits 2363 2377 +14
- Misses 4145 4149 +4
Partials 145 145
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
Signed-off-by: Kim Tsao <ktsao@redhat.com>
Signed-off-by: Kim Tsao <ktsao@redhat.com>
kim-tsao
requested review from
amisevsk,
yangcao77 and
johnmcollier
as code owners
amisevsk
reviewed
Oct 19, 2022
| @@ -27,6 +27,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v | |||
| destComponent.Name = pluginKey | |||
|
|
|||
| for _, srcCommand := range src.Commands { | |||
| srcCommand := srcCommand | |||
There was a problem hiding this comment.
This line appears to be a no-op?
There was a problem hiding this comment.
it ensures the address is not reused. It's one of the approaches you can use to fix this issue (the other is to use an index) according to this discussion: https://stackoverflow.com/questions/62446118/implicit-memory-aliasing-in-for-loop.
There was a problem hiding this comment.
Ah makes sense, I didn't realize we used &srcCommand below.
run_gosec.sh
Outdated
| echo "error gosec must be installed with this command: go install github.com/securego/gosec/v2/cmd/gosec@latest" && exit 1 | ||
| fi | ||
|
|
||
| gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir test -exclude-dir generator ./... |
There was a problem hiding this comment.
Trailling newline missing.
amisevsk
approved these changes
Oct 19, 2022
Signed-off-by: Kim Tsao <ktsao@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: amisevsk, kim-tsao The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
yangcao77
added a commit
that referenced
this pull request
Oct 11, 2023
* 2.2.0 release cut Signed-off-by: Stephanie <yangcao@redhat.com> * enable gosec (#969) * enable gosec Signed-off-by: Kim Tsao <ktsao@redhat.com> * Fix G601 errors Signed-off-by: Kim Tsao <ktsao@redhat.com> * Fix warnings Signed-off-by: Kim Tsao <ktsao@redhat.com> * Add newline Signed-off-by: Kim Tsao <ktsao@redhat.com> Signed-off-by: Kim Tsao <ktsao@redhat.com> * Update the devfile spec to 2.2.1 alpha (#980) Signed-off-by: Paul Schultz <pschultz@pobox.com> * Bump kubernetes-client/gen revision to fix git dubious ownership error (#1045) * bump kubernetes-client/gen revision to fix git dubious ownership error Signed-off-by: Michael Valdron <mvaldron@redhat.com> * whitespace changes. Signed-off-by: Michael Valdron <mvaldron@redhat.com> * set openapi generator ref to version which supports typescript generation. Signed-off-by: Michael Valdron <mvaldron@redhat.com> --------- Signed-off-by: Michael Valdron <mvaldron@redhat.com> * Fix Dependabot issues (#1047) * fix dependabot issues, requires a bump in k8s versions Signed-off-by: Kim Tsao <ktsao@redhat.com> * re-generated devworkspace files Signed-off-by: Kim Tsao <ktsao@redhat.com> * Vendor updates Signed-off-by: Kim Tsao <ktsao@redhat.com> --------- Signed-off-by: Kim Tsao <ktsao@redhat.com> * fix gosec v2.14.0 (#1034) Signed-off-by: Michael Valdron <mvaldron@redhat.com> * Update python runtime version for `release-typescript-models` job (#1051) * bump python runtime version for 'release-typescript-models' job. Signed-off-by: Michael Valdron <mvaldron@redhat.com> * bump setup-python action to v4 for 'release-typescript-models' job. Signed-off-by: Michael Valdron <mvaldron@redhat.com> --------- Signed-off-by: Michael Valdron <mvaldron@redhat.com> * Add workflow for managing stale issues & PRs (#1055) Adds a GitHub workflow for managing stale & rotten issues and PRs. Issues & PRs are marked stale after 90 days of inactivity. After 60 further days, they are marked as rotten and closed. * Clarify hotReloadCapable field (#1091) * Clarify hotReloadCapable field Signed-off-by: Philippe Martin <phmartin@redhat.com> * Auto-generated Signed-off-by: Philippe Martin <phmartin@redhat.com> * Specify isDefault Signed-off-by: Philippe Martin <phmartin@redhat.com> * Clarify description Signed-off-by: Philippe Martin <phmartin@redhat.com> --------- Signed-off-by: Philippe Martin <phmartin@redhat.com> * update kubernetes/openshift endpoint validation (#1098) * update endpoint validation Signed-off-by: Stephanie <yangcao@redhat.com> * update unit test Signed-off-by: Stephanie <yangcao@redhat.com> * update the test error check to be more clear Signed-off-by: Stephanie <yangcao@redhat.com> * add unit test for two kube components Signed-off-by: Stephanie <yangcao@redhat.com> --------- Signed-off-by: Stephanie <yangcao@redhat.com> * Update release doc (#1110) Signed-off-by: Kim Tsao <ktsao@redhat.com> * Update directly executed scripts inside workflows (#1107) * Update directly executed scripts on workflows Signed-off-by: thepetk <thepetk@gmail.com> * Update directly executed scripts on bash scripts Signed-off-by: thepetk <thepetk@gmail.com> --------- Signed-off-by: thepetk <thepetk@gmail.com> * Add area alizer label to all issue templates (#1149) Signed-off-by: thepetk <thepetk@gmail.com> * Update deprecated github actions to latest version (#1231) * Update deprecated github actions Signed-off-by: thepetk <thepetk@gmail.com> * Remove jsonschema dep from validate samples Signed-off-by: thepetk <thepetk@gmail.com> --------- Signed-off-by: thepetk <thepetk@gmail.com> * Add license header file and script (#1256) * add license header file Signed-off-by: Michael Valdron <mvaldron@redhat.com> * addlicense script Signed-off-by: Michael Valdron <mvaldron@redhat.com> * update README with instructions on adding license headers Signed-off-by: Michael Valdron <mvaldron@redhat.com> * update license headers under source files Signed-off-by: Michael Valdron <mvaldron@redhat.com> * remove license header from generated source Signed-off-by: Michael Valdron <mvaldron@redhat.com> * add_license.sh ignores zz_generated.* source files Signed-off-by: Michael Valdron <mvaldron@redhat.com> * check license headers script added Signed-off-by: Michael Valdron <mvaldron@redhat.com> * check license headers script added to CI workflow Signed-off-by: Michael Valdron <mvaldron@redhat.com> --------- Signed-off-by: Michael Valdron <mvaldron@redhat.com> * add signoff Signed-off-by: Stephanie <yangcao@redhat.com> --------- Signed-off-by: Stephanie <yangcao@redhat.com> Signed-off-by: Kim Tsao <ktsao@redhat.com> Signed-off-by: Paul Schultz <pschultz@pobox.com> Signed-off-by: Michael Valdron <mvaldron@redhat.com> Signed-off-by: Philippe Martin <phmartin@redhat.com> Signed-off-by: thepetk <thepetk@gmail.com> Co-authored-by: Kim Tsao <84398375+kim-tsao@users.noreply.github.com> Co-authored-by: Paul Schultz <pschultz@pobox.com> Co-authored-by: Michael Valdron <michael.valdron@gmail.com> Co-authored-by: Michael Valdron <mvaldron@redhat.com> Co-authored-by: John Collier <jcollier@redhat.com> Co-authored-by: Philippe Martin <phmartin@redhat.com> Co-authored-by: Theofanis Petkos <thepetk@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Kim Tsao ktsao@redhat.com
What does this PR do?:
enables the gosec scanner and addresses any high sev findings
Which issue(s) this PR fixes:
#937
PR acceptance criteria:
Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.
Unit/Functional tests
QE Integration test
Documentation
Client Impact
How to test changes / Special notes to the reviewer: