diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d980c34e6..7210dd461 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -70,3 +70,20 @@ jobs:
 run: |
 go fmt -x ./...
 git diff --exit-code || { echo 'Go sources need to be formatted. Execute "go fmt -x ./..." locally in the 'generator' folder and commit changes to fix an issue'; exit 1; }
+
+ - name: Run Gosec Security Scanner
+ run: |
+ export PATH=$PATH:$(go env GOPATH)/bin
+ go install github.com/securego/gosec/v2/cmd/gosec@latest
+ ./run_gosec.sh
+ if [[ $? != 0 ]]
+ then
+ echo "gosec scanner failed to run "
+ exit 1
+ fi
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: gosec.sarif
\ No newline at end of file
diff --git a/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go b/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go
index 91d11c560..1d6eedcff 100644
--- a/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go
+++ b/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go
@@ -27,6 +27,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v
 destComponent.Name = pluginKey
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 if srcCommand.Custom != nil {
 // v1alpha2 does not support Plugin Custom commands, so we have to drop them here
 continue
@@ -40,6 +41,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 destComponent := v1alpha2.ComponentPluginOverride{}
 err := convertPluginComponentSubComponentTo_v1alpha2(&srcComponent, &destComponent)
 if err != nil {
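Review bot: The `go install github.com/securego/gosec/v2/cmd/gosec@latest` line in the new Run Gosec step fetches whatever the newest release happens to be on each run, so the scanner that gates CI is unpinned, its output can drift between identical commits, and the tool's own supply chain is not auditable; a tagged version such as `go install github.com/securego/gosec/v2/cmd/gosec@<pinned gosec version>` keeps the build reproducible. The `if [[ $? != 0 ]]` block after `./run_gosec.sh` is very likely dead: unless the workflow sets a custom `shell` (not visible in this hunk), GitHub runs `run:` scripts under bash `-e`, so a non-zero exit from the script aborts the step before `$?` is inspected, and the five lines can be dropped. The upload-sarif action needs `security-events: write` in the job's permissions, which this hunk does not show; worth confirming the workflow grants it, otherwise the upload step fails.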
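Review bot: The added `srcCommand := srcCommand` shadow copy (and the same one-liners in the -40 hunk below, in conversion.go and in parent_conversion.go) silences gosec's range-variable aliasing finding without saying so, and the -40 hunk shows the only reason it is needed: `&srcComponent` is handed to a converter. Provided the converters only read their source argument, indexing the slice avoids both the per-iteration struct copy and the shadowing, e.g. `for i := range src.Components {` and `err := convertPluginComponentSubComponentTo_v1alpha2(&src.Components[i], &destComponent)`; if the shadow copy is kept, a short comment such as `// copy: the converter takes the loop variable's address` would explain the otherwise odd-looking line. If the module's go.mod is at Go 1.22 or later the loop variable is already per-iteration and the copy is redundant, though the linter may still flag it. The enclosing function starts and ends outside the hunk.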
@@ -101,6 +103,7 @@ func convertPluginComponentFrom_v1alpha2(srcComponent *v1alpha2.Component, destC
 destComponent.Plugin.Name = srcComponent.Name
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 destCommand := Command{}
 err := convertPluginComponentCommandFrom_v1alpha2(&srcCommand, &destCommand)
 if err != nil {
@@ -110,6 +113,7 @@ func convertPluginComponentFrom_v1alpha2(srcComponent *v1alpha2.Component, destC
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 destComponent := PluginComponentsOverride{}
 err := convertPluginComponentSubComponentFrom_v1alpha2(&srcComponent, &destComponent)
 if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/conversion.go b/pkg/apis/workspaces/v1alpha1/conversion.go
index f244d80a6..2aa6dd9f6 100644
--- a/pkg/apis/workspaces/v1alpha1/conversion.go
+++ b/pkg/apis/workspaces/v1alpha1/conversion.go
@@ -55,6 +55,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 }
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 destComponent := v1alpha2.Component{}
 err := convertComponentTo_v1alpha2(&srcComponent, &destComponent)
 if err != nil {
@@ -63,6 +64,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 dest.Components = append(dest.Components, destComponent)
 }
 for _, srcProject := range src.Projects {
+ srcProject := srcProject
 destProject := v1alpha2.Project{}
 err := convertProjectTo_v1alpha2(&srcProject, &destProject)
 if err != nil {
@@ -71,6 +73,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 dest.Projects = append(dest.Projects, destProject)
 }
 for _, srcStarterProject := range src.StarterProjects {
+ srcStarterProject := srcStarterProject
 destStarterProject := v1alpha2.StarterProject{}
 err := convertStarterProjectTo_v1alpha2(&srcStarterProject, &destStarterProject)
 if err != nil {
@@ -79,6 +82,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 dest.StarterProjects = append(dest.StarterProjects, destStarterProject)
 }
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 destCommand := v1alpha2.Command{}
 err := convertCommandTo_v1alpha2(&srcCommand, &destCommand)
 if err != nil {
@@ -105,6 +109,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 }
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 destComponent := Component{}
 err := convertComponentFrom_v1alpha2(&srcComponent, &destComponent)
 if err != nil {
@@ -113,6 +118,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 dest.Components = append(dest.Components, destComponent)
 }
 for _, srcProject := range src.Projects {
+ srcProject := srcProject
 destProject := Project{}
 err := convertProjectFrom_v1alpha2(&srcProject, &destProject)
 if err != nil {
@@ -121,6 +127,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 dest.Projects = append(dest.Projects, destProject)
 }
 for _, srcStarterProject := range src.StarterProjects {
+ srcStarterProject := srcStarterProject
 destStarterProject := StarterProject{}
 err := convertStarterProjectFrom_v1alpha2(&srcStarterProject, &destStarterProject)
 if err != nil {
@@ -129,6 +136,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 dest.StarterProjects = append(dest.StarterProjects, destStarterProject)
 }
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 destCommand := Command{}
 err := convertCommandFrom_v1alpha2(&srcCommand, &destCommand)
 if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/parent_conversion.go b/pkg/apis/workspaces/v1alpha1/parent_conversion.go
index d1f5b5383..7d06f4c58 100644
--- a/pkg/apis/workspaces/v1alpha1/parent_conversion.go
+++ b/pkg/apis/workspaces/v1alpha1/parent_conversion.go
@@ -17,6 +17,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 }
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 if srcCommand.Custom != nil {
 // v1alpha2 does not support Parent Custom commands, so we have to drop them here
 continue
@@ -30,6 +31,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 if srcComponent.Custom != nil {
 // v1alpha2 does not support Parent Custom Components, so we have to drop them here
 continue
@@ -43,6 +45,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 }
 for _, srcProject := range src.Projects {
+ srcProject := srcProject
 destProject := v1alpha2.Project{}
 err := convertProjectTo_v1alpha2(&srcProject, &destProject)
 if err != nil {
@@ -61,6 +64,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 }
 for _, srcProject := range src.StarterProjects {
+ srcProject := srcProject
 destProject := v1alpha2.StarterProject{}
 err := convertStarterProjectTo_v1alpha2(&srcProject, &destProject)
 if err != nil {
@@ -146,6 +150,7 @@ func convertParentFrom_v1alpha2(src *v1alpha2.Parent, dest *Parent) error {
 dest.Kubernetes = &kube
 }
 for _, srcCommand := range src.Commands {
+ srcCommand := srcCommand
 destCommand := Command{}
 err := convertParentCommandFrom_v1alpha2(&srcCommand, &destCommand)
 if err != nil {
@@ -155,6 +160,7 @@ func convertParentFrom_v1alpha2(src *v1alpha2.Parent, dest *Parent) error {
 }
 for _, srcComponent := range src.Components {
+ srcComponent := srcComponent
 destComponent := Component{}
 err := convertParentComponentFrom_v1alpha2(&srcComponent, &destComponent)
 if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/union_implementation.go b/pkg/apis/workspaces/v1alpha1/union_implementation.go
index 600c7d871..6114fac2b 100644
--- a/pkg/apis/workspaces/v1alpha1/union_implementation.go
+++ b/pkg/apis/workspaces/v1alpha1/union_implementation.go
@@ -34,7 +34,7 @@ func visitUnion(union interface{}, visitor interface{}) (err error) {
 }
 func simplifyUnion(union Union, visitorType reflect.Type) {
- normalizeUnion(union, visitorType)
+ _ = normalizeUnion(union, visitorType)
 *union.discriminator() = ""
 }
diff --git a/pkg/apis/workspaces/v1alpha2/union_implementation.go b/pkg/apis/workspaces/v1alpha2/union_implementation.go
index d82ba4f26..9a01552e8 100644
--- a/pkg/apis/workspaces/v1alpha2/union_implementation.go
+++ b/pkg/apis/workspaces/v1alpha2/union_implementation.go
@@ -34,7 +34,7 @@ func visitUnion(union interface{}, visitor interface{}) (err error) {
 }
 func simplifyUnion(union Union, visitorType reflect.Type) {
- normalizeUnion(union, visitorType)
+ _ = normalizeUnion(union, visitorType)
 *union.discriminator() = ""
 }
diff --git a/pkg/utils/unions/normalize.go b/pkg/utils/unions/normalize.go
index 96d6e486e..e819f7814 100644
--- a/pkg/utils/unions/normalize.go
+++ b/pkg/utils/unions/normalize.go
@@ -16,7 +16,7 @@ func (n *normalizer) Struct(s reflect.Value) error {
 if addr.CanInterface() {
 i := addr.Interface()
 if u, ok := i.(dw.Union); ok {
- u.Normalize()
+ _ = u.Normalize()
 }
 }
 }
diff --git a/run_gosec.sh b/run_gosec.sh
new file mode 100755
index 000000000..be699db1d
--- /dev/null
+++ b/run_gosec.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# This script runs the gosec scanner locally
+
+if ! command -v gosec 2> /dev/null
+then
+ echo "error gosec must be installed with this command: go install github.com/securego/gosec/v2/cmd/gosec@latest" && exit 1
+fi
+
+gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir test -exclude-dir generator ./...
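Review bot: `_ = normalizeUnion(union, visitorType)` makes the dropped error explicit (here and in the identical pkg/apis/workspaces/v1alpha2/union_implementation.go hunk) but gives no reason, and `simplifyUnion` then clears the discriminator on the next line even when normalization failed, so a malformed union is silently turned into one with no discriminator at all. Since `simplifyUnion` has no error result and its callers are outside the hunk, the minimal fix is a comment stating why ignoring is safe, e.g. `// normalizeUnion's error is intentionally ignored: the discriminator is reset below regardless — TODO confirm callers validate the union first`; if that guarantee does not actually hold, give `simplifyUnion` an `error` return and propagate it to the callers.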
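Review bot: `_ = u.Normalize()` discards an error inside `(n *normalizer) Struct`, which itself returns `error`, so the value could simply be propagated rather than suppressed: `if err := u.Normalize(); err != nil { return err }`. If the walk is meant to continue past a union that fails to normalize, say so in a comment on that line rather than with a bare `_ =`, since the explicit discard reads as a lint workaround rather than a decision. `Struct` starts before the hunk, so whether a later statement already reports this condition is not visible here.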
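Review bot: `gosec -no-fail ...` on the last line means findings never produce a non-zero exit, so the CI step built around this script can only detect that gosec failed to run; real issues surface solely through the uploaded SARIF, and a high-severity finding will not block a merge. If that is the intended rollout mode, a comment beside the flag such as `# -no-fail: findings are reported through the SARIF upload, not as a CI failure` would make it deliberate; otherwise drop `-no-fail` or add a `-severity`/`-confidence` threshold so serious findings fail the build. Separately, `command -v gosec 2> /dev/null` still prints the resolved path to stdout when the tool is present; `command -v gosec >/dev/null 2>&1` is the usual form, and `set -euo pipefail` after the shebang would stop the script on any unexpected failure.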