chore: add gosec to audit code security

kubeovn · Jun 2, 2020 · 32024ba · 32024ba
1 parent 1db9046
commit 32024ba
Show file tree

Hide file tree

Showing 21 changed files with 141 additions and 64 deletions.
diff --git a/.github/workflows/build-arm64-image.yaml b/.github/workflows/build-arm64-image.yaml
@@ -22,7 +22,9 @@ jobs:
       - name: Docker Buildx
         uses: crazy-max/ghaction-docker-buildx@v1.4.0
       - name: Build
-        run: make release-arm
+        run: |
+          go get -u github.com/securego/gosec/cmd/gosec
+          make release-arm
       - name: Push
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}

diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
@@ -39,7 +39,9 @@ jobs:
           make ut
 
       - name: Build
-        run: make release
+        run: |
+          go get -u github.com/securego/gosec/cmd/gosec
+          make release
 
       - name: Init Kind
         run: |

diff --git a/Makefile b/Makefile
@@ -47,6 +47,7 @@ lint:
 	@gofmt -d ${GOFILES_NOVENDOR} 
 	@gofmt -l ${GOFILES_NOVENDOR} | read && echo "Code differs from gofmt's style" 1>&2 && exit 1 || true
 	@GOOS=linux go vet ./...
+	@GOOS=linux gosec -exclude=G204 ./...
 
 build-bin:
 	docker run --rm -e GOOS=linux -e GOCACHE=/tmp -e GOARCH=${ARCH} -e GOPROXY=https://goproxy.cn \

diff --git a/cmd/controller/controller.go b/cmd/controller/controller.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" // #nosec
 	"os"
 	"time"
 
@@ -28,7 +28,7 @@ func main() {
 	go loopOvnNbctlDaemon(config)
 	go func() {
 		http.Handle("/metrics", promhttp.Handler())
-		klog.Fatal(http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", config.PprofPort), nil))
+		klog.Fatal(http.ListenAndServe(fmt.Sprintf("localhost:%d", config.PprofPort), nil))
 	}()
 
 	ctl := controller.NewController(config)
@@ -41,14 +41,18 @@ func loopOvnNbctlDaemon(config *controller.Configuration) {
 		time.Sleep(5 * time.Second)
 
 		if _, err := os.Stat(daemonSocket); os.IsNotExist(err) || daemonSocket == "" {
-			ovs.StartOvnNbctlDaemon(config.OvnNbHost, config.OvnNbPort)
+			if err := ovs.StartOvnNbctlDaemon(config.OvnNbHost, config.OvnNbPort); err != nil {
+				klog.Errorf("failed to start ovn-nbctl daemon %v", err)
+			}
 		}
 
 		// ovn-nbctl daemon may hang and cannot precess further request.
 		// In case of that, we need to start a new daemon.
 		if err := ovs.CheckAlive(); err != nil {
 			klog.Warningf("ovn-nbctl daemon doesn't return, start a new daemon")
-			ovs.StartOvnNbctlDaemon(config.OvnNbHost, config.OvnNbPort)
+			if err := ovs.StartOvnNbctlDaemon(config.OvnNbHost, config.OvnNbPort); err != nil {
+				klog.Errorf("failed to start ovn-nbctl daemon %v", err)
+			}
 		}
 	}
 }
diff --git a/cmd/daemon/cniserver.go b/cmd/daemon/cniserver.go
@@ -5,7 +5,7 @@ import (
 	"github.com/alauda/kube-ovn/pkg/util"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" // #nosec
 
 	kubeovninformer "github.com/alauda/kube-ovn/pkg/client/informers/externalversions"
 	"github.com/alauda/kube-ovn/pkg/daemon"

diff --git a/cmd/webhook/server.go b/cmd/webhook/server.go
@@ -2,7 +2,7 @@ package main
 
 import (
 	"flag"
-	_ "net/http/pprof"
+	_ "net/http/pprof" // #nosec
 	"os"
 	"time"
 
@@ -28,9 +28,15 @@ var (
 )
 
 func init() {
-	corev1.AddToScheme(scheme)
-	appsv1.AddToScheme(scheme)
-	ovnv1.AddToScheme(scheme)
+	if err := corev1.AddToScheme(scheme); err != nil {
+		klog.Fatalf("failed to add scheme, %v", err)
+	}
+	if err := appsv1.AddToScheme(scheme); err != nil {
+		klog.Fatalf("failed to add scheme, %v", err)
+	}
+	if err := ovnv1.AddToScheme(scheme); err != nil {
+		klog.Fatalf("failed to add scheme, %v", err)
+	}
 }
 
 func main() {
@@ -99,12 +105,16 @@ func loopOvnNbctlDaemon(ovnNbHost string, ovnNbPort int) {
 		time.Sleep(5 * time.Second)
 
 		if _, err := os.Stat(daemonSocket); os.IsNotExist(err) || daemonSocket == "" {
-			ovs.StartOvnNbctlDaemon(ovnNbHost, ovnNbPort)
+			if err := ovs.StartOvnNbctlDaemon(ovnNbHost, ovnNbPort); err != nil {
+				klog.Errorf("failed to start ovn-nbctl daemon, %v", err)
+			}
 		}
 
 		if err := ovs.CheckAlive(); err != nil {
 			klog.Warningf("ovn-nbctl daemon doesn't return, start a new daemon")
-			ovs.StartOvnNbctlDaemon(ovnNbHost, ovnNbPort)
+			if err := ovs.StartOvnNbctlDaemon(ovnNbHost, ovnNbPort); err != nil {
+				klog.Errorf("failed to start ovn-nbctl daemon, %v", err)
+			}
 		}
 	}
 }
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -89,8 +89,6 @@ func ParseFlags() (*Configuration, error) {
 		argsDefaultVlanRange     = pflag.String("default-vlan-range", "1,4095", "The default vlan range, default: 1-4095")
 	)
 
-	flag.Set("alsologtostderr", "true")
-
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
 	klog.InitFlags(klogFlags)
 
@@ -99,7 +97,9 @@ func ParseFlags() (*Configuration, error) {
 		f2 := klogFlags.Lookup(f1.Name)
 		if f2 != nil {
 			value := f1.Value.String()
-			f2.Value.Set(value)
+			if err := f2.Value.Set(value); err != nil {
+				klog.Fatalf("failed to set flag, %v", err)
+			}
 		}
 	})
 

diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -470,14 +470,14 @@ func (c *Controller) podMatchNetworkPolicies(pod *corev1.Pod) []string {
 	nps, _ := c.npsLister.NetworkPolicies(corev1.NamespaceAll).List(labels.Everything())
 	match := []string{}
 	for _, np := range nps {
-		if isPodMatchNetworkPolicy(pod, podNs, np, np.Namespace) {
+		if isPodMatchNetworkPolicy(pod, *podNs, np, np.Namespace) {
 			match = append(match, fmt.Sprintf("%s/%s", np.Namespace, np.Name))
 		}
 	}
 	return match
 }
 
-func isPodMatchNetworkPolicy(pod *corev1.Pod, podNs *corev1.Namespace, policy *netv1.NetworkPolicy, policyNs string) bool {
+func isPodMatchNetworkPolicy(pod *corev1.Pod, podNs corev1.Namespace, policy *netv1.NetworkPolicy, policyNs string) bool {
 	sel, _ := metav1.LabelSelectorAsSelector(&policy.Spec.PodSelector)
 	if pod.Labels == nil {
 		pod.Labels = map[string]string{}
@@ -487,22 +487,22 @@ func isPodMatchNetworkPolicy(pod *corev1.Pod, podNs *corev1.Namespace, policy *n
 	}
 	for _, npr := range policy.Spec.Ingress {
 		for _, npp := range npr.From {
-			if isPodMatchPolicyPeer(pod, podNs, &npp, policyNs) {
+			if isPodMatchPolicyPeer(pod, podNs, npp, policyNs) {
 				return true
 			}
 		}
 	}
 	for _, npr := range policy.Spec.Egress {
 		for _, npp := range npr.To {
-			if isPodMatchPolicyPeer(pod, podNs, &npp, policyNs) {
+			if isPodMatchPolicyPeer(pod, podNs, npp, policyNs) {
 				return true
 			}
 		}
 	}
 	return false
 }
 
-func isPodMatchPolicyPeer(pod *corev1.Pod, podNs *corev1.Namespace, policyPeer *netv1.NetworkPolicyPeer, policyNs string) bool {
+func isPodMatchPolicyPeer(pod *corev1.Pod, podNs corev1.Namespace, policyPeer netv1.NetworkPolicyPeer, policyNs string) bool {
 	if policyPeer.IPBlock != nil {
 		return false
 	}

diff --git a/pkg/controller/pod.go b/pkg/controller/pod.go
@@ -128,7 +128,12 @@ func (c *Controller) enqueueDeletePod(obj interface{}) {
 		// down scale statefulset
 		numIndex := len(strings.Split(p.Name, "-")) - 1
 		numStr := strings.Split(p.Name, "-")[numIndex]
-		index, _ := strconv.Atoi(numStr)
+		index, err := strconv.ParseInt(numStr, 10, 0)
+		if err != nil {
+			klog.Errorf("failed to parse %s to int", numStr)
+			return
+		}
+
 		if int32(index) >= *ss.Spec.Replicas {
 			c.deletePodQueue.Add(key)
 			return

diff --git a/pkg/daemon/config.go b/pkg/daemon/config.go
@@ -67,7 +67,6 @@ func ParseFlags() (*Configuration, error) {
 	// mute info log for ipset lib
 	logrus.SetLevel(logrus.WarnLevel)
 
-	flag.Set("alsologtostderr", "true")
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
 	klog.InitFlags(klogFlags)
 
@@ -76,7 +75,9 @@ func ParseFlags() (*Configuration, error) {
 		f2 := klogFlags.Lookup(f1.Name)
 		if f2 != nil {
 			value := f1.Value.String()
-			f2.Value.Set(value)
+			if err := f2.Value.Set(value); err != nil {
+				klog.Fatalf("failed to set flag, %v", err)
+			}
 		}
 	})
 

diff --git a/pkg/daemon/handler.go b/pkg/daemon/handler.go
@@ -35,7 +35,9 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 	if err := req.ReadEntity(&podRequest); err != nil {
 		errMsg := fmt.Errorf("parse add request failed %v", err)
 		klog.Error(errMsg)
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, request.CniResponse{Err: errMsg.Error()})
+		if err := resp.WriteHeaderAndEntity(http.StatusBadRequest, request.CniResponse{Err: errMsg.Error()}); err != nil {
+			klog.Errorf("failed to write response, %v", err)
+		}
 		return
 	}
 
@@ -48,7 +50,9 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 		if err != nil {
 			errMsg := fmt.Errorf("get pod %s/%s failed %v", podRequest.PodNamespace, podRequest.PodName, err)
 			klog.Error(errMsg)
-			resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()})
+			if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()}); err != nil {
+				klog.Errorf("failed to write response, %v", err)
+			}
 			return
 		}
 		if pod.Annotations[fmt.Sprintf(util.AllocatedAnnotationTemplate, podRequest.Provider)] != "true" {
@@ -79,12 +83,16 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 	if pod.Annotations[fmt.Sprintf(util.AllocatedAnnotationTemplate, podRequest.Provider)] != "true" {
 		err := fmt.Errorf("no address allocated to pod %s/%s, please see kube-ovn-controller logs to find errors", pod.Name, pod.Name)
 		klog.Error(err)
-		resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()})
+		if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()}); err != nil {
+			klog.Errorf("failed to write response, %v", err)
+		}
 		return
 	}
 
 	if err := csh.createOrUpdateIPCr(podRequest, subnet, ip, macAddr); err != nil {
-		resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()})
+		if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: err.Error()}); err != nil {
+			klog.Errorf("failed to write response, %v", err)
+		}
 		return
 	}
 
@@ -94,12 +102,16 @@ func (csh cniServerHandler) handleAdd(req *restful.Request, resp *restful.Respon
 		if err != nil {
 			errMsg := fmt.Errorf("configure nic failed %v", err)
 			klog.Error(errMsg)
-			resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()})
+			if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()}); err != nil {
+				klog.Errorf("failed to write response, %v", err)
+			}
 			return
 		}
 	}
 
-	resp.WriteHeaderAndEntity(http.StatusOK, request.CniResponse{Protocol: util.CheckProtocol(ipAddr), IpAddress: strings.Split(ipAddr, "/")[0], MacAddress: macAddr, CIDR: cidr, Gateway: gw})
+	if err := resp.WriteHeaderAndEntity(http.StatusOK, request.CniResponse{Protocol: util.CheckProtocol(ipAddr), IpAddress: strings.Split(ipAddr, "/")[0], MacAddress: macAddr, CIDR: cidr, Gateway: gw}); err != nil {
+		klog.Errorf("failed to write response, %v", err)
+	}
 }
 
 func (csh cniServerHandler) createOrUpdateIPCr(podRequest request.CniRequest, subnet, ip, macAddr string) error {
@@ -155,7 +167,9 @@ func (csh cniServerHandler) handleDel(req *restful.Request, resp *restful.Respon
 	if err != nil {
 		errMsg := fmt.Errorf("parse del request failed %v", err)
 		klog.Error(errMsg)
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, request.CniResponse{Err: errMsg.Error()})
+		if err := resp.WriteHeaderAndEntity(http.StatusBadRequest, request.CniResponse{Err: errMsg.Error()}); err != nil {
+			klog.Errorf("failed to write response, %v", err)
+		}
 		return
 	}
 
@@ -165,7 +179,9 @@ func (csh cniServerHandler) handleDel(req *restful.Request, resp *restful.Respon
 		if err != nil {
 			errMsg := fmt.Errorf("del nic failed %v", err)
 			klog.Error(errMsg)
-			resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()})
+			if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()}); err != nil {
+				klog.Errorf("failed to write response, %v", err)
+			}
 			return
 		}
 	}
@@ -174,7 +190,9 @@ func (csh cniServerHandler) handleDel(req *restful.Request, resp *restful.Respon
 	if err != nil && !k8serrors.IsNotFound(err) {
 		errMsg := fmt.Errorf("del ipcrd for %s failed %v", fmt.Sprintf("%s.%s", podRequest.PodName, podRequest.PodNamespace), err)
 		klog.Error(errMsg)
-		resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()})
+		if err := resp.WriteHeaderAndEntity(http.StatusInternalServerError, request.CniResponse{Err: errMsg.Error()}); err != nil {
+			klog.Errorf("failed to write response, %v", err)
+		}
 		return
 	}
 

diff --git a/pkg/daemon/ovs.go b/pkg/daemon/ovs.go
@@ -27,7 +27,9 @@ func (csh cniServerHandler) configureNic(podName, podNamespace, netns, container
 	defer func() {
 		// Remove veth link in case any error during creating pod network.
 		if err != nil {
-			netlink.LinkDel(&veth)
+			if err := netlink.LinkDel(&veth); err != nil {
+				klog.Errorf("failed to delete veth, %v", err)
+			}
 		}
 	}()
 	if err = netlink.LinkAdd(&veth); err != nil {

diff --git a/pkg/ovs/ovn-nbctl.go b/pkg/ovs/ovn-nbctl.go
@@ -628,7 +628,7 @@ func (c Client) SetAddressesToAddressSet(addresses []string, as string) error {
 }
 
 // StartOvnNbctlDaemon start a daemon and set OVN_NB_DAEMON env
-func StartOvnNbctlDaemon(nbHost string, nbPort int) (string, error) {
+func StartOvnNbctlDaemon(nbHost string, nbPort int) error {
 	klog.Infof("start ovn-nbctl daemon")
 	output, err := exec.Command(
 		"pkill",
@@ -637,7 +637,7 @@ func StartOvnNbctlDaemon(nbHost string, nbPort int) (string, error) {
 	).CombinedOutput()
 	if err != nil {
 		klog.Errorf("failed to kill old ovn-nbctl daemon: %q", output)
-		return "", err
+		return err
 	}
 
 	output, err = exec.Command(
@@ -649,12 +649,15 @@ func StartOvnNbctlDaemon(nbHost string, nbPort int) (string, error) {
 	).CombinedOutput()
 	if err != nil {
 		klog.Errorf("start ovn-nbctl daemon failed, %q", output)
-		return "", err
+		return err
 	}
 
 	daemonSocket := strings.TrimSpace(string(output))
-	os.Setenv("OVN_NB_DAEMON", daemonSocket)
-	return daemonSocket, nil
+	if err := os.Setenv("OVN_NB_DAEMON", daemonSocket); err != nil {
+		klog.Errorf("failed to set env OVN_NB_DAEMON, %v", err)
+		return err
+	}
+	return nil
 }
 
 // CheckAlive check if kube-ovn-controller can access ovn-nb from nbctl-daemon

diff --git a/pkg/pinger/config.go b/pkg/pinger/config.go
@@ -49,7 +49,9 @@ func ParseFlags() (*Configuration, error) {
 		f2 := klogFlags.Lookup(f1.Name)
 		if f2 != nil {
 			value := f1.Value.String()
-			f2.Value.Set(value)
+			if err := f2.Value.Set(value); err != nil {
+				klog.Fatalf("failed to set flag %v", err)
+			}
 		}
 	})
 

diff --git a/pkg/speaker/config.go b/pkg/speaker/config.go
@@ -43,7 +43,9 @@ func ParseFlags() (*Configuration, error) {
 		argKubeConfigFile  = pflag.String("kubeconfig", "", "Path to kubeconfig file with authorization and master location information. If not set use the inCluster token.")
 	)
 
-	flag.Set("alsologtostderr", "true")
+	if err := flag.Set("alsologtostderr", "true"); err != nil {
+		klog.Fatalf("failed to set flag, %v", err)
+	}
 	klogFlags := flag.NewFlagSet("klog", flag.ExitOnError)
 	klog.InitFlags(klogFlags)
 
@@ -52,7 +54,9 @@ func ParseFlags() (*Configuration, error) {
 		f2 := klogFlags.Lookup(f1.Name)
 		if f2 != nil {
 			value := f1.Value.String()
-			f2.Value.Set(value)
+			if err := f2.Value.Set(value); err != nil {
+				klog.Fatalf("failed to set flag, %v", err)
+			}
 		}
 	})