[chore] Add gosec via golangci-lint (#4645)

open-telemetry · Oct 19, 2023 · 5b28921 · 5b28921
1 parent 78ea001
commit 5b28921
Show file tree

Hide file tree

Showing 10 changed files with 40 additions and 35 deletions.
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
diff --git a/.golangci.yml b/.golangci.yml
@@ -14,6 +14,7 @@ linters:
     - godot
     - gofumpt
     - goimports
+    - gosec
     - gosimple
     - govet
     - ineffassign
@@ -53,6 +54,20 @@ issues:
       text: "calls to (.+) only in main[(][)] or init[(][)] functions"
       linters:
         - revive
+    # It's okay to not run gosec in a test.
+    - path: _test\.go
+      linters:
+        - gosec
+    # Igonoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
+    # as we commonly use it in tests and examples.
+    - text: "G404:"
+      linters:
+        - gosec
+    # Igonoring gosec G402: TLS MinVersion too low
+    # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
+    - text: "G402: TLS MinVersion too low."
+      linters:
+        - gosec
   include:
     # revive exported should have comment or be unexported.
     - EXC0012

diff --git a/example/prometheus/main.go b/example/prometheus/main.go
@@ -91,7 +91,7 @@ func main() {
 func serveMetrics() {
 	log.Printf("serving metrics at localhost:2223/metrics")
 	http.Handle("/metrics", promhttp.Handler())
-	err := http.ListenAndServe(":2223", nil)
+	err := http.ListenAndServe(":2223", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 	if err != nil {
 		fmt.Printf("error serving http: %v", err)
 		return

diff --git a/example/view/main.go b/example/view/main.go
@@ -90,7 +90,7 @@ func main() {
 func serveMetrics() {
 	log.Printf("serving metrics at localhost:2222/metrics")
 	http.Handle("/metrics", promhttp.Handler())
-	err := http.ListenAndServe(":2222", nil)
+	err := http.ListenAndServe(":2222", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 	if err != nil {
 		fmt.Printf("error serving http: %v", err)
 		return

diff --git a/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go b/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle
 
 	mux := http.NewServeMux()
 	mux.Handle(u.Path, http.HandlerFunc(c.handler))
-	c.srv = &http.Server{Handler: mux}
+	c.srv = &http.Server{
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
 	if u.Scheme == "https" {
 		cert, err := weakCertificate()
 		if err != nil {

diff --git a/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go b/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle
 
 	mux := http.NewServeMux()
 	mux.Handle(u.Path, http.HandlerFunc(c.handler))
-	c.srv = &http.Server{Handler: mux}
+	c.srv = &http.Server{
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
 	if u.Scheme == "https" {
 		cert, err := weakCertificate()
 		if err != nil {

diff --git a/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go b/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go
@@ -25,6 +25,7 @@ import (
 	"net/http"
 	"sync"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -241,7 +242,9 @@ func runMockCollector(t *testing.T, cfg mockCollectorConfig) *mockCollector {
 	mux := http.NewServeMux()
 	mux.Handle(cfg.TracesURLPath, http.HandlerFunc(m.serveTraces))
 	server := &http.Server{
-		Handler: mux,
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
 	}
 	if cfg.WithTLS {
 		pem, err := generateWeakCertificate()

diff --git a/exporters/zipkin/zipkin_test.go b/exporters/zipkin/zipkin_test.go
@@ -120,7 +120,9 @@ func startMockZipkinCollector(t *testing.T) *mockZipkinCollector {
 	require.NoError(t, err)
 	collector.url = fmt.Sprintf("http://%s", listener.Addr().String())
 	server := &http.Server{
-		Handler: http.HandlerFunc(collector.handler),
+		Handler:      http.HandlerFunc(collector.handler),
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
 	}
 	collector.server = server
 	wg := &sync.WaitGroup{}

diff --git a/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl b/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle
 
 	mux := http.NewServeMux()
 	mux.Handle(u.Path, http.HandlerFunc(c.handler))
-	c.srv = &http.Server{Handler: mux}
+	c.srv = &http.Server{
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
 	if u.Scheme == "https" {
 		cert, err := weakCertificate()
 		if err != nil {

diff --git a/sdk/resource/env.go b/sdk/resource/env.go
@@ -28,7 +28,7 @@ import (
 
 const (
 	// resourceAttrKey is the environment variable name OpenTelemetry Resource information will be read from.
-	resourceAttrKey = "OTEL_RESOURCE_ATTRIBUTES"
+	resourceAttrKey = "OTEL_RESOURCE_ATTRIBUTES" //nolint:gosec // False positive G101: Potential hardcoded credentials
 
 	// svcNameKey is the environment variable name that Service Name information will be read from.
 	svcNameKey = "OTEL_SERVICE_NAME"