Add semgrep buildkite task for published rules (#4402)

msorens · srenatus · web-flow · commit 0d14694bcd9f · 2020-10-14T17:54:06.000-07:00
Co-authored-by: Stephan Renatus &lt;srenatus@chef.io&gt;
diff --git a/.expeditor/verify.pipeline.yml b/.expeditor/verify.pipeline.yml
@@ -61,7 +61,7 @@ steps:
             - HAB_STUDIO_SUP=false
             - HAB_NONINTERACTIVE=true
 
-  - label: ":semgrep: Semgrep"
+  - label: ":semgrep: Custom"
     expeditor:
       executor:
         docker:
@@ -73,6 +73,24 @@ steps:
             "/go/src/github.com/chef/automate"
           ]
 
+  - label: ":semgrep: Published"
+    expeditor:
+      executor:
+        docker:
+          image: returntocorp/semgrep:latest
+          entrypoint: semgrep
+          command: [
+            "--error",
+            "--exclude", "third_party",
+            "--exclude", "*_test.go",
+            "--exclude", "*.pb.go",
+            "--exclude", "*.bindata.go",
+            "--exclude", "*.spec.ts",
+            "--timeout", "120",
+            "--config", "https://semgrep.dev/p/r2c-ci",
+            "/go/src/github.com/chef/automate"
+          ]
+
   #
   # Static & Unit tests
   #
diff --git a/Makefile.common_go b/Makefile.common_go
@@ -50,13 +50,13 @@ spell:
 # NB: "third_party" only exists for automate-gateway, but no harm having it for other dirs here.
 semgrep:
 # uncomment if custom rules beyond automate-ui ever get added
-#	semgrep --config $(REPOROOT)/semgrep --exclude third_party
-	semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --autofix
+#	semgrep --config $(REPOROOT)/semgrep --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go
+	semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go
 
 #: Security validation via semgrep; autofix where possible
 semgrep-and-fix:
 # uncomment if custom rules beyond automate-ui ever get added
-#	semgrep --config $(REPOROOT)/semgrep --exclude third_party --autofix
-	semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --autofix
+#	semgrep --config $(REPOROOT)/semgrep --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go --autofix
+	semgrep --config https://semgrep.dev/p/r2c-ci --exclude third_party --exclude *_test.go --exclude *.pb.go --exclude *.bindata.go --autofix
 
 .PHONY: lint fmt fmt-check golang_version_check semgrep semgrep-and-fix
diff --git a/api/config/cs_nginx/config_request.go b/api/config/cs_nginx/config_request.go
@@ -174,6 +174,6 @@ func (c *ConfigRequest) PrepareSystemConfig(creds *ac.TLSCredentials) (ac.Prepar
 //  Digest::MD5.base64digest
 //
 func CalculateContentMD5(data []byte) string {
-	md5sum := md5.Sum(data)
+	md5sum := md5.Sum(data) // nosem
 	return base64.StdEncoding.EncodeToString(md5sum[:])
 }
diff --git a/components/automate-deployment/pkg/airgap/bundle_creator.go b/components/automate-deployment/pkg/airgap/bundle_creator.go
@@ -100,13 +100,14 @@ func (dl *netHabDownloader) DownloadHabBinary(version string, release string, w
 		return errors.Errorf("Could not get hab binary. Got status %s", resp.Status)
 	}
 
-	gzipReader, err := gzip.NewReader(resp.Body)
-
+	// NOTE: We're downloading this via HTTPS from a location that's trusted.
+	gzipReader, err := gzip.NewReader(resp.Body) // nosem: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
 	if err != nil {
 		return errors.Wrap(err, "Failed to download hab binary. Could not open gzip")
 	}
 
-	tarReader := tar.NewReader(gzipReader)
+	// NOTE: See above.
+	tarReader := tar.NewReader(gzipReader) // nosem: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
 	for {
 		hdr, err := tarReader.Next()
 		if err == io.EOF {
diff --git a/components/automate-deployment/pkg/backup/artifact_repo.go b/components/automate-deployment/pkg/backup/artifact_repo.go
@@ -629,7 +629,8 @@ func (repo *ArtifactRepo) openGzipFile(ctx context.Context, name string) (*os.Fi
 		return nil, "", err
 	}
 
-	g, err := gzip.NewReader(reader)
+	// NOTE: This reads a backup archive, provided by an admin. It's trusted input.
+	g, err := gzip.NewReader(reader) // nosem: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
 	if err != nil {
 		logClose(tmpFile, "failed to close temp file")
 		return nil, "", err
diff --git a/components/automate-deployment/pkg/server/server.go b/components/automate-deployment/pkg/server/server.go
@@ -744,7 +744,7 @@ func (s *server) ConfigureDeployment(ctx context.Context,
 	}
 
 	deploymentStatus := s.deployment.Status()
-	configSHA1 := sha1.Sum([]byte(overrideConfig.String()))
+	configSHA1 := sha1.Sum([]byte(overrideConfig.String())) // nosem
 
 	logrus.WithFields(logrus.Fields{
 		"config_sha1": fmt.Sprintf("%x", configSHA1),
diff --git a/components/automate-gateway/pkg/nullbackend/backend.go b/components/automate-gateway/pkg/nullbackend/backend.go
@@ -34,7 +34,9 @@ import (
 
 // NewServer returns a pointer to a new instance of the null backend server
 func NewServer() *grpc.Server {
-	s := grpc.NewServer()
+	// The nullbackend only listens on a unix socket. And it doesn't deal with interesting data,
+	// but only "no implemented" responses.
+	s := grpc.NewServer() // nosem: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection
 
 	applications.RegisterApplicationsServiceServer(s, &applications.UnimplementedApplicationsServiceServer{})
 	cds.RegisterCdsServer(s, &cds.UnimplementedCdsServer{})
diff --git a/components/cereal-service/cmd/cereal-service/cmd.go b/components/cereal-service/cmd/cereal-service/cmd.go
@@ -146,7 +146,7 @@ func serve(*cobra.Command, []string) error {
 	}
 
 	if C.Service.DisableTLS {
-		grpcServer = grpc.NewServer(grpcServerOpts...)
+		grpcServer = grpc.NewServer(grpcServerOpts...) // nosem: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection
 	} else {
 		serviceCerts, err := C.TLS.ReadCerts()
 		if err != nil {
diff --git a/components/compliance-service/reporting/util/zip.go b/components/compliance-service/reporting/util/zip.go
@@ -18,7 +18,10 @@ import (
 
 // Zip2Path extracts a zip file on disk to a destination folder on disk.
 func Zip2Path(zipPath string, extractPath string) error {
-	reader, err := zip.OpenReader(zipPath)
+	// TODO(sr): This is not entirely ignorable, but worse things can happen
+	// when a user uploads an inspec profile. So, let's keep it in mind but
+	// move on.
+	reader, err := zip.OpenReader(zipPath) // nosem: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
 	if err != nil {
 		return err
 	}
diff --git a/lib/grpc/secureconn/factory.go b/lib/grpc/secureconn/factory.go
@@ -85,7 +85,8 @@ func (f *Factory) DialContext(
 // NewServer is a wrapper for grpc.NewServer that adds server options to verify clients using
 // the factory's root CA
 func (f *Factory) NewServer(opt ...grpc.ServerOption) *grpc.Server {
-	s := grpc.NewServer(append(f.ServerOptions(), opt...)...)
+	// f.ServerOptions() includes TLS settings, so this is not insecure (semgrep thinks so)
+	s := grpc.NewServer(append(f.ServerOptions(), opt...)...) // nosem: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection
 
 	if !f.DisableDebugServer {
 		debug_api.RegisterDebugServer(s, debug.NewDebugServer(f.DebugServerOpts...))
diff --git a/tools/cereal-scaffold/main.go b/tools/cereal-scaffold/main.go
@@ -234,7 +234,7 @@ func runResetDB(_ *cobra.Command, args []string) error {
 
 func getBackend() cereal.Driver {
 	if opts.Endpoint != "" {
-		conn, err := grpc.Dial(opts.Endpoint, grpc.WithInsecure(), grpc.WithMaxMsgSize(64*1024*1024))
+		conn, err := grpc.Dial(opts.Endpoint, grpc.WithInsecure(), grpc.WithMaxMsgSize(64*1024*1024)) // nosem: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection
 		if err != nil {
 			panic(err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,6 @@ func (c ConfigRequest) PrepareSystemConfig(creds ac.TLSCredentials) (ac.Prepar`
`174`	`174`	`// Digest::MD5.base64digest`
`175`	`175`	`//`
`176`	`176`	`func CalculateContentMD5(data []byte) string {`
`177`		`- md5sum := md5.Sum(data)`
	`177`	`+ md5sum := md5.Sum(data) // nosem`
`178`	`178`	`return base64.StdEncoding.EncodeToString(md5sum[:])`
`179`	`179`	`}`
Original file line number	Diff line number	Diff line change
`@@ -629,7 +629,8 @@ func (repo ArtifactRepo) openGzipFile(ctx context.Context, name string) (os.Fi`
`629`	`629`	`return nil, "", err`
`630`	`630`	`}`
`631`	`631`
`632`		`- g, err := gzip.NewReader(reader)`
	`632`	`+ // NOTE: This reads a backup archive, provided by an admin. It's trusted input.`
	`633`	`+ g, err := gzip.NewReader(reader) // nosem: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb`
`633`	`634`	`if err != nil {`
`634`	`635`	`logClose(tmpFile, "failed to close temp file")`
`635`	`636`	`return nil, "", err`
Original file line number	Diff line number	Diff line change
`@@ -744,7 +744,7 @@ func (s *server) ConfigureDeployment(ctx context.Context,`
`744`	`744`	`}`
`745`	`745`
`746`	`746`	`deploymentStatus := s.deployment.Status()`
`747`		`- configSHA1 := sha1.Sum([]byte(overrideConfig.String()))`
	`747`	`+ configSHA1 := sha1.Sum([]byte(overrideConfig.String())) // nosem`
`748`	`748`
`749`	`749`	`logrus.WithFields(logrus.Fields{`
`750`	`750`	`"config_sha1": fmt.Sprintf("%x", configSHA1),`
Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ func serve(*cobra.Command, []string) error {`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`if C.Service.DisableTLS {`
`149`		`- grpcServer = grpc.NewServer(grpcServerOpts...)`
	`149`	`+ grpcServer = grpc.NewServer(grpcServerOpts...) // nosem: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection`
`150`	`150`	`} else {`
`151`	`151`	`serviceCerts, err := C.TLS.ReadCerts()`
`152`	`152`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ func runResetDB(_ *cobra.Command, args []string) error {`
`234`	`234`
`235`	`235`	`func getBackend() cereal.Driver {`
`236`	`236`	`if opts.Endpoint != "" {`
`237`		`- conn, err := grpc.Dial(opts.Endpoint, grpc.WithInsecure(), grpc.WithMaxMsgSize(6410241024))`
	`237`	`+ conn, err := grpc.Dial(opts.Endpoint, grpc.WithInsecure(), grpc.WithMaxMsgSize(6410241024)) // nosem: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection`
`238`	`238`	`if err != nil {`
`239`	`239`	`panic(err)`
`240`	`240`	`}`