enable gosec (#969)

kim-tsao · web-flow · commit 0d163445376d · 2022-10-19T11:58:59.000-04:00
* enable gosec

Signed-off-by: Kim Tsao &lt;ktsao@redhat.com&gt;

* Fix G601 errors

Signed-off-by: Kim Tsao &lt;ktsao@redhat.com&gt;

* Fix warnings

Signed-off-by: Kim Tsao &lt;ktsao@redhat.com&gt;

* Add newline

Signed-off-by: Kim Tsao &lt;ktsao@redhat.com&gt;

Signed-off-by: Kim Tsao &lt;ktsao@redhat.com&gt;
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -70,3 +70,20 @@ jobs:
         run: |
           go fmt -x ./...
           git diff --exit-code || { echo 'Go sources need to be formatted. Execute "go fmt -x ./..." locally in the 'generator' folder and commit changes to fix an issue'; exit 1; }
+
+      - name: Run Gosec Security Scanner
+        run: |
+          export PATH=$PATH:$(go env GOPATH)/bin
+          go install github.com/securego/gosec/v2/cmd/gosec@latest
+          ./run_gosec.sh
+          if [[ $? != 0 ]]
+          then
+            echo "gosec scanner failed to run "
+            exit 1
+          fi   
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: gosec.sarif
diff --git a/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go b/pkg/apis/workspaces/v1alpha1/component_plugin_conversion.go
@@ -27,6 +27,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v
 	destComponent.Name = pluginKey
 
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		if srcCommand.Custom != nil {
 			// v1alpha2 does not support Plugin Custom commands, so we have to drop them here
 			continue
@@ -40,6 +41,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v
 	}
 
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		destComponent := v1alpha2.ComponentPluginOverride{}
 		err := convertPluginComponentSubComponentTo_v1alpha2(&srcComponent, &destComponent)
 		if err != nil {
@@ -101,6 +103,7 @@ func convertPluginComponentFrom_v1alpha2(srcComponent *v1alpha2.Component, destC
 	destComponent.Plugin.Name = srcComponent.Name
 
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		destCommand := Command{}
 		err := convertPluginComponentCommandFrom_v1alpha2(&srcCommand, &destCommand)
 		if err != nil {
@@ -110,6 +113,7 @@ func convertPluginComponentFrom_v1alpha2(srcComponent *v1alpha2.Component, destC
 	}
 
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		destComponent := PluginComponentsOverride{}
 		err := convertPluginComponentSubComponentFrom_v1alpha2(&srcComponent, &destComponent)
 		if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/conversion.go b/pkg/apis/workspaces/v1alpha1/conversion.go
@@ -55,6 +55,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 		}
 	}
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		destComponent := v1alpha2.Component{}
 		err := convertComponentTo_v1alpha2(&srcComponent, &destComponent)
 		if err != nil {
@@ -63,6 +64,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 		dest.Components = append(dest.Components, destComponent)
 	}
 	for _, srcProject := range src.Projects {
+		srcProject := srcProject
 		destProject := v1alpha2.Project{}
 		err := convertProjectTo_v1alpha2(&srcProject, &destProject)
 		if err != nil {
@@ -71,6 +73,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 		dest.Projects = append(dest.Projects, destProject)
 	}
 	for _, srcStarterProject := range src.StarterProjects {
+		srcStarterProject := srcStarterProject
 		destStarterProject := v1alpha2.StarterProject{}
 		err := convertStarterProjectTo_v1alpha2(&srcStarterProject, &destStarterProject)
 		if err != nil {
@@ -79,6 +82,7 @@ func convertDevWorkspaceTemplateSpecTo_v1alpha2(src *DevWorkspaceTemplateSpec, d
 		dest.StarterProjects = append(dest.StarterProjects, destStarterProject)
 	}
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		destCommand := v1alpha2.Command{}
 		err := convertCommandTo_v1alpha2(&srcCommand, &destCommand)
 		if err != nil {
@@ -105,6 +109,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 		}
 	}
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		destComponent := Component{}
 		err := convertComponentFrom_v1alpha2(&srcComponent, &destComponent)
 		if err != nil {
@@ -113,6 +118,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 		dest.Components = append(dest.Components, destComponent)
 	}
 	for _, srcProject := range src.Projects {
+		srcProject := srcProject
 		destProject := Project{}
 		err := convertProjectFrom_v1alpha2(&srcProject, &destProject)
 		if err != nil {
@@ -121,6 +127,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 		dest.Projects = append(dest.Projects, destProject)
 	}
 	for _, srcStarterProject := range src.StarterProjects {
+		srcStarterProject := srcStarterProject
 		destStarterProject := StarterProject{}
 		err := convertStarterProjectFrom_v1alpha2(&srcStarterProject, &destStarterProject)
 		if err != nil {
@@ -129,6 +136,7 @@ func convertDevWorkspaceTemplateSpecFrom_v1alpha2(src *v1alpha2.DevWorkspaceTemp
 		dest.StarterProjects = append(dest.StarterProjects, destStarterProject)
 	}
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		destCommand := Command{}
 		err := convertCommandFrom_v1alpha2(&srcCommand, &destCommand)
 		if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/parent_conversion.go b/pkg/apis/workspaces/v1alpha1/parent_conversion.go
@@ -17,6 +17,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 	}
 
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		if srcCommand.Custom != nil {
 			// v1alpha2 does not support Parent Custom commands, so we have to drop them here
 			continue
@@ -30,6 +31,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 	}
 
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		if srcComponent.Custom != nil {
 			// v1alpha2 does not support Parent Custom Components, so we have to drop them here
 			continue
@@ -43,6 +45,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 	}
 
 	for _, srcProject := range src.Projects {
+		srcProject := srcProject
 		destProject := v1alpha2.Project{}
 		err := convertProjectTo_v1alpha2(&srcProject, &destProject)
 		if err != nil {
@@ -61,6 +64,7 @@ func convertParentTo_v1alpha2(src *Parent, dest *v1alpha2.Parent) error {
 	}
 
 	for _, srcProject := range src.StarterProjects {
+		srcProject := srcProject
 		destProject := v1alpha2.StarterProject{}
 		err := convertStarterProjectTo_v1alpha2(&srcProject, &destProject)
 		if err != nil {
@@ -146,6 +150,7 @@ func convertParentFrom_v1alpha2(src *v1alpha2.Parent, dest *Parent) error {
 		dest.Kubernetes = &kube
 	}
 	for _, srcCommand := range src.Commands {
+		srcCommand := srcCommand
 		destCommand := Command{}
 		err := convertParentCommandFrom_v1alpha2(&srcCommand, &destCommand)
 		if err != nil {
@@ -155,6 +160,7 @@ func convertParentFrom_v1alpha2(src *v1alpha2.Parent, dest *Parent) error {
 	}
 
 	for _, srcComponent := range src.Components {
+		srcComponent := srcComponent
 		destComponent := Component{}
 		err := convertParentComponentFrom_v1alpha2(&srcComponent, &destComponent)
 		if err != nil {
diff --git a/pkg/apis/workspaces/v1alpha1/union_implementation.go b/pkg/apis/workspaces/v1alpha1/union_implementation.go
@@ -34,7 +34,7 @@ func visitUnion(union interface{}, visitor interface{}) (err error) {
 }
 
 func simplifyUnion(union Union, visitorType reflect.Type) {
-	normalizeUnion(union, visitorType)
+	_ = normalizeUnion(union, visitorType)
 	*union.discriminator() = ""
 }
 
diff --git a/pkg/apis/workspaces/v1alpha2/union_implementation.go b/pkg/apis/workspaces/v1alpha2/union_implementation.go
@@ -34,7 +34,7 @@ func visitUnion(union interface{}, visitor interface{}) (err error) {
 }
 
 func simplifyUnion(union Union, visitorType reflect.Type) {
-	normalizeUnion(union, visitorType)
+	_ = normalizeUnion(union, visitorType)
 	*union.discriminator() = ""
 }
 
diff --git a/pkg/utils/unions/normalize.go b/pkg/utils/unions/normalize.go
@@ -16,7 +16,7 @@ func (n *normalizer) Struct(s reflect.Value) error {
 		if addr.CanInterface() {
 			i := addr.Interface()
 			if u, ok := i.(dw.Union); ok {
-				u.Normalize()
+				_ = u.Normalize()
 			}
 		}
 	}
diff --git a/run_gosec.sh b/run_gosec.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# This script runs the gosec scanner locally
+
+if ! command -v gosec 2> /dev/null
+then
+  echo "error gosec must be installed with this command: go install github.com/securego/gosec/v2/cmd/gosec@latest" && exit 1
+fi
+
+gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir test  -exclude-dir generator  ./...

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func visitUnion(union interface{}, visitor interface{}) (err error) {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`func simplifyUnion(union Union, visitorType reflect.Type) {`
`37`		`- normalizeUnion(union, visitorType)`
	`37`	`+ _ = normalizeUnion(union, visitorType)`
`38`	`38`	`*union.discriminator() = ""`
`39`	`39`	`}`
`40`	`40`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ func (n *normalizer) Struct(s reflect.Value) error {`
`16`	`16`	`if addr.CanInterface() {`
`17`	`17`	`i := addr.Interface()`
`18`	`18`	`if u, ok := i.(dw.Union); ok {`
`19`		`- u.Normalize()`
	`19`	`+ _ = u.Normalize()`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`	`}`