enable gosec #969
Merged
enable gosec #969
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Kim Tsao <[email protected]>
Codecov ReportBase: 35.51% // Head: 35.63% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #969 +/- ##
==========================================
+ Coverage 35.51% 35.63% +0.11%
==========================================
Files 52 52
Lines 6653 6671 +18
==========================================
+ Hits 2363 2377 +14
- Misses 4145 4149 +4
Partials 145 145
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
Signed-off-by: Kim Tsao <[email protected]>
Signed-off-by: Kim Tsao <[email protected]>
kim-tsao
requested review from
amisevsk,
yangcao77 and
johnmcollier
as code owners
amisevsk
reviewed
Oct 19, 2022
| @@ -27,6 +27,7 @@ func convertPluginComponentTo_v1alpha2(srcComponent *Component, destComponent *v | |||
| destComponent.Name = pluginKey | |||
|
|
|||
| for _, srcCommand := range src.Commands { | |||
| srcCommand := srcCommand | |||
There was a problem hiding this comment.
This line appears to be a no-op?
There was a problem hiding this comment.
it ensures the address is not reused. It's one of the approaches you can use to fix this issue (the other is to use an index) according to this discussion: https://stackoverflow.com/questions/62446118/implicit-memory-aliasing-in-for-loop.
There was a problem hiding this comment.
Ah makes sense, I didn't realize we used &srcCommand below.
run_gosec.sh
Outdated
| echo "error gosec must be installed with this command: go install github.com/securego/gosec/v2/cmd/gosec@latest" && exit 1 | ||
| fi | ||
|
|
||
| gosec -no-fail -fmt=sarif -out=gosec.sarif -exclude-dir test -exclude-dir generator ./... |
There was a problem hiding this comment.
Trailling newline missing.
amisevsk
approved these changes
Oct 19, 2022
Signed-off-by: Kim Tsao <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: amisevsk, kim-tsao The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
yangcao77
added a commit
that referenced
this pull request
Oct 11, 2023
* 2.2.0 release cut Signed-off-by: Stephanie <[email protected]> * enable gosec (#969) * enable gosec Signed-off-by: Kim Tsao <[email protected]> * Fix G601 errors Signed-off-by: Kim Tsao <[email protected]> * Fix warnings Signed-off-by: Kim Tsao <[email protected]> * Add newline Signed-off-by: Kim Tsao <[email protected]> Signed-off-by: Kim Tsao <[email protected]> * Update the devfile spec to 2.2.1 alpha (#980) Signed-off-by: Paul Schultz <[email protected]> * Bump kubernetes-client/gen revision to fix git dubious ownership error (#1045) * bump kubernetes-client/gen revision to fix git dubious ownership error Signed-off-by: Michael Valdron <[email protected]> * whitespace changes. Signed-off-by: Michael Valdron <[email protected]> * set openapi generator ref to version which supports typescript generation. Signed-off-by: Michael Valdron <[email protected]> --------- Signed-off-by: Michael Valdron <[email protected]> * Fix Dependabot issues (#1047) * fix dependabot issues, requires a bump in k8s versions Signed-off-by: Kim Tsao <[email protected]> * re-generated devworkspace files Signed-off-by: Kim Tsao <[email protected]> * Vendor updates Signed-off-by: Kim Tsao <[email protected]> --------- Signed-off-by: Kim Tsao <[email protected]> * fix gosec v2.14.0 (#1034) Signed-off-by: Michael Valdron <[email protected]> * Update python runtime version for `release-typescript-models` job (#1051) * bump python runtime version for 'release-typescript-models' job. Signed-off-by: Michael Valdron <[email protected]> * bump setup-python action to v4 for 'release-typescript-models' job. Signed-off-by: Michael Valdron <[email protected]> --------- Signed-off-by: Michael Valdron <[email protected]> * Add workflow for managing stale issues & PRs (#1055) Adds a GitHub workflow for managing stale & rotten issues and PRs. Issues & PRs are marked stale after 90 days of inactivity. After 60 further days, they are marked as rotten and closed. * Clarify hotReloadCapable field (#1091) * Clarify hotReloadCapable field Signed-off-by: Philippe Martin <[email protected]> * Auto-generated Signed-off-by: Philippe Martin <[email protected]> * Specify isDefault Signed-off-by: Philippe Martin <[email protected]> * Clarify description Signed-off-by: Philippe Martin <[email protected]> --------- Signed-off-by: Philippe Martin <[email protected]> * update kubernetes/openshift endpoint validation (#1098) * update endpoint validation Signed-off-by: Stephanie <[email protected]> * update unit test Signed-off-by: Stephanie <[email protected]> * update the test error check to be more clear Signed-off-by: Stephanie <[email protected]> * add unit test for two kube components Signed-off-by: Stephanie <[email protected]> --------- Signed-off-by: Stephanie <[email protected]> * Update release doc (#1110) Signed-off-by: Kim Tsao <[email protected]> * Update directly executed scripts inside workflows (#1107) * Update directly executed scripts on workflows Signed-off-by: thepetk <[email protected]> * Update directly executed scripts on bash scripts Signed-off-by: thepetk <[email protected]> --------- Signed-off-by: thepetk <[email protected]> * Add area alizer label to all issue templates (#1149) Signed-off-by: thepetk <[email protected]> * Update deprecated github actions to latest version (#1231) * Update deprecated github actions Signed-off-by: thepetk <[email protected]> * Remove jsonschema dep from validate samples Signed-off-by: thepetk <[email protected]> --------- Signed-off-by: thepetk <[email protected]> * Add license header file and script (#1256) * add license header file Signed-off-by: Michael Valdron <[email protected]> * addlicense script Signed-off-by: Michael Valdron <[email protected]> * update README with instructions on adding license headers Signed-off-by: Michael Valdron <[email protected]> * update license headers under source files Signed-off-by: Michael Valdron <[email protected]> * remove license header from generated source Signed-off-by: Michael Valdron <[email protected]> * add_license.sh ignores zz_generated.* source files Signed-off-by: Michael Valdron <[email protected]> * check license headers script added Signed-off-by: Michael Valdron <[email protected]> * check license headers script added to CI workflow Signed-off-by: Michael Valdron <[email protected]> --------- Signed-off-by: Michael Valdron <[email protected]> * add signoff Signed-off-by: Stephanie <[email protected]> --------- Signed-off-by: Stephanie <[email protected]> Signed-off-by: Kim Tsao <[email protected]> Signed-off-by: Paul Schultz <[email protected]> Signed-off-by: Michael Valdron <[email protected]> Signed-off-by: Philippe Martin <[email protected]> Signed-off-by: thepetk <[email protected]> Co-authored-by: Kim Tsao <[email protected]> Co-authored-by: Paul Schultz <[email protected]> Co-authored-by: Michael Valdron <[email protected]> Co-authored-by: Michael Valdron <[email protected]> Co-authored-by: John Collier <[email protected]> Co-authored-by: Philippe Martin <[email protected]> Co-authored-by: Theofanis Petkos <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Kim Tsao [email protected]
What does this PR do?:
enables the gosec scanner and addresses any high sev findings
Which issue(s) this PR fixes:
#937
PR acceptance criteria:
Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.
Unit/Functional tests
QE Integration test
Documentation
Client Impact
How to test changes / Special notes to the reviewer: