🌱 Remove gosec linter
It yields a lot of false positives as seen by the number of nolint
directives this change removes.
alvaroaleman committed Jan 8, 2025
1 parent c80ea33 commit 3b0b995
Showing 19 changed files with 27 additions and 29 deletions.
1 change: 0 additions & 1 deletion .golangci.yml
Expand Up @@ -19,7 +19,6 @@ linters:
- gofmt
- goimports
- goprintffuncname
- gosec
- gosimple
- govet
- importas
2 changes: 1 addition & 1 deletion pkg/cache/internal/informers.go
Expand Up @@ -585,7 +585,7 @@ func newGVKFixupWatcher(gvk schema.GroupVersionKind, watcher watch.Interface) wa
// hammer the apiserver with list requests simultaneously.
func calculateResyncPeriod(resync time.Duration) time.Duration {
// the factor will fall into [0.9, 1.1)
factor := rand.Float64()/5.0 + 0.9 //nolint:gosec
factor := rand.Float64()/5.0 + 0.9
return time.Duration(float64(resync.Nanoseconds()) * factor)
}

2 changes: 1 addition & 1 deletion pkg/client/config/config_test.go
Expand Up @@ -191,7 +191,7 @@ func setConfigs(tc testCase, dir string) {

func createFiles(files map[string]string, dir string) error {
for path, data := range files {
if err := os.WriteFile(filepath.Join(dir, path), []byte(data), 0644); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(dir, path), []byte(data), 0644); err != nil {
return err
}
}
4 changes: 2 additions & 2 deletions pkg/controller/controllerutil/controllerutil_test.go
Expand Up @@ -457,7 +457,7 @@ var _ = Describe("Controllerutil", func() {
BeforeEach(func() {
deploy = &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("deploy-%d", rand.Int31()), //nolint:gosec
Name: fmt.Sprintf("deploy-%d", rand.Int31()),
Namespace: "default",
},
}
Expand Down Expand Up @@ -606,7 +606,7 @@ var _ = Describe("Controllerutil", func() {
BeforeEach(func() {
deploy = &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("deploy-%d", rand.Int31()), //nolint:gosec
Name: fmt.Sprintf("deploy-%d", rand.Int31()),
Namespace: "default",
},
}
2 changes: 1 addition & 1 deletion pkg/controller/priorityqueue/priorityqueue_test.go
Expand Up @@ -356,7 +356,7 @@ var _ = Describe("Controllerworkqueue", func() {

for range 20 {
for i := range 1000 {
rn := rand.N(100) //nolint:gosec // We don't need cryptographically secure entropy here
rn := rand.N(100)
if rn < 10 {
q.AddWithOpts(AddOpts{After: time.Duration(rn) * time.Millisecond}, fmt.Sprintf("foo%d", i))
} else {
4 changes: 2 additions & 2 deletions pkg/envtest/webhook.go
Expand Up @@ -294,10 +294,10 @@ func (o *WebhookInstallOptions) setupCA() error {
return fmt.Errorf("unable to marshal webhook serving certs: %w", err)
}

if err := os.WriteFile(filepath.Join(localServingCertsDir, "tls.crt"), certData, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(localServingCertsDir, "tls.crt"), certData, 0640); err != nil {
return fmt.Errorf("unable to write webhook serving cert to disk: %w", err)
}
if err := os.WriteFile(filepath.Join(localServingCertsDir, "tls.key"), keyData, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(localServingCertsDir, "tls.key"), keyData, 0640); err != nil {
return fmt.Errorf("unable to write webhook serving key to disk: %w", err)
}
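Review bot: The private key `tls.key` is still written with mode `0640`, which leaves it group-readable, and with the suppression removed and gosec disabled nothing will flag this again. Key material should be created owner-only, e.g. `os.WriteFile(filepath.Join(localServingCertsDir, "tls.key"), keyData, 0600)`; the certificate can keep its current mode. The same applies to the `apiserver.key` and `saKeyFile` writes in pkg/internal/testing/controlplane/apiserver.go. setupCA starts and continues outside this hunk, so the permissions of `localServingCertsDir` itself are not visible here and may already limit exposure.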

8 changes: 4 additions & 4 deletions pkg/internal/testing/controlplane/apiserver.go
Expand Up @@ -384,10 +384,10 @@ func (s *APIServer) populateAPIServerCerts() error {
return err
}

if err := os.WriteFile(filepath.Join(s.CertDir, "apiserver.crt"), certData, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(s.CertDir, "apiserver.crt"), certData, 0640); err != nil {
return err
}
if err := os.WriteFile(filepath.Join(s.CertDir, "apiserver.key"), keyData, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(s.CertDir, "apiserver.key"), keyData, 0640); err != nil {
return err
}

Expand All @@ -404,10 +404,10 @@ func (s *APIServer) populateAPIServerCerts() error {
return err
}

if err := os.WriteFile(filepath.Join(s.CertDir, saCertFile), saCert, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(filepath.Join(s.CertDir, saCertFile), saCert, 0640); err != nil {
return err
}
return os.WriteFile(filepath.Join(s.CertDir, saKeyFile), saKey, 0640) //nolint:gosec
return os.WriteFile(filepath.Join(s.CertDir, saKeyFile), saKey, 0640)
}

// Stop stops this process gracefully, waits for its termination, and cleans up
2 changes: 1 addition & 1 deletion pkg/internal/testing/controlplane/auth.go
Expand Up @@ -128,7 +128,7 @@ func (c *CertAuthn) Start() error {
return fmt.Errorf("start called before configure")
}
caCrt := c.ca.CA.CertBytes()
if err := os.WriteFile(c.caCrtPath(), caCrt, 0640); err != nil { //nolint:gosec
if err := os.WriteFile(c.caCrtPath(), caCrt, 0640); err != nil {
return fmt.Errorf("unable to save the client certificate CA to %s: %w", c.caCrtPath(), err)
}

2 changes: 1 addition & 1 deletion pkg/internal/testing/process/process.go
Expand Up @@ -215,7 +215,7 @@ func pollURLUntilOK(url url.URL, interval time.Duration, ready chan bool, stopCh
// there's probably certs *somewhere*,
// but it's fine to just skip validating
// them for health checks during testing
InsecureSkipVerify: true, //nolint:gosec
InsecureSkipVerify: true,
},
},
}
2 changes: 1 addition & 1 deletion pkg/log/zap/flags.go
Expand Up @@ -85,7 +85,7 @@ func (ev *levelFlag) Set(flagValue string) error {
}
if logLevel > 0 {
intLevel := -1 * logLevel
ev.setFunc(zap.NewAtomicLevelAt(zapcore.Level(int8(intLevel)))) //nolint:gosec // We are not worried about integer overflows (G115) here.
ev.setFunc(zap.NewAtomicLevelAt(zapcore.Level(int8(intLevel))))
} else {
return fmt.Errorf("invalid log level \"%s\"", flagValue)
}
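Review bot: `int8(intLevel)` narrows without a range check, so an oversized verbosity value wraps instead of being rejected. Assuming `logLevel` is a plain int parsed from the flag (its declaration is outside the hunk), a value of 200 becomes -200 and then 56 after the conversion, which is above every real zap level and so would suppress output rather than increase it. Tightening the existing condition to `if logLevel > 0 && logLevel <= 127 {` lets the `else` branch report such input as an invalid log level. Set starts and continues outside this hunk.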
2 changes: 1 addition & 1 deletion pkg/manager/internal/integration/manager_test.go
Expand Up @@ -261,7 +261,7 @@ func createConversionWebhook(mgr manager.Manager) *ConversionWebhook {
// This is a hack but it's better than using a hard-coded port.
v := reflect.ValueOf(mgr).Elem()
field := v.FieldByName("healthProbeListener")
healthProbeListener := *(*net.Listener)(unsafe.Pointer(field.UnsafeAddr())) //nolint:gosec
healthProbeListener := *(*net.Listener)(unsafe.Pointer(field.UnsafeAddr()))
readinessEndpoint := fmt.Sprint("http://", healthProbeListener.Addr().String(), "/readyz")

return &ConversionWebhook{
4 changes: 2 additions & 2 deletions pkg/manager/manager_test.go
Expand Up @@ -572,7 +572,7 @@ var _ = Describe("manger.Manager", func() {
})

It("should return an error if the metrics bind address is already in use", func() {
ln, err := net.Listen("tcp", ":0") //nolint:gosec
ln, err := net.Listen("tcp", ":0")
Expect(err).ShouldNot(HaveOccurred())

var srv metricsserver.Server
Expand All @@ -597,7 +597,7 @@ var _ = Describe("manger.Manager", func() {
})

It("should return an error if the metrics bind address is already in use and secure serving enabled", func() {
ln, err := net.Listen("tcp", ":0") //nolint:gosec
ln, err := net.Listen("tcp", ":0")
Expect(err).ShouldNot(HaveOccurred())

var srv metricsserver.Server
2 changes: 1 addition & 1 deletion pkg/metrics/filters/filters_test.go
Expand Up @@ -72,7 +72,7 @@ var _ = Describe("manger.Manager", func() {
Elem().
Set(reflect.ValueOf(newMetricsServer))
httpClient = &http.Client{Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}}
})

2 changes: 1 addition & 1 deletion pkg/metrics/server/server.go
Expand Up @@ -275,7 +275,7 @@ func (s *defaultServer) createListener(ctx context.Context, log logr.Logger) (ne
return s.options.ListenConfig.Listen(ctx, "tcp", s.options.BindAddress)
}

cfg := &tls.Config{ //nolint:gosec
cfg := &tls.Config{
NextProtos: []string{"h2"},
}
// fallback TLS config ready, will now mutate if passer wants full control over it
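Review bot: The fallback `tls.Config` sets only `NextProtos`, so the minimum protocol version is whatever the Go toolchain and its GODEBUG settings default to. Pinning it makes the floor explicit and reviewable: `cfg := &tls.Config{NextProtos: []string{"h2"}, MinVersion: tls.VersionTLS12}`. Callers that mutate the config afterwards, as the following comment describes, can still override it deliberately. The identical construction in `DefaultServer.Start` in pkg/webhook/server.go has the same gap. createListener continues outside this hunk.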
2 changes: 1 addition & 1 deletion pkg/webhook/admission/response.go
Expand Up @@ -71,7 +71,7 @@ func ValidationResponse(allowed bool, message string) Response {
AdmissionResponse: admissionv1.AdmissionResponse{
Allowed: allowed,
Result: &metav1.Status{
Code: int32(code), //nolint:gosec // Integer overflows (G115) cannot occur here.
Code: int32(code),
Reason: reason,
},
},
2 changes: 1 addition & 1 deletion pkg/webhook/example_test.go
Expand Up @@ -145,7 +145,7 @@ func ExampleStandaloneWebhook() {
mux.Handle("/validating", validatingHookHandler)

// Run your handler
if err := http.ListenAndServe(port, mux); err != nil { //nolint:gosec // it's fine to not set timeouts here
if err := http.ListenAndServe(port, mux); err != nil {
panic(err)
}
}
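Review bot: `http.ListenAndServe(port, mux)` runs a server with no read or header timeouts, and because this is example code it is likely to be copied into real webhooks, where slow clients can then hold connections open indefinitely. The removed directive was the only place that said the omission was deliberate. Consider showing the bounded form instead: `srv := &http.Server{Addr: port, Handler: mux, ReadHeaderTimeout: 10 * time.Second}` followed by `if err := srv.ListenAndServe(); err != nil {` (the 10-second value is illustrative). ExampleStandaloneWebhook starts outside this hunk.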
4 changes: 2 additions & 2 deletions pkg/webhook/server.go
Expand Up @@ -190,7 +190,7 @@ func (s *DefaultServer) Start(ctx context.Context) error {

log.Info("Starting webhook server")

cfg := &tls.Config{ //nolint:gosec
cfg := &tls.Config{
NextProtos: []string{"h2"},
}
// fallback TLS config ready, will now mutate if passer wants full control over it
Expand Down Expand Up @@ -272,7 +272,7 @@ func (s *DefaultServer) Start(ctx context.Context) error {
// server has been started.
func (s *DefaultServer) StartedChecker() healthz.Checker {
config := &tls.Config{
InsecureSkipVerify: true, //nolint:gosec // config is used to connect to our own webhook port.
InsecureSkipVerify: true,
}
return func(req *http.Request) error {
s.mu.Lock()
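Review bot: In StartedChecker, `InsecureSkipVerify: true` now stands without any explanation, because the reason lived only in the removed nolint comment. Keep it as an ordinary comment so a later reader does not copy the setting into a client that talks to another host: `// Certificate verification is skipped because this config is only used to connect to our own webhook port.` The closure returned by StartedChecker continues outside the hunk, so how the config is dialled is not visible here.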
3 changes: 1 addition & 2 deletions tools/setup-envtest/remote/read_body.go
Expand Up @@ -4,7 +4,6 @@
package remote

import (
//nolint:gosec // We're aware that md5 is a weak cryptographic primitive, but we don't have a choice here.
"crypto/md5"
"crypto/sha512"
"encoding/base64"
Expand All @@ -28,7 +27,7 @@ func readBody(resp *http.Response, out io.Writer, archiveName string, platform v
case versions.SHA512HashType:
hasher = sha512.New()
case versions.MD5HashType:
hasher = md5.New() //nolint:gosec // We're aware that md5 is a weak cryptographic primitive, but we don't have a choice here.
hasher = md5.New()
default:
return fmt.Errorf("hash type %s not implemented", platform.Hash.Type)
}
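Review bot: The `md5.New()` case loses its only explanation, since both removed comments recorded that MD5 is known to be weak and is used because there is no alternative here. This hasher appears to verify a downloaded archive, so the context matters: MD5 offers no collision resistance, which means it detects corruption but not a deliberately crafted substitute. Keep a plain comment on the case, e.g. `// md5 is a weak cryptographic primitive, but we don't have a choice here.`, so the SHA512 branch stays the obvious preference wherever the hash type allows it. readBody continues outside the hunk.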
6 changes: 3 additions & 3 deletions tools/setup-envtest/store/store.go
Expand Up @@ -167,14 +167,14 @@ func (s *Store) Add(ctx context.Context, item Item, contents io.Reader) (resErr
// preferfing our own scheme.
targetPath := filepath.Base(header.Name)
log.V(1).Info("writing archive file to disk", "archive file", header.Name, "on-disk file", targetPath)
perms := 0555 & header.Mode // make sure we're at most r+x
binOut, err := itemPath.OpenFile(targetPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, os.FileMode(perms)) //nolint:gosec // Integer overflows (G115) seem unlikely here.
perms := 0555 & header.Mode // make sure we're at most r+x
binOut, err := itemPath.OpenFile(targetPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, os.FileMode(perms))
if err != nil {
return fmt.Errorf("unable to create file %s from archive to disk for version-platform pair %s", targetPath, itemName)
}
if err := func() error { // IIFE to get the defer properly in a loop
defer binOut.Close()
if _, err := io.Copy(binOut, tarReader); err != nil { //nolint:gosec
if _, err := io.Copy(binOut, tarReader); err != nil {
return fmt.Errorf("unable to write file %s from archive to disk for version-platform pair %s", targetPath, itemName)
}
return nil
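Review bot: `io.Copy(binOut, tarReader)` writes an archive entry to disk with no size limit, so an archive that expands far beyond its compressed size can fill the disk; the removed directive gave no reason for accepting that. If the archive is hash-verified before it reaches Add the risk is lower, but that is not visible in this hunk. A bound is cheap: copy with `io.CopyN(binOut, tarReader, maxEntryBytes+1)`, treat `io.EOF` as success, and return an error when more than `maxEntryBytes` was written, where `maxEntryBytes` is a placeholder for a limit the package would need to define. The `0555 & header.Mode` mask keeps the `os.FileMode(perms)` conversion in range, so that line needs no change. Add starts and continues outside the hunk.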