Add gosec static analysis

This commit is contained in:
kolaente 2020-04-13 22:30:09 +02:00
parent fb8ac92abf
commit b8d7c97eb7
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
8 changed files with 16 additions and 9 deletions

View file

@ -57,6 +57,8 @@ steps:
- make goconst-check
- make gocyclo-check
- make static-check
- curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0 # Need to manually install as it does not support being installed via go modules like the rest.
- make gosec-check
- make build
when:
event: [ push, tag, pull_request ]

View file

@ -231,15 +231,17 @@ static-check:
.PHONY: gosec-check
gosec-check:
@hash ./bin/gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 1.2.0; \
@hash gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
echo "Please manually install gosec by running"; \
echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0"; \
exit 1; \
fi
for S in $(PACKAGES); do ./bin/gosec $$S || exit 1; done;
gosec ./...
.PHONY: goconst-check
goconst-check:
@hash goconst > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
go get -u github.com/jgautheron/goconst/cmd/goconst; \
go install $(GOFLAGS) github.com/jgautheron/goconst/cmd/goconst; \
fi
fi;
for S in $(PACKAGES); do goconst $$S || exit 1; done;

View file

@ -24,7 +24,7 @@ import (
func init() {
migrateCmd.AddCommand(migrateListCmd)
migrationRollbackCmd.Flags().StringVarP(&rollbackUntilFlag, "name", "n", "", "The id of the migration you want to roll back until.")
migrationRollbackCmd.MarkFlagRequired("name")
_ = migrationRollbackCmd.MarkFlagRequired("name")
migrateCmd.AddCommand(migrationRollbackCmd)
rootCmd.AddCommand(migrateCmd)
}

View file

@ -34,6 +34,7 @@ type Key string
// These constants hold all config value keys
const (
// #nosec
ServiceJWTSecret Key = `service.JWTSecret`
ServiceInterface Key = `service.interface`
ServiceFrontendurl Key = `service.frontendurl`

View file

@ -86,7 +86,7 @@ func GetLogWriter(logfile string) (writer io.Writer) {
switch viper.GetString("log." + logfile) {
case "file":
fullLogFilePath := config.LogPath.GetString() + "/" + logfile + ".log"
f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
if err != nil {
Fatalf("Could not create logfile %s: %s", fullLogFilePath, err.Error())
}

View file

@ -42,6 +42,7 @@ func StartMailDaemon() {
go func() {
d := gomail.NewDialer(config.MailerHost.GetString(), config.MailerPort.GetInt(), config.MailerUsername.GetString(), config.MailerPassword.GetString())
// #nosec
d.TLSConfig = &tls.Config{InsecureSkipVerify: config.MailerSkipTLSVerify.GetBool()}
var s gomail.SendCloser

View file

@ -160,7 +160,7 @@ func CheckUserCredentials(u *Login) (*User, error) {
user, err := GetUserByUsername(u.Username)
if err != nil {
// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
bcrypt.GenerateFromPassword([]byte(u.Username), 14)
_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
return &User{}, ErrWrongUsernameOrPassword{}
}

View file

@ -17,14 +17,15 @@
package utils
import (
"crypto/md5"
"crypto/md5" // #nosec
"fmt"
"io"
)
// Md5String generates an md5 hash from a string
func Md5String(in string) string {
// #nosec
h := md5.New()
io.WriteString(h, in)
_, _ = io.WriteString(h, in)
return fmt.Sprintf("%x", h.Sum(nil))
}