From b8d7c97eb75bd067c7cad1d84c39c5ecee160014 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 13 Apr 2020 22:30:09 +0200
Subject: [PATCH] Add gosec static analysis

---
 .drone1.yml             |  2 ++
 Makefile                | 10 ++++++----
 pkg/cmd/migrate.go      |  2 +-
 pkg/config/config.go    |  1 +
 pkg/log/logging.go      |  2 +-
 pkg/mail/mail.go        |  1 +
 pkg/user/user.go        |  2 +-
 pkg/utils/md5_string.go |  5 +++--
 8 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/.drone1.yml b/.drone1.yml
index a0e34bc3..37fb26a7 100644
--- a/.drone1.yml
+++ b/.drone1.yml
@@ -57,6 +57,8 @@ steps:
       - make goconst-check
       - make gocyclo-check
       - make static-check
+      - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0 # Need to manually install as it does not support being installed via go modules like the rest.
+      - make gosec-check
       - make build
     when:
       event: [ push, tag, pull_request ]
diff --git a/Makefile b/Makefile
index d72095ef..f1eb960b 100644
--- a/Makefile
+++ b/Makefile
@@ -231,15 +231,17 @@ static-check:
 
 .PHONY: gosec-check
 gosec-check:
-	@hash ./bin/gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 1.2.0; \
+	@hash gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		echo "Please manually install gosec by running"; \
+		echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0"; \
+		exit 1; \
 	fi
-	for S in $(PACKAGES); do ./bin/gosec $$S || exit 1; done;
+	gosec ./...
 
 .PHONY: goconst-check
 goconst-check:
 	@hash goconst > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		go get -u github.com/jgautheron/goconst/cmd/goconst; \
 		go install $(GOFLAGS) github.com/jgautheron/goconst/cmd/goconst; \
-	fi
+	fi;
 	for S in $(PACKAGES); do goconst $$S || exit 1; done;
diff --git a/pkg/cmd/migrate.go b/pkg/cmd/migrate.go
index f816001a..165d8639 100644
--- a/pkg/cmd/migrate.go
+++ b/pkg/cmd/migrate.go
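Review bot: The added curl line fetches the installer from the `master` branch of the gosec repository and pipes it straight into bash, so only the gosec binary version (`v2.2.0`) is pinned, not the script that installs it, and nothing is checksummed; whoever can change that file upstream can run code inside this CI step. Pin the script to a commit SHA (raw.githubusercontent.com accepts a commit in place of `master`) or download the v2.2.0 release archive and verify its published checksum before extracting it. The Makefile hunk in this commit prints the same command as the manual-install hint and would benefit from the same pinning.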
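Review bot: In the new gosec-check recipe the second `echo` line contains `$GOPATH`, which make expands as the variable `G` followed by the literal text `OPATH`, so the printed hint reads `-b OPATH/bin` rather than the real path; it has to be escaped as `$$GOPATH`, the way `$$?` already is on the `@hash` line above it. The corrected line is `echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $$GOPATH/bin v2.2.0"; \`.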
@@ -24,7 +24,7 @@ import (
 func init() {
 	migrateCmd.AddCommand(migrateListCmd)
 	migrationRollbackCmd.Flags().StringVarP(&rollbackUntilFlag, "name", "n", "", "The id of the migration you want to roll back until.")
-	migrationRollbackCmd.MarkFlagRequired("name")
+	_ = migrationRollbackCmd.MarkFlagRequired("name")
 	migrateCmd.AddCommand(migrationRollbackCmd)
 	rootCmd.AddCommand(migrateCmd)
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6b1d6592..f1708f52 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -34,6 +34,7 @@ type Key string
 
 // These constants hold all config value keys
 const (
+	// #nosec
 	ServiceJWTSecret Key = `service.JWTSecret`
 	ServiceInterface Key = `service.interface`
 	ServiceFrontendurl Key = `service.frontendurl`
diff --git a/pkg/log/logging.go b/pkg/log/logging.go
index 4e6f9bf5..ee07d852 100644
--- a/pkg/log/logging.go
+++ b/pkg/log/logging.go
@@ -86,7 +86,7 @@ func GetLogWriter(logfile string) (writer io.Writer) {
 	switch viper.GetString("log." + logfile) {
 	case "file":
 		fullLogFilePath := config.LogPath.GetString() + "/" + logfile + ".log"
-		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 		if err != nil {
 			Fatalf("Could not create logfile %s: %s", fullLogFilePath, err.Error())
 		}
diff --git a/pkg/mail/mail.go b/pkg/mail/mail.go
index 3b063b01..86748180 100644
--- a/pkg/mail/mail.go
+++ b/pkg/mail/mail.go
@@ -42,6 +42,7 @@ func StartMailDaemon() {
 
 	go func() {
 		d := gomail.NewDialer(config.MailerHost.GetString(), config.MailerPort.GetInt(), config.MailerUsername.GetString(), config.MailerPassword.GetString())
+		// #nosec
 		d.TLSConfig = &tls.Config{InsecureSkipVerify: config.MailerSkipTLSVerify.GetBool()}
 
 		var s gomail.SendCloser
diff --git a/pkg/user/user.go b/pkg/user/user.go
index fa1bba9f..5cd4d925 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
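Review bot: The new `_ =` discard of the `MarkFlagRequired` error carries no comment saying why dropping it is safe, and the same bare discards appear in the user.go hunk (`bcrypt.GenerateFromPassword`) and the md5_string.go hunk (`io.WriteString`). Here cobra's MarkFlagRequired only errors when the named flag is not registered, and `"name"` is registered on the line directly above, so a comment such as `// the "name" flag is registered just above, so MarkFlagRequired cannot fail here` records the reasoning; since a wrong name would be a programmer bug, panicking on a non-nil error is the stricter alternative. init is fully inside the hunk.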
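Review bot: The `// #nosec` added above `ServiceJWTSecret` is unscoped, so it silences every gosec rule for that line rather than only the hardcoded-credentials check that the `Secret` in the identifier triggers; `// #nosec G101` keeps the suppression explicit and lets any other rule still report. The same applies to the unscoped markers in the mail.go hunk (`InsecureSkipVerify`, rule G402) and the md5_string.go hunk (the `crypto/md5` import and `md5.New()`, rules G501 and G401). A short justification beside each marker also helps the next reader, e.g. here `// #nosec G101 -- this is the name of a config key, not a secret value`, and in mail.go that the value is operator-supplied configuration rather than a hardcoded `true`.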
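Review bot: The change to `0600` on the `os.OpenFile` line only takes effect when the file is created; a log file left behind by an earlier run keeps its previous 0644 bits, and the mode passed is still masked by the process umask. A comment saying so prevents a false sense that existing logs are now private, e.g. `// 0600 applies only to newly created files; existing logs keep the mode they were created with`; if the intent is to tighten existing deployments as well, an explicit `f.Chmod(0600)` after the successful open would do it. GetLogWriter continues outside the hunk.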
@@ -160,7 +160,7 @@ func CheckUserCredentials(u *Login) (*User, error) {
 	user, err := GetUserByUsername(u.Username)
 	if err != nil {
 		// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
-		bcrypt.GenerateFromPassword([]byte(u.Username), 14)
+		_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
 		return &User{}, ErrWrongUsernameOrPassword{}
 	}
 
diff --git a/pkg/utils/md5_string.go b/pkg/utils/md5_string.go
index a06d194f..f2bbe85b 100644
--- a/pkg/utils/md5_string.go
+++ b/pkg/utils/md5_string.go
@@ -17,14 +17,15 @@ package utils
 
 import (
-	"crypto/md5"
+	"crypto/md5" // #nosec
 	"fmt"
 	"io"
 )
 
 // Md5String generates an md5 hash from a string
 func Md5String(in string) string {
+	// #nosec
 	h := md5.New()
-	io.WriteString(h, in)
+	_, _ = io.WriteString(h, in)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
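Review bot: The decoy `bcrypt.GenerateFromPassword` on the changed line only evens out the unknown-username and known-username paths if its cost (`14`) matches the cost of the hashes stored for real users; the comparison path of CheckUserCredentials is outside this hunk, so that cannot be confirmed here, and a shared cost constant used by both the real hashing and this decoy would keep them from drifting apart. A comment such as `// cost must match the one used for stored password hashes so both branches take comparable time` would document that coupling next to the magic number. CheckUserCredentials starts before the hunk and continues after it.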
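Review bot: The doc comment on Md5String still says only that it "generates an md5 hash", while the new `#nosec` markers acknowledge that gosec flags the algorithm as weak; the comment should tell callers what the function may be used for. Something like `// Md5String returns the lowercase hex MD5 digest of in. MD5 is not collision resistant and must not be used for passwords, tokens or integrity checks; keep it to non-security uses.` states the contract in two lines. Md5String is fully inside the hunk.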