Add gosec static analysis

.drone1.yml

@@ -57,6 +57,8 @@ steps:
       - make goconst-check
       - make gocyclo-check
       - make static-check
+      - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0 # Need to manually install as it does not support being installed via go modules like the rest.
+      - make gosec-check
       - make build
     when:
       event: [ push, tag, pull_request ]

Makefile

@@ -231,15 +231,17 @@ static-check:
 
 .PHONY: gosec-check
 gosec-check:
-	@hash ./bin/gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 1.2.0; \
+	@hash gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		echo "Please manually install gosec by running"; \
+		echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0"; \
+		exit 1; \
 	fi
-	for S in $(PACKAGES); do ./bin/gosec $$S || exit 1; done;
+	gosec ./...
 
 .PHONY: goconst-check
 goconst-check:
 	@hash goconst > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		go get -u github.com/jgautheron/goconst/cmd/goconst; \
 		go install $(GOFLAGS) github.com/jgautheron/goconst/cmd/goconst; \
-	fi
+	fi;
 	for S in $(PACKAGES); do goconst $$S || exit 1; done;

pkg/cmd/migrate.go

@@ -24,7 +24,7 @@ import (
 func init() {
 	migrateCmd.AddCommand(migrateListCmd)
 	migrationRollbackCmd.Flags().StringVarP(&rollbackUntilFlag, "name", "n", "", "The id of the migration you want to roll back until.")
-	migrationRollbackCmd.MarkFlagRequired("name")
+	_ = migrationRollbackCmd.MarkFlagRequired("name")
 	migrateCmd.AddCommand(migrationRollbackCmd)
 	rootCmd.AddCommand(migrateCmd)
 }

pkg/config/config.go

@@ -34,6 +34,7 @@ type Key string
 
 // These constants hold all config value keys
 const (
+	// #nosec
 	ServiceJWTSecret             Key = `service.JWTSecret`
 	ServiceInterface             Key = `service.interface`
 	ServiceFrontendurl           Key = `service.frontendurl`

pkg/log/logging.go

@@ -86,7 +86,7 @@ func GetLogWriter(logfile string) (writer io.Writer) {
 	switch viper.GetString("log." + logfile) {
 	case "file":
 		fullLogFilePath := config.LogPath.GetString() + "/" + logfile + ".log"
-		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 		if err != nil {
 			Fatalf("Could not create logfile %s: %s", fullLogFilePath, err.Error())
 		}

pkg/mail/mail.go

@@ -42,6 +42,7 @@ func StartMailDaemon() {
 
 	go func() {
 		d := gomail.NewDialer(config.MailerHost.GetString(), config.MailerPort.GetInt(), config.MailerUsername.GetString(), config.MailerPassword.GetString())
+		// #nosec
 		d.TLSConfig = &tls.Config{InsecureSkipVerify: config.MailerSkipTLSVerify.GetBool()}
 
 		var s gomail.SendCloser

pkg/user/user.go

@@ -160,7 +160,7 @@ func CheckUserCredentials(u *Login) (*User, error) {
 	user, err := GetUserByUsername(u.Username)
 	if err != nil {
 		// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
-		bcrypt.GenerateFromPassword([]byte(u.Username), 14)
+		_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
 		return &User{}, ErrWrongUsernameOrPassword{}
 	}
 

pkg/utils/md5_string.go

@@ -17,14 +17,15 @@
 package utils
 
 import (
-	"crypto/md5"
+	"crypto/md5" // #nosec
 	"fmt"
 	"io"
 )
 
 // Md5String generates an md5 hash from a string
 func Md5String(in string) string {
+	// #nosec
 	h := md5.New()
-	io.WriteString(h, in)
+	_, _ = io.WriteString(h, in)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }