Merge pull request metal3-io#1213 from Nordix/tuomo/bump-gosec-2.17.0

🌱 bump gosec to 2.17.0, and fix gosec for submodules

.golangci.yaml

@@ -48,9 +48,7 @@ linters-settings:
     go: "1.20"
     severity: medium
     confidence: medium
-    excludes:
-      - G107
-      - G306
+    concurrency: 8
   importas:
     no-unaliased: true
     alias:
@@ -123,7 +121,7 @@ issues:
     - path: _test\.go
       linters:
         - unused
-    # Specific exclude rules for deprecated fields that are still part of the codebase. 
+    # Specific exclude rules for deprecated fields that are still part of the codebase.
     # These should be removed as the referenced deprecated item is removed from the project.
     - linters:
         - staticcheck

hack/gosec.sh

@@ -4,16 +4,23 @@ set -eux
 
 IS_CONTAINER="${IS_CONTAINER:-false}"
 CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-podman}"
+GO_CONCURRENCY="${GO_CONCURRENCY:-8}"
 
 if [ "${IS_CONTAINER}" != "false" ]; then
     export XDG_CACHE_HOME="/tmp/.cache"
-    gosec -exclude=G107 -severity medium -confidence medium -concurrency 8 -quiet ./...
+    # It seems like gosec does not handle submodules well. Therefore we skip them and run separately.
+    gosec -severity medium --confidence medium -quiet \
+        -concurrency "${GO_CONCURRENCY}" -exclude-dir=api -exclude-dir=test ./...
+    (cd api && gosec -severity medium --confidence medium -quiet \
+        -concurrency "${GO_CONCURRENCY}" ./...)
+    (cd test && gosec -severity medium --confidence medium -quiet \
+        -concurrency "${GO_CONCURRENCY}" ./...)
 else
     "${CONTAINER_RUNTIME}" run --rm \
         --env IS_CONTAINER=TRUE \
         --volume "${PWD}:/workdir:ro,z" \
         --entrypoint sh \
         --workdir /workdir \
-        docker.io/securego/gosec:2.14.0@sha256:73858f8b1b9b7372917677151ec6deeceeaa40c5b02753080bd647dede14e213 \
+        docker.io/securego/gosec:2.17.0@sha256:4ea9b6053eac43abda841af5885bbd31ee1bf7289675545b8858bcedb40b4fa8 \
         /workdir/hack/gosec.sh
 fi

test/e2e/common.go

@@ -162,7 +162,7 @@ func EnsureImage(k8sVersion string) (imageURL string, imageChecksum string) {
 		sha256sum, err := getSha256Hash(rawImagePath)
 		Expect(err).To(BeNil())
 		formattedSha256sum := fmt.Sprintf("%x", sha256sum)
-		err = os.WriteFile(fmt.Sprintf("%s/%s.sha256sum", ironicImageDir, rawImageName), []byte(formattedSha256sum), 0544)
+		err = os.WriteFile(fmt.Sprintf("%s/%s.sha256sum", ironicImageDir, rawImageName), []byte(formattedSha256sum), 0600)
 		Expect(err).To(BeNil())
 		Logf("Image: %v downloaded", rawImagePath)
 	} else {
@@ -175,6 +175,7 @@ func EnsureImage(k8sVersion string) (imageURL string, imageChecksum string) {
 // DownloadFile will download a url and store it in local filepath.
 func DownloadFile(filePath string, url string) error {
 	// Get the data
+	/* #nosec G107 */
 	resp, err := http.Get(url) //nolint:noctx
 	if err != nil {
 		return err
@@ -629,8 +630,12 @@ func MachineToIPAddress(ctx context.Context, cli client.Client, m *clusterv1.Mac
 }
 
 func runCommand(logFolder, filename, machineIP, user, command string) error {
-	home := os.Getenv("HOME")
-	privkey, err := os.ReadFile(path.Join(home, "/.ssh/id_rsa"))
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return fmt.Errorf("could not get home directory: %w", err)
+	}
+	keyPath := path.Join(filepath.Clean(home), ".ssh", "id_rsa")
+	privkey, err := os.ReadFile(keyPath) //#nosec G304:gosec
 	if err != nil {
 		return fmt.Errorf("couldn't read private key")
 	}
@@ -664,7 +669,7 @@ func runCommand(logFolder, filename, machineIP, user, command string) error {
 		return fmt.Errorf("unable to send command %q: %w", "sudo "+command, err)
 	}
 	result := strings.TrimSuffix(stdoutBuf.String(), "\n") + "\n" + strings.TrimSuffix(stderrBuf.String(), "\n")
-	if err := os.WriteFile(logFile, []byte(result), 0o777); err != nil {
+	if err := os.WriteFile(logFile, []byte(result), 0400); err != nil {
 		return fmt.Errorf("error writing log file: %w", err)
 	}
 	return nil

test/e2e/pivoting.go

@@ -406,9 +406,9 @@ func labelBMOCRDs(targetCluster framework.ClusterProxy) {
 	for _, label := range labels {
 		var cmd *exec.Cmd
 		if kubectlArgs == "" {
-			cmd = exec.Command("kubectl", "label", "--overwrite", "crds", crdName, label) // #nosec G204:gosec
+			cmd = exec.Command("kubectl", "label", "--overwrite", "crds", crdName, label) //#nosec G204:gosec
 		} else {
-			cmd = exec.Command("kubectl", kubectlArgs, "label", "--overwrite", "crds", crdName, label) // #nosec G204:gosec
+			cmd = exec.Command("kubectl", kubectlArgs, "label", "--overwrite", "crds", crdName, label) //#nosec G204:gosec
 		}
 		err := cmd.Run()
 		Expect(err).To(BeNil(), "Cannot label BMO CRDs")
@@ -509,7 +509,8 @@ func rePivoting(ctx context.Context, inputGetter func() RePivotingInput) {
 	if ephemeralCluster == Kind {
 		bmoPath := input.E2EConfig.GetVariable("BMOPATH")
 		ironicCommand := bmoPath + "/tools/run_local_ironic.sh"
-		cmd := exec.Command("sh", "-c", "export CONTAINER_RUNTIME=docker; "+ironicCommand) // #nosec G204:gosec
+		//#nosec G204:gosec
+		cmd := exec.Command("sh", "-c", "export CONTAINER_RUNTIME=docker; "+ironicCommand)
 		stdoutStderr, err := cmd.CombinedOutput()
 		fmt.Printf("%s\n", stdoutStderr)
 		Expect(err).To(BeNil(), "Cannot run local ironic")
@@ -621,11 +622,11 @@ func fetchContainerLogs(containerNames *[]string, folder string, containerComman
 		cmd := exec.Command("sudo", containerCommand, "logs", name) // #nosec G204:gosec
 		out, err := cmd.Output()
 		if err != nil {
-			writeErr := os.WriteFile(filepath.Join(logDir, "stderr.log"), []byte(err.Error()), 0444)
+			writeErr := os.WriteFile(filepath.Join(logDir, "stderr.log"), []byte(err.Error()), 0400)
 			Expect(writeErr).ToNot(HaveOccurred())
 			log.Fatal(err)
 		}
-		writeErr := os.WriteFile(filepath.Join(logDir, "stdout.log"), out, 0444)
+		writeErr := os.WriteFile(filepath.Join(logDir, "stdout.log"), out, 0400)
 		Expect(writeErr).ToNot(HaveOccurred())
 	}
 }

test/e2e/upgrade_clusterctl_test.go

@@ -331,7 +331,7 @@ func preCleanupManagementCluster(clusterProxy framework.ClusterProxy) {
 	// Fetch logs from management cluster
 	By("Fetch logs from management cluster")
 	path := filepath.Join(os.Getenv("CAPM3PATH"), "scripts")
-	cmd := exec.Command("./fetch_target_logs.sh") // #nosec G204:gosec
+	cmd := exec.Command("./fetch_target_logs.sh") //#nosec G204:gosec
 	cmd.Dir = path
 	errorPipe, _ := cmd.StderrPipe()
 	_ = cmd.Start()