Fix gosec warnings in all packages #31310

Closed
6 of 7 tasks
s3nt3 opened this issue Jan 5, 2022 · 0 comments
Labels
type/enhancement The issue or PR belongs to an enhancement.

Comments

@s3nt3
Copy link
Contributor

s3nt3 commented Jan 5, 2022

gosec is a static analysis tool which can help us automatically identify some basic security issues. We use some rules to scan TiDB (some rules are temporarily disabled and will be selectively enabled in the future), and the warning messages are summarized as follows:

  • G101 - CWE 798 (8 warnings): hardcoded credentials
  • G102 - CWE 200 (1 warning): bind to all interfaces
  • G107 - CWE 88 (1 warning): URL provided to HTTP request as taint input
  • G109 - CWE 190 (1 warning): converting strconv.Atoi result to int32/int16
  • G201/G202 - CWE 89 (8 warnings): insecure SQL query construction using format string/concatenation
  • G301/G302 - CWE 276 (12 warnings): poor file permissions used when creating a directory/file
  • G402 - CWE 295 (1 warning): bad TLS connection settings

Fixing these warnings will help improve security, and these fixing tasks are relatively simple, which makes them suitable for anyone who would like to start contributing to TiDB. The maintainers of related modules and community members are welcome to join in and help resolve these warnings.

Scan using specific rules, for example G101:

$ gosec -include=G101 ./...
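Each of the rule families listed in the issue has a conventional fix pattern in Go. The block below is an added example, not code from the TiDB repository or from the issue author, showing the hardened form for G109 (bounded integer parsing), G301/G302 (directory and file permissions), G402 (TLS minimum version) and G107 (validating a URL before it reaches an HTTP client). The function names, the temporary file path and the host allowlist are assumptions made for illustration; nothing here reflects how the TiDB code base actually resolved the warnings.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strconv"
)

// parseInt32 is the hardened form of the G109 pattern. Writing
// int32(v) after strconv.Atoi silently truncates values above 2^31-1;
// parsing with an explicit 32-bit bound turns out-of-range input into
// an error instead.
func parseInt32(s string) (int32, error) {
	v, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("parse int32 %q: %w", s, err)
	}
	return int32(v), nil
}

// writePrivateFile addresses G301/G302: the parent directory is created
// with 0750 and the file with 0600, rather than the 0755/0644 modes that
// gosec flags. The chmod at the end tightens a file that already existed
// with a wider mode, since OpenFile's mode only applies on creation.
func writePrivateFile(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o750); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return err
	}
	return f.Chmod(0o600)
}

// serverTLSConfig addresses G402: a zero MinVersion leaves the choice to
// the library default, so the floor is pinned to TLS 1.2 explicitly.
func serverTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// validateFetchURL addresses G107: a URL that originates from untrusted
// input is parsed and checked against a scheme and a host allowlist
// (assumed here) before it is ever handed to an HTTP client.
func validateFetchURL(raw string, allowedHosts map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse url: %w", err)
	}
	if u.Scheme != "https" {
		return nil, errors.New("only https URLs are allowed")
	}
	if !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("host %q is not in the allowlist", u.Hostname())
	}
	return u, nil
}

func main() {
	// Constructed inputs for a stand-alone run.
	if _, err := parseInt32("2147483648"); err != nil {
		fmt.Println("G109:", err)
	}
	tmp := filepath.Join(os.TempDir(), "gosec-example", "secret.txt")
	if err := writePrivateFile(tmp, []byte("constructed secret\n")); err != nil {
		fmt.Println("G302:", err)
	}
	fmt.Printf("G402: MinVersion=%#x\n", serverTLSConfig().MinVersion)
	allowed := map[string]bool{"example.com": true}
	if _, err := validateFetchURL("http://example.com/x", allowed); err != nil {
		fmt.Println("G107:", err)
	}
}
```

Running gosec with `-include=G109,G301,G302,G402,G107` over a file like this reports nothing, whereas the `int32(strconv.Atoi(...))`, `os.MkdirAll(dir, 0755)`, `&tls.Config{}` and `http.Get(userInput)` forms each trigger the corresponding rule.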