From 86d7d4026ac1308ca37ce990029a523fe0e88221 Mon Sep 17 00:00:00 2001
From: joccau <zak.zhao@pingcap.com>
Date: Tue, 21 Dec 2021 11:43:20 +0800
Subject: [PATCH 1/2] Enable lint gosec in br

Signed-off-by: joccau <zak.zhao@pingcap.com>
---
 .golangci_br.yml                            |  9 ++++++++-
 br/pkg/lightning/backend/kv/sql2kv.go       |  4 ++--
 br/pkg/lightning/checkpoints/checkpoints.go |  6 ++++--
 br/pkg/lightning/common/security.go         |  2 +-
 br/pkg/lightning/lightning.go               |  2 +-
 br/pkg/lightning/restore/meta_manager.go    | 11 ++++++-----
 br/pkg/mock/mock_cluster.go                 |  2 +-
 br/pkg/storage/hdfs.go                      |  1 +
 br/pkg/utils/pprof.go                       |  2 +-
 9 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/.golangci_br.yml b/.golangci_br.yml
index 28bbba74f749f..835a88488e7a3 100644
--- a/.golangci_br.yml
+++ b/.golangci_br.yml
@@ -26,7 +26,6 @@ linters:
     - exhaustivestruct
     - exhaustive
     - godot
-    - gosec
     - errorlint
     - wrapcheck
     - gomoddirectives
@@ -81,3 +80,11 @@ linters-settings:
 
 issues:
   exclude-rules:
+    - path: br/tests/
+      linters:
+        - gosec
+        - errcheck
+    - path: _test\.go
+      linters:
+        - gosec
+    
diff --git a/br/pkg/lightning/backend/kv/sql2kv.go b/br/pkg/lightning/backend/kv/sql2kv.go
index 45fd0ab664f50..658ad77d51d08 100644
--- a/br/pkg/lightning/backend/kv/sql2kv.go
+++ b/br/pkg/lightning/backend/kv/sql2kv.go
@@ -79,7 +79,7 @@ func NewTableKVEncoder(tbl table.Table, options *SessionOptions) (Encoder, error
 		for _, col := range cols {
 			if mysql.HasPriKeyFlag(col.Flag) {
 				incrementalBits := autoRandomIncrementBits(col, int(meta.AutoRandomBits))
-				autoRandomBits := rand.New(rand.NewSource(options.AutoRandomSeed)).Int63n(1<<meta.AutoRandomBits) << incrementalBits
+				autoRandomBits := rand.New(rand.NewSource(options.AutoRandomSeed)).Int63n(1<<meta.AutoRandomBits) << incrementalBits // nolint:gosec
 				autoIDFn = func(id int64) int64 {
 					return autoRandomBits | id
 				}
@@ -87,7 +87,7 @@ func NewTableKVEncoder(tbl table.Table, options *SessionOptions) (Encoder, error
 			}
 		}
 	} else if meta.ShardRowIDBits > 0 {
-		rd := rand.New(rand.NewSource(options.AutoRandomSeed))
+		rd := rand.New(rand.NewSource(options.AutoRandomSeed)) // nolint:gosec
 		mask := int64(1)<<meta.ShardRowIDBits - 1
 		shift := autoid.RowIDBitLength - meta.ShardRowIDBits - 1
 		autoIDFn = func(id int64) int64 {
diff --git a/br/pkg/lightning/checkpoints/checkpoints.go b/br/pkg/lightning/checkpoints/checkpoints.go
index d903c99982aa1..a39a24098cbd4 100644
--- a/br/pkg/lightning/checkpoints/checkpoints.go
+++ b/br/pkg/lightning/checkpoints/checkpoints.go
@@ -990,7 +990,7 @@ func (cpdb *FileCheckpointsDB) save() error {
 	// because `os.WriteFile` is not atomic, directly write into it may reset the file
 	// to an empty file if write is not finished.
 	tmpPath := cpdb.path + ".tmp"
-	if err := os.WriteFile(tmpPath, serialized, 0o644); err != nil {
+	if err := os.WriteFile(tmpPath, serialized, 0o644); err != nil { // nolint:gosec
 		return errors.Trace(err)
 	}
 	if err := os.Rename(tmpPath, cpdb.path); err != nil {
@@ -1301,6 +1301,8 @@ func (cpdb *MySQLCheckpointsDB) GetLocalStoringTables(ctx context.Context) (map[
 	// 1. table status is earlier than CheckpointStatusIndexImported, and
 	// 2. engine status is earlier than CheckpointStatusImported, and
 	// 3. chunk has been read
+
+	// nolint:gosec
 	query := fmt.Sprintf(`
 		SELECT DISTINCT t.table_name, c.engine_id
 		FROM %s.%s t, %s.%s c, %s.%s e
@@ -1386,7 +1388,7 @@ func (cpdb *MySQLCheckpointsDB) DestroyErrorCheckpoint(ctx context.Context, tabl
 		colName = columnTableName
 		aliasedColName = "t.table_name"
 	}
-
+	// nolint:gosec
 	selectQuery := fmt.Sprintf(`
 		SELECT
 			t.table_name,
diff --git a/br/pkg/lightning/common/security.go b/br/pkg/lightning/common/security.go
index 2e7739512bba1..08718ce1d1406 100644
--- a/br/pkg/lightning/common/security.go
+++ b/br/pkg/lightning/common/security.go
@@ -72,7 +72,7 @@ func ToTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error) {
 		return nil, errors.New("failed to append ca certs")
 	}
 
-	return &tls.Config{
+	return &tls.Config{ // nolint:gosec
 		Certificates: certificates,
 		RootCAs:      certPool,
 		NextProtos:   []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
diff --git a/br/pkg/lightning/lightning.go b/br/pkg/lightning/lightning.go
index 9fc40cdf77144..f067a535faa85 100644
--- a/br/pkg/lightning/lightning.go
+++ b/br/pkg/lightning/lightning.go
@@ -789,7 +789,7 @@ func CleanupMetas(ctx context.Context, cfg *config.Config, tableName string) err
 func UnsafeCloseEngine(ctx context.Context, importer backend.Backend, engine string) (*backend.ClosedEngine, error) {
 	if index := strings.LastIndexByte(engine, ':'); index >= 0 {
 		tableName := engine[:index]
-		engineID, err := strconv.Atoi(engine[index+1:])
+		engineID, err := strconv.Atoi(engine[index+1:]) // nolint:gosec
 		if err != nil {
 			return nil, errors.Trace(err)
 		}
diff --git a/br/pkg/lightning/restore/meta_manager.go b/br/pkg/lightning/restore/meta_manager.go
index 544b91c0b5f90..acc74fa3e1261 100644
--- a/br/pkg/lightning/restore/meta_manager.go
+++ b/br/pkg/lightning/restore/meta_manager.go
@@ -180,7 +180,7 @@ func (m *dbTableMetaMgr) AllocTableRowIDs(ctx context.Context, rawRowIDMax int64
 	}
 	needAutoID := common.TableHasAutoRowID(m.tr.tableInfo.Core) || m.tr.tableInfo.Core.GetAutoIncrementColInfo() != nil || m.tr.tableInfo.Core.ContainsAutoRandomBits()
 	err = exec.Transact(ctx, "init table allocator base", func(ctx context.Context, tx *sql.Tx) error {
-		query := fmt.Sprintf("SELECT task_id, row_id_base, row_id_max, total_kvs_base, total_bytes_base, checksum_base, status from %s WHERE table_id = ? FOR UPDATE", m.tableName)
+		query := fmt.Sprintf("SELECT task_id, row_id_base, row_id_max, total_kvs_base, total_bytes_base, checksum_base, status from %s WHERE table_id = ? FOR UPDATE", m.tableName) // nolint:gosec
 		rows, err := tx.QueryContext(ctx, query, m.tr.tableInfo.ID)
 		if err != nil {
 			return errors.Trace(err)
@@ -381,6 +381,7 @@ func (m *dbTableMetaMgr) CheckAndUpdateLocalChecksum(ctx context.Context, checks
 	needChecksum = true
 	needRemoteDupe = true
 	err = exec.Transact(ctx, "checksum pre-check", func(ctx context.Context, tx *sql.Tx) error {
+		// nolint:gosec
 		query := fmt.Sprintf("SELECT task_id, total_kvs_base, total_bytes_base, checksum_base, total_kvs, total_bytes, checksum, status, has_duplicates from %s WHERE table_id = ? FOR UPDATE", m.tableName)
 		rows, err := tx.QueryContext(ctx, query, m.tr.tableInfo.ID)
 		if err != nil {
@@ -593,7 +594,7 @@ func (m *dbTaskMetaMgr) CheckTaskExist(ctx context.Context) (bool, error) {
 	// avoid override existing metadata if the meta is already inserted.
 	exist := false
 	err := exec.Transact(ctx, "check whether this task has started before", func(ctx context.Context, tx *sql.Tx) error {
-		query := fmt.Sprintf("SELECT task_id from %s WHERE task_id = %d", m.tableName, m.taskID)
+		query := fmt.Sprintf("SELECT task_id from %s WHERE task_id = %d", m.tableName, m.taskID) // nolint:gosec
 		rows, err := tx.QueryContext(ctx, query)
 		if err != nil {
 			return errors.Annotate(err, "fetch task meta failed")
@@ -635,7 +636,7 @@ func (m *dbTaskMetaMgr) CheckTasksExclusively(ctx context.Context, action func(t
 		return errors.Annotate(err, "enable pessimistic transaction failed")
 	}
 	return exec.Transact(ctx, "check tasks exclusively", func(ctx context.Context, tx *sql.Tx) error {
-		query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state, source_bytes, cluster_avail from %s FOR UPDATE", m.tableName)
+		query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state, source_bytes, cluster_avail from %s FOR UPDATE", m.tableName) // nolint:gosec
 		rows, err := tx.QueryContext(ctx, query)
 		if err != nil {
 			return errors.Annotate(err, "fetch task metas failed")
@@ -695,7 +696,7 @@ func (m *dbTaskMetaMgr) CheckAndPausePdSchedulers(ctx context.Context) (pdutil.U
 	paused := false
 	var pausedCfg storedCfgs
 	err = exec.Transact(ctx, "check and pause schedulers", func(ctx context.Context, tx *sql.Tx) error {
-		query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state from %s FOR UPDATE", m.tableName)
+		query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state from %s FOR UPDATE", m.tableName) // nolint:gosec
 		rows, err := tx.QueryContext(ctx, query)
 		if err != nil {
 			return errors.Annotate(err, "fetch task meta failed")
@@ -821,7 +822,7 @@ func (m *dbTaskMetaMgr) CheckAndFinishRestore(ctx context.Context, finished bool
 	switchBack := true
 	allFinished := finished
 	err = exec.Transact(ctx, "check and finish schedulers", func(ctx context.Context, tx *sql.Tx) error {
-		query := fmt.Sprintf("SELECT task_id, status, state from %s FOR UPDATE", m.tableName)
+		query := fmt.Sprintf("SELECT task_id, status, state from %s FOR UPDATE", m.tableName) // nolint:gosec
 		rows, err := tx.QueryContext(ctx, query)
 		if err != nil {
 			return errors.Annotate(err, "fetch task meta failed")
diff --git a/br/pkg/mock/mock_cluster.go b/br/pkg/mock/mock_cluster.go
index d1ece26505d05..680364aa43fdb 100644
--- a/br/pkg/mock/mock_cluster.go
+++ b/br/pkg/mock/mock_cluster.go
@@ -207,7 +207,7 @@ func waitUntilServerOnline(addr string, statusPort uint) string {
 	// connect http status
 	statusURL := fmt.Sprintf("http://127.0.0.1:%d/status", statusPort)
 	for retry = 0; retry < retryTime; retry++ {
-		resp, err := http.Get(statusURL) // nolint:noctx
+		resp, err := http.Get(statusURL) // nolint:gosec
 		if err == nil {
 			// Ignore errors.
 			_, _ = io.ReadAll(resp.Body)
diff --git a/br/pkg/storage/hdfs.go b/br/pkg/storage/hdfs.go
index cbcc24088292f..d2b3d996047ce 100644
--- a/br/pkg/storage/hdfs.go
+++ b/br/pkg/storage/hdfs.go
@@ -49,6 +49,7 @@ func dfsCommand(args ...string) (*exec.Cmd, error) {
 	}
 	cmd = append(cmd, bin, "dfs")
 	cmd = append(cmd, args...)
+	//nolint:gosec
 	return exec.Command(cmd[0], cmd[1:]...), nil
 }
 
diff --git a/br/pkg/utils/pprof.go b/br/pkg/utils/pprof.go
index 684d974174d7d..efa25389b80d8 100644
--- a/br/pkg/utils/pprof.go
+++ b/br/pkg/utils/pprof.go
@@ -11,7 +11,7 @@ import (
 	// #nosec
 	// register HTTP handler for /debug/pprof
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" // nolint:gosec
 
 	"github.com/pingcap/errors"
 	"github.com/pingcap/failpoint"

From 1932e742d3d8d44a84a8ed8731baf57e474f13f9 Mon Sep 17 00:00:00 2001
From: joccau <zak.zhao@pingcap.com>
Date: Fri, 24 Dec 2021 22:22:54 +0800
Subject: [PATCH 2/2] Deal comments in pr

Signed-off-by: joccau <zak.zhao@pingcap.com>
---
 br/pkg/mock/mock_cluster.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/br/pkg/mock/mock_cluster.go b/br/pkg/mock/mock_cluster.go
index 680364aa43fdb..387887a7f1b12 100644
--- a/br/pkg/mock/mock_cluster.go
+++ b/br/pkg/mock/mock_cluster.go
@@ -207,7 +207,7 @@ func waitUntilServerOnline(addr string, statusPort uint) string {
 	// connect http status
 	statusURL := fmt.Sprintf("http://127.0.0.1:%d/status", statusPort)
 	for retry = 0; retry < retryTime; retry++ {
-		resp, err := http.Get(statusURL) // nolint:gosec
+		resp, err := http.Get(statusURL) // nolint:noctx,gosec
 		if err == nil {
 			// Ignore errors.
 			_, _ = io.ReadAll(resp.Body)