From e446b261b6fcafb41f8dc171c3a7c33aba33cd75 Mon Sep 17 00:00:00 2001
From: WaqarAhmedVC <122815219+WaqarAhmedVC@users.noreply.github.com>
Date: Wed, 22 May 2024 11:26:31 +0100
Subject: [PATCH 1/5] Create gosec.yml
---
.github/workflows/gosec.yml | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 .github/workflows/gosec.yml
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
new file mode 100644
index 000000000..9355a3857
--- /dev/null
+++ b/.github/workflows/gosec.yml
@@ -0,0 +1,26 @@
+name: Run Gosec
+on:
+ push:
+ branches:
+ - master
+ - add-gosec
+ pull_request:
+ branches:
+ - master
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v3
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ args: '-no-fail -fmt sarif -out results.sarif ./...'
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
From 6447b9efb28c41fcccdd68d767b8ac23b4ae7e8a Mon Sep 17 00:00:00 2001
From: WaqarAhmedVC <122815219+WaqarAhmedVC@users.noreply.github.com>
Date: Fri, 24 May 2024 09:46:13 +0100
Subject: [PATCH 2/5] Update gosec.yml
---
.github/workflows/gosec.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 9355a3857..26883a9a4 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -20,7 +20,7 @@ jobs:
 with:
 args: '-no-fail -fmt sarif -out results.sarif ./...'
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: results.sarif
From eeeccdb3fe9b699413a459ad78475920302b3bde Mon Sep 17 00:00:00 2001
From: WaqarAhmedVC <122815219+WaqarAhmedVC@users.noreply.github.com>
Date: Fri, 24 May 2024 10:31:57 +0100
Subject: [PATCH 3/5] add gosec to .golangci.yml
---
.golangci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.golangci.yml b/.golangci.yml
index cb30087d8..b9c99c667 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -24,6 +24,7 @@ linters:
 - durationcheck
 - exportloopref
 - whitespace
+ - gosec
 # - structcheck # lots of false positives
 # - errcheck #lot of false positives
From eea95a5dc1fd9636297ca9d14772a8faabe1f710 Mon Sep 17 00:00:00 2001
From: WaqarAhmedVC <122815219+WaqarAhmedVC@users.noreply.github.com>
Date: Fri, 24 May 2024 10:32:41 +0100
Subject: [PATCH 4/5] Delete .github/workflows/gosec.yml
delete standalone gosec
---
.github/workflows/gosec.yml | 26 --------------------------
1 file changed, 26 deletions(-)
delete mode 100644 .github/workflows/gosec.yml
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
deleted file mode 100644
index 26883a9a4..000000000
--- a/.github/workflows/gosec.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Run Gosec
-on:
- push:
- branches:
- - master
- - add-gosec
- pull_request:
- branches:
- - master
-jobs:
- tests:
- runs-on: ubuntu-latest
- env:
- GO111MODULE: on
- steps:
- - name: Checkout Source
- uses: actions/checkout@v3
- - name: Run Gosec Security Scanner
- uses: securego/gosec@master
- with:
- args: '-no-fail -fmt sarif -out results.sarif ./...'
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v3
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: results.sarif
From dbe4c1d4bb6d4232bd767612857356508d8bd391 Mon Sep 17 00:00:00 2001
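Review bot: `gosec` is enabled here with default settings and no path-scoped exclusion, and the follow-up commit in this series then silences it line by line in roughly thirty `_test.go` locations (G404 on `math/rand`, G107 on variable URLs, and similar), which buries the handful of production findings in test noise. An `issues.exclude-rules` entry with `path: _test\.go` and `linters: [gosec]` (or a narrower `text:` match on the rule ids you accept in tests) keeps the linter meaningful for non-test code while leaving production suppressions as the only ones that need a written justification. The enclosing `linters:` list is only partly visible in the hunk.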
From: otherview
Date: Fri, 24 May 2024 11:18:26 +0100
Subject: [PATCH 5/5] fixing lint
---
api/accounts/accounts_test.go | 4 ++--
api/blocks/blocks_test.go | 2 +-
api/debug/debug_test.go | 2 +-
api/events/events_test.go | 2 +-
api/node/node_test.go | 2 +-
api/transactions/transactions_test.go | 4 ++--
api/transfers/transfers_test.go | 2 +-
block/header_test.go | 12 ++++++------
cache/prio_cache_test.go | 6 +++---
cache/rnd_cache.go | 4 ++--
cmd/thor/node/tx_stash_test.go | 2 +-
cmd/thor/solo/solo.go | 2 +-
cmd/thor/utils.go | 2 +-
comm/peer.go | 2 +-
p2psrv/rpc/rpc.go | 2 +-
runtime/statedb/statedb_test.go | 2 +-
state/cached_object_test.go | 2 +-
test/datagen/numbers.go | 4 ++--
thor/hash_test.go | 4 ++--
trie/iterator_test.go | 2 +-
trie/proof_test.go | 6 +++---
trie/trie_test.go | 2 +-
tx/block_ref_test.go | 2 +-
tx/reserved_test.go | 2 +-
txpool/blocklist_test.go | 2 +-
txpool/tx_object_test.go | 4 ++--
txpool/tx_pool.go | 2 +-
27 files changed, 42 insertions(+), 42 deletions(-)
diff --git a/api/accounts/accounts_test.go b/api/accounts/accounts_test.go
index 1feb89043..67ce4cd84 100644
--- a/api/accounts/accounts_test.go
+++ b/api/accounts/accounts_test.go
@@ -527,7 +527,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 if err != nil {
 t.Fatal(err)
 }
- res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+ res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
@@ -540,7 +540,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 }
 func httpGet(t *testing.T, url string) ([]byte, int) {
- res, err := http.Get(url)
+ res, err := http.Get(url) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/blocks/blocks_test.go b/api/blocks/blocks_test.go
index 26a947a73..c2b676422 100644
--- a/api/blocks/blocks_test.go
+++ b/api/blocks/blocks_test.go
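Review bot: The directive is spelled `// nolint:gosec` with a space after `//`, while other hunks in this same commit use `// nolint: gosec` (api/transactions, api/transfers, cache/prio_cache_test, txpool/blocklist_test); golangci-lint's documented form is `//nolint:gosec`, and the nolintlint linter reports the spaced variants when it is enabled. None of the suppressions in this commit carries a reason, so a later reader cannot tell a deliberate exception from a finding that was simply silenced; the explanation form `//nolint:gosec // test helper, URL points at the local test server` makes each one reviewable. httpPost starts outside the hunk.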
@@ -237,7 +237,7 @@ func checkExpandedBlock(t *testing.T, expBl *block.Block, actBl *blocks.JSONExpa
 }
 func httpGet(t *testing.T, url string) ([]byte, int) {
- res, err := http.Get(url)
+ res, err := http.Get(url) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/debug/debug_test.go b/api/debug/debug_test.go
index 0ac47003d..b7534bf67 100644
--- a/api/debug/debug_test.go
+++ b/api/debug/debug_test.go
@@ -509,7 +509,7 @@ func httpPostAndCheckResponseStatus(t *testing.T, url string, obj interface{}, r
 if err != nil {
 t.Fatal(err)
 }
- res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+ res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/events/events_test.go b/api/events/events_test.go
index 7b4e2e4d0..0920225d9 100644
--- a/api/events/events_test.go
+++ b/api/events/events_test.go
@@ -160,7 +160,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 if err != nil {
 t.Fatal(err)
 }
- res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+ res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/node/node_test.go b/api/node/node_test.go
index 7952415a3..90857d0d0 100644
--- a/api/node/node_test.go
+++ b/api/node/node_test.go
@@ -56,7 +56,7 @@ func initCommServer(t *testing.T) {
 }
 func httpGet(t *testing.T, url string) []byte {
- res, err := http.Get(url)
+ res, err := http.Get(url) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/transactions/transactions_test.go b/api/transactions/transactions_test.go
index a96f94585..c53a68e26 100644
--- a/api/transactions/transactions_test.go
+++ b/api/transactions/transactions_test.go
@@ -258,7 +258,7 @@ func httpPostAndCheckResponseStatus(t *testing.T, url string, obj interface{}, r
 if err != nil {
 t.Fatal(err)
 }
- res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+ res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint: gosec
 if err != nil {
 t.Fatal(err)
 }
@@ -364,7 +364,7 @@ func checkMatchingTx(t *testing.T, expectedTx *tx.Transaction, actualTx *transac
 }
 func httpGetAndCheckResponseStatus(t *testing.T, url string, responseStatusCode int) []byte {
- res, err := http.Get(url)
+ res, err := http.Get(url) // nolint:gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/api/transfers/transfers_test.go b/api/transfers/transfers_test.go
index 7c24d6504..8c940b90b 100644
--- a/api/transfers/transfers_test.go
+++ b/api/transfers/transfers_test.go
@@ -170,7 +170,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 if err != nil {
 t.Fatal(err)
 }
- res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+ res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint: gosec
 if err != nil {
 t.Fatal(err)
 }
diff --git a/block/header_test.go b/block/header_test.go
index 2ab93a857..c167504f8 100644
--- a/block/header_test.go
+++ b/block/header_test.go
@@ -63,7 +63,7 @@ func TestHeader_BetterThan(t *testing.T) {
 func TestHeaderEncoding(t *testing.T) {
 var sig [65]byte
- rand.Read(sig[:])
+ rand.Read(sig[:]) // nolint:gosec
 block := new(Builder).Build().WithSignature(sig[:])
 h := block.Header()
@@ -86,8 +86,8 @@ func TestHeaderEncoding(t *testing.T) {
 var proof [81]byte
 var alpha [32]byte
- rand.Read(proof[:])
- rand.Read(alpha[:])
+ rand.Read(proof[:]) // nolint:gosec
+ rand.Read(alpha[:]) // nolint:gosec
 complex, err := NewComplexSignature(sig[:], proof[:])
 if err != nil {
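Review bot: `rand.Read(sig[:])` is suppressed rather than replaced; if `rand` in this file is `math/rand`, its `Read` has been deprecated since Go 1.20 in favour of `crypto/rand.Read`, and switching the import removes the G404 finding without any directive. The same applies to the other `rand.Read` calls in the block/header_test.go hunks and to state/cached_object_test.go and tx/block_ref_test.go in this commit. The return values are also discarded on every one of these lines; with crypto/rand the call would become `if _, err := rand.Read(sig[:]); err != nil { t.Fatal(err) }`. TestHeaderEncoding continues outside the hunk.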
@@ -110,7 +110,7 @@ func TestHeaderEncoding(t *testing.T) {
 // type extension struct{Alpha []byte}
 func TestEncodingBadExtension(t *testing.T) {
 var sig [65]byte
- rand.Read(sig[:])
+ rand.Read(sig[:]) // nolint:gosec
 block := new(Builder).Build().WithSignature(sig[:])
 h := block.Header()
@@ -157,8 +157,8 @@ func TestEncodingBadExtension(t *testing.T) {
 func TestEncodingExtension(t *testing.T) {
 var sig [ComplexSigSize]byte
 var alpha [32]byte
- rand.Read(sig[:])
- rand.Read(alpha[:])
+ rand.Read(sig[:]) // nolint:gosec
+ rand.Read(alpha[:]) // nolint:gosec
 block := new(Builder).Alpha(alpha[:]).Build().WithSignature(sig[:])
 h := block.Header()
diff --git a/cache/prio_cache_test.go b/cache/prio_cache_test.go
index 4ade4da03..79c6d19d9 100644
--- a/cache/prio_cache_test.go
+++ b/cache/prio_cache_test.go
@@ -46,9 +46,9 @@ func TestPrioCache(t *testing.T) {
 for i := 0; i < 100; i++ {
 e := kvp{
- rand.Int(),
- rand.Int(),
- rand.Float64()}
+ rand.Int(), // nolint: gosec
+ rand.Int(), // nolint:gosec
+ rand.Float64()} // nolint:gosec
 kvps = append(kvps, e)
 c.Set(e.k, e.v, e.p)
 }
diff --git a/cache/rnd_cache.go b/cache/rnd_cache.go
index 661546497..8310d3c15 100644
--- a/cache/rnd_cache.go
+++ b/cache/rnd_cache.go
@@ -106,7 +106,7 @@ func (rc *RandCache) Pick() *Entry {
 if len(rc.s) == 0 {
 return nil
 }
- ent := rc.s[rand.Intn(len(rc.s))]
+ ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
 cpy := ent.Entry
 return &cpy
 }
@@ -141,6 +141,6 @@ func (rc *RandCache) randDrop() {
 if len(rc.s) == 0 {
 return
 }
- ent := rc.s[rand.Intn(len(rc.s))]
+ ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
 rc.remove(ent.Key)
 }
diff --git a/cmd/thor/node/tx_stash_test.go b/cmd/thor/node/tx_stash_test.go
index d4bb7b255..a573b682a 100644
--- a/cmd/thor/node/tx_stash_test.go
+++ b/cmd/thor/node/tx_stash_test.go
@@ -20,7 +20,7 @@ import (
 )
 func newTx() *tx.Transaction {
- tx := new(tx.Builder).Nonce(rand.Uint64()).Build()
+ tx := new(tx.Builder).Nonce(rand.Uint64()).Build() // nolint:gosec
 sig, _ := crypto.Sign(tx.SigningHash().Bytes(), genesis.DevAccounts()[0].PrivateKey)
 return tx.WithSignature(sig)
 }
diff --git a/cmd/thor/solo/solo.go b/cmd/thor/solo/solo.go
index 830184298..cee0eb7bc 100644
--- a/cmd/thor/solo/solo.go
+++ b/cmd/thor/solo/solo.go
@@ -263,7 +263,7 @@ func (s *Solo) newTx(clauses []*tx.Clause, from genesis.DevAccount) (*tx.Transac
 newTx := builder.BlockRef(tx.NewBlockRef(0)).
 Expiration(math.MaxUint32).
- Nonce(rand.Uint64()).
+ Nonce(rand.Uint64()). // nolint:gosec
 DependsOn(nil).
 Gas(1_000_000).
 Build()
diff --git a/cmd/thor/utils.go b/cmd/thor/utils.go
index f85f4b203..4057e700a 100644
--- a/cmd/thor/utils.go
+++ b/cmd/thor/utils.go
@@ -485,7 +485,7 @@ func startAPIServer(ctx *cli.Context, handler http.Handler, genesisID thor.Bytes
 handler = handleXGenesisID(handler, genesisID)
 handler = handleXThorestVersion(handler)
 handler = requestBodyLimit(handler)
- srv := &http.Server{Handler: handler}
+ srv := &http.Server{Handler: handler, ReadHeaderTimeout: time.Second, ReadTimeout: 5 * time.Second}
 var goes co.Goes
 goes.Go(func() {
 srv.Serve(listener)
diff --git a/comm/peer.go b/comm/peer.go
index b5f397a84..b01d1b1b2 100644
--- a/comm/peer.go
+++ b/comm/peer.go
@@ -84,7 +84,7 @@ func (p *Peer) UpdateHead(id thor.Bytes32, totalScore uint64) {
 // MarkTransaction marks a transaction to known.
 func (p *Peer) MarkTransaction(hash thor.Bytes32) {
 // that's 10~100 block intervals
- expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10)))
+ expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10))) // nolint:gosec
 deadline := mclock.Now() + expiration
 p.knownTxs.Add(hash, deadline)
diff --git a/p2psrv/rpc/rpc.go b/p2psrv/rpc/rpc.go
index a7d6fdecf..ab7dcff91 100644
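Review bot: The new `http.Server` literal in cmd/thor/utils.go adds read-side timeouts but still sets no `WriteTimeout`, so a client that drains its response slowly can keep a handler goroutine and its connection open indefinitely; note also that with `IdleTimeout` left zero the 5s `ReadTimeout` silently doubles as the keep-alive idle timeout, which may be intended but deserves a comment. If this server also carries long-lived responses (for example websocket subscriptions), a server-wide `WriteTimeout` would cut them off, so the write deadline is better applied per route (`http.TimeoutHandler`, or `http.ResponseController.SetWriteDeadline` in the streaming handlers) than on the server struct. The two literal durations would read better as named constants, and the `srv.Serve(listener)` call on the context line still discards its error, which hides listener failures from the log. startAPIServer's body continues outside the hunk.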
--- a/p2psrv/rpc/rpc.go
+++ b/p2psrv/rpc/rpc.go
@@ -158,7 +158,7 @@ func (r *RPC) prepareCall(msgCode uint64, onResult func(*p2p.Msg) error) uint32
 r.lock.Lock()
 defer r.lock.Unlock()
 for {
- id := rand.Uint32()
+ id := rand.Uint32() // nolint:gosec
 if id == 0 {
 // 0 id is taken by Notify
 continue
diff --git a/runtime/statedb/statedb_test.go b/runtime/statedb/statedb_test.go
index 89fd592a1..578850c4d 100644
--- a/runtime/statedb/statedb_test.go
+++ b/runtime/statedb/statedb_test.go
@@ -134,7 +134,7 @@ func newTestAction(addr common.Address, r *rand.Rand) testAction {
 nameargs = append(nameargs, addr.Hex())
 }
 for _, i := range action.args {
- action.args[i] = rand.Int63n(100)
+ action.args[i] = rand.Int63n(100) // nolint:gosec
 nameargs = append(nameargs, fmt.Sprint(action.args[i]))
 }
 action.name += strings.Join(nameargs, ", ")
diff --git a/state/cached_object_test.go b/state/cached_object_test.go
index 6527bcad2..b1db7464c 100644
--- a/state/cached_object_test.go
+++ b/state/cached_object_test.go
@@ -41,7 +41,7 @@ func TestCachedObject(t *testing.T) {
 assert.Nil(t, err)
 code := make([]byte, 100)
- rand.Read(code)
+ rand.Read(code) // nolint:gosec
 codeHash := thor.Keccak256(code).Bytes()
 db.NewStore(codeStoreName).Put(codeHash, code)
diff --git a/test/datagen/numbers.go b/test/datagen/numbers.go
index cd953948d..e49a4613d 100644
--- a/test/datagen/numbers.go
+++ b/test/datagen/numbers.go
@@ -10,9 +10,9 @@ import (
 )
 func RandInt() int {
- return mathrand.Int()
+ return mathrand.Int() // nolint:gosec
 }
 func RandIntN(n int) int {
- return mathrand.Intn(n)
+ return mathrand.Intn(n) // nolint:gosec
 }
diff --git a/thor/hash_test.go b/thor/hash_test.go
index 68e2afc4e..c34d32cd1 100644
--- a/thor/hash_test.go
+++ b/thor/hash_test.go
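Review bot: In runtime/statedb/statedb_test.go, `action.args[i] = rand.Int63n(100)` draws from the package-level generator even though newTestAction receives `r *rand.Rand` in its signature; `action.args[i] = r.Int63n(100)` would use the caller's (presumably seeded) source and, being a method on a `*rand.Rand` rather than a `math/rand` package function, most likely would not trip G404 at all, so the suppression could go. Separately, the context line `for _, i := range action.args` ranges over element values and then uses them as indices: if `args` is a freshly allocated slice of zeros, every iteration writes `args[0]` and the remaining entries stay zero, so `for i := range action.args` is almost certainly what was meant. newTestAction continues outside the hunk.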
@@ -18,7 +18,7 @@ import (
 func BenchmarkHash(b *testing.B) {
 data := make([]byte, 10)
- rand.New(rand.NewSource(1)).Read(data)
+ rand.New(rand.NewSource(1)).Read(data) // nolint:gosec
 b.Run("keccak", func(b *testing.B) {
 type keccakState interface {
@@ -44,7 +44,7 @@ func BenchmarkHash(b *testing.B) {
 func BenchmarkBlake2b(b *testing.B) {
 data := make([]byte, 100)
- rand.New(rand.NewSource(1)).Read(data)
+ rand.New(rand.NewSource(1)).Read(data) // nolint:gosec
 b.Run("Blake2b", func(b *testing.B) {
 for i := 0; i < b.N; i++ {
 thor.Blake2b(data).Bytes()
diff --git a/trie/iterator_test.go b/trie/iterator_test.go
index c5466db63..2e80f8dbe 100644
--- a/trie/iterator_test.go
+++ b/trie/iterator_test.go
@@ -331,7 +331,7 @@ func TestIteratorContinueAfterError(t *testing.T) {
 // because that one is already loaded.
 var rkey []byte
 for {
- if rkey = keys[rand.Intn(len(keys))]; !bytes.Equal(rkey, tr.Hash().Bytes()) {
+ if rkey = keys[rand.Intn(len(keys))]; !bytes.Equal(rkey, tr.Hash().Bytes()) { // nolint:gosec
 break
 }
 }
diff --git a/trie/proof_test.go b/trie/proof_test.go
index 758658688..e26b6a101 100644
--- a/trie/proof_test.go
+++ b/trie/proof_test.go
@@ -79,7 +79,7 @@ func TestVerifyBadProof(t *testing.T) {
 t.Fatal("zero length proof")
 }
 keys := proofs.Keys()
- key := keys[mrand.Intn(len(keys))]
+ key := keys[mrand.Intn(len(keys))] // nolint:gosec
 node, _ := proofs.Get(key)
 proofs.Delete(key)
 mutateByte(node)
@@ -92,8 +92,8 @@ func TestVerifyBadProof(t *testing.T) {
 // mutateByte changes one byte in b.
 func mutateByte(b []byte) {
- for r := mrand.Intn(len(b)); ; {
- new := byte(mrand.Intn(255))
+ for r := mrand.Intn(len(b)); ; { // nolint:gosec
+ new := byte(mrand.Intn(255)) // nolint:gosec
 if new != b[r] {
 b[r] = new
 break
diff --git a/trie/trie_test.go b/trie/trie_test.go
index 22e49354d..0774de81c 100644
--- a/trie/trie_test.go
+++ b/trie/trie_test.go
@@ -546,7 +546,7 @@ func benchUpdate(b *testing.B, e binary.ByteOrder) *Trie {
 // insert into the trie before measuring the hashing.
 func BenchmarkHash(b *testing.B) {
 // Make the random benchmark deterministic
- random := rand.New(rand.NewSource(0))
+ random := rand.New(rand.NewSource(0)) // nolint:gosec
 // Create a realistic account trie to hash
 addresses := make([][20]byte, b.N)
diff --git a/tx/block_ref_test.go b/tx/block_ref_test.go
index e535d76ea..f139cea2d 100644
--- a/tx/block_ref_test.go
+++ b/tx/block_ref_test.go
@@ -21,7 +21,7 @@ func TestBlockRef(t *testing.T) {
 assert.Equal(t, tx.BlockRef{0, 0, 0, 0xff, 0, 0, 0, 0}, tx.NewBlockRef(0xff))
 var bid thor.Bytes32
- rand.Read(bid[:])
+ rand.Read(bid[:]) // nolint:gosec
 br := tx.NewBlockRefFromID(bid)
 assert.Equal(t, bid[:8], br[:])
diff --git a/tx/reserved_test.go b/tx/reserved_test.go
index f2b392022..9af60a9c4 100644
--- a/tx/reserved_test.go
+++ b/tx/reserved_test.go
@@ -25,7 +25,7 @@ func TestReservedEncoding(t *testing.T) {
 }
 for i, c := range cases {
- data, err := rlp.EncodeToBytes(&c.input)
+ data, err := rlp.EncodeToBytes(&c.input) // nolint:gosec
 assert.Nil(t, err, "case #%v", i)
 assert.Equal(t, c.expected, data, "case #%v", i)
 }
diff --git a/txpool/blocklist_test.go b/txpool/blocklist_test.go
index 161721c25..49a4b2db8 100644
--- a/txpool/blocklist_test.go
+++ b/txpool/blocklist_test.go
@@ -26,7 +26,7 @@ func SetupTempFile(t *testing.T, dummyData string) string {
 }
 testFilePath := tempFile.Name()
- err = os.WriteFile(testFilePath, []byte(dummyData), 0644)
+ err = os.WriteFile(testFilePath, []byte(dummyData), 0644) // nolint: gosec
 if err != nil {
 t.Fatalf("Failed to write to temp file: %s", err)
 }
diff --git a/txpool/tx_object_test.go b/txpool/tx_object_test.go
index 036e2c57a..fd384fdcb 100644
--- a/txpool/tx_object_test.go
+++ b/txpool/tx_object_test.go
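Review bot: In tx/reserved_test.go the finding on `&c.input` is gosec's G601 (taking the address of a range variable), and the commit silences it instead of removing the aliasing; `data, err := rlp.EncodeToBytes(&cases[i].input)` produces the same bytes and needs no directive, assuming `cases` is a slice. The pointer does not outlive the iteration here, so this is not a functional bug even under pre-Go 1.22 loop semantics, but the one-token fix is cheaper than carrying a documented exception. TestReservedEncoding starts outside the hunk.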
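Review bot: In txpool/blocklist_test.go the suppression on `os.WriteFile(testFilePath, []byte(dummyData), 0644)` covers gosec's G306 (file mode wider than 0600), and it is unnecessary: `os.WriteFile` applies the mode only when it creates the file, and `testFilePath` comes from `tempFile.Name()` on the context line, so the file already exists (with 0600 if tempFile came from os.CreateTemp) and the `0644` argument has no effect. Passing `0o600` keeps the behaviour byte for byte and lets the directive go. SetupTempFile starts outside the hunk.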
@@ -42,7 +42,7 @@ func newTx(chainTag byte, clauses []*tx.Clause, gas uint64, blockRef tx.BlockRef
 tx := builder.BlockRef(blockRef).
 Expiration(expiration).
- Nonce(rand.Uint64()).
+ Nonce(rand.Uint64()). // nolint:gosec
 DependsOn(dependsOn).
 Features(features).
 Gas(gas).Build()
@@ -61,7 +61,7 @@ func newDelegatedTx(chainTag byte, clauses []*tx.Clause, gas uint64, blockRef tx
 tx := builder.BlockRef(blockRef).
 Expiration(expiration).
- Nonce(rand.Uint64()).
+ Nonce(rand.Uint64()). // nolint:gosec
 DependsOn(dependsOn).
 Features(features).
 Gas(gas).Build()
diff --git a/txpool/tx_pool.go b/txpool/tx_pool.go
index f3dcd824e..8068a2662 100644
--- a/txpool/tx_pool.go
+++ b/txpool/tx_pool.go
@@ -180,7 +180,7 @@ func (p *TxPool) fetchBlocklistLoop() {
 for {
 // delay 1~2 min
- delay := time.Second * time.Duration(rand.Int()%60+60)
+ delay := time.Second * time.Duration(rand.Int()%60+60) // nolint:gosec
 select {
 case <-p.ctx.Done():
 return