workflows: Fix gosec errors & enable code annotations #9
Conversation
contracts.EntitiyFactoryFunc.WithInit() checked for contracts.Initer every time. Now it is only done once in common.NewSyncSubject().
This also requires explicit handling of custom variables as we need to multiplex the original values to handle flat custom variables.
….com/goccy/go-yaml ... not to have GPLv2<->Apache 2.0 (app<->deps) license conflicts.
Make {NotificationHistory,StateHistory,History*}#Id UUID -> SHA1
With this change Icinga DB will insert the environment after each heartbeat takeover if it does not already exist in the database, as the environment may have changed, although this is likely to happen very rarely. Instead of checking whether the environment already exists, it uses an INSERT statement that does nothing if it does.
The default environment of Icinga is the empty string. In Golang, the zero value of string is also the empty string. But it makes sense to distinguish whether the name is not set or set to the empty string. That is possible with this change.
If the environment changes during runtime, we have to restart HA in order to stop a possibly running config sync and start a new one.
Previously, we selected each entity from the database. Now we only select entities that belong to the current environment.
Icinga/icinga2#9036 introduced a new environment ID for Icinga DB that's written to the icinga:stats stream as field "icingadb_environment". This commit updates the code to make use of this ID instead of the one derived from the Icinga 2 Environment constant.
There's a small risk that when the environment ID changes, Icinga DB could update or write into the wrong environment in the database. Therefore, Icinga/icinga2#9036 introduced a new default environment ID based on the CA public key so that there should be no cases where it's required to change the actual environment ID. So if this happens nonetheless, just bail out.
Fix flawed config keys and validation
Better handling of multiple environments
Rename driver names to `icinga-*sql`
`ColumnMap` provides a cached mapping of structs' exported fields to their database column names. By default, all exported struct fields are mapped to their database column names using snake case notation. The `-` (hyphen) directive for the db tag can be used to exclude certain fields. Since `ColumnMap` uses a cache, the returned slice MUST NOT be modified directly.
database: Introduce `ColumnMap`
Add go github workflows
Allow to dynamically define type constraint name
If these errors do not get fixed with the new permissions, we may have to either fix or suppress them.
config/config.go
@@ -80,7 +81,7 @@ func (t *TLS) MakeConfig(serverName string) (*tls.Config, error) { | |||
return nil, nil | |||
} | |||
|
|||
tlsConfig := &tls.Config{} | |||
tlsConfig := &tls.Config{} // #nosec G402 -- TLS MinVersion too low - we can't abandon TLS 1.0 as long as Centos 7 is alive. |
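Review bot: the `#nosec G402` annotation on `tlsConfig := &tls.Config{}` silences the finding without setting any `MinVersion`, and its justification ("we can't abandon TLS 1.0 as long as Centos 7 is alive") is contested in the review comments below, where TLS 1.2 is called the reasonable floor. Rather than suppressing the warning, initialise the literal as `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}` and drop the `#nosec` comment, so the linter finding disappears because the configuration is actually hardened.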
CentOS 7 isn't a reason for that. The OpenSSL version in the base system only doesn't support TLS 1.3, TLS 1.2 works just fine there.
Does that mean you want to set the min required TLS version to 1.2?
But isn't this code being used to create a TLS configuration to access a database or a Redis server? Thus, does, i.e., a MariaDB on CentOS 7 support TLS 1.2?
Does that mean you want to set the min required TLS version to 1.2?
Primarily, I wanted to doubt the claim that "we can't abandon TLS 1.0 as long as Centos 7 is alive".
In general, TLS 1.2 is a reasonable minimal requirement, everything older is better avoided unless there's a very good reason why you would need it (and SSL is a big no right away). And CentOS/RHEL 7 don't seem to be such a reason, the RHEL 7 documentation already recommends TLS 1.2.
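The outcome the reviewers argue for, as an added example that is not code from this PR or from icinga-go-library: `makeTLSConfig` is a hypothetical stand-in for the `MakeConfig` in the hunk above with the floor pinned to TLS 1.2 instead of a `#nosec G402` suppression, and `handshake` verifies over an in-memory pipe that a TLS 1.2 client still connects while a client limited to TLS 1.0 is refused. The self-signed certificate for "localhost" is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)

// makeTLSConfig pins the floor to TLS 1.2 explicitly instead of suppressing gosec G402 on an empty tls.Config.
func makeTLSConfig(serverName string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// handshake connects a client capped at clientMax to a server using makeTLSConfig
// over an in-memory pipe and returns the client's handshake error (nil on success).
func handshake(clientMax uint16) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key for the constructed test certificate
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool() // the client trusts exactly this self-signed certificate
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	srvConf := makeTLSConfig("")
	srvConf.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	cliConf := &tls.Config{ServerName: "localhost", RootCAs: pool, MinVersion: tls.VersionTLS10, MaxVersion: clientMax} // re-enables TLS 1.0 to emulate a legacy peer
	c, s := net.Pipe()
	defer s.Close()
	done := make(chan struct{})
	go func() { tls.Server(s, srvConf).Handshake(); close(done) }()
	err = tls.Client(c, cliConf).Handshake()
	c.Close() // unblocks the server goroutine if it is still waiting on the pipe
	<-done
	return err
}
```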
Main branch was force pushed because the latest version of the Icinga Go library and the library code in the Icinga DB have diverged. Please create a new PR.
Enables code annotations in case of failures and fixes the actions triggered by the main branch.
https://github.com/Icinga/icinga-go-library/actions/runs/7783022809/job/21220618068
Edit: This PR suppresses some of the reported existing gosec errors and solves some of them as well and drops the `only-new-issue` flag set for the go linter.