From 6fb0f23a434787a8a969fd3e96cc1efede1a205b Mon Sep 17 00:00:00 2001
From: tu1h
Date: Mon, 23 Sep 2024 14:39:52 +0800
Subject: [PATCH] Enable gosec in golangci check

Signed-off-by: tu1h
---
 .golangci.yml | 13 ++++++++++++-
 pkg/util/entrypoint/entrypoint.go | 17 +++++++++--------
 pkg/webhooks/clusterops/clusterops_webhook.go | 10 +++++++---
 3 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index f55907275..a661588eb 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -76,6 +76,17 @@ linters-settings:
 min-complexity: 20
 nestif:
 min-complexity: 20
+ gosec:
+ config:
+ nosec: true
+ G101:
+ # Regexp pattern for variables and constants to find.
+ pattern: "(?i)passwd|pass|password|pwd|secret|token|pw|apiKey|bearer|cred|crt|cert|certificate"
+ excludes:
+ - G112
+ - G401
+ - G501
+ - G601
 output:
 formats:
 colored-line-number
@@ -117,7 +128,6 @@ linters:
 - cyclop # checks function and package cyclomatic complexity
 - errcheck # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases
 - unparam # Reports unused function parameters
- - gosec # Inspects source code for security problems
 - funlen # Tool for detection of long functions
 - gocognit # Computes and checks the cognitive complexity of functions
 - gocyclo # Computes and checks the cyclomatic complexity of functions
@@ -160,4 +170,5 @@ linters:
 - unused # Checks Go code for unused constants, variables, functions and types
 - whitespace # Tool for detection of leading and trailing whitespace
 - godot # Check if comments end in a period
+ - gosec # Inspects source code for security problems
diff --git a/pkg/util/entrypoint/entrypoint.go b/pkg/util/entrypoint/entrypoint.go
index fddab8b1c..ea053fffe 100644
--- a/pkg/util/entrypoint/entrypoint.go
+++ b/pkg/util/entrypoint/entrypoint.go
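Review bot: The `nosec: true` key added under `gosec.config` is, per the golangci-lint reference as I read it, a `global:` option meaning "ignore `#nosec` comments", yet here it sits directly under `config:` beside `G101:` (indentation is lost in this collapsed hunk, so placement is inferred from key order), where golangci-lint would hand it to gosec as the config of a rule named `nosec` and it would have no effect. Either way it is wrong for this commit: as placed it is dead config, and moved under `global:` it would make gosec disregard the very `// #nosec` markers this patch adds in entrypoint.go and clusterops_webhook.go, so I would drop the key. The widened G101 `pattern` (`crt|cert|certificate` appended to the default) is what turns `certsDir`, `certKey`, `certFile`, `RenewCertsPB` and similar names into findings that the Go hunks then silence; a certificate path or a playbook file name is not credential material, so I would keep the default pattern rather than widen it and suppress the fallout. Excluding G112 globally also switches off the missing-`ReadHeaderTimeout` (slowloris) check for any `http.Server` this repo starts, and the webhook server configured in clusterops_webhook.go looks like a candidate; G401/G501 are better silenced at each call site with `// #nosec G401 -- <why>` so every weak-hash use carries its own justification.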
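Review bot: Adding `gosec` to the `linters` list leaves golangci-lint's built-in default exclusions in force unless the `issues:` section (not in this diff) sets `exclude-use-default: false`; in the 1.x line those defaults silently drop gosec's G103, G104, G204, G304 and the file-permission findings, which are the unsafe-pointer, unchecked-error, subprocess, path-traversal and permission checks an operator that, judging by the playbook names in entrypoint.go, drives external playbook runs would benefit from most. I would set `issues: exclude-use-default: false` in the same change (listing any gosec rule you really want off under `exclude-rules` with a reason) and mention in the commit message which rules are intentionally disabled, so that "enable gosec" actually means the full rule set is running.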
@@ -24,14 +24,15 @@ const (
 RemoveNodePB = "remove-node.yml"
 UpgradeClusterPB = "upgrade-cluster.yml"
- PingPB = "ping.yml"
- RepoPB = "enable-repo.yml"
- FirewallPB = "disable-firewalld.yml"
- KubeconfigPB = "kubeconfig.yml"
- ClusterInfoPB = "cluster-info.yml"
- UpdateHostsPB = "update-hosts.yml"
- RemovePkgsPB = "remove-pkgs.yml"
- PreCheckPB = "precheck.yml"
+ PingPB = "ping.yml"
+ RepoPB = "enable-repo.yml"
+ FirewallPB = "disable-firewalld.yml"
+ KubeconfigPB = "kubeconfig.yml"
+ ClusterInfoPB = "cluster-info.yml"
+ UpdateHostsPB = "update-hosts.yml"
+ RemovePkgsPB = "remove-pkgs.yml"
+ PreCheckPB = "precheck.yml"
+ // #nosec
 RenewCertsPB = "renew-certs.yml"
 KubeVipConfigPB = "config-for-kube-vip.yml"
 ConfigInsecureRegistryPB = "config-insecure-registry.yml"
diff --git a/pkg/webhooks/clusterops/clusterops_webhook.go b/pkg/webhooks/clusterops/clusterops_webhook.go
index 06cce7ee2..bb783866f 100644
--- a/pkg/webhooks/clusterops/clusterops_webhook.go
+++ b/pkg/webhooks/clusterops/clusterops_webhook.go
@@ -35,12 +35,16 @@ import (
 )
 var (
- certsDir = "/etc/webhook/certs"
- certKey = "tls.key"
+ // #nosec
+ certsDir = "/etc/webhook/certs"
+ // #nosec
+ certKey = "tls.key"
+ // #nosec
 certFile = "tls.crt"
 Organization = "kubean.io"
 DefaultEffectTime = 10 * 365 * 24 * time.Hour
- CAStoreSecret = "webhook-http-ca-secret"
+ // #nosec
+ CAStoreSecret = "webhook-http-ca-secret"
 WebHookPath = "/webhook"
 WebhookSVCNamespace, _ = os.LookupEnv("WEBHOOK_SERVICE_NAMESPACE")
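Review bot: The bare `// #nosec` inserted above `RenewCertsPB` suppresses every gosec rule for that declaration, not only the G101 hit it is there for, and leaves no reason for the next reader; gosec accepts a scoped, justified form, so I would write `// #nosec G101 -- playbook file name, not a credential`. The finding only exists because the G101 pattern in `.golangci.yml` was extended with `cert`, so restoring the default pattern would remove the need for this marker altogether. If the project prefers golangci-lint's own directive, `//nolint:gosec // playbook file name` on the declaration line is equivalent and is the form `nolintlint` can police for a rule id and an explanation. The re-indentation of `PingPB` through `PreCheckPB` looks like gofmt re-aligning the block around the new comment line and is whitespace-only; the `const (` block starts above this hunk and continues past it.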
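Review bot: All four `// #nosec` markers are unscoped, so besides G101 they also hide any future gosec finding on `certsDir`, `certKey`, `certFile` and `CAStoreSecret`; none of these values is secret material (a certificate directory, two file names inside it, and the name of the Secret object that stores the CA), so I would use the scoped form with a reason, e.g. `// #nosec G101 -- name of the Secret object, not its contents` on `CAStoreSecret` and `// #nosec G101 -- certificate file path, not a credential` on the other three. Note that `certFile = "tls.crt"` is a context line: the third marker was added above an unchanged declaration, so its reason should describe that line. As in entrypoint.go, these hits come from `crt|cert` being appended to the G101 pattern in `.golangci.yml`; with the default pattern only `CAStoreSecret`, whose name contains `secret`, would still need a marker. The `var (` block continues past the end of this hunk.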