Merge pull request kubevirt#4192 from xpivarc/gosec

Add gosec to project
xpivarc · Oct 8, 2020 · 72d0d9b · 72d0d9b
2 parents 33cae25 + 5815ce2
commit 72d0d9b
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -53,6 +53,10 @@ client-python:
 go-build:
 	hack/dockerized "KUBEVIRT_VERSION=${KUBEVIRT_VERSION} ./hack/build-go.sh install ${WHAT}" && ./hack/build-copy-artifacts.sh ${WHAT}
 
+gosec:
+	hack/dockerized "GENERATE="true" ./hack/gosec.sh"
+	hack/dockerized "./hack/gosec.sh"
+
 coverage:
 	hack/dockerized "./hack/coverage.sh ${WHAT}"
 

diff --git a/hack/builder/Dockerfile b/hack/builder/Dockerfile
@@ -62,6 +62,7 @@ RUN set -x && \
     go get -v github.com/golang/protobuf/protoc-gen-go@1643683 && \
     go get -v k8s.io/code-generator/cmd/[email protected] && \
     go get -v sigs.k8s.io/controller-tools/cmd/[email protected] && \
+    go get -v github.com/securego/gosec/v2/cmd/gosec@0ce48a5 && \
     go clean -cache -modcache
 
 RUN set -x && \

diff --git a/hack/builder/version.sh b/hack/builder/version.sh
@@ -1,3 +1,3 @@
-VERSION=30-8.0.2
+VERSION=30-8.0.33
 # TODO: reenable ppc64le when new builds are available
 ARCHITECTURES="amd64"
diff --git a/hack/dockerized b/hack/dockerized
@@ -22,7 +22,7 @@ if [ -z ${KUBEVIRT_CRI} ]; then
     fi
 fi
 
-KUBEVIRT_BUILDER_IMAGE="kubevirt/builder@sha256:6c40c31d8537a3a48dd95d997d0775f480ea6976368cdf9c9720febf9c7b3e60"
+KUBEVIRT_BUILDER_IMAGE="kubevirt/builder@sha256:3390fe22e515d653e8c2d5fb50b761f75990a9b67394120ff613cb01f15def93"
 
 SYNC_OUT=${SYNC_OUT:-true}
 
@@ -135,7 +135,13 @@ fi
 
 # Run the command
 test -t 1 && USE_TTY="-it"
-$KUBEVIRT_CRI exec ${USE_TTY} ${BUILDER}-bazel-server /entrypoint.sh "$@"
+if ! $KUBEVIRT_CRI exec ${USE_TTY} ${BUILDER}-bazel-server /entrypoint.sh "$@"; then
+    # Copy the build output out of the container, make sure that _out exactly matches the build result
+    if [ "$SYNC_OUT" = "true" ]; then
+        _rsync --delete "rsync://[email protected]:${RSYNCD_PORT}/out" ${OUT_DIR}
+    fi
+    exit 1
+fi
 
 # Copy the whole kubevirt data out to get generated sources and formatting changes
 _rsync \

diff --git a/hack/gosec.sh b/hack/gosec.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+source hack/common.sh
+export ARTIFACTS=${ARTIFACTS:-$KUBEVIRT_DIR/_out/artifacts}
+
+mkdir -p $ARTIFACTS
+
+echo "Run go sec in pkg"
+cd $KUBEVIRT_DIR/pkg
+
+gosec -sort -quiet -out=${ARTIFACTS}/junit-gosec.xml -exclude-dir=testutils -fmt=junit-xml ./...
diff --git a/pkg/util/webhooks/tls.go b/pkg/util/webhooks/tls.go
@@ -12,6 +12,7 @@ import (
 
 func SetupPromTLS(certManager certificate.Manager) *tls.Config {
 	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
 		GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
 			cert := certManager.Current()
 			if cert == nil {
@@ -26,6 +27,7 @@ func SetupPromTLS(certManager certificate.Manager) *tls.Config {
 				return nil, fmt.Errorf("failed to get a certificate")
 			}
 			config := &tls.Config{
+				MinVersion:   tls.VersionTLS12,
 				Certificates: []tls.Certificate{*crt},
 				ClientAuth:   tls.VerifyClientCertIfGiven,
 			}
@@ -58,6 +60,7 @@ func SetupTLSWithCertManager(caManager ClientCAManager, certManager certificate.
 				return nil, err
 			}
 			config := &tls.Config{
+				MinVersion:   tls.VersionTLS12,
 				Certificates: []tls.Certificate{*cert},
 				ClientCAs:    clientCAPool,
 				ClientAuth:   clientAuth,
@@ -72,7 +75,10 @@ func SetupTLSWithCertManager(caManager ClientCAManager, certManager certificate.
 }
 
 func SetupTLSForVirtHandlerServer(caManager ClientCAManager, certManager certificate.Manager, externallyManaged bool) *tls.Config {
+	// #nosec cause: InsecureSkipVerify: true
+	// resolution: Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed
 	return &tls.Config{
+		//
 		InsecureSkipVerify: true,
 		GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
 			cert := certManager.Current()
@@ -142,7 +148,10 @@ func SetupTLSForVirtHandlerServer(caManager ClientCAManager, certManager certifi
 }
 
 func SetupTLSForVirtHandlerClients(caManager ClientCAManager, certManager certificate.Manager, externallyManaged bool) *tls.Config {
+	// #nosec cause: InsecureSkipVerify: true
+	// resolution: Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed
 	return &tls.Config{
+		// Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed
 		InsecureSkipVerify: true,
 		ClientAuth:         tls.RequireAndVerifyClientCert,
 		GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {

diff --git a/pkg/virtctl/imageupload/imageupload.go b/pkg/virtctl/imageupload/imageupload.go
@@ -307,6 +307,7 @@ func getHTTPClient(insecure bool) *http.Client {
 	client := &http.Client{}
 
 	if insecure {
+		// #nosec cause: InsecureSkipVerify: true resolution: this method explicitly ask for insecure http client
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}

diff --git a/tools/gosec/README.md b/tools/gosec/README.md
@@ -0,0 +1,6 @@
+# [GOSEC](https://github.com/securego/gosec)
+
+Junit contains all issues in the project.
+Use `// #nosec` on top of reported line to mark issue as false positive. 
+
+