diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 900ecbfe..940df6e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
- container: golangci/golangci-lint:v1.57.2
+ container: golangci/golangci-lint:v1.58.0
 steps:
 - uses: actions/cache@v2
 with:
diff --git a/.golangci.yml b/.golangci.yml
index 3b5f3ee7..a8d8b3b8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -82,7 +82,7 @@ linters:
 # Triggers on TODOs in the code, which is fine to put.
 - godox
 # Disabled until we implement some error types and migrate to use them.
- - goerr113
+ - err113
 # We don't really care about sprintf performance.
 - perfsprint
 # To allow defensive approach when initializing structs.
@@ -100,6 +100,7 @@ linters:
 - asciicheck
 - bidichk
 - bodyclose
+ - canonicalheader
 - containedctx
 - contextcheck
 - cyclop
@@ -112,9 +113,9 @@ linters:
 - errchkjson
 - errname
 - errorlint
- - execinquery
 - exhaustive
 - exportloopref
+ - fatcontext
 - forbidigo
 - forcetypeassert
 - funlen
@@ -132,21 +133,25 @@ linters:
 - gofumpt
 - goheader
 - goimports
- - gomnd
 - gomoddirectives
 - gomodguard
 - goprintffuncname
+ - gosec
+ - gosimple
 - gosmopolitan
+ - govet
 - grouper
 - importas
 - inamedparam
 - ineffassign
 - interfacebloat
 - lll
+ - loggercheck
 - maintidx
 - makezero
 - mirror
 - misspell
+ - mnd
 - musttag
 - nakedret
 - nestif
@@ -168,6 +173,7 @@ linters:
 - sloglint
 - spancheck
 - sqlclosecheck
+ - staticcheck
 - stylecheck
 - tagalign
 - tagliatelle
@@ -178,6 +184,7 @@ linters:
 - tparallel
 - unconvert
 - unparam
+ - unused
 - usestdlibvars
 - varnamelen
 - wastedassign
diff --git a/Makefile b/Makefile
index 61a3f0bf..e2b8f407 100644
--- a/Makefile
+++ b/Makefile
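Review bot: The new `gosec` entry in the @@ -132 hunk would be better paired with a path-scoped exclusion for test files than with the per-line `#nosec` annotations the rest of this commit adds to `_test.go` files, because those annotations are easy to get wrong (one in ssh_integration_test.go is written `#nosec 101`). Under `issues.exclude-rules` add `- path: _test\.go` / `  linters: [gosec]` / `  text: "G(101|304)"`, which silences only the credential-name and file-inclusion findings in tests while production code stays fully covered. I cannot see whether the file already has an `issues:` section or uses `disable-all`, so place it accordingly. The explicit `gosimple`, `govet`, `staticcheck` and `unused` entries are golangci-lint's default-enabled linters and are only needed here if `disable-all: true` is set above.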
@@ -11,7 +11,7 @@ GORUN=$(GOCMD) run GOBUILD=$(GOCMD) build -v -ldflags $(LD_FLAGS) -trimpath CC_TEST_REPORTER_ID=6e107e510c5479f40b0ce9166a254f3f1ee0bc547b3e48281bada1a5a32bb56d -GOLANGCI_LINT_VERSION=v1.57.2 +GOLANGCI_LINT_VERSION=v1.58.0 BIN_PATH=$$HOME/bin GO_PACKAGES=./... diff --git a/internal/utiltest/x509.go b/internal/utiltest/x509.go index 61a76113..70887d89 100644 --- a/internal/utiltest/x509.go +++ b/internal/utiltest/x509.go @@ -102,10 +102,12 @@ func GeneratePKI(t *testing.T) *PKI { // generateX509Certificate generates X.509 certificate in DER format using given RSA private key. func generateX509Certificate(priv *rsa.PrivateKey) ([]byte, error) { + var serialNumberLimitBase uint = 128 + // Generate serial number for X.509 certificate. // //nolint:gomnd // As in https://golang.org/src/crypto/tls/generate_cert.go. - serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), serialNumberLimitBase) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) if err != nil { diff --git a/pkg/apiloadbalancer/api-loadbalancers_integration_test.go b/pkg/apiloadbalancer/api-loadbalancers_integration_test.go index 5d754713..52934e54 100644 --- a/pkg/apiloadbalancer/api-loadbalancers_integration_test.go +++ b/pkg/apiloadbalancer/api-loadbalancers_integration_test.go @@ -20,6 +20,7 @@ func TestDeploy(t *testing.T) { sshPrivateKeyPath = "/home/core/.ssh/id_rsa" } + //#nosec G304 // Expected path customization. key, err := os.ReadFile(sshPrivateKeyPath) if err != nil { t.Fatalf("Reading SSH private key shouldn't fail, got: %v", err) diff --git a/pkg/etcd/member.go b/pkg/etcd/member.go index dfb6812c..1dfc05a9 100644 --- a/pkg/etcd/member.go +++ b/pkg/etcd/member.go 
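Review bot: The `//nolint:gomnd` directive left above the rewritten `Lsh` call in the internal/utiltest/x509.go hunk is now stale: the literal it excused has moved into `serialNumberLimitBase`, and this same commit renames the linter to `mnd` in .golangci.yml, so a `nolintlint` pass (if enabled) will report it as unused or unknown. Drop the directive, keep the provenance as a plain comment, `// Use a 128-bit serial-number space, as in https://golang.org/src/crypto/tls/generate_cert.go.`, and declare the width as `const serialNumberLimitBase uint = 128` rather than a mutable function-local `var` (`mnd` ignores named constants). The identical edit appears in pkg/pki/pki.go, which suggests the serial-number generation deserves one shared helper instead of two copies. generateX509Certificate continues past the end of the hunk.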
@@ -233,8 +233,10 @@ func (m *member) ToHostConfiguredContainer() (*container.HostConfiguredContainer }, } + //#nosec G101 // False positive. initialClusterTokenArgument := "--initial-cluster-state=existing" if m.config.NewCluster { + //#nosec G101 // False positive. initialClusterTokenArgument = "--initial-cluster-token=etcd-cluster-2" } diff --git a/pkg/host/transport/ssh/ssh_integration_test.go b/pkg/host/transport/ssh/ssh_integration_test.go index 46abdabe..06ab4171 100644 --- a/pkg/host/transport/ssh/ssh_integration_test.go +++ b/pkg/host/transport/ssh/ssh_integration_test.go @@ -26,9 +26,11 @@ func TestPasswordAuth(t *testing.T) { passwordFilePath := os.Getenv("TEST_INTEGRATION_SSH_PASSWORD_FILE") if passwordFilePath == "" { + //#nosec 101 // Expected default path. passwordFilePath = "/home/core/.ssh/password" } + //#nosec G304 // Expected test path customization. pass, err := os.ReadFile(passwordFilePath) if err != nil { t.Fatalf("Reading password file %q: %v", passwordFilePath, err) @@ -100,6 +102,7 @@ func withPrivateKey(t *testing.T) transport.Interface { sshPrivateKeyPath = "/home/core/.ssh/id_rsa" } + //#nosec G304 // Expected test path customization. key, err := os.ReadFile(sshPrivateKeyPath) if err != nil { t.Fatalf("Reading SSH private key from %q shouldn't fail, got: %v", sshPrivateKeyPath, err) @@ -197,6 +200,8 @@ func prepareTestSocket(t *testing.T, socket string) net.Listener { } { // We may SSH into host as unprivileged user, so make sure we are allowed to access the // socket file. + // + //nolint:gosec // Nosec rule does not work, this is expected test permissions. if err := os.Chmod(path, 0o777); err != nil { fmt.Printf("Socket chmod should succeed, got: %v\n", err) t.Fail() diff --git a/pkg/host/transport/ssh/ssh_test.go b/pkg/host/transport/ssh/ssh_test.go index 2d9a7eca..cd0ee93d 100644 --- a/pkg/host/transport/ssh/ssh_test.go +++ b/pkg/host/transport/ssh/ssh_test.go 
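Review bot: Both `#nosec G101` annotations in the pkg/etcd/member.go hunk appear to be needed only because the variable is named `initialClusterTokenArgument` (G101 matches credential-like identifiers), yet the value it holds on the first path, `--initial-cluster-state=existing`, is not a token at all. Renaming it to `initialClusterArgument` fixes the misnomer and should make both suppressions unnecessary, which is preferable to carrying two `#nosec` lines inside one function. On the hard-coded `--initial-cluster-token=etcd-cluster-2`: etcd uses the token only to keep members of different clusters from joining each other during bootstrap, so it is not a secret and the finding is indeed a false positive, but a constant shared by every cluster this package bootstraps gives up that protection — consider deriving it from per-cluster configuration. ToHostConfiguredContainer starts before and ends after this hunk.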
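Review bot: The annotation `//#nosec 101 // Expected default path.` in the TestPasswordAuth hunk of ssh_integration_test.go is missing the `G` prefix that every other suppression in this commit carries; gosec picks rule ids after `#nosec` with a `G\d{3}` pattern, so with none recognised the comment becomes a blanket `#nosec` that silences every rule on that line, not just G101. Change it to `//#nosec G101 // Expected default path.`. Also consider naming the waived rule in the `os.Chmod(path, 0o777)` suppression, `//nolint:gosec // G302: unprivileged SSH user must reach the test socket.`, so a reader knows which finding is being accepted and why. TestPasswordAuth and prepareTestSocket both continue outside their hunks.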
@@ -2,13 +2,13 @@ package ssh import ( "bytes" - cryptorand "crypto/rand" + "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" "io" - "math/rand" + "math/big" "net" "os" "reflect" @@ -167,7 +167,7 @@ func newTestConfig(t *testing.T) *Config { func generateRSAPrivateKey(t *testing.T) string { t.Helper() - privateKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { t.Fatalf("Generating key failed: %v", err) } @@ -187,10 +187,13 @@ const maxTestMessageLength = 1024 func testMessage(t *testing.T) ([]byte, int) { t.Helper() - rand := rand.New(rand.NewSource(time.Now().UTC().UnixNano())) + randLength, err := rand.Int(rand.Reader, big.NewInt(maxTestMessageLength)) + if err != nil { + t.Fatalf("Generating random length: %v", err) + } // We must have at least 1 byte message. - length := rand.Intn(maxTestMessageLength) + 1 + length := randLength.Int64() + 1 message := make([]byte, length) if _, err := rand.Read(message); err != nil { diff --git a/pkg/pki/pki.go b/pkg/pki/pki.go index 3a774783..a66b5543 100644 --- a/pkg/pki/pki.go +++ b/pkg/pki/pki.go @@ -5,7 +5,7 @@ import ( "bytes" "crypto/rand" "crypto/rsa" - "crypto/sha1" + "crypto/sha256" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -420,10 +420,12 @@ func (c *Certificate) decodeKeyUsage() (x509.KeyUsage, []x509.ExtKeyUsage) { } func (c *Certificate) generateX509Certificate(certPK *rsa.PrivateKey, caCert *Certificate) error { + var serialNumberLimitBase uint = 128 + // Generate serial number for X.509 certificate. // //nolint:gomnd // As in https://golang.org/src/crypto/tls/generate_cert.go. - serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), serialNumberLimitBase) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) if err != nil { 
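Review bot: In the testMessage hunk of ssh_test.go, `length` changes type from `int` to `int64` (`randLength.Int64() + 1`) while the function's declared second result is `int`; if the body returns `length` rather than `len(message)` this no longer compiles, and either way the conversion belongs at the source: `length := int(randLength.Int64()) + 1`. The import hunk also removes the only visible use of `time` (`time.Now().UTC().UnixNano()`) without dropping the `"time"` import; the import list continues past the hunk, so verify nothing else in the file still needs it. Moving test data to `crypto/rand` satisfies gosec G404 and is fine here since the old seed was never used for reproduction. testMessage continues past the end of the hunk.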
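Review bot: As in internal/utiltest/x509.go, the `//nolint:gomnd` line above the new `Lsh(... serialNumberLimitBase)` call in pkg/pki/pki.go no longer guards a magic number and names a linter this commit renames to `mnd`, so it should go; keep the provenance as a plain comment, `// 128-bit serial-number space, as in https://golang.org/src/crypto/tls/generate_cert.go.`. Prefer `const serialNumberLimitBase uint = 128` over a function-local `var`, since a constant cannot be reassigned and `mnd` does not flag named constants. The two copies of this serial-number logic could share one helper that the test package also uses. generateX509Certificate continues past the end of the hunk.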
@@ -485,7 +487,7 @@ func (c *Certificate) createAndPersist(cert, caCert *x509.Certificate, certPK, c // Taken from https://play.golang.org/p/tispiUVmdm. func bigIntHash(n *big.Int) ([]byte, error) { - hash := sha1.New() // #nosec G401 + hash := sha256.New() // #nosec G401 if _, err := hash.Write(n.Bytes()); err != nil { return nil, fmt.Errorf("writing bytes to SHA1 function: %w", err) diff --git a/pkg/types/privatekey_test.go b/pkg/types/privatekey_test.go index f27d7b82..e8fb819c 100644 --- a/pkg/types/privatekey_test.go +++ b/pkg/types/privatekey_test.go @@ -84,6 +84,7 @@ func TestParsePrivateKeyEC(t *testing.T) { func TestParsePrivateKeyBad(t *testing.T) { t.Parallel() + //#nosec G101 // Just bad test data. privateKey := `--- bar: | -----BEGIN RSA PRIVATE KEY-----
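Review bot: The error string on the line after the changed `sha256.New()` in bigIntHash still reads "writing bytes to SHA1 function", so it should become `return nil, fmt.Errorf("writing bytes to SHA-256 function: %w", err)`; the `// #nosec G401` suppression is likewise stale now that the weak-hash rule no longer fires on SHA-256 and should be dropped. More importantly, the playground reference suggests this digest feeds a Subject Key Identifier, so switching the algorithm changes the identifier of every certificate generated after this commit. That is harmless when a child's authority key id is copied from the parent's `SubjectKeyId` (what crypto/x509's CreateCertificate does when the parent has one), but if any caller recomputes it through bigIntHash for a CA generated before this change, key-id chain matching will break — verify at the call sites, which are outside this hunk. bigIntHash's body continues past the hunk.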