From b8bf504e948557f1cc17e6e56c255ff19c9e9dca Mon Sep 17 00:00:00 2001 From: Henry Wang Date: Sat, 12 Mar 2022 05:33:32 +0000 Subject: [PATCH] Enable gosec linter for golangci-lint `gosec` linter is able to identify issues described in #6584 e.g. $ git revert 54e95e6b880912e489529be120d4ecead80dbd90 [gosec dfc8ca1ec] Revert "fix Implicit memory aliasing in for loop" 2 files changed, 2 deletions(-) $ make check + proto-fmt + check GOGC=75 golangci-lint run containerstore.go:192:54: G601: Implicit memory aliasing in for loop. (gosec) containers = append(containers, containerFromProto(&container)) ^ image_store.go:132:42: G601: Implicit memory aliasing in for loop. (gosec) images = append(images, imageFromProto(&image)) ^ make: *** [check] Error 1 I also disabled following two settings which prevent the linter to show a complete list of issues. * max-issues-per-linter (default 50) * max-same-issues (default 3) Furthermore enabling gosec revealed many other issues. For now I blacklisted the ones except G601. Will create separate tasks to address them one by one moving next. Signed-off-by: Henry Wang
---
 .golangci.yml | 16 ++++++++++++++++
 metadata/boltutil/helpers.go | 1 +
 metadata/containers_test.go | 1 +
 metadata/images_test.go | 1 +
 oci/spec_opts_test.go | 1 +
 services/containers/helpers.go | 1 +
 services/images/helpers.go | 1 +
 7 files changed, 22 insertions(+)
diff --git a/.golangci.yml b/.golangci.yml
index 4bf84599d..da5e0c07f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -11,12 +11,28 @@ linters:
 - vet
 - unused
 - misspell
+ - gosec
 disable:
 - errcheck
 issues:
 include:
 - EXC0002
+ max-issues-per-linter: 0
+ max-same-issues: 0
+
+linters-settings:
+ gosec:
+ # The following issues surfaced when `gosec` linter
+ # was enabled. They are temporarily excluded to unblock
+ # the existing workflow, but still to be addressed by
+ # by future works.
+ excludes:
+ - G204
+ - G305
+ - G306
+ - G402
+ - G404
 run:
 timeout: 8m
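Review bot: The `excludes:` list under `linters-settings.gosec` switches G204, G305, G306, G402 and G404 off for the whole repository, so new code that introduces one of these patterns passes `make check` just as the existing findings do. These rules cover command execution with variable arguments, path traversal during archive extraction, permissions on newly written files, TLS settings and weak random sources, which are the checks most worth keeping on new code. Consider leaving the rules enabled and suppressing only the known sites, either with `issues.exclude-rules` entries scoped by `path` and `linters: [gosec]`, or by gating on new code with `issues.new-from-rev`, so each follow-up task shrinks an explicit list instead of re-enabling a rule. The comment above the list also has a doubled word (`by` at the end of one line and the start of the next).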
diff --git a/metadata/boltutil/helpers.go b/metadata/boltutil/helpers.go
index 4722a5226..4201d7ba9 100644
--- a/metadata/boltutil/helpers.go
+++ b/metadata/boltutil/helpers.go
@@ -162,6 +162,7 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
 }
 for name, ext := range extensions {
+ ext := ext
 p, err := proto.Marshal(&ext)
 if err != nil {
 return err
diff --git a/metadata/containers_test.go b/metadata/containers_test.go
index c0192a458..2b9efbd14 100644
--- a/metadata/containers_test.go
+++ b/metadata/containers_test.go
@@ -152,6 +152,7 @@ func TestContainersList(t *testing.T) {
 }
 for _, result := range results {
+ result := result
 checkContainersEqual(t, &result, testset[result.ID], "list results did not match")
 }
 })
diff --git a/metadata/images_test.go b/metadata/images_test.go
index 7d556b000..323426da1 100644
--- a/metadata/images_test.go
+++ b/metadata/images_test.go
@@ -129,6 +129,7 @@ func TestImagesList(t *testing.T) {
 }
 for _, result := range results {
+ result := result
 checkImagesEqual(t, &result, testset[result.Name], "list results did not match")
 }
 })
diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
index d8c974be4..679e47205 100644
--- a/oci/spec_opts_test.go
+++ b/oci/spec_opts_test.go
@@ -596,6 +596,7 @@ func TestDevShmSize(t *testing.T) {
 expected := "1024k"
 for _, s := range ss {
+ s := s
 if err := WithDevShmSize(1024)(nil, nil, nil, &s); err != nil {
 if err != ErrNoShmMount {
 t.Fatal(err)
diff --git a/services/containers/helpers.go b/services/containers/helpers.go
index dde4caed1..aece9ca41 100644
--- a/services/containers/helpers.go
+++ b/services/containers/helpers.go
@@ -25,6 +25,7 @@ func containersToProto(containers []containers.Container) []api.Container {
 var containerspb []api.Container
 for _, image := range containers {
+ image := image
 containerspb = append(containerspb, containerToProto(&image))
 }
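Review bot: The added `ext := ext` in WriteExtensions has no comment, so it reads as a redundant self-assignment unless the reader already knows gosec G601. State the reason on the line, e.g. `ext := ext // per-iteration copy: &ext is taken below (gosec G601)`. The same applies to `result := result` in TestContainersList and TestImagesList, `s := s` in TestDevShmSize, and `image := image` in containersToProto and imagesToProto. Each of these loops starts or ends outside its hunk, so whether any callee keeps the pointer past the iteration cannot be judged from the lines shown.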
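Review bot: In containersToProto the new line `image := image` repeats a misleading name: the loop ranges over `containers`, so each element is a container, not an image, and the name looks carried over from imagesToProto. Since the loop is being touched anyway, it could index the slice instead, which removes both the misnomer and the per-iteration copy: `for i := range containers {` with `containerspb = append(containerspb, containerToProto(&containers[i]))`. That is only equivalent if containerToProto neither keeps nor writes through the pointer, which this hunk does not show. The same indexing form would work in imagesToProto, and the function body continues past the end of the hunk.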
diff --git a/services/images/helpers.go b/services/images/helpers.go
index 2d4ec76dc..6b7b008c0 100644
--- a/services/images/helpers.go
+++ b/services/images/helpers.go
@@ -27,6 +27,7 @@ func imagesToProto(images []images.Image) []imagesapi.Image {
 var imagespb []imagesapi.Image
 for _, image := range images {
+ image := image
 imagespb = append(imagespb, imageToProto(&image))
 }