confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

Fix go vet and gosec issues #327

Open huoqifeng opened 2 years ago

huoqifeng commented 2 years ago

go vet errors:

# go vet ./...
warning: GOPATH set to GOROOT (/root/go) has no effect
# github.com/confidential-containers/cloud-api-adaptor/pkg/adaptor/hypervisor/registry
pkg/adaptor/hypervisor/registry/register.go:9:9: undefined: newServer

gosec errors:

# gosec ./...
Results:

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/cmd/starter.go]:

  > [line 54 : column 26] - Interrupt not declared by package os

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/adaptor/hypervisor/registry/register.go]:

  > [line 9 : column 9] - undeclared name: newServer

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/adaptor/proxy/proxy.go]:

  > [line 135 : column 15] - Remove not declared by package os

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/webhook/main.go]:

  > [line 20 : column 2] - could not import confidential-containers/peer-pods-webhook/pkg/mutating_webhook (invalid package name: "")

  > [line 26 : column 4] - could not import k8s.io/client-go/plugin/pkg/client/auth (invalid package name: "")

  > [line 28 : column 2] - could not import k8s.io/apimachinery/pkg/runtime (invalid package name: "")

  > [line 29 : column 14] - could not import k8s.io/apimachinery/pkg/util/runtime (invalid package name: "")

  > [line 30 : column 17] - could not import k8s.io/client-go/kubernetes/scheme (invalid package name: "")

  > [line 31 : column 7] - could not import sigs.k8s.io/controller-runtime (invalid package name: "")

  > [line 32 : column 2] - could not import sigs.k8s.io/controller-runtime/pkg/healthz (invalid package name: "")

  > [line 33 : column 2] - could not import sigs.k8s.io/controller-runtime/pkg/log/zap (invalid package name: "")

  > [line 34 : column 2] - could not import sigs.k8s.io/controller-runtime/pkg/webhook (invalid package name: "")

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/webhook/pkg/mutating_webhook/mutating-webhook.go]:

  > [line 24 : column 9] - could not import k8s.io/api/core/v1 (invalid package name: "")

  > [line 25 : column 2] - could not import sigs.k8s.io/controller-runtime/pkg/client (invalid package name: "")

  > [line 26 : column 2] - could not import sigs.k8s.io/controller-runtime/pkg/webhook/admission (invalid package name: "")

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/webhook/pkg/mutating_webhook/remove-resourcespec.go]:

  > [line 7 : column 2] - could not import k8s.io/apimachinery/pkg/api/resource (invalid package name: "")

Golang errors in file: [/root/go/src/github.com/confidential-containers/cloud-api-adaptor/webhook/pkg/utils/utils.go]:

  > [line 8 : column 9] - could not import k8s.io/api/core/v1 (invalid package name: "")

  > [line 9 : column 2] - could not import k8s.io/apimachinery/pkg/api/resource (invalid package name: "")

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go:33] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    32:
  > 33:     file, err := os.Open(path)
    34:     if err != nil {

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/podnetwork/tuntest/util.go:152-154] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    151:        var err error
  > 152:        s.server = &http.Server{
  > 153:            Handler: testHTTPHandler,
  > 154:        }
    155:        s.listener, err = net.Listen("tcp", addr)

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/podnetwork/tuntest/tuntest.go:161-163] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    160:            if err := pod.podNodeNS.Run(func() error {
  > 161:                httpServer := http.Server{
  > 162:                    Addr: net.JoinHostPort("0.0.0.0", "15150"),
  > 163:                }
    164:                return httpServer.ListenAndServe()

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/podnetwork/tunneler/routing/keepalive.go:264-266] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    263:
  > 264:    httpServer := http.Server{
  > 265:        Addr: listenAddr,
  > 266:    }
    267:

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/util/netops/netops.go:738] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    737:        if route.Dst == nil {
  > 738:            defaultRoute = &route
    739:            break

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/util/netops/netops.go:552] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    551:    for _, route := range routes {
  > 552:        if err := ns.handle.RouteDel(&route); err != nil {
    553:            return fmt.Errorf("failed to delete a route: table %d, dest: %s, gw: %s, dev %s: %w", table, dest, gw, dev, err)

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/adaptor/hypervisor/vsphere/service.go:173] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    172:    // Store daemon.json in worker node for debugging
  > 173:    if err = os.WriteFile(filepath.Join(sandbox.podDirPath, "daemon.json"), daemonJSON, 0666); err != nil {
    174:        return nil, fmt.Errorf("failed to store daemon.json at %s: %w", sandbox.podDirPath, err)

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/podnetwork/tuntest/util.go:178] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    177:        err := s.server.Shutdown(context.Background())
  > 178:        s.listener.Close()
    179:        return err

[/root/go/src/github.com/confidential-containers/cloud-api-adaptor/pkg/podnetwork/tunneler/routing/keepalive.go:231] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    230:
  > 231:            res.Body.Close()
    232:

Summary:
  Gosec  : v2.14.0
  Files  : 44
  Lines  : 6873
  Nosec  : 0
  Issues : 9
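The G112 and G601 findings above, as an added example that is not part of this issue or of the project's code: a Go block that builds an http.Server with ReadHeaderTimeout set and shows, against a client that stalls mid-header on a loopback port, that the server with the timeout closes the connection while one without it (the flagged configuration) keeps it open, plus the index-the-slice form that avoids taking the address of a range variable. The Route type is a constructed stand-in for the netlink route type used in netops.go.

```go
package main

import (
	"io"
	"net"
	"net/http"
	"time"
)

// G112 fix: a non-zero ReadHeaderTimeout bounds how long a client may take to send its
// request headers, so a connection that stalls mid-header (slowloris-style) gets closed.
func newHardenedServer(addr string, h http.Handler, headerTimeout time.Duration) *http.Server {
	return &http.Server{Addr: addr, Handler: h, ReadHeaderTimeout: headerTimeout}
}

// slowClientDropped starts a local server with the given header timeout, opens one connection
// that sends a partial header and then stalls, and reports whether the server closed it
// within `wait`. With headerTimeout == 0 (the flagged code) the server never does.
func slowClientDropped(headerTimeout, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := newHardenedServer(ln.Addr().String(), http.NotFoundHandler(), headerTimeout)
	go func() { _ = srv.Serve(ln) }()
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Partial request: request line and one header, then silence, as a stalled client would.
	if _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: example\r\n")); err != nil {
		return false, err
	}
	_ = conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.ReadAll(conn) // returns a nil error on EOF, i.e. once the server closes the socket
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own deadline fired first: the server kept the stalled connection
	}
	return true, nil
}

// Route stands in for the netlink route type used in netops.go (constructed for this example).
type Route struct{ Dst string }

// G601 fix: index the slice instead of taking &route of the range variable, so the
// returned pointer refers to the slice element rather than to a copy of it.
func defaultRoute(routes []Route) *Route {
	for i := range routes {
		if routes[i].Dst == "" {
			return &routes[i]
		}
	}
	return nil
}
```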
huoqifeng commented 2 years ago

@bpradipt these are the errors I mentioned in https://github.com/confidential-containers/cloud-api-adaptor/issues/320; I created a separate issue to address them.

huoqifeng commented 2 years ago

go vet supports build flags too; running it like this tells vet to pick the corresponding files:

# go vet -tags=ibmcloud|aws|libvirt ./...

huoqifeng commented 2 years ago

gosec declares support for -tags here https://github.com/securego/gosec/issues/393, but it does not seem to work in our case.