Doing this as part of #350
Running it locally flags a few items for investigation that look valid; I'll look at fixing these up as part of adding gosec.
[/workspaces/azbrowse/internal/pkg/expanders/containerService.go:315-318] - G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)
314: transport := &http.Transport{
> 315: TLSClientConfig: &tls.Config{
> 316: Certificates: []tls.Certificate{cert},
> 317: RootCAs: caCerts,
> 318: },
319: }
[/workspaces/azbrowse/pkg/armclient/authutils.go:55] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
54:
> 55: out, err := exec.Command("az", args...).Output()
56: if err != nil {
[/workspaces/azbrowse/pkg/armclient/authutils.go:26] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
25: query := fmt.Sprintf("[?tenantId=='%s'].id| [0] ", tenantID)
> 26: out, err := exec.Command("az", "account", "list", "--output", "tsv", "--query", query).Output()
27: if err != nil {
[/workspaces/azbrowse/internal/pkg/wsl/utils.go:51] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
50: func TryLaunchBrowser(url string) error {
> 51: cmd := exec.Command("explorer.exe", url)
52: var stderr bytes.Buffer
[/workspaces/azbrowse/internal/pkg/wsl/utils.go:20] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
19: func TranslateToWindowsPath(localPath string) (string, error) {
> 20: cmd := exec.Command("wslpath", "-w", localPath)
21: var out bytes.Buffer
[/workspaces/azbrowse/cmd/azbrowse/cmd.go:140] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
139: query := fmt.Sprintf("[?name=='%[1]s' || id== '%[1]s'].id", subscription)
> 140: out, err := exec.Command("az", "account", "list", "--query", query, "--output", "tsv").Output()
141: if err != nil {
[/workspaces/azbrowse/cmd/azbrowse/cmd.go:129] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
128: query := fmt.Sprintf("[?name=='%[1]s' || id== '%[1]s'].tenantId", subscription)
> 129: out, err := exec.Command("az", "account", "list", "--query", query, "--output", "tsv").Output()
130: if err != nil {
[/workspaces/azbrowse/internal/pkg/editor/editor.go:84] - G204 (CWE-78): Subprocess launched with function call as argument or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
83: args = append(args, filename)
> 84: cmd := exec.Command(command.Executable, args...)
85: cmd.Stdin = os.Stdin
[/workspaces/azbrowse/internal/pkg/tfprovider/provider.go:146] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
145: hash := sha256.New()
> 146: f, err := os.Open(path)
147: if err != nil {
[/workspaces/azbrowse/internal/pkg/config/config.go:59] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
58: }
> 59: configFile, err := os.Open(configLocation)
60: if err != nil {
[/workspaces/azbrowse/cmd/swagger-codegen/main.go:84] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
83: apiSetPath := fmt.Sprintf("%s/api-set.json", apiSetFolder)
> 84: buf, err := ioutil.ReadFile(apiSetPath)
85: if err != nil {
[/workspaces/azbrowse/pkg/swagger/swagger.go:222] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
221:
> 222: getOperation, err := getOperationByVerb(&swaggerPathItem, getVerb)
223: if err != nil {
[/workspaces/azbrowse/internal/pkg/expanders/storageManagementPolicies.go:80] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
79: ExpandURL: url,
> 80: SwaggerResourceType: &resourceType,
81: })
[/workspaces/azbrowse/internal/pkg/expanders/tfimport.go:228] - G301 (CWE-276): Expect directory permissions to be 0750 or less (Confidence: HIGH, Severity: MEDIUM)
227: }
> 228: err = os.MkdirAll(azbPath, 0777)
229: if err != nil {
[/workspaces/azbrowse/internal/pkg/tfprovider/provider.go:123] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
122:
> 123: err = ioutil.WriteFile(path.Join(workingDir, "provider.tf"), []byte(providerFileContent), 0644)
124: if err != nil {
[/workspaces/azbrowse/internal/pkg/expanders/containerService.go:275] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
274: tmpPath := tmpDir + "/k8s-paths.yml"
> 275: ioutil.WriteFile(tmpPath, tempBuf, 0644) //nolint:errcheck
276: }
[/workspaces/azbrowse/internal/pkg/tfprovider/provider.go:150] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
149: }
> 150: defer f.Close() //nolint: errcheck
151: if _, err := io.Copy(hash, f); err != nil {
[/workspaces/azbrowse/internal/pkg/config/config.go:63] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
62: }
> 63: defer configFile.Close() //nolint: errcheck
64: bytes, _ := ioutil.ReadAll(configFile)
Completed with #350
https://github.com/securego/gosec