Add gosec static analysis

2020-04-13 22:30:09 +02:00 · 2020-04-13 22:30:09 +02:00 · b8d7c97eb7
parent fb8ac92abf
commit b8d7c97eb7
8 changed files with 16 additions and 9 deletions
--- a/.drone1.yml
+++ b/.drone1.yml
@ -57,6 +57,8 @@ steps:
      - make goconst-check
      - make gocyclo-check
      - make static-check
+      - curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0 # Need to manually install as it does not support being installed via go modules like the rest.
+      - make gosec-check
      - make build
    when:
      event: [ push, tag, pull_request ]
--- a/10
+++ b/10
@ -231,15 +231,17 @@ static-check:

 .PHONY: gosec-check
 gosec-check:
-	@hash ./bin/gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 1.2.0; \
+	@hash gosec > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		echo "Please manually install gosec by running"; \
+		echo "curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | bash -s -- -b $GOPATH/bin v2.2.0"; \
+		exit 1; \
 	fi
-	for S in $(PACKAGES); do ./bin/gosec $$S || exit 1; done;
+	gosec ./...

 .PHONY: goconst-check
 goconst-check:
 	@hash goconst > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		go get -u github.com/jgautheron/goconst/cmd/goconst; \
 		go install $(GOFLAGS) github.com/jgautheron/goconst/cmd/goconst; \
-	fi
+	fi;
 	for S in $(PACKAGES); do goconst $$S || exit 1; done;
--- a/pkg/cmd/migrate.go
+++ b/pkg/cmd/migrate.go
@ -24,7 +24,7 @@ import (
 func init() {
 	migrateCmd.AddCommand(migrateListCmd)
 	migrationRollbackCmd.Flags().StringVarP(&rollbackUntilFlag, "name", "n", "", "The id of the migration you want to roll back until.")
-	migrationRollbackCmd.MarkFlagRequired("name")
+	_ = migrationRollbackCmd.MarkFlagRequired("name")
 	migrateCmd.AddCommand(migrationRollbackCmd)
 	rootCmd.AddCommand(migrateCmd)
 }
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -34,6 +34,7 @@ type Key string

 // These constants hold all config value keys
 const (
+	// #nosec
 	ServiceJWTSecret             Key = `service.JWTSecret`
 	ServiceInterface             Key = `service.interface`
 	ServiceFrontendurl           Key = `service.frontendurl`
--- a/pkg/log/logging.go
+++ b/pkg/log/logging.go
@ -86,7 +86,7 @@ func GetLogWriter(logfile string) (writer io.Writer) {
 	switch viper.GetString("log." + logfile) {
 	case "file":
 		fullLogFilePath := config.LogPath.GetString() + "/" + logfile + ".log"
-		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(fullLogFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 		if err != nil {
 			Fatalf("Could not create logfile %s: %s", fullLogFilePath, err.Error())
 		}
--- a/pkg/mail/mail.go
+++ b/pkg/mail/mail.go
@ -42,6 +42,7 @@ func StartMailDaemon() {

 	go func() {
 		d := gomail.NewDialer(config.MailerHost.GetString(), config.MailerPort.GetInt(), config.MailerUsername.GetString(), config.MailerPassword.GetString())
+		// #nosec
 		d.TLSConfig = &tls.Config{InsecureSkipVerify: config.MailerSkipTLSVerify.GetBool()}

 		var s gomail.SendCloser
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@ -160,7 +160,7 @@ func CheckUserCredentials(u *Login) (*User, error) {
 	user, err := GetUserByUsername(u.Username)
 	if err != nil {
 		// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
-		bcrypt.GenerateFromPassword([]byte(u.Username), 14)
+		_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
 		return &User{}, ErrWrongUsernameOrPassword{}
 	}

--- a/pkg/utils/md5_string.go
+++ b/pkg/utils/md5_string.go
@ -17,14 +17,15 @@
 package utils

 import (
-	"crypto/md5"
+	"crypto/md5" // #nosec
 	"fmt"
 	"io"
 )

 // Md5String generates an md5 hash from a string
 func Md5String(in string) string {
+	// #nosec
 	h := md5.New()
-	io.WriteString(h, in)
+	_, _ = io.WriteString(h, in)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }