Enable gosec linter for golangci-lint

henry118 · thaJeztah · commit 977ce8ef508d · 2023-03-08T00:00:24.000+01:00
`gosec` linter is able to identify issues described in #6584 e.g. $ git revert 54e95e6 [gosec dfc8ca1ec] Revert "fix Implicit memory aliasing in for loop" 2 files changed, 2 deletions(-) $ make check + proto-fmt + check GOGC=75 golangci-lint run containerstore.go:192:54: G601: Implicit memory aliasing in for loop. (gosec) containers = append(containers, containerFromProto(&container)) ^ image_store.go:132:42: G601: Implicit memory aliasing in for loop. (gosec) images = append(images, imageFromProto(&image)) ^ make: *** [check] Error 1 I also disabled following two settings which prevent the linter to show a complete list of issues. * max-issues-per-linter (default 50) * max-same-issues (default 3) Furthermore enabling gosec revealed many other issues. For now I blacklisted the ones except G601. Will create separate tasks to address them one by one moving next. Signed-off-by: Henry Wang <henwang@amazon.com> (cherry picked from commit b8bf504) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/.golangci.yml b/.golangci.yml
@@ -11,12 +11,28 @@ linters:
     - vet
     - unused
     - misspell
+    - gosec
   disable:
     - errcheck
 
 issues:
   include:
     - EXC0002
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  gosec:
+    # The following issues surfaced when `gosec` linter
+    # was enabled. They are temporarily excluded to unblock
+    # the existing workflow, but still to be addressed by
+    # by future works.
+    excludes:
+      - G204
+      - G305
+      - G306
+      - G402
+      - G404
 
 run:
   timeout: 8m
diff --git a/metadata/boltutil/helpers.go b/metadata/boltutil/helpers.go
@@ -162,6 +162,7 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
 	}
 
 	for name, ext := range extensions {
+		ext := ext
 		p, err := proto.Marshal(&ext)
 		if err != nil {
 			return err
diff --git a/metadata/containers_test.go b/metadata/containers_test.go
@@ -150,6 +150,7 @@ func TestContainersList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkContainersEqual(t, &result, testset[result.ID], "list results did not match")
 			}
 		})
diff --git a/metadata/images_test.go b/metadata/images_test.go
@@ -129,6 +129,7 @@ func TestImagesList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkImagesEqual(t, &result, testset[result.Name], "list results did not match")
 			}
 		})
diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
@@ -593,6 +593,7 @@ func TestDevShmSize(t *testing.T) {
 
 	expected := "1024k"
 	for _, s := range ss {
+		s := s
 		if err := WithDevShmSize(1024)(nil, nil, nil, &s); err != nil {
 			if err != ErrNoShmMount {
 				t.Fatal(err)
diff --git a/services/containers/helpers.go b/services/containers/helpers.go
@@ -25,6 +25,7 @@ func containersToProto(containers []containers.Container) []api.Container {
 	var containerspb []api.Container
 
 	for _, image := range containers {
+		image := image
 		containerspb = append(containerspb, containerToProto(&image))
 	}
 
diff --git a/services/images/helpers.go b/services/images/helpers.go
@@ -27,6 +27,7 @@ func imagesToProto(images []images.Image) []imagesapi.Image {
 	var imagespb []imagesapi.Image
 
 	for _, image := range images {
+		image := image
 		imagespb = append(imagespb, imageToProto(&image))
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,7 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`for name, ext := range extensions {`
	`165`	`+ ext := ext`
`165`	`166`	`p, err := proto.Marshal(&ext)`
`166`	`167`	`if err != nil {`
`167`	`168`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,7 @@ func TestContainersList(t *testing.T) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`for _, result := range results {`
	`153`	`+ result := result`
`153`	`154`	`checkContainersEqual(t, &result, testset[result.ID], "list results did not match")`
`154`	`155`	`}`
`155`	`156`	`})`
Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,7 @@ func TestImagesList(t *testing.T) {`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`for _, result := range results {`
	`132`	`+ result := result`
`132`	`133`	`checkImagesEqual(t, &result, testset[result.Name], "list results did not match")`
`133`	`134`	`}`
`134`	`135`	`})`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ func containersToProto(containers []containers.Container) []api.Container {`
`25`	`25`	`var containerspb []api.Container`
`26`	`26`
`27`	`27`	`for _, image := range containers {`
	`28`	`+ image := image`
`28`	`29`	`containerspb = append(containerspb, containerToProto(&image))`
`29`	`30`	`}`
`30`	`31`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ func imagesToProto(images []images.Image) []imagesapi.Image {`
`27`	`27`	`var imagespb []imagesapi.Image`
`28`	`28`
`29`	`29`	`for _, image := range images {`
	`30`	`+ image := image`
`30`	`31`	`imagespb = append(imagespb, imageToProto(&image))`
`31`	`32`	`}`
`32`	`33`