diff --git a/e2e/utils.go b/e2e/utils.go
index a75a6b20e..53ee0a15c 100644
--- a/e2e/utils.go
+++ b/e2e/utils.go
@@ -31,17 +31,18 @@ import (
 testutils "k8s.io/kubernetes/test/utils"
 )
+/* #nosec:G101, values not credententials, just a reference to the location.*/
 const (
 defaultNs = "default"
- vaultSecretNs = "/secret/ceph-csi/" // nolint: gosec
+ vaultSecretNs = "/secret/ceph-csi/"
 // rook created cephfs user
- cephfsNodePluginSecretName = "rook-csi-cephfs-node" // nolint: gosec
- cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner" // nolint: gosec
+ cephfsNodePluginSecretName = "rook-csi-cephfs-node"
+ cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner"
 // rook created rbd user
- rbdNodePluginSecretName = "rook-csi-rbd-node" // nolint: gosec
- rbdProvisionerSecretName = "rook-csi-rbd-provisioner" // nolint: gosec
+ rbdNodePluginSecretName = "rook-csi-rbd-node"
+ rbdProvisionerSecretName = "rook-csi-rbd-provisioner"
 rookTolBoxPodLabel = "app=rook-ceph-tools"
 rbdmountOptions = "mountOptions"
diff --git a/internal/cephfs/util.go b/internal/cephfs/util.go
index cdb6a4560..120b5008b 100644
--- a/internal/cephfs/util.go
+++ b/internal/cephfs/util.go
@@ -34,7 +34,7 @@ type volumeID string
 func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
 var (
- cmd = exec.Command(program, args...) // nolint: gosec, #nosec
+ cmd = exec.Command(program, args...) // #nosec:G204, not called with user specified parameters.
 sanitizedArgs = util.StripSecretInArgs(args)
 stdoutBuf bytes.Buffer
 stderrBuf bytes.Buffer
diff --git a/internal/util/cephcmds.go b/internal/util/cephcmds.go
index 5cbc899fb..e9d1b2be5 100644
--- a/internal/util/cephcmds.go
+++ b/internal/util/cephcmds.go
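Review bot: The new block comment on the line before `const (` misspells "credentials" as "credententials", and as a `/* */` comment it also departs from the `//` form every other annotation in this patch uses. Suggest `// #nosec:G101, values are not credentials, only references to where they are stored.` on that line. Putting one annotation on the declaration instead of on each spec relies on gosec attaching the comment to the whole `const` block and applying it to every child; that appears to be how its comment handling works, but it is worth confirming with a lint run before the per-line `nolint` markers are dropped, since a line that is no longer covered would fail the gate silently rather than loudly.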
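Review bot: The justification `not called with user specified parameters` on the `exec.Command` line cannot be checked inside `execCommand`, because `program` and `args` are its parameters and the claim is really about every caller; the same problem applies to the `commands executing not vulnerable.` wording in the `ExecCommand` hunk of internal/util/cephcmds.go and the `execCryptsetupCommand` hunk of internal/util/cryptsetup.go. A reader auditing the suppression later needs the actual reason: `exec.Command` hands `args` to the process as a literal argv with no shell involved, so what remains is the risk of a caller forwarding request-controlled values as arguments. Suggest `// #nosec:G204, args go to argv without a shell; callers must pass only driver-controlled values.` on all three lines, and for the exported `ExecCommand` a sentence in its doc comment saying that callers are responsible for the arguments they pass. The body of `execCommand` continues past the end of the hunk.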
@@ -33,7 +33,7 @@ const InvalidPoolID int64 = -1
 // ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
 func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
 var (
- cmd = exec.Command(program, args...) // nolint: gosec, #nosec
+ cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
 sanitizedArgs = StripSecretInArgs(args)
 stdoutBuf bytes.Buffer
 stderrBuf bytes.Buffer
diff --git a/internal/util/conn_pool.go b/internal/util/conn_pool.go
index 20e597b0d..6ed19963b 100644
--- a/internal/util/conn_pool.go
+++ b/internal/util/conn_pool.go
@@ -96,7 +96,7 @@ func (cp *ConnPool) Destroy() {
 func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
 // the keyfile can be unique for operations, contents will be the same
- key, err := ioutil.ReadFile(keyfile) // nolint: gosec, #nosec
+ key, err := ioutil.ReadFile(keyfile) // #nosec:G304, file inclusion via variable.
 if err != nil {
 return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
 }
diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go
index 3a3a15024..08d7543db 100644
--- a/internal/util/cryptsetup.go
+++ b/internal/util/cryptsetup.go
@@ -46,7 +46,7 @@ func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
 func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
 var (
 program = "cryptsetup"
- cmd = exec.Command(program, args...) // nolint: gosec, #nosec
+ cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
 sanitizedArgs = StripSecretInArgs(args)
 stdoutBuf bytes.Buffer
 stderrBuf bytes.Buffer
diff --git a/internal/util/csiconfig_test.go b/internal/util/csiconfig_test.go
index 79bfc3faf..b684c134d 100644
--- a/internal/util/csiconfig_test.go
+++ b/internal/util/csiconfig_test.go
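Review bot: The new comment on the `ioutil.ReadFile(keyfile)` line in `generateUniqueKey` restates what G304 flags ("file inclusion via variable") rather than why the read is acceptable here, so it gives a later reader nothing to verify. If `keyfile` is a path the driver produces itself rather than one taken from a request (the parameter name suggests so, but the callers are outside this hunk, so confirm), say exactly that: `// #nosec:G304, keyfile is a driver-generated path, not request input.`. The error path on the following lines is fine as written, since it reports only the path and the wrapped error, never the key material that was read. `generateUniqueKey` continues past the end of the hunk.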
@@ -53,7 +53,7 @@ func TestCSIConfig(t *testing.T) {
 }
 data = ""
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
@@ -65,7 +65,7 @@ func TestCSIConfig(t *testing.T) {
 }
 data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
@@ -77,7 +77,7 @@ func TestCSIConfig(t *testing.T) {
 }
 data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
@@ -89,7 +89,7 @@ func TestCSIConfig(t *testing.T) {
 }
 data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
@@ -101,7 +101,7 @@ func TestCSIConfig(t *testing.T) {
 }
 data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
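Review bot: Each of the five write-and-check stanzas in these hunks, and the one in the `-120` hunk that follows, reports a failed `ioutil.WriteFile` with `t.Errorf` and then keeps going, so when the fixture write fails the previous file content stays in place and the assertions that follow run against stale data with a misleading failure. A setup error should abort the test: `t.Fatalf("Test setup error %s", err)`. Because the same four lines repeat six times, a small helper taking `t` and `data` that builds the path with `filepath.Join(basePath, csiClusters)` instead of string concatenation would also keep the `0600` mode in one place. `TestCSIConfig` starts before and ends after these hunks.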
@@ -120,7 +120,7 @@ func TestCSIConfig(t *testing.T) {
 data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
 "{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
- err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
+ err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
 if err != nil {
 t.Errorf("Test setup error %s", err)
 }
diff --git a/internal/util/vault.go b/internal/util/vault.go
index b668e1675..c428b01c1 100644
--- a/internal/util/vault.go
+++ b/internal/util/vault.go
@@ -41,7 +41,7 @@ const (
 vaultDefaultPassphrasePath = ""
 // vault request headers
- vaultTokenHeader = "X-Vault-Token" // nolint: gosec, #nosec
+ vaultTokenHeader = "X-Vault-Token" // #nosec:G101, value not credential, just references token.
 vaultNamespaceHeader = "X-Vault-Namespace"
 )
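Review bot: The new justification `value not credential, just references token.` on the `vaultTokenHeader` line is vague about what the value is; G101 is triggered by the identifier containing "token", while the string itself is the name of an HTTP request header, not a token. Suggest `// #nosec:G101, this is the HTTP header name, not a credential.` so the next reader can confirm the exemption at a glance. The comment above it, `// vault request headers`, already applies to both constants, so the annotation only needs to explain the rule match.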