Merge pull request #117 from inteon/fix_gosec

Fix gosec linter issues and enable linter

.golangci.yaml

@@ -1,8 +1,3 @@
-issues:
-  exclude-rules:
-    - linters:
-        - gosec
-      text: ".*"
 linters:
   # Explicitly define all enabled linters
   disable-all: true

conditions/certificaterequest_test.go

@@ -38,7 +38,7 @@ func randomTime() time.Time {
 	max := time.Date(2070, 1, 0, 0, 0, 0, 0, time.UTC).Unix()
 	delta := max - min
 
-	sec := rand.Int63n(delta) + min
+	sec := rand.Int63n(delta) + min // #nosec: G404 -- The random time does not have to be secure.
 	return time.Unix(sec, 0)
 }
 
@@ -51,7 +51,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 		conditionType      cmapi.CertificateRequestConditionType
 		status             cmmeta.ConditionStatus
 
-		expectedCondition *cmapi.CertificateRequestCondition
+		expectedCondition cmapi.CertificateRequestCondition
 		expectNewEntry    bool
 	}
 
@@ -75,7 +75,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			conditionType:   cmapi.CertificateRequestConditionReady,
 			status:          cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.CertificateRequestCondition{
+			expectedCondition: cmapi.CertificateRequestCondition{
 				Type:               cmapi.CertificateRequestConditionReady,
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj1,
@@ -94,7 +94,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			conditionType:   cmapi.CertificateRequestConditionReady,
 			status:          cmmeta.ConditionFalse,
 
-			expectedCondition: &cmapi.CertificateRequestCondition{
+			expectedCondition: cmapi.CertificateRequestCondition{
 				Type:               cmapi.CertificateRequestConditionReady,
 				Status:             cmmeta.ConditionFalse,
 				LastTransitionTime: &fakeTimeObj2,
@@ -118,7 +118,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			conditionType: cmapi.CertificateRequestConditionReady,
 			status:        cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.CertificateRequestCondition{
+			expectedCondition: cmapi.CertificateRequestCondition{
 				Type:               cmapi.CertificateRequestConditionReady,
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj1,
@@ -142,7 +142,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			conditionType: cmapi.CertificateRequestConditionApproved,
 			status:        cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.CertificateRequestCondition{
+			expectedCondition: cmapi.CertificateRequestCondition{
 				Type:               cmapi.CertificateRequestConditionApproved,
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj2,
@@ -193,7 +193,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			}
 			test.expectedCondition.Reason = "NewReason"
 			test.expectedCondition.Message = "NewMessage"
-			require.Equal(t, test.expectedCondition, cond)
+			require.Equal(t, test.expectedCondition, *cond)
 			require.Equal(t, &fakeTimeObj2, time)
 
 			// Check that the patchConditions slice got a new entry if expected
@@ -206,7 +206,7 @@ func TestSetCertificateRequestStatusCondition(t *testing.T) {
 			// Make sure only the expected condition in the patchConditions slice got updated
 			for _, c := range patchConditions {
 				if c.Type == test.conditionType {
-					require.Equal(t, test.expectedCondition, &c)
+					require.Equal(t, test.expectedCondition, c)
 					continue
 				}
 

conditions/certificatesigningrequest_test.go

@@ -35,7 +35,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 		conditionType      certificatesv1.RequestConditionType
 		status             v1.ConditionStatus
 
-		expectedCondition *certificatesv1.CertificateSigningRequestCondition
+		expectedCondition certificatesv1.CertificateSigningRequestCondition
 		expectNewEntry    bool
 	}
 
@@ -59,7 +59,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			conditionType:   certificatesv1.CertificateApproved,
 			status:          v1.ConditionTrue,
 
-			expectedCondition: &certificatesv1.CertificateSigningRequestCondition{
+			expectedCondition: certificatesv1.CertificateSigningRequestCondition{
 				Type:               certificatesv1.CertificateApproved,
 				Status:             v1.ConditionTrue,
 				LastTransitionTime: fakeTimeObj1,
@@ -78,7 +78,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			conditionType:   certificatesv1.CertificateApproved,
 			status:          v1.ConditionFalse,
 
-			expectedCondition: &certificatesv1.CertificateSigningRequestCondition{
+			expectedCondition: certificatesv1.CertificateSigningRequestCondition{
 				Type:               certificatesv1.CertificateApproved,
 				Status:             v1.ConditionFalse,
 				LastTransitionTime: fakeTimeObj2,
@@ -102,7 +102,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			conditionType: certificatesv1.CertificateApproved,
 			status:        v1.ConditionTrue,
 
-			expectedCondition: &certificatesv1.CertificateSigningRequestCondition{
+			expectedCondition: certificatesv1.CertificateSigningRequestCondition{
 				Type:               certificatesv1.CertificateApproved,
 				Status:             v1.ConditionTrue,
 				LastTransitionTime: fakeTimeObj1,
@@ -126,7 +126,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			conditionType: certificatesv1.CertificateDenied,
 			status:        v1.ConditionTrue,
 
-			expectedCondition: &certificatesv1.CertificateSigningRequestCondition{
+			expectedCondition: certificatesv1.CertificateSigningRequestCondition{
 				Type:               certificatesv1.CertificateDenied,
 				Status:             v1.ConditionTrue,
 				LastTransitionTime: fakeTimeObj2,
@@ -181,7 +181,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			test.expectedCondition.LastUpdateTime = fakeTimeObj2
 			test.expectedCondition.Reason = "NewReason"
 			test.expectedCondition.Message = "NewMessage"
-			require.Equal(t, test.expectedCondition, cond)
+			require.Equal(t, test.expectedCondition, *cond)
 			require.Equal(t, &fakeTimeObj2, time)
 
 			// Check that the patchConditions slice got a new entry if expected
@@ -194,7 +194,7 @@ func TestSetCertificateSigningRequestStatusCondition(t *testing.T) {
 			// Make sure only the expected condition in the patchConditions slice got updated
 			for _, c := range patchConditions {
 				if c.Type == test.conditionType {
-					require.Equal(t, test.expectedCondition, &c)
+					require.Equal(t, test.expectedCondition, c)
 					continue
 				}
 

conditions/issuer_test.go

@@ -35,7 +35,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 		conditionType      cmapi.IssuerConditionType
 		status             cmmeta.ConditionStatus
 
-		expectedCondition *cmapi.IssuerCondition
+		expectedCondition cmapi.IssuerCondition
 		expectNewEntry    bool
 	}
 
@@ -59,7 +59,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			conditionType:   cmapi.IssuerConditionReady,
 			status:          cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.IssuerCondition{
+			expectedCondition: cmapi.IssuerCondition{
 				Type:               cmapi.IssuerConditionReady,
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj1,
@@ -78,7 +78,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			conditionType:   cmapi.IssuerConditionReady,
 			status:          cmmeta.ConditionFalse,
 
-			expectedCondition: &cmapi.IssuerCondition{
+			expectedCondition: cmapi.IssuerCondition{
 				Type:               cmapi.IssuerConditionReady,
 				Status:             cmmeta.ConditionFalse,
 				LastTransitionTime: &fakeTimeObj2,
@@ -102,7 +102,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			conditionType: cmapi.IssuerConditionReady,
 			status:        cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.IssuerCondition{
+			expectedCondition: cmapi.IssuerCondition{
 				Type:               cmapi.IssuerConditionReady,
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj1,
@@ -126,7 +126,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			conditionType: cmapi.IssuerConditionType("AnotherCondition"),
 			status:        cmmeta.ConditionTrue,
 
-			expectedCondition: &cmapi.IssuerCondition{
+			expectedCondition: cmapi.IssuerCondition{
 				Type:               cmapi.IssuerConditionType("AnotherCondition"),
 				Status:             cmmeta.ConditionTrue,
 				LastTransitionTime: &fakeTimeObj2,
@@ -182,7 +182,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			test.expectedCondition.Reason = "NewReason"
 			test.expectedCondition.Message = "NewMessage"
 			test.expectedCondition.ObservedGeneration = 8
-			require.Equal(t, test.expectedCondition, cond)
+			require.Equal(t, test.expectedCondition, *cond)
 			require.Equal(t, &fakeTimeObj2, time)
 
 			// Check that the patchConditions slice got a new entry if expected
@@ -195,7 +195,7 @@ func TestSetIssuerStatusCondition(t *testing.T) {
 			// Make sure only the expected condition in the patchConditions slice got updated
 			for _, c := range patchConditions {
 				if c.Type == test.conditionType {
-					require.Equal(t, test.expectedCondition, &c)
+					require.Equal(t, test.expectedCondition, c)
 					continue
 				}
 

controllers/issuer_controller_test.go

@@ -57,7 +57,7 @@ func randomTime() time.Time {
 	max := time.Date(2070, 1, 0, 0, 0, 0, 0, time.UTC).Unix()
 	delta := max - min
 
-	sec := rand.Int63n(delta) + min
+	sec := rand.Int63n(delta) + min // #nosec: G404 -- The random time does not have to be secure.
 	return time.Unix(sec, 0)
 }
 

internal/kubeutil/watch.go

@@ -19,12 +19,12 @@ package kubeutil
 import (
 	"context"
 	"fmt"
-	"math/rand"
 
 	"github.com/go-logr/logr"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/util/workqueue"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -73,7 +73,7 @@ func NewLinkedResourceHandler(
 	addToQueue func(q workqueue.RateLimitingInterface, req reconcile.Request),
 ) (handler.EventHandler, error) {
 	// a random index name prevents collisions with other indexes
-	refField := fmt.Sprintf(".x-index.%s", randStringRunes(10))
+	refField := fmt.Sprintf(".x-index.%s", rand.String(10))
 
 	if err := SetGroupVersionKind(scheme, objType); err != nil {
 		return nil, err
@@ -142,16 +142,6 @@ func (r *linkedResourceHandler) findObjectsForKind(ctx context.Context, object c
 	return requests
 }
 
-var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
-
-func randStringRunes(n int) string {
-	b := make([]rune, n)
-	for i := range b {
-		b[i] = letterRunes[rand.Intn(len(letterRunes))]
-	}
-	return string(b)
-}
-
 // Based on https://github.com/kubernetes-sigs/controller-runtime/blob/00f2425ce068525e0ff674dba51c3e76ee6ad2da/pkg/handler/enqueue_mapped.go
 // Copied to this linkedResourceHandler type such that dependencies can be injected.
 

internal/tests/testresource/kube.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
 	goruntime "runtime"
 	"testing"
 	"time"
@@ -33,6 +32,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -205,20 +205,10 @@ func (k *OwnedKubeClients) StartObjectWatch(
 	}
 }
 
-const letterBytes = "abcdefghijklmnopqrstuvwxyz"
-
-func randStringBytes(n int) string {
-	b := make([]byte, n)
-	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
-	}
-	return string(b)
-}
-
 func (k *OwnedKubeClients) SetupNamespace(tb testing.TB, ctx context.Context) (string, context.CancelFunc) {
 	tb.Helper()
 
-	namespace := randStringBytes(15)
+	namespace := rand.String(15)
 
 	removeNamespace := func(cleanupCtx context.Context) (bool, error) {
 		err := k.KubeClient.CoreV1().Namespaces().Delete(cleanupCtx, namespace, metav1.DeleteOptions{})