From eb7a82c15ea9f0999cf8eef10090ba17e0caf6b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Paj=C4=85k?=
Date: Wed, 18 Oct 2023 07:06:03 +0000
Subject: [PATCH] [chore] Add gosec via golangci-lint

---
 .github/workflows/gosec.yml | 27 -------------------
 .golangci.yml | 15 +++++++++++
 example/prometheus/main.go | 2 +-
 example/view/main.go | 2 +-
 .../internal/otest/collector.go | 6 ++++-
 .../internal/otest/collector.go | 6 ++++-
 .../otlptracehttp/mock_collector_test.go | 5 +++-
 exporters/zipkin/zipkin_test.go | 4 ++-
 .../otlp/otlpmetric/otest/collector.go.tmpl | 6 ++++-
 sdk/resource/env.go | 2 +-
 10 files changed, 40 insertions(+), 35 deletions(-)
 delete mode 100644 .github/workflows/gosec.yml

diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
deleted file mode 100644
index 2747e0afa59..00000000000
--- a/.github/workflows/gosec.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Run Gosec
-on:
- workflow_dispatch:
- schedule:
- # ┌───────────── minute (0 - 59)
- # │ ┌───────────── hour (0 - 23)
- # │ │ ┌───────────── day of the month (1 - 31)
- # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
- # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
- # │ │ │ │ │
- # │ │ │ │ │
- # │ │ │ │ │
- # * * * * *
- - cron: '30 2 * * *'
-jobs:
- tests:
- runs-on: ubuntu-latest
- env:
- GO111MODULE: on
- steps:
- - name: Checkout Source
- uses: actions/checkout@v4
- - name: Run Gosec Security Scanner
- uses: securego/gosec@master
- with:
- args: ./...
-
diff --git a/.golangci.yml b/.golangci.yml
index 7121593d5d2..a62511f382e 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -14,6 +14,7 @@ linters:
 - godot
 - gofumpt
 - goimports
+ - gosec
 - gosimple
 - govet
 - ineffassign
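Review bot: Enabling gosec through golangci-lint puts it under golangci-lint's default exclusion list, which (if I have the current defaults right, EXC0006 through EXC0010) silently drops the unsafe-call audit, the subprocess audit, the G104/G307 unhandled-error findings, the file-permission checks and the G304 file-inclusion finding that the deleted standalone `securego/gosec` workflow used to report with no exclusions. The `issues.include` list later in this file re-enables only `EXC0012`, so those gosec rules are effectively off after this change. If the goal is parity with the old nightly scan, add `EXC0006` through `EXC0010` to `issues.include` (or set `exclude-use-default: false`) and triage the one-time backlog. The move away from `securego/gosec@master` to the gosec version bundled with the pinned golangci-lint is a supply-chain improvement and is worth a sentence in the commit message.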
@@ -53,6 +54,20 @@ issues:
 text: "calls to (.+) only in main[(][)] or init[(][)] functions"
 linters:
 - revive
+ # It's okay to not run gosec in a test.
+ - path: _test\.go
+ linters:
+ - gosec
+ # Igonoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
+ # as we commonly use it in tests and examples.
+ - text: "G404:"
+ linters:
+ - gosec
+ # Igonoring gosec G402: TLS MinVersion too low
+ # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
+ - text: "G402: TLS MinVersion too low."
+ linters:
+ - gosec
 include:
 # revive exported should have comment or be unexported.
 - EXC0012
diff --git a/example/prometheus/main.go b/example/prometheus/main.go
index 3c7e4db7976..fee550de6d0 100644
--- a/example/prometheus/main.go
+++ b/example/prometheus/main.go
@@ -91,7 +91,7 @@ func main() {
 func serveMetrics() {
 log.Printf("serving metrics at localhost:2223/metrics")
 http.Handle("/metrics", promhttp.Handler())
- err := http.ListenAndServe(":2223", nil)
+ err := http.ListenAndServe(":2223", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 if err != nil {
 fmt.Printf("error serving http: %v", err)
 return
diff --git a/example/view/main.go b/example/view/main.go
index 712e325301e..876457052b9 100644
--- a/example/view/main.go
+++ b/example/view/main.go
@@ -90,7 +90,7 @@ func main() {
 func serveMetrics() {
 log.Printf("serving metrics at localhost:2222/metrics")
 http.Handle("/metrics", promhttp.Handler())
- err := http.ListenAndServe(":2222", nil)
+ err := http.ListenAndServe(":2222", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 if err != nil {
 fmt.Printf("error serving http: %v", err)
 return
diff --git a/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go b/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go
index f5eb0a4af9c..c96ca1fda6e 100644
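Review bot: The global `text: "G404:"` exclusion is broader than its comment justifies: `_test.go` files are already skipped by the `path: _test\.go` rule just above it, so in practice this rule only silences `math/rand` use in non-test code, which is exactly where a weak generator can matter (whether any shipped package is affected is not visible here, so I am not asserting it). Scope it with `path: ^example/` so a future `math/rand` in an SDK or exporter package is still flagged, or drop it and use a per-site `//nolint:gosec // reason` instead. The G402 justification is only half right as well: crypto/tls clients have defaulted to TLS 1.2 since Go 1.18, but for servers the default `MinVersion` was still TLS 1.0 in the Go releases current at this commit, so an explicit `MinVersion: tls.VersionTLS12` on any server-side `tls.Config` is the safer fix than a text-match exclusion that will also hide future regressions. Minor: "Igonoring" → "Ignoring" in both comments.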
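Review bot: The suppressed call binds `":2223"`, i.e. every interface, while the `log.Printf` line just above advertises `localhost:2223/metrics`; for an example that users copy verbatim, bind the loopback address explicitly so the metrics endpoint is not exposed network-wide by accident. The `//nolint` is avoidable too: the test collectors elsewhere in this patch already switch to an `http.Server` with timeouts, and the example can do the same in two lines, `srv := &http.Server{Addr: "localhost:2223", Handler: nil, ReadHeaderTimeout: 10 * time.Second}` followed by `err := srv.ListenAndServe()` (a `time` import outside the hunk is needed). `serveMetrics` continues outside the hunk. The identical suppression in `example/view/main.go` (port 2222) deserves the same treatment.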
--- a/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go
+++ b/exporters/otlp/otlpmetric/otlpmetricgrpc/internal/otest/collector.go
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle

 mux := http.NewServeMux()
 mux.Handle(u.Path, http.HandlerFunc(c.handler))
- c.srv = &http.Server{Handler: mux}
+ c.srv = &http.Server{
+ Handler: mux,
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
+ }
 if u.Scheme == "https" {
 cert, err := weakCertificate()
 if err != nil {
diff --git a/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go b/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go
index 0b6b9387167..503eba65bea 100644
--- a/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go
+++ b/exporters/otlp/otlpmetric/otlpmetrichttp/internal/otest/collector.go
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle

 mux := http.NewServeMux()
 mux.Handle(u.Path, http.HandlerFunc(c.handler))
- c.srv = &http.Server{Handler: mux}
+ c.srv = &http.Server{
+ Handler: mux,
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
+ }
 if u.Scheme == "https" {
 cert, err := weakCertificate()
 if err != nil {
diff --git a/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go b/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go
index 919a15fa4df..2b87215d183 100644
--- a/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go
+++ b/exporters/otlp/otlptrace/otlptracehttp/mock_collector_test.go
@@ -25,6 +25,7 @@ import (
 "net/http"
 "sync"
 "testing"
+ "time"

 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
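Review bot: The `10 * time.Second` literal now appears in this file, in the otlpmetrichttp twin, in the `collector.go.tmpl` this file appears to be generated from, and in the trace and zipkin mocks; a named constant in the template, e.g. `const testServerTimeout = 10 * time.Second`, keeps the generated copies in step when someone tunes it. A short comment on the struct literal would also help the next reader: `ReadTimeout` covers header reads as well because `ReadHeaderTimeout` is left zero and net/http then falls back to `ReadTimeout`, which is what satisfies the slowloris finding gosec raises; `IdleTimeout` stays unset, which is acceptable for a test collector but should be said. No `time` import hunk is shown for this file, unlike `mock_collector_test.go`, so presumably `time` is already imported here — worth confirming before merge. `NewHTTPCollector` starts and ends outside the hunk.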
@@ -241,7 +242,9 @@ func runMockCollector(t *testing.T, cfg mockCollectorConfig) *mockCollector {
 mux := http.NewServeMux()
 mux.Handle(cfg.TracesURLPath, http.HandlerFunc(m.serveTraces))
 server := &http.Server{
- Handler: mux,
+ Handler: mux,
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
 }
 if cfg.WithTLS {
 pem, err := generateWeakCertificate()
diff --git a/exporters/zipkin/zipkin_test.go b/exporters/zipkin/zipkin_test.go
index cc90b5f789d..ad720a042b2 100644
--- a/exporters/zipkin/zipkin_test.go
+++ b/exporters/zipkin/zipkin_test.go
@@ -120,7 +120,9 @@ func startMockZipkinCollector(t *testing.T) *mockZipkinCollector {
 require.NoError(t, err)
 collector.url = fmt.Sprintf("http://%s", listener.Addr().String())
 server := &http.Server{
- Handler: http.HandlerFunc(collector.handler),
+ Handler: http.HandlerFunc(collector.handler),
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
 }
 collector.server = server
 wg := &sync.WaitGroup{}
diff --git a/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl b/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl
index 31fc32224b9..1adf55807a5 100644
--- a/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl
+++ b/internal/shared/otlp/otlpmetric/otest/collector.go.tmpl
@@ -242,7 +242,11 @@ func NewHTTPCollector(endpoint string, resultCh <-chan ExportResult) (*HTTPColle

 mux := http.NewServeMux()
 mux.Handle(u.Path, http.HandlerFunc(c.handler))
- c.srv = &http.Server{Handler: mux}
+ c.srv = &http.Server{
+ Handler: mux,
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
+ }
 if u.Scheme == "https" {
 cert, err := weakCertificate()
 if err != nil {
diff --git a/sdk/resource/env.go b/sdk/resource/env.go
index 606d5500f26..7e49ed58116 100644
--- a/sdk/resource/env.go
+++ b/sdk/resource/env.go
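Review bot: These timeouts land in a `_test.go` file that the `.golangci.yml` hunk in this same patch excludes from gosec entirely (`path: _test\.go`), so the linter never required them here; they are fine as hardening, but they make the blanket test exclusion look unnecessary — since the test servers are being fixed anyway, consider dropping the `_test.go` exclusion and silencing only the rules that genuinely do not apply to tests, such as G404. The same observation applies to the `zipkin_test.go` hunk that follows, which also gets no `time` import hunk, so presumably that file already imports `time` — worth confirming. `runMockCollector` continues outside the hunk.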
@@ -28,7 +28,7 @@ import (

 const (
 // resourceAttrKey is the environment variable name OpenTelemetry Resource information will be read from.
- resourceAttrKey = "OTEL_RESOURCE_ATTRIBUTES"
+ resourceAttrKey = "OTEL_RESOURCE_ATTRIBUTES" //nolint:gosec // False positive G101: Potential hardcoded credentials

 // svcNameKey is the environment variable name that Service Name information will be read from.
 svcNameKey = "OTEL_SERVICE_NAME"
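Review bot: The suppression is correctly scoped to one line and carries a reason, but the reason does not say what makes it a false positive, and `svcNameKey` on the next lines is not flagged, so it is presumably G101's entropy heuristic firing on the longer value rather than the identifier name; saying so helps the next reader, e.g. `//nolint:gosec // False positive G101: the value is an env var name, not a credential`. If more `OTEL_*` constants trip the same heuristic, a single config-level rule in `.golangci.yml` — `- text: "G101:"` with `source: '= "OTEL_[A-Z_]+"'` and `linters: [gosec]` — expresses the false positive once instead of growing a `//nolint` trail. The `const (` block closes outside the hunk.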