@rodolforeitz rodolforeitz commented Feb 14, 2025

gosec -fmt=sonarqube -exclude-generated -out secreport.json ./...

after:

{
	"issues": []
}

before:

{
	"issues": [
		{
			"engineId": "gosec",
			"ruleId": "G304",
			"primaryLocation": {
				"message": "Potential file inclusion via variable",
				"filePath": "parser/pkgpath.go",
				"textRange": {
					"startLine": 114,
					"endLine": 114
				}
			},
			"type": "VULNERABILITY",
			"severity": "MAJOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G306",
			"primaryLocation": {
				"message": "Expect WriteFile permissions to be 0600 or less",
				"filePath": "bootstrap/bootstrap.go",
				"textRange": {
					"startLine": 215,
					"endLine": 215
				}
			},
			"type": "VULNERABILITY",
			"severity": "MAJOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G103",
			"primaryLocation": {
				"message": "Use of unsafe calls should be audited",
				"filePath": "jlexer/bytestostr.go",
				"textRange": {
					"startLine": 20,
					"endLine": 20
				}
			},
			"type": "VULNERABILITY",
			"severity": "MINOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G103",
			"primaryLocation": {
				"message": "Use of unsafe calls should be audited",
				"filePath": "helpers.go",
				"textRange": {
					"startLine": 47,
					"endLine": 47
				}
			},
			"type": "VULNERABILITY",
			"severity": "MINOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G103",
			"primaryLocation": {
				"message": "Use of unsafe calls should be audited",
				"filePath": "buffer/pool.go",
				"textRange": {
					"startLine": 55,
					"endLine": 55
				}
			},
			"type": "VULNERABILITY",
			"severity": "MINOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G104",
			"primaryLocation": {
				"message": "Errors unhandled",
				"filePath": "gen/generator.go",
				"textRange": {
					"startLine": 78,
					"endLine": 78
				}
			},
			"type": "VULNERABILITY",
			"severity": "MINOR",
			"effortMinutes": 5
		},
		{
			"engineId": "gosec",
			"ruleId": "G104",
			"primaryLocation": {
				"message": "Errors unhandled",
				"filePath": "bootstrap/bootstrap.go",
				"textRange": {
					"startLine": 199,
					"endLine": 199
				}
			},
			"type": "VULNERABILITY",
			"severity": "MINOR",
			"effortMinutes": 5
		}
	]
}

@rodolforeitz rodolforeitz changed the base branch from master to main February 14, 2025 20:00

@yoursnerdly yoursnerdly left a comment


Can you please fix the workflow file so it triggers on PR/push to main?

return err
}
return ioutil.WriteFile(g.OutName, out, 0644)
return ioutil.WriteFile(g.OutName, out, 0644) // #nosec G306 -- Auto code generation.
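Review bot: the suppression comment on the `return ioutil.WriteFile(g.OutName, out, 0644)` line should state why 0644 is acceptable, not only what the code does; "Auto code generation" describes the call site, whereas a reason such as "autogenerated source file that must stay readable by other users, 0644 intended" lets a later reader audit the waiver without re-deriving it. The `// #nosec G306 -- ...` directive has to stay on the same line as the call it annotates. Separately, `ioutil.WriteFile` has been deprecated since Go 1.16 in favour of `os.WriteFile`, which takes the same arguments; switching here would drop a deprecation warning from `go vet`/staticcheck while leaving the G306 annotation unchanged.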


Suggested change
return ioutil.WriteFile(g.OutName, out, 0644) // #nosec G306 -- Auto code generation.
return ioutil.WriteFile(g.OutName, out, 0644) // #nosec G306 -- autogenerated code file, 0644 is fine.

Yes, I understand that.

I meant that the file being written here is an autogenerated code file.

We can delete the step test-non-amd64 as we don't use the library on anything other than amd64. The check is failing and it does not seem worthwhile to invest time in it.
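
The three gosec findings in the report above (G304 file read via a variable path, G306 WriteFile permissions, G104 dropped errors) and the G306 suppression discussed in the review, as an added Go example that is not the PR's or the project's own code. Function names, the base-directory confinement check and the sample data are assumptions constructed for the example; the `#nosec` directive syntax is gosec's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideDir is returned when a requested path escapes its base directory.
var ErrOutsideDir = errors.New("path escapes base directory")

// ReadWithin is the G304 pattern (file read via a variable path) with the fix gosec
// expects: the path is confined to baseDir before the read, so the #nosec has a reason.
func ReadWithin(baseDir, name string) ([]byte, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return nil, err
	}
	full := filepath.Join(base, name) // Join cleans, but ".." can still climb above base
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, ErrOutsideDir
	}
	return os.ReadFile(full) // #nosec G304 -- path confined to baseDir above
}

// WriteGenerated writes an autogenerated source file; other users and the toolchain
// must read it, so 0644 is intended and the G306 suppression says why (as in the PR).
func WriteGenerated(path string, src []byte) error {
	return os.WriteFile(path, src, 0o644) // #nosec G306 -- autogenerated code file, 0644 is fine
}

// WritePrivate is the case G306 exists for: owner-only data such as a token or key.
func WritePrivate(path string, data []byte) error {
	return os.WriteFile(path, data, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "gosec-demo")
	if err != nil {
		fmt.Println("mkdir:", err) // G104: errors are checked, not dropped
		return
	}
	defer os.RemoveAll(dir)
	fmt.Println("write:", WritePrivate(filepath.Join(dir, "token"), []byte("constructed sample\n")))
	_, err = ReadWithin(dir, "../etc/passwd")
	fmt.Println("traversal rejected:", errors.Is(err, ErrOutsideDir))
}
```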

@rodolforeitz rodolforeitz merged commit 51ffa73 into main Feb 14, 2025
3 checks passed