stackrox · janisz · Oct 27, 2022 · Oct 26, 2022 · Oct 26, 2022
diff --git a/.golangci.yml b/.golangci.yml
@@ -50,6 +50,7 @@ issues:
 linters-settings:
   gosec:
     includes:
+    - G101
     - G102
     - G303
     - G601

diff --git a/central/main.go b/central/main.go
@@ -199,7 +199,8 @@ var (
 )
 
 const (
-	ssoURLPathPrefix     = "/sso/"
+	ssoURLPathPrefix = "/sso/"
+	//#nosec G101 -- This is a false positive
 	tokenRedirectURLPath = "/auth/response/generic"
 
 	grpcServerWatchdogTimeout = 20 * time.Second

diff --git a/central/metadata/service/service_impl_test.go b/central/metadata/service/service_impl_test.go
@@ -17,6 +17,7 @@ import (
 )
 
 const (
+	//#nosec G101 -- This is a false positive
 	validChallengeToken   = "h83_PGhSqS8OAvplb8asYMfPHy1JhVVMKcajYyKmrIU="
 	invalidChallengeToken = "invalid"
 )

diff --git a/central/notifiers/pagerduty/pagerduty_test.go b/central/notifiers/pagerduty/pagerduty_test.go
@@ -14,6 +14,7 @@ import (
 )
 
 const (
+	//#nosec G101 -- This is a false positive
 	apiKeyEnv = "PAGERDUTY_APIKEY"
 )
 

@@ -8,6 +8,7 @@ const (
 
 // The following are the valid reasons for the ProxyConfigFailedStatusType condition.
 const (
+	//#nosec G101 -- This is a false positive
 	SecretReconcileErrorReason = `ProxyConfigSecretReconcileError`
 	NoProxyConfigReason        = `NoProxyConfig`
 	ProxyConfigAppliedReason   = `ProxyConfigApplied`

@@ -29,9 +29,10 @@ import (
 const (
 	fragmentCallbackURLPath = "/auth/response/oidc"
 
-	issuerConfigKey                    = "issuer"
-	clientIDConfigKey                  = "client_id"
-	clientSecretConfigKey              = "client_secret"
+	issuerConfigKey       = "issuer"
+	clientIDConfigKey     = "client_id"
+	clientSecretConfigKey = "client_secret"
+	//#nosec G101 -- This is a false positive
 	dontUseClientSecretConfigKey       = "do_not_use_client_secret"
 	modeConfigKey                      = "mode"
 	disableOfflineAccessScopeConfigKey = "disable_offline_access_scope"

@@ -13,6 +13,7 @@ func TestCannedHtpasswd(t *testing.T) {
 	// htpasswd utility:
 	// https://httpd.apache.org/docs/2.4/programs/htpasswd.html
 	// You must use bcrypt (-B).
+	//#nosec G101 -- This is a false positive
 	const htpasswd = `user:$2y$05$zOuqmZyoE82NGG4iitj91OrOQBoCrn0d/LiyHL833EvBzm0Wyy85.
 other:$2y$05$b9mSdCSh6OnHhRDG/DAXee8USMpWYMK5XZcBZwFjQnCD5xQOu.F8y
 admin:$2y$05$l.sGXGtYVWaoywFO06gDZeIHME8BFKWRuNv5PG4RLGUk0Yq/M4c86`

@@ -7,6 +7,7 @@ import (
 )
 
 const (
+	//#nosec G101 -- This is a false positive
 	automountServiceAccountTokenTemplate = `Deployment {{- if .AutomountServiceAccountToken }} mounts{{else}} does not mount{{end}} the service account tokens.`
 )
 

diff --git a/pkg/satoken/paths.go b/pkg/satoken/paths.go
@@ -3,6 +3,7 @@ package satoken
 const (
 	// ServiceAccountTokenDir is the directory into which the secret data from the Kubernetes service account token is
 	// mounted.
+	//#nosec G101 -- This is a false positive
 	ServiceAccountTokenDir = `/run/secrets/kubernetes.io/serviceaccount`
 	// ServiceAccountTokenJWTPath is the path of the file containing the Kubernetes service account JWT.
 	ServiceAccountTokenJWTPath = ServiceAccountTokenDir + `/token`

diff --git a/pkg/testutils/centralgrpc/connect_to_central.go b/pkg/testutils/centralgrpc/connect_to_central.go
@@ -26,7 +26,8 @@ const (
 
 	apiEndpointEnvVar = "API_ENDPOINT"
 
-	defaultUsername     = "admin"
+	defaultUsername = "admin"
+	//#nosec G101 -- This is a false positive
 	defaultPasswordPath = "deploy/k8s/central-deploy/password"
 	defaultAPIEndpoint  = "localhost:8000"
 )

@@ -28,6 +28,7 @@ func checkAuthParameters() error {
 	return nil
 }
 
+//#nosec G101 -- This is a false positive
 const userHelpLiteralToken = `There is no token in file %q. The token file should only contain a single authentication token.
 To provide a token value directly, set the ROX_API_TOKEN environment variable.
 `

@@ -37,6 +37,7 @@ const (
 
 	// passedTemplate is a (raw) template for displaying when there are no
 	// failed policies.
+	//#nosec G101 -- This is a false positive
 	passedTemplate = `✔ The scanned resources passed all policies
 `
 

@@ -43,6 +43,7 @@ const (
 	trustInfoUntrustedCentral = "CtIEMIICTjCCAfSgAwIBAgIJANYUBtnEPMvRMAoGCCqGSM49BAMCMEcxJzAlBgNVBAMTHlN0YWNrUm94IENlcnRpZmljYXRlIEF1dGhvcml0eTEcMBoGA1UEBRMTNTkzMTk2NjM4NzcxMzkwNTgzMjAeFw0yMTEwMjEwOTAyMDBaFw0yMjEwMjExMDAyMDBaMFwxGDAWBgNVBAsMD0NFTlRSQUxfU0VSVklDRTEhMB8GA1UEAwwYQ0VOVFJBTF9TRVJWSUNFOiBDZW50cmFsMR0wGwYDVQQFExQxNTQyNTk2MjE1NjAyMDc3OTk4NTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNeN6Vr6JzdqYuhbMYywuGzVxNLYmuiOt7vBd0n3y/0+hqhw57u9cRlVUqDYzrQgV5kWLqOG8x9eW+FGbyP4ZM6jgbMwgbAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQCPd9tI81J+WfhCi3tfZHw0vwPZTAfBgNVHSMEGDAWgBSsFJ+sB5YiXsxIwlyAOZk/z4aVSTAxBgNVHREEKjAoghBjZW50cmFsLnN0YWNrcm94ghRjZW50cmFsLnN0YWNrcm94LnN2YzAKBggqhkjOPQQDAgNIADBFAiEAtgK8ueDNBKtowtHSQl6+DdXJNiJZIyNteRqO2lK2LNkCIGeMhGX5gNli98NU26odZ+QrxWsLa39iK710jsVTj6nwCtYDMIIB0jCCAXigAwIBAgIUYDi0j/ypoh0u5w8FU70RzDHH9MMwCgYIKoZIzj0EAwIwRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQFExM1OTMxOTY2Mzg3NzEzOTA1ODMyMB4XDTIxMTAyMTA5NTcwMFoXDTI2MTAyMDA5NTcwMFowRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQFExM1OTMxOTY2Mzg3NzEzOTA1ODMyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEASqFQTVprF72w5TH2C62JjnHRlA50n/xRgRCLCWmnSj8V8jgXc5wOpc8dbSLh1fn0cZ320j6F5erwQaloZc3GaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKwUn6wHliJezEjCXIA5mT/PhpVJMAoGCCqGSM49BAMCA0gAMEUCIQDbiBkLqvuX6YC32zion11nYTO9p5eo3RVVFkvusgNAWQIgX/BADqhoAuGNXTO6qosJwwO40E/0bT5rtVjBNoN4XTASLGg4M19QR2hTcVM4T0F2cGxiOGFzWU1mUEh5MUpoVlZNS2Nhall5S21ySVU9GixGRm5sT2tqc29HcVJmZkYxczl0MUdJamNUYTBnMkN3eXo2UGp5b0NVUEpjPQ=="
 	signatureUntrustedCentral = "MEUCIQDz2vnle9zrByV7KgwawvQkkXPNTMHxeAt2+hlLRch2QQIgFU+uu9w7LrjzuknVnZRq2ZzdmIbYVkzWYQkZhCH8kSQ="
 
+	//#nosec G101 -- This is a false positive
 	exampleChallengeToken = "h83_PGhSqS8OAvplb8asYMfPHy1JhVVMKcajYyKmrIU="
 )
 

@@ -17,7 +17,8 @@ import (
 
 const (
 	namespaceFile = `/run/secrets/kubernetes.io/serviceaccount/namespace`
-	tokenFile     = `/run/secrets/kubernetes.io/serviceaccount/token`
+	//#nosec G101 -- This is a false positive
+	tokenFile = `/run/secrets/kubernetes.io/serviceaccount/token`
 
 	namespaceClaimKey        = `kubernetes.io/serviceaccount/namespace`
 	serviceAccountIDClaimKey = `kubernetes.io/serviceaccount/service-account.uid`

@@ -21,7 +21,7 @@ auto-upgrade.stackrox.io/component: "sensor"
 imagePullSecrets:
 - name: stackrox
 `
-
+	//#nosec G101 -- This is a false positive
 	sensorTLSSecretYAML = `apiVersion: v1
 kind: Secret
 data:
@@ -38,6 +38,7 @@ metadata:
   namespace: stackrox
 type: Opaque
 `
+	//#nosec G101 -- This is a false positive
 	centralTLSSecretYAML = `apiVersion: v1
 kind: Secret
 type: Opaque

@@ -3,6 +3,7 @@ package snapshot
 const (
 	// secretName is the name of the secret storing the upgrader state
 	secretName = `sensor-upgrader-snapshot`
+	//#nosec G101 -- This is a false positive
 	// secretDataName is the key in the `data` map of the secret storing the gzip'd JSON data.
 	secretDataName = `snapshot.json.gz`
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -50,6 +50,7 @@ issues: @@
     linters-settings:
       gosec:
         includes:
+        - G101
         - G102
         - G303
         - G601
@@ Expand Down @@