stackrox · janisz · Oct 27, 2022 · Oct 26, 2022 · Oct 26, 2022 · Oct 27, 2022
diff --git a/.golangci.yml b/.golangci.yml
@@ -52,6 +52,7 @@ linters-settings:
     includes:
     - G101
     - G102
+    - G103
     - G303
     - G601
   revive:

diff --git a/central/idmap/shared_storage.go b/central/idmap/shared_storage.go
@@ -19,6 +19,7 @@ type sharedIDMapStorage struct {
 // newSharedIDMapStorage creates a new shared storage for an ID map.
 func newSharedIDMapStorage() *sharedIDMapStorage {
 	return &sharedIDMapStorage{
+		//#nosec G103
 		shared: unsafe.Pointer(NewIDMap()),
 	}
 }
@@ -31,6 +32,7 @@ func (s *sharedIDMapStorage) Update(updater func(m *IDMap) bool) {
 	if sharedInstance == nil {
 		// If we have no shared instance, clone the current read-only instance.
 		sharedInstance = (*IDMap)(atomic.LoadPointer(&s.readOnly)).Clone()
+		//#nosec G103
 		atomic.StorePointer(&s.shared, unsafe.Pointer(sharedInstance))
 	}
 
@@ -58,6 +60,7 @@ func (s *sharedIDMapStorage) Get() *IDMap {
 
 	// Claim the current shared instance as the read-only instance.
 	m = (*IDMap)(atomic.LoadPointer(&s.shared))
+	//#nosec G103
 	atomic.StorePointer(&s.readOnly, unsafe.Pointer(m))
 	atomic.StorePointer(&s.shared, nil)
 

diff --git a/pkg/concurrency/error_signal.go b/pkg/concurrency/error_signal.go
@@ -114,6 +114,7 @@ func (s *errorSignalState) getErrPtr() *error {
 }
 
 func (s *errorSignalState) trigger(err error) bool {
+	//#nosec G103
 	if !atomic.CompareAndSwapPointer(&s.errPtr, nil, unsafe.Pointer(&err)) {
 		return false
 	}
@@ -129,6 +130,7 @@ func newErrorSignalState() *errorSignalState {
 
 var (
 	defaultErrorSignalState = &errorSignalState{
+		//#nosec G103
 		errPtr:  unsafe.Pointer(&[]error{nil}[0]),
 		signalC: closedCh,
 	}
@@ -144,6 +146,7 @@ type ErrorSignal struct {
 // NewErrorSignal creates and returns a new error signal.
 func NewErrorSignal() ErrorSignal {
 	return ErrorSignal{
+		//#nosec G103
 		statePtr: unsafe.Pointer(newErrorSignalState()),
 	}
 }
@@ -187,6 +190,7 @@ func (s *ErrorSignal) ErrorAndReset() (Error, bool) {
 	// concurrent reset happened and succeeded, this Reset invocation will not. If the signal has been reset and
 	// triggered in the meantime, we fail, too, pretending this Reset invocation happened as the first action in a
 	// Reset - Trigger - Reset sequence.
+	//#nosec G103
 	if !atomic.CompareAndSwapPointer(&s.statePtr, unsafe.Pointer(rawState), unsafe.Pointer(newErrorSignalState())) {
 		return nil, false
 	}

diff --git a/pkg/concurrency/signal.go b/pkg/concurrency/signal.go
@@ -63,6 +63,7 @@ func (s *Signal) Wait() {
 // actually performed (i.e., the signal was triggered). It returns false if the signal was not in the triggered state.
 func (s *Signal) Reset() bool {
 	ch := make(chan struct{})
+	//#nosec G103
 	return atomic.CompareAndSwapPointer(&s.ch, nil, unsafe.Pointer(&ch))
 }
 

diff --git a/pkg/concurrency/value_stream.go b/pkg/concurrency/value_stream.go
@@ -53,6 +53,7 @@ type ValueStream[T any] struct {
 // NewValueStream initializes a value stream with an initial value.
 func NewValueStream[T any](initVal T) *ValueStream[T] {
 	return &ValueStream[T]{
+		//#nosec G103
 		curr: unsafe.Pointer(&valueStreamStrictIter[T]{
 			valueStreamIterBase: valueStreamIterBase[T]{
 				currVal: initVal,
@@ -172,6 +173,7 @@ func (s *ValueStream[T]) Push(val T) (T, ValueStreamIter[T]) {
 		},
 	}
 
+	//#nosec G103
 	oldIter := (*valueStreamStrictIter[T])(atomic.SwapPointer(&s.curr, unsafe.Pointer(newIter)))
 	oldIter.next = newIter
 	close(oldIter.nextC)

diff --git a/pkg/grpc/authn/basic/manager.go b/pkg/grpc/authn/basic/manager.go
@@ -24,6 +24,7 @@ func (m *Manager) hashFile() *htpasswd.HashFile {
 
 // SetHashFile sets the hash file to be used for basic auth.
 func (m *Manager) SetHashFile(hashFile *htpasswd.HashFile) {
+	//#nosec G103
 	atomic.StorePointer(&m.hashFilePtr, unsafe.Pointer(hashFile))
 }
 
@@ -50,6 +51,7 @@ func (m *Manager) IdentityForCreds(ctx context.Context, username, password strin
 // NewManager creates a new manager for basic authentication.
 func NewManager(hashFile *htpasswd.HashFile, roleMapper permissions.RoleMapper) *Manager {
 	return &Manager{
+		//#nosec G103
 		hashFilePtr: unsafe.Pointer(hashFile),
 		mapper:      roleMapper,
 	}

diff --git a/pkg/grpc/util/lazy_conn.go b/pkg/grpc/util/lazy_conn.go
@@ -34,6 +34,7 @@ type LazyClientConn struct {
 // client conn type that returns an error right away.
 func NewLazyClientConn() *LazyClientConn {
 	return &LazyClientConn{
+		//#nosec G103
 		state: unsafe.Pointer(makeState(nil)),
 	}
 }
@@ -42,6 +43,7 @@ func NewLazyClientConn() *LazyClientConn {
 // become available will be woken up, although they might block again soon afterwards if nil was specified.
 func (c *LazyClientConn) Set(cc grpc.ClientConnInterface) {
 	newState := makeState(cc)
+	//#nosec G103
 	oldState := (*lazyConnState)(atomic.SwapPointer(&c.state, unsafe.Pointer(newState)))
 	if oldState.waitC != nil {
 		oldState.cc = cc

diff --git a/pkg/protoreflect/slice_id.go b/pkg/protoreflect/slice_id.go
@@ -13,6 +13,7 @@ func identityOfSlice(slice []byte) sliceIdentity {
 		return sliceIdentity{}
 	}
 	return sliceIdentity{
+		//#nosec G103
 		base:   uintptr(unsafe.Pointer(&slice[0])),
 		length: len(slice),
 	}

@@ -188,6 +188,7 @@ func newUnvalidatedRequirement(key string, op selection.Operator, values []strin
 
 	setValue := func(fieldName string, value interface{}) {
 		field := reqUnleashed.FieldByName(fieldName)
+		//#nosec G103
 		field = reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())).Elem()
 		field.Set(reflect.ValueOf(value).Elem())
 	}

diff --git a/pkg/testutils/full_init.go b/pkg/testutils/full_init.go
@@ -178,6 +178,7 @@ func fullInitStruct(structVal reflect.Value, init BasicTypeInitializer, fieldFil
 		fieldVal := structVal.FieldByIndex(field.Index)
 		if field.Name != "" && unicode.IsLower([]rune(field.Name)[0]) {
 			// If a field is not exported, we need to make it writable with the following hack.
+			//#nosec G103
 			fieldVal = reflect.NewAt(fieldVal.Type(), unsafe.Pointer(fieldVal.UnsafeAddr())).Elem()
 		}
 		fullInitRecursive(fieldVal, init, fieldFilter, append(fieldPath, field), seenTypes)

@@ -329,6 +329,7 @@ func (m *manager) ProcessNewSettings(newSettings *sensor.AdmissionControlSetting
 		m.cacheVersion = newSettings.GetCacheVersion()
 	}
 
+	//#nosec G103
 	atomic.StorePointer(&m.statePtr, unsafe.Pointer(newState))
 	if m.lastSettingsUpdate == nil {
 		log.Info("RE-ENABLING admission control service")
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,6 +52,7 @@ linters-settings: @@
         includes:
         - G101
         - G102
+        - G103
         - G303
         - G601
       revive:
@@ Expand Down @@