1 change: 1 addition & 0 deletions .golangci.yml
Expand Up @@ -53,6 +53,7 @@ linters-settings:
- G101
- G102
- G103
- G104
- G303
- G601
revive:
2 changes: 2 additions & 0 deletions central/activecomponent/updater/updater_impl.go
Expand Up @@ -144,6 +144,7 @@ func (u *updaterImpl) updateForDeployment(ctx context.Context, deploymentID stri

result, ok := u.executableCache.Get(update.ImageID)
if !ok {
//#nosec G104
Contributor


I think we should have a follow-up PR to replace utils.Should with a function that does not return an error. Adding #nosec directives makes no sense.

Contributor

@parametalol parametalol Nov 4, 2022


There are tens of places where the return value is used. So there are two options: either implement two functions (Should without return value and ShouldErr with return value), or change the occurrences in this PR to _ = utils.Should(... instead of the comments.

utils.Should(errors.New("cannot find image scan"))
continue
}
Expand Down Expand Up @@ -208,6 +209,7 @@ func (u *updaterImpl) createActiveComponentsAndUpdateDb(ctx context.Context, dep
for id, activeContexts := range acToContexts {
_, componentID, err := converter.DecomposeID(id)
if err != nil {
//#nosec G104
utils.Should(err)
continue
}
2 changes: 2 additions & 0 deletions central/apitoken/backend/singleton.go
Expand Up @@ -34,10 +34,12 @@ func Singleton() Backend {
// Create and initialize source.
src := newSource()
err := src.initFromStore(ctx, datastore.Singleton())
//#nosec G104
utils.Should(errors.Wrap(err, "could not initialize API tokens source"))

// Create token issuer.
issuer, err := jwt.IssuerFactorySingleton().CreateIssuer(src, tokens.WithDefaultTTL(defaultTTL))
//#nosec G104
utils.Should(errors.Wrap(err, "could not create token issuer"))

// Create the final backend.
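Review bot: In `Singleton`, neither `utils.Should` call is followed by a return, so when `src.initFromStore` or `CreateIssuer` fails the code still goes on to "Create the final backend" with whatever `src` and `issuer` hold. What `issuer` is on error, and whether `utils.Should` stops execution, is not visible in this hunk, so the G104 finding here looks like a real unhandled error rather than a false positive. For the component that issues API tokens I would fail startup (or return early) on either error instead of suppressing the check. The rest of the function lies outside the hunk.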
1 change: 1 addition & 0 deletions central/authprovider/datastore/datastore_impl.go
Expand Up @@ -98,6 +98,7 @@ func (b *datastoreImpl) verifyExistsAndMutable(ctx context.Context, id string, f
return errox.InvalidArgs.Newf("auth provider %q is immutable and can only be removed"+
" via API and specifying the force flag", id)
default:
//#nosec G104
utils.Should(errors.Wrapf(errox.InvalidArgs, "unknown mutability mode given: %q",
provider.GetTraits().GetMutabilityMode()))
}
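Review bot: The `default:` branch of the mutability switch in `verifyExistsAndMutable` builds an `errox.InvalidArgs` error, hands it to `utils.Should`, and then drops it, while the branch directly above returns its `errox.InvalidArgs` error to the caller. The end of the function is outside the hunk; if control falls through to a `nil` return, an unrecognised mutability mode is accepted as if the provider were mutable, which fails open. I would return the wrapped error from this branch, e.g. `return errors.Wrapf(errox.InvalidArgs, "unknown mutability mode given: %q", provider.GetTraits().GetMutabilityMode())` after the report, rather than annotate the discarded value. The same pattern is suppressed in `validateMutableGroupIDNoLock` in central/group/datastore/datastore_impl.go.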
1 change: 1 addition & 0 deletions central/cluster/datastore/datastore_impl.go
Expand Up @@ -515,6 +515,7 @@ func (ds *datastoreImpl) postRemoveCluster(ctx context.Context, cluster *storage
if conn := ds.cm.GetConnection(cluster.GetId()); conn != nil {
conn.Terminate(errors.New("cluster was deleted"))
if !concurrency.WaitWithTimeout(conn.Stopped(), connectionTerminationTimeout) {
//#nosec G104
utils.Should(errors.Errorf("connection to sensor from cluster %s not terminated after %v", cluster.GetId(), connectionTerminationTimeout))
}
}
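Review bot: The `//#nosec G104` directive above the `utils.Should` call in `postRemoveCluster` carries no reason, so a later audit of suppressions cannot tell a deliberate best-effort report from an error that was overlooked. gosec accepts a justification after `--`, for example `// #nosec G104 -- best-effort report, the termination timeout is not actionable here`. The same applies to the other directives added in this commit.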
1 change: 1 addition & 0 deletions central/clusters/cert_bundle.go
Expand Up @@ -15,6 +15,7 @@ func (b CertBundle) FileMap() map[string]string {
for svcType, cert := range b {
serviceName := services.ServiceTypeToSlugName(svcType)
if serviceName == "" {
//#nosec G104
utils.Should(errors.Errorf("invalid service type %v when creating certificate bundle to file map", svcType))
continue // ignore
}
2 changes: 2 additions & 0 deletions central/compliance/aggregation/aggregation.go
Expand Up @@ -393,6 +393,7 @@ func (a *aggregatorImpl) getCategoryID(controlID string) string {

category := a.standards.GetCategoryByControl(controlID)
if category == nil {
//#nosec G104
utils.Should(errors.Errorf("no category found for control %q", controlID))
return ""
}
Expand Down Expand Up @@ -646,6 +647,7 @@ func (a *aggregatorImpl) getResultsFromScope(ctx context.Context, scope storage.
funcAndMap, ok := a.getSearchFuncs()[scope]
// Programming error.
if !ok {
//#nosec G104
utils.Should(errors.Errorf("No search func registered for scope: %s", scope))
return
}
1 change: 1 addition & 0 deletions central/compliance/framework/control.go
Expand Up @@ -78,6 +78,7 @@ func finalize(ctx ComplianceContext, panicked *bool) {
}

if !halted {
//#nosec G104
utils.Should(err)
}
}
2 changes: 2 additions & 0 deletions central/deployment/service/service_impl.go
Expand Up @@ -212,6 +212,7 @@ func (s *serviceImpl) GetLabels(ctx context.Context, _ *v1.Empty) (*v1.Deploymen
func labelsMapFromSearchResults(results []search.Result) (map[string]*v1.DeploymentLabelsResponse_LabelValues, []string) {
labelField, ok := deployments.OptionsMap.Get(search.DeploymentLabel.String())
if !ok {
//#nosec G104
utils.Should(errors.Errorf("could not find label %q in options map", search.DeploymentLabel.String()))
return nil, nil
}
Expand All @@ -225,6 +226,7 @@ func labelsMapFromSearchResults(results []search.Result) (map[string]*v1.Deploym
for _, r := range results {
keyMatches, valueMatches := r.Matches[keyFieldPath], r.Matches[valueFieldPath]
if len(keyMatches) != len(valueMatches) {
//#nosec G104
utils.Should(errors.Errorf("mismatch between key and value matches: %d != %d", len(keyMatches), len(valueMatches)))
continue
}
3 changes: 3 additions & 0 deletions central/detection/lifecycle/manager_impl.go
Expand Up @@ -97,6 +97,7 @@ func (m *managerImpl) buildIndicatorFilter() {

deploymentIDs, err := m.deploymentDataStore.GetDeploymentIDs(ctx)
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "error getting deployment IDs"))
return
}
Expand All @@ -115,11 +116,13 @@ func (m *managerImpl) buildIndicatorFilter() {
return nil
})
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "error building indicator filter"))
}

log.Infof("Cleaning up %d processes as a part of building process filter", len(processesToRemove))
if err := m.processesDataStore.RemoveProcessIndicators(ctx, processesToRemove); err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "error removing process indicators"))
}
log.Infof("Successfully cleaned up those %d processes", len(processesToRemove))
1 change: 1 addition & 0 deletions central/detection/lifecycle/singleton.go
Expand Up @@ -41,6 +41,7 @@ func initialize() {
log.Infof("Injecting %d policies into detectors.", len(policies))
for _, policy := range policies {
err = manager.UpsertPolicy(policy)
//#nosec G104
utils.Should(errors.Wrap(err, "could not inject policy"))
}
log.Info("Done injecting policies.")
3 changes: 3 additions & 0 deletions central/globaldb/v2backuprestore/manager/restore_process.go
Expand Up @@ -290,6 +290,7 @@ func (p *restoreProcess) onReaderDetached(event ioutils.ReaderDetachmentEvent) {

if event.ReadError() == io.EOF {
if err := event.Finish(io.EOF); err != nil {
//#nosec G104
utils.Should(err)
}
return
Expand Down Expand Up @@ -319,11 +320,13 @@ func (p *restoreProcess) onReaderDetached(event ioutils.ReaderDetachmentEvent) {
select {
case <-p.cancelSig.Done():
if err := event.Finish(errors.New("process canceled")); err != nil {
//#nosec G104
utils.Should(err)
}
return
case <-timer.C:
if err := event.Finish(errors.Errorf("timeout: no new data stream attached after %v", p.reattachTimeout)); err != nil {
//#nosec G104
utils.Should(err)
}
return
1 change: 1 addition & 0 deletions central/group/datastore/datastore_impl.go
Expand Up @@ -377,6 +377,7 @@ func (ds *dataStoreImpl) validateMutableGroupIDNoLock(ctx context.Context, id st
return errox.InvalidArgs.Newf("group %q is immutable and can only be removed"+
" via API and specifying the force flag", id)
default:
//#nosec G104
utils.Should(errors.Wrapf(errox.InvalidArgs, "unknown mutability mode given: %q",
group.GetProps().GetTraits().GetMutabilityMode().String()))
}
2 changes: 2 additions & 0 deletions central/group/datastore/singleton.go
Expand Up @@ -40,9 +40,11 @@ func initialize() {
sac.ResourceScopeKeys(resources.Group)))

grps, err := ds.GetFiltered(ctx, isEmptyGroupPropertiesF)
//#nosec G104
utils.Should(err)
for _, grp := range grps {
err = ds.Remove(ctx, grp.GetProps(), true)
//#nosec G104
utils.Should(err)
}
}
1 change: 1 addition & 0 deletions central/image/datastore/store/postgres/store.go
Expand Up @@ -735,6 +735,7 @@ func (s *storeImpl) getFullImage(ctx context.Context, tx pgx.Tx, imageID string)
}

if len(componentEdgeMap) != len(componentMap) {
//#nosec G104
utils.Should(
errors.Errorf("Number of component (%d) in image-component edges is not equal to number of stored components (%d) for image %s (imageID=%s)",
len(componentEdgeMap), len(componentMap), image.GetName().GetFullName(), image.GetId()),
2 changes: 2 additions & 0 deletions central/image/index/indexer_impl.go
Expand Up @@ -46,13 +46,15 @@ func getVulnPath(s string) (string, []string) {
func getSubMappingOrPanic(mapping *mapping.DocumentMapping, subPath string) *mapping.DocumentMapping {
subMapping := mapping.Properties[subPath]
if subMapping == nil {
//#nosec G104
utils.Should(errors.Errorf("no mapping with name %q", subPath))
}
return subMapping
}

func getFieldOrPanic(mapping *mapping.DocumentMapping) *mapping.FieldMapping {
if len(mapping.Fields) == 0 {
//#nosec G104
utils.Should(errors.Errorf("no fields are available for mapping: %+v", mapping))
}
return mapping.Fields[0]
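Review bot: `getFieldOrPanic` still evaluates `mapping.Fields[0]` after the `utils.Should` call, so with an empty `Fields` slice it ends in an index-out-of-range panic unless `utils.Should` itself stops execution, which this hunk does not show. `getSubMappingOrPanic` likewise returns the nil `subMapping` to its caller after reporting. If panicking is the contract the names promise, an explicit `panic(...)` with the same message states it; otherwise both functions need a defined result for the failure case. Suppressing G104 leaves that choice undocumented, so I would add a comment such as `// utils.Should only reports; the nil/empty case is handled by the caller` once it is true.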
7 changes: 7 additions & 0 deletions central/networkgraph/aggregator/aggregator_impl.go
Expand Up @@ -37,11 +37,13 @@ func (a *aggregateToSupernetImpl) Aggregate(conns []*storage.NetworkFlow) []*sto
srcEntity, dstEntity := conn.GetProps().GetSrcEntity(), conn.GetProps().GetDstEntity()
// This is essentially an invalid connection.
if srcEntity == nil || dstEntity == nil {
//#nosec G104
utils.Should(errors.Errorf("network conn %s without endpoints is unexpected", networkgraph.GetNetworkConnIndicator(conn).String()))
continue
}

if networkgraph.IsExternal(srcEntity) && networkgraph.IsExternal(dstEntity) {
//#nosec G104
utils.Should(errors.Errorf("network conn %s with all external endpoints is unexpected", networkgraph.GetNetworkConnIndicator(conn).String()))
continue
}
Expand All @@ -51,6 +53,7 @@ func (a *aggregateToSupernetImpl) Aggregate(conns []*storage.NetworkFlow) []*sto

// If both endpoints are not external (including INTERNET), skip processing.
if !networkgraph.IsExternal(srcEntity) && !networkgraph.IsExternal(dstEntity) {
//#nosec G104
ret = append(ret, conn)
continue
}
Expand Down Expand Up @@ -104,11 +107,13 @@ func (a *aggregateDefaultToCustomExtSrcsImpl) Aggregate(conns []*storage.Network
srcEntity, dstEntity := conn.GetProps().GetSrcEntity(), conn.GetProps().GetDstEntity()
// This is essentially an invalid connection.
if srcEntity == nil || dstEntity == nil {
//#nosec G104
utils.Should(errors.Errorf("network conn %s without endpoints is unexpected", networkgraph.GetNetworkConnIndicator(conn).String()))
continue
}

if networkgraph.IsExternal(srcEntity) && networkgraph.IsExternal(dstEntity) {
//#nosec G104
utils.Should(errors.Errorf("network conn %s with all external endpoints is unexpected", networkgraph.GetNetworkConnIndicator(conn).String()))
continue
}
Expand Down Expand Up @@ -163,11 +168,13 @@ func (a *aggregateExternalConnByNameImpl) Aggregate(flows []*storage.NetworkFlow
srcEntity, dstEntity := flow.GetProps().GetSrcEntity(), flow.GetProps().GetDstEntity()
// This is essentially an invalid connection.
if srcEntity == nil || dstEntity == nil {
//#nosec G104
utils.Should(errors.Errorf("network conn %s without endpoints is unexpected", networkgraph.GetNetworkConnIndicator(flow).String()))
continue
}

if networkgraph.IsExternal(srcEntity) && networkgraph.IsExternal(dstEntity) {
//#nosec G104
utils.Should(errors.Errorf("network conn %s with all external endpoints is unexpected", networkgraph.GetNetworkConnIndicator(flow).String()))
continue
}
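Review bot: The `//#nosec G104` added above `ret = append(ret, conn)` in `aggregateToSupernetImpl.Aggregate` is not attached to a call whose error is discarded; `append` returns no error, so G104 has nothing to report on that line. A directive that matches no finding is misleading and would silently cover an unchecked call if that line is edited later, so I would drop it. The other six directives in this file precede `utils.Should` calls that are followed by `continue`, which is consistent with the intent of the change.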
1 change: 1 addition & 0 deletions central/networkgraph/aggregator/common.go
Expand Up @@ -19,6 +19,7 @@ func mapToSupernet(networkTree tree.ReadOnlyNetworkTree,

cidr, err := externalsrcs.NetworkFromID(entity.GetId())
if err != nil {
//#nosec G104
utils.Should(errors.Wrapf(err, "getting CIDR from external source ID %s", entity.GetId()))
*entity = *networkgraph.InternetEntity().ToProto()
continue
1 change: 1 addition & 0 deletions central/networkgraph/config/datastore/datastore_impl.go
Expand Up @@ -43,6 +43,7 @@ func New(s store.Store) DataStore {
))

if err := ds.initDefaultConfig(ctx); err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "could not initialize default network graph configuration"))
}

1 change: 1 addition & 0 deletions central/networkgraph/entity/datastore/datastore_impl.go
Expand Up @@ -130,6 +130,7 @@ func (ds *dataStoreImpl) GetIDs(ctx context.Context) ([]string, error) {
ret := make([]string, 0, len(ids))
for _, id := range ids {
resID, err := sac.ParseResourceID(id)
//#nosec G104
utils.Should(err)

ok, found := allowed[resID.ClusterID()]
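Review bot: In `GetIDs`, `resID` is used on the very next statement (`allowed[resID.ClusterID()]`) even when `sac.ParseResourceID` failed, because `utils.Should(err)` is not followed by a `continue`. The type of `resID` is not visible here: if it is nil on error this dereferences nil, and otherwise the per-cluster access lookup runs on whatever cluster ID the failed parse left behind. I would guard the report with `if err != nil {` and `continue` so an unparsable ID is skipped, as the other loops touched by this commit do, instead of suppressing the finding on an unguarded call. The loop body continues outside the hunk.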
2 changes: 2 additions & 0 deletions central/networkgraph/service/service_impl.go
Expand Up @@ -257,6 +257,7 @@ func (s *serviceImpl) getNetworkGraph(ctx context.Context, request *v1.NetworkGr
if requestClone.GetSince() == nil {
since, err := types.TimestampProto(time.Now().Add(defaultSince))
if err != nil {
//#nosec G104
utils.Should(err)
}
requestClone.Since = since
Expand Down Expand Up @@ -383,6 +384,7 @@ func (s *serviceImpl) addDeploymentFlowsToGraph(

// Aggregate all external conns into supernet conns for which external entities do not exists (as a result of deletion).
aggr, err := aggregator.NewSubnetToSupernetConnAggregator(networkTree)
//#nosec G104
utils.Should(err)
flows = aggr.Aggregate(flows)

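Review bot: In `addDeploymentFlowsToGraph`, `aggr.Aggregate(flows)` runs immediately after `utils.Should(err)`, so a failure of `aggregator.NewSubnetToSupernetConnAggregator` is reported and `aggr` is then used anyway. What the constructor returns on error is not visible here; if it is nil, this is a nil dereference on a request path. The same three lines are suppressed in `generateGraph` in central/networkpolicies/generator/generator_impl.go, and in the first hunk of this file `requestClone.Since = since` is assigned after a failed `types.TimestampProto`. I would return the error to the caller in these places rather than annotate it; both functions continue outside their hunks.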
1 change: 1 addition & 0 deletions central/networkpolicies/generator/generator_impl.go
Expand Up @@ -157,6 +157,7 @@ func (g *generator) generateGraph(ctx context.Context, clusterID string, query *

// Aggregate all external conns into supernet conns for which external entities do not exists (as a result of deletion).
aggr, err := aggregator.NewSubnetToSupernetConnAggregator(networkTree)
//#nosec G104
utils.Should(err)
flows = aggr.Aggregate(flows)
flows, missingInfoFlows := networkgraph.UpdateFlowsWithEntityDesc(flows, objects.ListDeploymentsMapByIDFromDeployments(relevantDeployments),
1 change: 1 addition & 0 deletions central/networkpolicies/graph/diff.go
Expand Up @@ -160,6 +160,7 @@ func (g *networkGraphWrapper) getNodeOutEdges(id string) map[string]*v1.NetworkE
ret := make(map[string]*v1.NetworkEdgePropertiesBundle)
for i, edge := range node.GetOutEdges() {
if i < 0 || i >= int32(len(g.idxToIDs)) {
//#nosec G104
utils.Should(errors.Errorf("invalid network graph node %d index", i))
continue
}
5 changes: 5 additions & 0 deletions central/networkpolicies/graph/graph_builder.go
Expand Up @@ -386,6 +386,7 @@ func (b *graphBuilder) ToProto(includePorts bool) []*v1.NetworkNode {
srcQueried := b.deploymentPredicate(src.deployment.GetId())
for tgt := range src.adjacentNodes {
if tgt == nil {
//#nosec G104
utils.Should(errors.New("network policy graph peer node is nil"))
continue
}
Expand Down Expand Up @@ -421,8 +422,10 @@ func (b *graphBuilder) ToProto(includePorts bool) []*v1.NetworkNode {
tgtIdx, ok := nodeMap[tgt]
if !ok {
if tgt.deployment != nil {
//#nosec G104
utils.Should(errors.Errorf("deployment node %s not found in network node map", tgt.deployment.GetId()))
} else if tgt.extSrc != nil {
//#nosec G104
utils.Should(errors.Errorf("external node %s not found in network node map", tgt.extSrc.GetId()))
}
continue
Expand Down Expand Up @@ -506,6 +509,7 @@ func (b *graphBuilder) getRelevantNodeIDs() set.StringSet {

for adjNode := range currNode.adjacentNodes {
if adjNode == nil || (adjNode.deployment == nil && adjNode.extSrc == nil) {
//#nosec G104
utils.Should(errors.New("network policy graph peer node is nil"))
continue
}
Expand Down Expand Up @@ -564,6 +568,7 @@ func (b *graphBuilder) getRelevantNodeIDs() set.StringSet {
for _, node := range b.extSrcs {
for adjNode := range node.adjacentNodes {
if adjNode == nil {
//#nosec G104
utils.Should(errors.New("network policy graph peer node is nil"))
continue
}
1 change: 1 addition & 0 deletions central/node/datastore/store/postgres/store.go
Expand Up @@ -684,6 +684,7 @@ func (s *storeImpl) getFullNode(ctx context.Context, tx pgx.Tx, nodeID string) (
}

if len(componentEdgeMap) != len(componentMap) {
//#nosec G104
utils.Should(
errors.Errorf("Number of node component from edges (%d) is unexpected (%d) for node %s (id=%s)",
len(componentEdgeMap), len(componentMap), node.GetName(), node.GetId()),
1 change: 1 addition & 0 deletions central/notifier/processor/singleton.go
Expand Up @@ -43,6 +43,7 @@ func initialize() {
for _, protoNotifier := range protoNotifiers {
notifier, err := notifiers.CreateNotifier(protoNotifier)
if err != nil {
//#nosec G104
utils.Should(errors.Wrapf(err, "error creating notifier with %v (%v) and type %v", protoNotifier.GetId(), protoNotifier.GetName(), protoNotifier.GetType()))
continue
}
2 changes: 2 additions & 0 deletions central/policy/matcher/cluster.go
Expand Up @@ -52,6 +52,7 @@ func (m *clusterMatcher) anyExclusionMatches(exclusions []*storage.Exclusion) bo
func (m *clusterMatcher) exclusionMatches(exclusion *storage.Exclusion) bool {
cs, err := scopecomp.CompileScope(exclusion.GetDeployment().GetScope())
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "could not compile excluded scopes"))
return false
}
Expand Down Expand Up @@ -88,6 +89,7 @@ func (m *clusterMatcher) anyScopeMatches(scopes []*storage.Scope) bool {
func (m *clusterMatcher) scopeMatches(scope *storage.Scope) bool {
cs, err := scopecomp.CompileScope(scope)
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "could not compile scope"))
return false
}
1 change: 1 addition & 0 deletions central/policy/matcher/deployment.go
Expand Up @@ -76,6 +76,7 @@ func (m *deploymentMatcher) anyScopeMatches(scopes []*storage.Scope) bool {
func (m *deploymentMatcher) scopeMatches(scope *storage.Scope) bool {
cs, err := scopecomp.CompileScope(scope)
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "could not compile scope"))
return false
}
1 change: 1 addition & 0 deletions central/policy/matcher/namespace.go
Expand Up @@ -67,6 +67,7 @@ func (m *namespaceMatcher) anyScopeMatches(scopes []*storage.Scope) bool {
func (m *namespaceMatcher) scopeMatches(scope *storage.Scope) bool {
cs, err := scopecomp.CompileScope(scope)
if err != nil {
//#nosec G104
utils.Should(errors.Wrap(err, "could not compiled scope"))
return false
}
1 change: 1 addition & 0 deletions central/probeupload/manager/singleton.go
Expand Up @@ -16,6 +16,7 @@ func Singleton() Manager {
instanceInit.Do(func() {
instance = newManager(migrations.DBMountPath())
if err := instance.Initialize(); err != nil {
//#nosec G104
utils.Should(err)
log.Error("There was an error initializing the probe upload functionality. Probe upload/download functionality will likely be affected.")
}