
Introduce gosec for Static Application Security Testing (SAST) #108

Merged
merged 11 commits into from
Oct 14, 2024

Conversation

ScheererJ
Member

/area networking
/area security
/area compliance
/kind enhancement

What this PR does / why we need it:

This PR introduces gosec for Static Application Security Testing at Gardener and should replace other code scanners.

It uses the default ruleset of gosec from gardener/gardener as introduced in gardener/gardener#9959.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Until gardener/gardener#10642 is in a gardener/gardener release there is a small workaround necessary, which will be removed afterwards.

Release note:

`gosec` was introduced for Static Application Security Testing (SAST).

/hold
Issues still need to be fixed.

@gardener-robot gardener-robot added area/compliance Compliance related area/networking Networking related area/security Security related kind/enhancement Enhancement, improvement, extension reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Oct 11, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 11, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 11, 2024
G306: Poor file permissions used when writing to a new file
G404: Insecure random number source (rand)
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 11, 2024
G104: Audit errors not checked
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 14, 2024
G204: Audit use of command execution
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
G112: Potential slowloris attack
G114: Use of net/http serve function that has no support for setting timeouts
G108: Profiling endpoint automatically exposed on /debug/pprof

`pprof` was automatically enabled as a side effect in the metrics
exporter. Now, the metrics exporter has `pprof` properly disabled by
using a separate http mux.
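The G108 commit above describes pprof leaking through the metrics exporter's HTTP server and the fix via a separate mux; the G112/G114 commits concern missing server timeouts. As an added Go example that is not code from this PR or from gardener (the metrics handler is a constructed stand-in), this shows the leaking "before" state and the hardened form side by side:

```go
package main

import (
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: init() registers /debug/pprof/* on http.DefaultServeMux
	"sync"
	"time"
)

// metricsHandler is a constructed stand-in for the exporter's real metrics handler.
func metricsHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	_, _ = w.Write([]byte("# constructed sample\nup 1\n"))
}

var registerOnce sync.Once

// exposedHandler mirrors the "before" state (G108): the exporter registers on the
// default mux, and http.ListenAndServe(addr, nil) serves that mux, so everything
// else registered there, including the pprof handlers, becomes reachable as well.
func exposedHandler() http.Handler {
	registerOnce.Do(func() { http.HandleFunc("/metrics", metricsHandler) })
	return http.DefaultServeMux
}

// hardenedServer mirrors the fix: a private mux carries only the routes the
// exporter intends to expose, and the http.Server sets timeouts so slow or
// idle clients cannot hold connections open indefinitely (G112/G114).
func hardenedServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metricsHandler)
	return &http.Server{
		Addr:              addr,
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// probe dispatches an in-process GET through h and returns the HTTP status code.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}
```

Running `hardenedServer(":9090").ListenAndServe()` serves only `/metrics`; the same request to `/debug/pprof/` that succeeds against `exposedHandler()` gets a 404 from the private mux.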
@gardener-robot gardener-robot added size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) and removed size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Oct 14, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
@ScheererJ ScheererJ marked this pull request as ready for review October 14, 2024 11:25
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
@MartinWeindel MartinWeindel self-assigned this Oct 14, 2024
axel7born
axel7born previously approved these changes Oct 14, 2024
MartinWeindel
MartinWeindel previously approved these changes Oct 14, 2024
Member

@MartinWeindel MartinWeindel left a comment


/lgtm
Thanks!

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Oct 14, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 14, 2024
@ScheererJ ScheererJ dismissed stale reviews from MartinWeindel and axel7born via ca28b0f October 14, 2024 14:11
@gardener-robot gardener-robot added needs/review Needs review and removed needs/review Needs review labels Oct 14, 2024
@ScheererJ
Member Author

/unhold

@gardener-robot gardener-robot added the needs/review Needs review label Oct 14, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
@gardener-robot gardener-robot removed the needs/review Needs review label Oct 14, 2024
@ScheererJ ScheererJ removed the reviewed/do-not-merge Has no approval for merging as it may break things, be of poor quality or have (ext.) dependencies label Oct 14, 2024
@MartinWeindel
Member

/lgtm

@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 14, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 14, 2024
@MartinWeindel
Member

/lgtm

@MartinWeindel MartinWeindel merged commit 9b0bcd8 into gardener:master Oct 14, 2024
9 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Oct 14, 2024