gosec: fix or ignore all cases of integer overflow conversions

cmd/gen-manifests/main.go

@@ -607,6 +607,8 @@ func main() {
 
 	nJobs := len(jobs)
 	fmt.Printf("Collected %d jobs\n", nJobs)
+
+	// nolint:gosec
 	wq := newWorkerQueue(uint32(nWorkers), uint32(nJobs))
 	wq.start()
 	fmt.Printf("Initialised %d workers\n", nWorkers)

internal/cmdutil/rand.go

@@ -44,5 +44,6 @@ func SeedArgFor(bc *buildconfig.BuildConfig, imgTypeName, distributionName, arch
 	h.Write([]byte(imgTypeName))
 	h.Write([]byte(bc.Name))
 
+	// nolint:gosec
 	return rngSeed + int64(h.Sum64()), nil
 }

pkg/blueprint/filesystem_customizations.go

@@ -26,7 +26,11 @@ func (fsc *FilesystemCustomization) UnmarshalTOML(data interface{}) error {
 
 	switch d["minsize"].(type) {
 	case int64:
-		fsc.MinSize = uint64(d["minsize"].(int64))
+		minSize := d["minsize"].(int64)
+		if minSize < 0 {
+			return fmt.Errorf("TOML unmarshal: minsize cannot be negative")
+		}
+		fsc.MinSize = uint64(minSize)
 	case string:
 		minSize, err := common.DataSizeToUint64(d["minsize"].(string))
 		if err != nil {

pkg/disk/partition_table.go

@@ -403,7 +403,7 @@ func (pt *PartitionTable) HeaderSize() uint64 {
 	}
 
 	// calculate the space we need for
-	parts := len(pt.Partitions)
+	parts := uint64(len(pt.Partitions))
 
 	// reserve a minimum of 128 partition entires
 	if parts < 128 {
@@ -413,7 +413,7 @@ func (pt *PartitionTable) HeaderSize() uint64 {
 	// Assume that each partition entry is 128 bytes
 	// which might not be the case if the partition
 	// name exceeds 72 bytes
-	header += uint64(parts * 128)
+	header += parts * 128
 
 	return header
 }

pkg/distro/fedora/distro.go

@@ -450,6 +450,9 @@ func getISOLabelFunc(variant string) isoLabelFunc {
 }
 
 func getDistro(version int) distribution {
+	if version < 0 {
+		panic("Invalid Fedora version (must be positive)")
+	}
 	return distribution{
 		name:               fmt.Sprintf("fedora-%d", version),
 		product:            "Fedora",

pkg/distro/rhel/distribution.go

@@ -109,7 +109,11 @@ func NewDistribution(name string, major, minor int) (*Distribution, error) {
 	var rd *Distribution
 	switch name {
 	case "rhel":
-		if minor == -1 {
+		if major < 0 {
+			return nil, errors.New("Invalid RHEL major version (must be positive)")
+		}
+
+		if minor < 0 {
 			return nil, errors.New("RHEL requires a minor version")
 		}
 

pkg/dnfjson/cache.go

@@ -259,7 +259,10 @@ func dirSize(path string) (uint64, error) {
 		if err != nil {
 			return err
 		}
-		size += uint64(info.Size())
+		infoSize := info.Size()
+		if infoSize > 0 {
+			size += uint64(infoSize)
+		}
 		return nil
 	}
 	err := filepath.Walk(path, sizer)

pkg/osbuild/grub2_inst_stage.go

@@ -150,8 +150,10 @@ func NewGrub2InstStageOption(filename string, pt *disk.PartitionTable, platform
 	prefix := PrefixPartition{
 		Type:      "partition",
 		PartLabel: pt.Type,
-		Number:    uint(bootIdx),
-		Path:      prefixPath,
+		// bootidx can't be negative after check with rootIdx above:
+		// nolint:gosec
+		Number: uint(bootIdx),
+		Path:   prefixPath,
 	}
 
 	return &Grub2InstStageOptions{

pkg/upload/koji/koji.go

@@ -3,6 +3,8 @@ package koji
 import (
 	"bytes"
 	"context"
+	"math"
+
 	// koji uses MD5 hashes
 	/* #nosec G501 */
 	"crypto/md5"
@@ -402,7 +404,9 @@ func (k *Koji) Upload(file io.Reader, filepath, filename string) (string, uint64
 			return "", 0, err
 		}
 
-		offset += uint64(n)
+		if n > 0 {
+			offset += uint64(n)
+		}
 
 		m, err := hash.Write(chunk[:n])
 		if err != nil {
@@ -477,6 +481,9 @@ func CreateKojiTransport(relaxTimeout uint) http.RoundTripper {
 
 	// Relax timeouts a bit
 	if relaxTimeout > 0 {
+		if relaxTimeout > math.MaxInt64 {
+			panic("relaxTimeout would overflow int64 in call to time.Duration()")
+		}
 		transport.TLSHandshakeTimeout *= time.Duration(relaxTimeout)
 		transport.DialContext = (&net.Dialer{
 			Timeout:   30 * time.Second * time.Duration(relaxTimeout),