Clean up gosec violations

Signed-off-by: Dale Haiducek <[email protected]>
open-cluster-management-io · Feb 12, 2024 · 9b4e6a0 · 9b4e6a0
1 parent 225a893
commit 9b4e6a0
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 17 deletions.
diff --git a/.github/workflows/go-presubmit.yml b/.github/workflows/go-presubmit.yml
@@ -102,8 +102,7 @@ jobs:
  - name: Run Gosec Security Scanner
  uses: securego/gosec@master
  with:
- # gosec doesn't support in-line comment like `//nolint` to ignore the G602 warning.
- args: -exclude-generated -exclude=G602 ./...
+ args: -exclude-generated ./...
 
  e2e:
  name: e2e

diff --git a/cmd/manager/exec/manager.go b/cmd/manager/exec/manager.go
@@ -379,13 +379,12 @@ func serveHealthProbes(healthProbeBindAddress string, configCheck healthz.Checke
  "configz-ping": configCheck,
  }}))
 
- /* #nosec G402 */
  server := http.Server{
  Handler: mux,
  ReadHeaderTimeout: 5 * time.Second,
  Addr: healthProbeBindAddress,
  TLSConfig: &tls.Config{
- MinVersion: appsubv1.TLSMinVersionInt,
+ MinVersion: appsubv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 

diff --git a/pkg/helmrelease/utils/helmrepoutils.go b/pkg/helmrelease/utils/helmrepoutils.go
@@ -53,7 +53,6 @@ import (
 
 // GetHelmRepoClient returns an *http.client to access the helm repo
 func GetHelmRepoClient(parentNamespace string, configMap *corev1.ConfigMap, skipCertVerify bool) (rest.HTTPClient, error) {
- /* #nosec G402 */
  transport := &http.Transport{
  Proxy: http.ProxyFromEnvironment,
  DialContext: (&net.Dialer{
@@ -67,7 +66,7 @@ func GetHelmRepoClient(parentNamespace string, configMap *corev1.ConfigMap, skip
  ExpectContinueTimeout: 1 * time.Second,
  TLSClientConfig: &tls.Config{
  InsecureSkipVerify: skipCertVerify, // #nosec G402 InsecureSkipVerify conditionally
- MinVersion: appsubv1.TLSMinVersionInt,
+ MinVersion: appsubv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 
@@ -405,7 +404,7 @@ func getSSHOptions(options *git.CloneOptions, sshKey, passphrase []byte, knownho
 func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerify bool) error {
  installProtocol := false
 
- // #nosec G402
+ // #nosec G402 TLS 1.2 is required for FIPS
  clientConfig := &tls.Config{MinVersion: appsubv1.TLSMinVersionInt}
 
  // skip TLS certificate verification for Git servers with custom or self-signed certs
@@ -451,7 +450,6 @@ func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerif
  klog.Info("HTTPS_PROXY = " + os.Getenv("HTTPS_PROXY"))
 
  transportConfig := &http.Transport{
- /* #nosec G402 */
  TLSClientConfig: clientConfig,
  }
 
@@ -477,7 +475,6 @@ func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerif
  }
 
  customClient := &http.Client{
- /* #nosec G402 */
  Transport: transportConfig,
 
  // 15 second timeout

diff --git a/pkg/subscriber/helmrepo/helm_subscriber_item.go b/pkg/subscriber/helmrepo/helm_subscriber_item.go
@@ -448,10 +448,9 @@ func getHelmRepoClient(chnCfg *corev1.ConfigMap, insecureSkipVerify bool) (*http
  IdleConnTimeout: 90 * time.Second,
  TLSHandshakeTimeout: 10 * time.Second,
  ExpectContinueTimeout: 1 * time.Second,
- /* #nosec G402 */
  TLSClientConfig: &tls.Config{
  InsecureSkipVerify: insecureSkipVerify, // #nosec G402 InsecureSkipVerify optionally
- MinVersion: appv1.TLSMinVersionInt,
+ MinVersion: appv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 

diff --git a/pkg/utils/gitrepo.go b/pkg/utils/gitrepo.go
@@ -489,7 +489,7 @@ func getHTTPOptions(options *git.CloneOptions, user, password, caCerts string, i
 
  installProtocol := false
 
- // #nosec G402
+ // #nosec G402 -- TLS 1.2 is required for FIPS
  clientConfig := &tls.Config{MinVersion: appv1.TLSMinVersionInt}
 
  // skip TLS certificate verification for Git servers with custom or self-signed certs
@@ -553,7 +553,6 @@ func getHTTPOptions(options *git.CloneOptions, user, password, caCerts string, i
  klog.Info("NO_PROXY = " + os.Getenv("NO_PROXY"))
 
  transportConfig := &http.Transport{
- /* #nosec G402 */
  TLSClientConfig: clientConfig,
  }
 
@@ -574,7 +573,6 @@ func getHTTPOptions(options *git.CloneOptions, user, password, caCerts string, i
  }
 
  customClient := &http.Client{
- /* #nosec G402 */
  Transport: transportConfig,
 
  // 15 second timeout

diff --git a/pkg/webhook/listener/webhook_listener.go b/pkg/webhook/listener/webhook_listener.go
@@ -113,13 +113,14 @@ func (listener *WebhookListener) Start(ctx context.Context) error {
 
  if listener.TLSKeyFile != "" && listener.TLSCrtFile != "" {
  klog.Info("Starting the WebHook listener on port 8443 with TLS key and cert files: " + listener.TLSKeyFile + " " + listener.TLSCrtFile)
-
- // #nosec G402
+
  s := &http.Server{
  Addr: ":8443",
  Handler: mux,
  ReadHeaderTimeout: 32 * time.Second,
- TLSConfig: &tls.Config{MinVersion: appv1alpha1.TLSMinVersionInt},
+ TLSConfig: &tls.Config{
+ MinVersion: appv1alpha1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
+ },
  }
 
  klog.Fatal(s.ListenAndServeTLS(listener.TLSCrtFile, listener.TLSKeyFile))