Deprecation, gosec, and spelling fixes

.github/workflows/go-presubmit.yml

@@ -102,8 +102,7 @@ jobs:
  - name: Run Gosec Security Scanner
  uses: securego/gosec@master
  with:
- # gosec doesn't support in-line comment like `//nolint` to ignore the G602 warning.
- args: -exclude-generated -exclude=G602 ./...
+ args: -exclude-generated ./...
 
  e2e:
  name: e2e

cmd/manager/exec/manager.go

@@ -200,7 +200,7 @@ func RunManager() {
  }
 
  if !Options.Debug {
- // Setup Webhook listner
+ // Setup Webhook listener
  if err := webhook.AddToManager(mgr, hubconfig, Options.TLSKeyFilePathName, Options.TLSCrtFilePathName, Options.DisableTLS, true); err != nil {
  klog.Error("Failed to initialize WebHook listener with error:", err)
  os.Exit(1)
@@ -360,7 +360,7 @@ func setupStandalone(mgr manager.Manager, hubconfig *rest.Config, id *types.Name
  }
 
  if standalone && !Options.Debug {
- // Setup Webhook listner
+ // Setup Webhook listener
  if err := webhook.AddToManager(mgr, hubconfig, Options.TLSKeyFilePathName, Options.TLSCrtFilePathName, Options.DisableTLS, false); err != nil {
  klog.Error("Failed to initialize WebHook listener with error:", err)
 
@@ -379,13 +379,12 @@ func serveHealthProbes(healthProbeBindAddress string, configCheck healthz.Checke
  "configz-ping": configCheck,
  }}))
 
- /* #nosec G402 */
  server := http.Server{
  Handler: mux,
  ReadHeaderTimeout: 5 * time.Second,
  Addr: healthProbeBindAddress,
  TLSConfig: &tls.Config{
- MinVersion: appsubv1.TLSMinVersionInt,
+ MinVersion: appsubv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 

e2e/e2e_test.go

@@ -17,7 +17,7 @@ package e2e
 import (
  "encoding/json"
  "fmt"
- "io/ioutil"
+ "io"
  "net/http"
  "testing"
 )
@@ -86,7 +86,7 @@ func (r *Runner) Run(runID string) error {
  defer resp.Body.Close()
 
  if resp.StatusCode == http.StatusOK {
- bodyBytes, err := ioutil.ReadAll(resp.Body)
+ bodyBytes, err := io.ReadAll(resp.Body)
  if err != nil {
  return err
  }

pkg/controller/mcmhub/gitrepo_sync.go

@@ -16,7 +16,7 @@ package mcmhub
 
 import (
  "encoding/json"
- "io/ioutil"
+ "os"
  "path/filepath"
  "strings"
 
@@ -227,7 +227,7 @@ func (r *ReconcileSubscription) subscribeResources(
  rscFiles []string, objRefMap map[v1.ObjectReference]*v1.ObjectReference) error {
  // sync kube resource manifests
  for _, rscFile := range rscFiles {
- file, err := ioutil.ReadFile(rscFile) // #nosec G304 rscFile is not user input
+ file, err := os.ReadFile(rscFile) // #nosec G304 rscFile is not user input
 
  if err != nil {
  klog.Error(err, "Failed to read YAML file "+rscFile)

pkg/controller/mcmhub/hub_git.go

@@ -17,7 +17,6 @@ package mcmhub
 import (
  "context"
  "fmt"
- "io/ioutil"
  "os"
  "path/filepath"
  "strconv"
@@ -699,7 +698,7 @@ func parseAsAnsibleJobs(rscFiles []string, parser func([]byte) [][]byte, logger
  jobs := []ansiblejob.AnsibleJob{}
  // sync kube resource manifests
  for _, rscFile := range rscFiles {
- file, err := ioutil.ReadFile(rscFile) // #nosec G304 rscFile is not user input
+ file, err := os.ReadFile(rscFile) // #nosec G304 rscFile is not user input
 
  if err != nil {
  return []ansiblejob.AnsibleJob{}, err

pkg/controller/subscription/lease_controller_test.go

@@ -16,7 +16,6 @@ package subscription
 
 import (
  "context"
- "io/ioutil"
  "os"
  "testing"
  "time"
@@ -73,7 +72,7 @@ func TestLeaseReconcile(t *testing.T) {
  addontNs, _ := utils.GetComponentNamespace()
  pod.SetNamespace(addontNs)
 
- tmpFile, err := ioutil.TempFile("", "temptest")
+ tmpFile, err := os.CreateTemp("", "temptest")
  g.Expect(err).ShouldNot(gomega.HaveOccurred())
 
  _, err = tmpFile.WriteString("fake kubeconfig data")

pkg/helmrelease/utils/helmrepoutils.go

@@ -23,7 +23,6 @@ import (
  "encoding/pem"
  "fmt"
  "io"
- "io/ioutil"
  "net"
  "net/http"
  "net/url"
@@ -53,7 +52,6 @@ import (
 
 // GetHelmRepoClient returns an *http.client to access the helm repo
 func GetHelmRepoClient(parentNamespace string, configMap *corev1.ConfigMap, skipCertVerify bool) (rest.HTTPClient, error) {
- /* #nosec G402 */
  transport := &http.Transport{
  Proxy: http.ProxyFromEnvironment,
  DialContext: (&net.Dialer{
@@ -67,7 +65,7 @@ func GetHelmRepoClient(parentNamespace string, configMap *corev1.ConfigMap, skip
  ExpectContinueTimeout: 1 * time.Second,
  TLSClientConfig: &tls.Config{
  InsecureSkipVerify: skipCertVerify, // #nosec G402 InsecureSkipVerify conditionally
- MinVersion: appsubv1.TLSMinVersionInt,
+ MinVersion: appsubv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 
@@ -349,7 +347,7 @@ func getKnownHostFromURL(sshURL string, filepath string) error {
 
  klog.Info("SSH host key: " + string(stdout))
 
- if err := ioutil.WriteFile(filepath, stdout, 0600); err != nil {
+ if err := os.WriteFile(filepath, stdout, 0600); err != nil {
  klog.Error("failed to write known_hosts file: ", err)
  return err
  }
@@ -405,7 +403,7 @@ func getSSHOptions(options *git.CloneOptions, sshKey, passphrase []byte, knownho
 func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerify bool) error {
  installProtocol := false
 
- // #nosec G402
+ // #nosec G402 -- TLS 1.2 is required for FIPS
  clientConfig := &tls.Config{MinVersion: appsubv1.TLSMinVersionInt}
 
  // skip TLS certificate verification for Git servers with custom or self-signed certs
@@ -451,7 +449,6 @@ func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerif
  klog.Info("HTTPS_PROXY = " + os.Getenv("HTTPS_PROXY"))
 
  transportConfig := &http.Transport{
- /* #nosec G402 */
  TLSClientConfig: clientConfig,
  }
 
@@ -477,7 +474,6 @@ func getHTTPOptions(options *git.CloneOptions, caCerts string, insecureSkipVerif
  }
 
  customClient := &http.Client{
- /* #nosec G402 */
  Transport: transportConfig,
 
  // 15 second timeout

pkg/helmrelease/utils/helmrepoutils_test.go

@@ -20,7 +20,6 @@ import (
  "context"
  "crypto/tls"
  "encoding/pem"
- "io/ioutil"
  "os"
  "path/filepath"
  "reflect"
@@ -164,7 +163,7 @@ func TestDownloadChartGitHub(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -194,7 +193,7 @@ func TestDownloadChartGit(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -224,7 +223,7 @@ func TestDownloadChartHelmRepo(t *testing.T) {
  Digest: "long-fake-digest-that-is-very-long",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -257,7 +256,7 @@ func TestDownloadChartHelmRepoContainsInvalidURL(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -286,7 +285,7 @@ func TestDownloadChartHelmRepoContainsInvalidURL2(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -314,7 +313,7 @@ func TestDownloadChartHelmRepoAllInvalidURLs(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -341,7 +340,7 @@ func TestDownloadChartFromGitHub(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -371,7 +370,7 @@ func TestDownloadChartFromGit(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -401,7 +400,7 @@ func TestDownloadChartFromHelmRepoHTTP(t *testing.T) {
  Digest: "short",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -434,7 +433,7 @@ func TestDownloadChartFromHelmRepoHTTPConfigMap(t *testing.T) {
  Digest: "short",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -470,7 +469,7 @@ func TestDownloadChartFromHelmRepoHTTPNoDigest(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -502,7 +501,7 @@ func TestDownloadChartFromHelmRepoLocal(t *testing.T) {
  Digest: "digest",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -533,7 +532,7 @@ func TestDownloadChartFromHelmRepoLocalNoDigest(t *testing.T) {
  ChartName: "subscription-release-test-1",
  },
  }
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -551,7 +550,7 @@ func TestDownloadChartFromHelmRepoLocalNoDigest(t *testing.T) {
 func TestDownloadGitRepo(t *testing.T) {
  httpURLs := []string{"https://" + testutils.GetTestGitRepoURLFromEnvVar() + ".git"}
  sshURLs := []string{"ssh://" + testutils.GetTestGitRepoURLFromEnvVar() + ".git"}
- dir, err := ioutil.TempDir("/tmp", "charts")
+ dir, err := os.MkdirTemp("/tmp", "charts")
  assert.NoError(t, err)
 
  defer os.RemoveAll(dir)
@@ -653,7 +652,7 @@ tYny6pJJNYEhf7HPmb2O3zBuuqsCC0O2SHrgFYH350zA4To9Ez5nifkZ0CBx0pn9jWn02V
 }
 
 func TestGetKnownHostFromURL(t *testing.T) {
- tmpfile, err := ioutil.TempFile("", "temptest")
+ tmpfile, err := os.CreateTemp("", "temptest")
  if err != nil {
  t.Error("error creating temp file")
  }

pkg/subscriber/git/git_subscriber_item.go

@@ -18,7 +18,7 @@ import (
  "context"
  "errors"
  "fmt"
- "io/ioutil"
+ "os"
  "path/filepath"
  "strconv"
  "strings"
@@ -519,7 +519,7 @@ func checkSubscriptionAnnotation(resource kubeResource) error {
 func (ghsi *SubscriberItem) subscribeResources(rscFiles []string) error {
  // sync kube resource manifests
  for _, rscFile := range rscFiles {
- file, err := ioutil.ReadFile(rscFile) // #nosec G304 rscFile is not user input
+ file, err := os.ReadFile(rscFile) // #nosec G304 rscFile is not user input
 
  if err != nil {
  klog.Error(err, "Failed to read YAML file "+rscFile)

pkg/subscriber/helmrepo/helm_subscriber_item.go

@@ -19,7 +19,7 @@ import (
  "crypto/sha1" // #nosec G505 Used only to generate random value to be used to generate hash string
  "crypto/tls"
  "fmt"
- "io/ioutil"
+ "io"
  "net"
  "net/http"
  "strconv"
@@ -448,10 +448,9 @@ func getHelmRepoClient(chnCfg *corev1.ConfigMap, insecureSkipVerify bool) (*http
  IdleConnTimeout: 90 * time.Second,
  TLSHandshakeTimeout: 10 * time.Second,
  ExpectContinueTimeout: 1 * time.Second,
- /* #nosec G402 */
  TLSClientConfig: &tls.Config{
- InsecureSkipVerify: insecureSkipVerify, // #nosec G402 InsecureSkipVerify optionally
- MinVersion: appv1.TLSMinVersionInt,
+ InsecureSkipVerify: insecureSkipVerify,  // #nosec G402 InsecureSkipVerify optionally
+ MinVersion: appv1.TLSMinVersionInt, // #nosec G402 -- TLS 1.2 is required for FIPS
  },
  }
 
@@ -525,7 +524,7 @@ func getHelmRepoIndex(client rest.HTTPClient, sub *appv1.Subscription,
 
  klog.V(5).Info("Get succeeded: ", cleanRepoURL)
 
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
  if err != nil {
  klog.Error(err, "Unable to read body: ", cleanRepoURL)
 

pkg/utils/aws/objectstore.go

@@ -17,7 +17,7 @@ package aws
 import (
  "bytes"
  "context"
- "io/ioutil"
+ "io"
  "strings"
 
  "github.com/aws/aws-sdk-go-v2/aws"
@@ -258,7 +258,7 @@ func (h *Handler) Get(bucket, name string) (DeployableObject, error) {
 
  generateName := resp.Metadata[DployableMateGenerateNameKey]
  version := resp.Metadata[DeployableMetaVersionKey]
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 
  if err != nil {
  klog.Error("Failed to parse Get request. error: ", err)