Signed-off-by: Sascha Schwarze <schwarzs@de.ibm.com>
Required for gosec

Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
By default we exclude potential hardcoded credentials and implicit memory aliasing for giving lots of false positives on correct behavior (where the addressed value never leaves the loop, or we break immediately after). We additionally exclude TLS MinVersion warnings (we need to co-ordinate with other projects upstream if we want to do this). Finally, we exclude the net/http/cgi blocklist, since it errors for a vulnerability in a version of Go that we don't target.

Signed-off-by: Justin Chadwell <me@jedevc.com>
| gosec: | ||
| excludes: | ||
| - G101 # Potential hardcoded credentials (false positives) | ||
| - G402 # TLS MinVersion too low |
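Review bot: the comment on `- G402 # TLS MinVersion too low` should say this exclusion is deliberately deferred and where it is tracked, because unlike G101 it silences a real hardening check rather than a false positive; the commit message already notes it needs upstream co-ordination, so a pointer to that issue belongs next to the rule.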
We should track this somewhere (likely containerd)
| - G101 # Potential hardcoded credentials (false positives) | ||
| - G402 # TLS MinVersion too low | ||
| - G601 # Implicit memory aliasing in for loop (false positives) | ||
| - G504 # Import blocklist: net/http/cgi |
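Review bot: G504 is excluded globally although the discussion says the only net/http/cgi import is in gitsource_test.go; a `#nosec G504` annotation on that import, or an exclusion scoped to test files, would keep the blocklist active for production packages, and the inline comment should state that the rule targets a Go version this project can no longer build with so a reader knows the exclusion is not hiding a live issue.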
These comments could be improved. E.g. why do we have an import on "net/http/cgi" and what do we need to do to fix it.
We only use it for testing in gitsource_test.go to use git http-backend - we could just remove the warning in that file, but the gosec warning itself is very weird.
The only reason it errors is that there's a vulnerability in an old version of go... that we don't support. I think it's reasonable to disable it globally, since we don't target that version.
tonistiigi left a comment
Noticed the changes I commented about were already described in PR description. Still don't understand the "CGI" case though.
Replaces #2449.
For the default excludes rules:
- net/http/cgi blocklist, since it errors for a vulnerability in a version of Go that we don't target (1.16, we now use generics so buildkit won't even compile with that version).
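The G601 shape the PR description calls a false positive (the address of the loop variable never outlives its iteration) shown next to the two forms gosec does not flag, as an added Go example that is not buildkit code or part of this PR; the `Record` type and the sample data are constructed for illustration.

```go
package main

// Record is a constructed sample type; the page does not define it.
type Record struct {
	Name string
}

// collectByIndex takes the address of the slice element, not of the
// range variable, so every pointer refers to distinct storage and the
// result aliases the caller's slice. gosec G601 does not flag this.
func collectByIndex(records []Record) []*Record {
	out := make([]*Record, 0, len(records))
	for i := range records {
		out = append(out, &records[i])
	}
	return out
}

// collectByCopy shadows the range variable with a per-iteration copy
// before taking its address. This is the usual fix for a genuine G601
// finding on Go versions before 1.22, where the range variable is a
// single variable reused by every iteration.
func collectByCopy(records []Record) []*Record {
	out := make([]*Record, 0, len(records))
	for _, r := range records {
		r := r // fresh copy per iteration; &r no longer aliases
		out = append(out, &r)
	}
	return out
}

// firstMatch is the pattern the PR treats as a false positive: &r is
// taken inside the body and the loop exits immediately, so no later
// iteration can overwrite the value the pointer refers to.
func firstMatch(records []Record, name string) *Record {
	for _, r := range records {
		if r.Name == name {
			p := &r
			return p
		}
	}
	return nil
}
```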