
Fix gosec static code analytics failures


    Details

    • Story Points:
      3

      Description

      Although gosec is enabled in golangci, running gosec ./... against some Go repositories reports issues that are not visible in golangci.

      The reason is that golangci disables some gosec rules by default (it classes them as "false positives"); in addition, some gosec findings are suppressed directly in the code.

      Since the security requirements are very high, we propose stricter gosec rules:

      • remove lines like //nolint:gosec so that no rule is excluded
      • fix all gosec issues

      The list of affected repos and issues:

      voltha-openolt-adapter

      [/builds/Access40/dev/pod/voltha-openolt-adapter/internal/pkg/core/device_handler.go:2204] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
          2203: logger.Debugw(ctx, "onu-data", log.Fields{"onu": onu})
        > 2204: if err := dh.clearUNIData(ctx, &onu); err != nil {
          2205: logger.Warnw(ctx, "failed-to-clear-uni-data-for-onu", log.Fields{

      [/builds/Access40/dev/pod/voltha-openolt-adapter/internal/pkg/core/device_handler.go:1776] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
          1775: logger.Debugw(ctx, "onu-data", log.Fields{"onu": onu})
        > 1776: if err = dh.clearUNIData(ctx, &onu); err != nil {
          1777: logger.Errorw(ctx, "failed-to-clear-data-for-onu", log.Fields{"onu-device": onu})

      Summary:
         Files: 24
         Lines: 13024
         Nosec: 0
        Issues: 2

      voltha-go

      Results:

      [/builds/Access40/dev/pod/voltha-go/rw_core/utils/id.go:41] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
          40: // A logical port is a uint32
        > 41: return rand.Uint32()
          42: }

      [/builds/Access40/dev/pod/voltha-go/rw_core/core/device/state/transitions.go:390] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
          389: }
        > 390: tempHandler, m = getHandler(pState, cState, &aTransition)
          391: if tempHandler != nil {

      Summary:
         Files: 66
         Lines: 15127
         Nosec: 0
        Issues: 2
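      The G601 findings in voltha-openolt-adapter and voltha-go and the G404 finding in voltha-go, as an added example that is not code from either repository: onuDevice, collectAliased, collectByIndex and randomUint32 are constructed stand-ins for the adapter's ONU loop and for the id generator.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// onuDevice is a constructed stand-in for the ONU record the adapter ranges over.
type onuDevice struct{ ID int }

// collectAliased mirrors the flagged pattern: &onu is taken on the range variable.
// Before Go 1.22 that variable is reused on every iteration, so each stored pointer
// ends up referring to the last element (G601, CWE-118).
func collectAliased(onus []onuDevice) []*onuDevice {
	var ptrs []*onuDevice
	for _, onu := range onus {
		ptrs = append(ptrs, &onu)
	}
	return ptrs
}

// collectByIndex is the fix: take the address of the slice element itself (or copy
// into a fresh local first), so each pointer is distinct on every Go version.
func collectByIndex(onus []onuDevice) []*onuDevice {
	ptrs := make([]*onuDevice, 0, len(onus))
	for i := range onus {
		ptrs = append(ptrs, &onus[i])
	}
	return ptrs
}

// randomUint32 replaces math/rand.Uint32 (G404, CWE-338): four bytes from the OS
// CSPRNG via crypto/rand, decoded big-endian, with the read error surfaced.
func randomUint32() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

func main() {
	onus := []onuDevice{{1}, {2}, {3}}
	a, b := collectAliased(onus), collectByIndex(onus)
	fmt.Println(*a[0], *a[1], *a[2], "vs", *b[0], *b[1], *b[2])
	fmt.Println(randomUint32())
}
```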

      voltha-openonu-adapter-go

      Results:

      [/builds/Access40/dev/pod/voltha-openonu-adapter-go/internal/pkg/onuadaptercore/adapter_download_manager.go:248] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
          247: //nolint:gosec
        > 248: file, err := os.Open(aLocalPath + "/" + aFileName)
          249: if err != nil {

      [/builds/Access40/dev/pod/voltha-openonu-adapter-go/internal/pkg/onuadaptercore/adapter_download_manager.go:229] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
          228: //nolint:gosec
        > 229: file, err := os.Open(aLocalPath + "/" + aFileName)
          230: if err != nil {

      [/builds/Access40/dev/pod/voltha-openonu-adapter-go/internal/pkg/onuadaptercore/adapter_download_manager.go:253] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
          252: //nolint:errcheck
        > 253: defer file.Close()
          254:

      [/builds/Access40/dev/pod/voltha-openonu-adapter-go/internal/pkg/onuadaptercore/adapter_download_manager.go:234] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
          233: //nolint:errcheck
        > 234: defer file.Close()
          235:

      Summary:
         Files: 28
         Lines: 20619
         Nosec: 0
        Issues: 4
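      The G304 and G307 findings above, as an added example that is not voltha-openonu-adapter-go code: confinedPath and readConfined are constructed, and stand in for the aLocalPath + "/" + aFileName open and the deferred Close in the download manager.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

var errOutsideBase = errors.New("file name escapes the download directory")

// confinedPath joins baseDir and fileName, but only for a bare file name: separators,
// ".", ".." and absolute paths are refused, so the result cannot leave baseDir (G304).
func confinedPath(baseDir, fileName string) (string, error) {
	if fileName == "" || fileName == "." || fileName == ".." || fileName != filepath.Base(fileName) {
		return "", errOutsideBase
	}
	return filepath.Join(baseDir, fileName), nil
}

// readConfined opens the confined path and reads it. Instead of a bare "defer file.Close()"
// (G307) the Close error is captured and becomes the function's error when the read succeeded.
func readConfined(baseDir, fileName string) (data []byte, err error) {
	p, err := confinedPath(baseDir, fileName)
	if err != nil {
		return nil, err
	}
	f, err := os.Open(p)
	if err != nil {
		return nil, err
	}
	defer func() {
		if cerr := f.Close(); cerr != nil && err == nil {
			err = cerr
		}
	}()
	return io.ReadAll(f)
}

func main() {
	dir, _ := os.MkdirTemp("", "dl") // constructed download directory
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "image.bin"), []byte("firmware"), 0o600)
	for _, name := range []string{"image.bin", "../image.bin", "/etc/hostname"} {
		data, err := readConfined(dir, name)
		fmt.Printf("%-16q -> %q %v\n", name, data, err)
	}
}
```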

      ofagent-go

      Results:

      [/builds/Access40/dev/pod/voltha-ofagent-go/internal/pkg/openflow/meter.go:115] - G103 (CWE-242): Use of unsafe calls should be audited (Confidence: HIGH, Severity: LOW)
          114: message.SetData(meterByteId)
        > 115: message.Length = uint16(unsafe.Sizeof(*message))
          116: if err := ofc.SendMessage(ctx, message); err != nil {

      [/builds/Access40/dev/pod/voltha-ofagent-go/internal/pkg/openflow/connection.go:219] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
          218: log.Fields{"device-id": ofc.DeviceID})
        > 219: ofc.conn.Close()
          220: ofc.conn = nil

      [/builds/Access40/dev/pod/voltha-ofagent-go/internal/pkg/openflow/connection.go:75] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
          74: log.Fields{"device-id": ofc.DeviceID})
        > 75: ofc.conn.Close()
          76: ofc.conn = nil

      [/builds/Access40/dev/pod/voltha-ofagent-go/internal/pkg/ofagent/connection.go:38] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
          37: if ofa.volthaConnection != nil {
        > 38: ofa.volthaConnection.Close()
          39: }

      Summary:
         Files: 31
         Lines: 4719
         Nosec: 0
        Issues: 4
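      The G104 and G103 findings above, as an added example that is not ofagent-go code: closeConn, failingCloser and header are constructed, and nothing here claims the ofagent-go message struct is laid out like header; the point is why a Length field taken from unsafe.Sizeof deserves the audit G103 asks for.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"unsafe"
)

// closeConn replaces a bare conn.Close() (G104, CWE-703): the error is wrapped and
// returned so the caller can log it next to the device id instead of dropping it.
func closeConn(c io.Closer) error {
	if c == nil {
		return nil
	}
	if err := c.Close(); err != nil {
		return fmt.Errorf("closing connection: %w", err)
	}
	return nil
}

// failingCloser is a constructed io.Closer whose Close always fails.
type failingCloser struct{}

func (failingCloser) Close() error { return errors.New("connection reset by peer") }

// header is a constructed fixed-width message; it stands in for a struct whose
// Length field was derived from unsafe.Sizeof (G103, CWE-242).
type header struct {
	Version uint8
	XID     uint32
	Length  uint16
}

// inMemorySize is what unsafe.Sizeof reports: the in-memory layout, including the
// alignment padding between fields.
func inMemorySize(h header) uintptr { return unsafe.Sizeof(h) }

// wireSize is the number of bytes encoding/binary actually emits for h, which is
// the value a protocol length field should carry.
func wireSize(h header) int { return binary.Size(h) }

func main() {
	fmt.Println("close:", closeConn(failingCloser{}))
	h := header{Version: 4, XID: 7}
	fmt.Printf("unsafe.Sizeof=%d binary.Size=%d\n", inMemorySize(h), wireSize(h))
}
```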


            People

            Assignee:
            Andrey Pozolotin (breathbath)
            Reporter:
            Andrey Pozolotin (breathbath)