[chore] Add gosec via golangci-lint (#4452)

open-telemetry · Oct 21, 2023 · ed717ec · ed717ec
1 parent 8918009
commit ed717ec
Show file tree

Hide file tree

Showing 17 changed files with 24 additions and 48 deletions.
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
diff --git a/.golangci.yml b/.golangci.yml
@@ -15,6 +15,7 @@ linters:
     - godot
     - gofumpt
     - goimports
+    - gosec
     - gosimple
     - govet
     - ineffassign
@@ -54,6 +55,10 @@ issues:
       text: "calls to (.+) only in main[(][)] or init[(][)] functions"
       linters:
         - revive
+    # It's okay to not run gosec in a test.
+    - path: _test\.go
+      linters:
+        - gosec
   include:
     # revive exported should have comment or be unexported.
     - EXC0012

diff --git a/detectors/aws/eks/detector.go b/detectors/aws/eks/detector.go
@@ -31,7 +31,7 @@ import (
 )
 
 const (
-	k8sTokenPath      = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	k8sTokenPath      = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec // False positive G101: Potential hardcoded credentials. The detector only check if the token exists.
 	k8sCertPath       = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 	authConfigmapNS   = "kube-system"
 	authConfigmapName = "aws-auth"

diff --git a/detectors/aws/lambda/detector.go b/detectors/aws/lambda/detector.go
@@ -28,7 +28,7 @@ import (
 // For a complete list of reserved environment variables in Lambda, see:
 // https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html
 const (
-	lambdaFunctionNameEnvVar    = "AWS_LAMBDA_FUNCTION_NAME"
+	lambdaFunctionNameEnvVar    = "AWS_LAMBDA_FUNCTION_NAME" //nolint:gosec // False positive G101: Potential hardcoded credentials. The function name is added as attribute per semantic conventions.
 	awsRegionEnvVar             = "AWS_REGION"
 	lambdaFunctionVersionEnvVar = "AWS_LAMBDA_FUNCTION_VERSION"
 	lambdaLogStreamNameEnvVar   = "AWS_LAMBDA_LOG_STREAM_NAME"

diff --git a/instrumentation/github.com/emicklei/go-restful/otelrestful/example/server.go b/instrumentation/github.com/emicklei/go-restful/otelrestful/example/server.go
@@ -67,7 +67,7 @@ func main() {
 	restful.DefaultContainer.Filter(filter)
 	restful.DefaultContainer.Add(u.WebService())
 
-	_ = http.ListenAndServe(":8080", nil)
+	_ = http.ListenAndServe(":8080", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 }
 
 func initTracer() (*sdktrace.TracerProvider, error) {

diff --git a/instrumentation/github.com/gorilla/mux/otelmux/example/server.go b/instrumentation/github.com/gorilla/mux/otelmux/example/server.go
@@ -53,7 +53,7 @@ func main() {
 		_, _ = w.Write(([]byte)(reply))
 	}))
 	http.Handle("/", r)
-	_ = http.ListenAndServe(":8080", nil)
+	_ = http.ListenAndServe(":8080", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 }
 
 func initTracer() (*sdktrace.TracerProvider, error) {

diff --git a/instrumentation/google.golang.org/grpc/otelgrpc/example/client/main.go b/instrumentation/google.golang.org/grpc/otelgrpc/example/client/main.go
@@ -43,7 +43,7 @@ func main() {
 	}()
 
 	var conn *grpc.ClientConn
-	conn, err = grpc.Dial(":7777", grpc.WithTransportCredentials(insecure.NewCredentials()),
+	conn, err = grpc.Dial("127.0.0.1:7777", grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithStatsHandler(otelgrpc.NewClientHandler()),
 	)
 

diff --git a/instrumentation/google.golang.org/grpc/otelgrpc/example/server/main.go b/instrumentation/google.golang.org/grpc/otelgrpc/example/server/main.go
@@ -34,10 +34,6 @@ import (
 	"google.golang.org/grpc"
 )
 
-const (
-	port = ":7777"
-)
-
 var tracer = otel.Tracer("grpc-example")
 
 // server is used to implement api.HelloServiceServer.
@@ -134,7 +130,7 @@ func main() {
 		}
 	}()
 
-	lis, err := net.Listen("tcp", port)
+	lis, err := net.Listen("tcp", "127.0.0.1:7777")
 	if err != nil {
 		log.Fatalf("failed to listen: %v", err)
 	}

diff --git a/instrumentation/net/http/httptrace/otelhttptrace/example/server/server.go b/instrumentation/net/http/httptrace/otelhttptrace/example/server/server.go
@@ -78,7 +78,7 @@ func main() {
 	otelHandler := otelhttp.NewHandler(http.HandlerFunc(helloHandler), "Hello")
 
 	http.Handle("/hello", otelHandler)
-	err = http.ListenAndServe(":7777", nil)
+	err = http.ListenAndServe(":7777", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 	if err != nil {
 		log.Fatal(err)
 	}

diff --git a/instrumentation/net/http/otelhttp/example/server/server.go b/instrumentation/net/http/otelhttp/example/server/server.go
@@ -102,7 +102,7 @@ func main() {
 	otelHandler := otelhttp.NewHandler(http.HandlerFunc(helloHandler), "Hello")
 
 	http.Handle("/hello", otelHandler)
-	err = http.ListenAndServe(":7777", nil)
+	err = http.ListenAndServe(":7777", nil) //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 	if err != nil {
 		log.Fatal(err)
 	}

diff --git a/instrumentation/net/http/otelhttp/handler_example_test.go b/instrumentation/net/http/otelhttp/handler_example_test.go
@@ -94,7 +94,7 @@ func ExampleNewHandler() {
 		),
 	)
 
-	if err := http.ListenAndServe(":7777",
+	if err := http.ListenAndServe(":7777", //nolint:gosec // Ignoring G114: Use of net/http serve function that has no support for setting timeouts.
 		otelhttp.NewHandler(&mux, "server",
 			otelhttp.WithMessageEvents(otelhttp.ReadEvents, otelhttp.WriteEvents),
 		),

diff --git a/propagators/aws/xray/idgenerator.go b/propagators/aws/xray/idgenerator.go
@@ -69,7 +69,7 @@ func NewIDGenerator() *IDGenerator {
 	gen := &IDGenerator{}
 	var rngSeed int64
 	_ = binary.Read(crand.Reader, binary.LittleEndian, &rngSeed)
-	gen.randSource = rand.New(rand.NewSource(rngSeed))
+	gen.randSource = rand.New(rand.NewSource(rngSeed)) //nolint:gosec // Tracked under: https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4449.
 	return gen
 }
 

diff --git a/propagators/opencensus/examples/opentelemetry_server/server.go b/propagators/opencensus/examples/opentelemetry_server/server.go
@@ -32,21 +32,21 @@ import (
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 )
 
-const port = ":50051"
+const address = "localhost:50051"
 
 // server is used to implement helloworld.GreeterServer.
 type server struct{}
 
 // SayHello implements helloworld.GreeterServer.
 func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
 	_, span := trace.StartSpan(ctx, "sleep")
-	time.Sleep(time.Duration(rand.Float64() * float64(time.Second)))
+	time.Sleep(time.Duration(rand.Float64() * float64(time.Second))) //nolint:gosec // Ignoring G404: Use of weak random number generator (math/rand instead of crypto/rand)
 	span.End()
 	return &pb.HelloReply{Message: "Hello " + in.Name}, nil
 }
 
 func main() {
-	lis, err := net.Listen("tcp", port)
+	lis, err := net.Listen("tcp", address)
 	if err != nil {
 		log.Fatalf("Failed to listen: %v", err)
 	}

diff --git a/samplers/aws/xray/rand.go b/samplers/aws/xray/rand.go
@@ -35,7 +35,7 @@ var seed = newSeed()
 func newGlobalRand() *rand.Rand {
 	src := rand.NewSource(seed)
 	if src64, ok := src.(rand.Source64); ok {
-		return rand.New(src64)
+		return rand.New(src64) //nolint:gosec // Tracked under: https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4450.
 	}
-	return rand.New(src)
+	return rand.New(src) //nolint:gosec // Tracked under: https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4450.
 }
diff --git a/samplers/jaegerremote/internal/utils/http_json.go b/samplers/jaegerremote/internal/utils/http_json.go
@@ -25,7 +25,7 @@ import (
 
 // GetJSON makes an HTTP call to the specified URL and parses the returned JSON into `out`.
 func GetJSON(url string, out interface{}) error {
-	resp, err := http.Get(url)
+	resp, err := http.Get(url) //nolint:gosec // False positive G107: Potential HTTP request made with variable url
 	if err != nil {
 		return err
 	}

diff --git a/samplers/probability/consistent/sampler.go b/samplers/probability/consistent/sampler.go
@@ -86,7 +86,7 @@ func (s consistentProbabilityBasedRandomSource) apply(cfg *consistentProbability
 // used as the root delegate of a `Parent` sampler.
 func ProbabilityBased(fraction float64, opts ...ProbabilityBasedOption) sdktrace.Sampler {
 	cfg := consistentProbabilityBasedConfig{
-		source: rand.NewSource(rand.Int63()),
+		source: rand.NewSource(rand.Int63()), //nolint:gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand) is ignored as this is not security-sensitive.
 	}
 	for _, opt := range opts {
 		opt.apply(&cfg)
@@ -104,7 +104,7 @@ func ProbabilityBased(fraction float64, opts ...ProbabilityBasedOption) sdktrace
 		lowLAC:  lowLAC,
 		highLAC: highLAC,
 		lowProb: lowProb,
-		rnd:     rand.New(cfg.source),
+		rnd:     rand.New(cfg.source), //nolint:gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand) is ignored as this is not security-sensitive.
 	}
 }
 

diff --git a/zpages/templates.go b/zpages/templates.go
@@ -58,6 +58,7 @@ func parseTemplate(name string) *template.Template {
 	return template.Must(template.New(name).Funcs(templateFunctions).Parse(string(text)))
 }
 
+//nolint:gosec // G203: The used method does not auto-escape HTML. Tracked under https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4451.
 func spanRowFormatter(r spanRow) template.HTML {
 	if !r.SpanContext.IsValid() {
 		return ""