
Apply gosec checks to the codebase, except tests. #9489


Merged
merged 1 commit into from
Sep 21, 2020

Conversation

@markusthoemmes markusthoemmes commented Sep 21, 2020

Proposed Changes

I found the findings somewhat interesting and worth enabling the check if only to force us to think through decisions (like the TLS version for example) and document why we've chosen to disable security features.

Release Note

For security reasons, registries that are shipping image metadata on TLS version 1.0 or 1.1 are no longer supported.

/assign @julz @vagababov @mattmoor

/hold

Especially for the TLS Version bump on the image digest resolution. That needs some eyes for sure.

@knative-prow-robot knative-prow-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 21, 2020
@googlebot googlebot added the cla: yes Indicates the PR's author has signed the CLA. label Sep 21, 2020
@knative-prow-robot knative-prow-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 21, 2020

@knative-prow-robot knative-prow-robot left a comment


@markusthoemmes: 0 warnings.

In response to this:

Proposed Changes

I found the findings somewhat interesting and worth enabling the check if only to force us to think through decisions (like the TLS version for example) and document why we've chosen to disable security features.

Release Note

NONE

/assign @julz @vagababov @mattmoor

/hold

Especially for the TLS Version bump on the image digest resolution. That needs some eyes for sure.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: markusthoemmes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow-robot knative-prow-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers area/autoscale area/networking labels Sep 21, 2020
@knative-test-reporter-robot

The following jobs failed:

Test name Triggers Retries
pull-knative-serving-unit-tests 0/3

Failed non-flaky tests preventing automatic retry of pull-knative-serving-unit-tests:

pkg/apis/serving.TestPodSpecValidation/with_volume_(ok)
pkg/apis/serving.TestPodSpecValidation/with_volume_name_collision
pkg/apis/serving.TestPodSpecValidation/with_volume_mount_path_collision
pkg/apis/serving.TestPodSpecValidation
pkg/apis/serving.TestPodSpecMultiContainerValidation/Volume_mounts_ok_with_single_container
pkg/apis/serving.TestPodSpecMultiContainerValidation/Volume_mounts_ok_when_having_multiple_containers
pkg/apis/serving.TestPodSpecMultiContainerValidation/Volume_not_mounted_when_having_multiple_containers
pkg/apis/serving.TestPodSpecMultiContainerValidation

and 19 more.

@knative-metrics-robot

The following is the coverage report on the affected files.
Say /test pull-knative-serving-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/serving/k8s_validation.go 99.3% 99.3% 0.0

codecov bot commented Sep 21, 2020

Codecov Report

Merging #9489 into master will decrease coverage by 0.01%.
The diff coverage is 100.00%.


@@            Coverage Diff             @@
##           master    #9489      +/-   ##
==========================================
- Coverage   88.61%   88.60%   -0.02%     
==========================================
  Files         209      209              
  Lines        9374     9378       +4     
==========================================
+ Hits         8307     8309       +2     
  Misses        814      814              
- Partials      253      255       +2     
Impacted Files Coverage Δ
pkg/activator/net/lb_policy.go 91.89% <ø> (ø)
pkg/queue/health/probe.go 93.93% <ø> (ø)
pkg/apis/serving/k8s_validation.go 97.93% <100.00%> (+0.01%) ⬆️
pkg/reconciler/revision/resolve.go 94.87% <100.00%> (+0.13%) ⬆️
pkg/reconciler/revision/resources/deploy.go 100.00% <100.00%> (ø)
pkg/reconciler/route/traffic/traffic.go 93.33% <100.00%> (ø)
pkg/reconciler/revision/reconcile_resources.go 80.72% <0.00%> (-2.41%) ⬇️
pkg/reconciler/autoscaling/kpa/scaler.go 88.40% <0.00%> (-1.45%) ⬇️
pkg/activator/net/revision_backends.go 91.40% <0.00%> (+0.90%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7398ed7...9256e45. Read the comment docs.

@@ -250,7 +250,8 @@ func validateEnv(ctx context.Context, envVars []corev1.EnvVar) *apis.FieldError

func validateEnvFrom(envFromList []corev1.EnvFromSource) *apis.FieldError {
var errs *apis.FieldError
for i, envFrom := range envFromList {
for i := range envFromList {
envFrom := envFromList[i]
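Review bot: the switch to `for i := range envFromList` / `envFrom := envFromList[i]` removes the aliasing gosec reports when the address of a range variable is taken: the copy is declared inside the body, so any pointer taken further down refers to that iteration's value rather than to a variable the loop overwrites on the next pass. Since the thread on this hunk already asks what was wrong with the iterator style, a one-line comment above the loop saying why the index form is used would keep someone from "simplifying" it back; the shadowing form `envFrom := envFrom` inside the value-range loop would have had the same effect while keeping the iterator style, so either is acceptable as long as the reason is recorded.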
Member

What's wrong with the iterator style?

Member

I was trying to understand how we had so few, but I'm guessing this is limited to things where & is taken or it'd be everywhere. This is pleasantly small, and finally a check to keep us from making this common mistake 🤩

Contributor

Note that this matters if the function stores the object somehow, but definitely no need to have a possible bug anyway :)
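The aliasing the thread above is discussing, as an added example that is not part of this PR or of Knative's code. `EnvFromSource` is a constructed stand-in for `corev1.EnvFromSource`; the three loop shapes are the pattern gosec flags (address of a range variable, its G601 rule), the index-plus-copy form the hunk switches to, and the index-plus-`&list[i]` form for code that needs writes through the pointer to land in the caller's slice. The helpers only read back what each pointer sees, so the effect of each shape is visible without a linter:

```go
package main

import (
	"fmt"
	"strings"
)

// EnvFromSource is a constructed stand-in for corev1.EnvFromSource.
type EnvFromSource struct {
	Prefix string
}

// byValueRange is the pattern gosec reports as implicit memory aliasing (G601):
// the address of the range variable is taken. With go.mod's go directive below
// 1.22 a single variable is reused for every iteration, so every pointer ends up
// at the last element's copy; from Go 1.22 on each iteration gets its own
// variable. Under both semantics the pointers refer to copies, never to list.
func byValueRange(list []EnvFromSource) []*EnvFromSource {
	out := make([]*EnvFromSource, 0, len(list))
	for _, envFrom := range list {
		out = append(out, &envFrom) // G601: implicit memory aliasing in for loop
	}
	return out
}

// byIndexCopy is the shape the hunk switches to: index the slice and copy the
// element into a variable declared inside the body, which is fresh on every
// iteration under every Go version.
func byIndexCopy(list []EnvFromSource) []*EnvFromSource {
	out := make([]*EnvFromSource, 0, len(list))
	for i := range list {
		envFrom := list[i]
		out = append(out, &envFrom)
	}
	return out
}

// byIndexAddr is the alternative when code must see writes through the pointer
// in the original slice: point at the element itself instead of a copy.
func byIndexAddr(list []EnvFromSource) []*EnvFromSource {
	out := make([]*EnvFromSource, 0, len(list))
	for i := range list {
		out = append(out, &list[i])
	}
	return out
}

// prefixes reads each pointer and reports the prefix it sees, in order.
func prefixes(ptrs []*EnvFromSource) []string {
	res := make([]string, len(ptrs))
	for i, p := range ptrs {
		res[i] = p.Prefix
	}
	return res
}

// distinct counts how many different addresses ptrs holds; aliasing collapses it to 1.
func distinct(ptrs []*EnvFromSource) int {
	seen := make(map[*EnvFromSource]struct{}, len(ptrs))
	for _, p := range ptrs {
		seen[p] = struct{}{}
	}
	return len(seen)
}

// writesReachSlice reports whether a write through ptrs[0] is visible in list[0].
func writesReachSlice(list []EnvFromSource, ptrs []*EnvFromSource) bool {
	ptrs[0].Prefix = "WRITTEN_"
	return list[0].Prefix == "WRITTEN_"
}

func main() {
	list := []EnvFromSource{{"A_"}, {"B_"}, {"C_"}} // constructed input
	shapes := map[string]func([]EnvFromSource) []*EnvFromSource{
		"value range (G601)":  byValueRange,
		"index + copy (hunk)": byIndexCopy,
		"index + &list[i]":    byIndexAddr,
	}
	for name, f := range shapes {
		ptrs := f(list)
		fmt.Printf("%-20s distinct=%d prefixes=%s\n",
			name, distinct(ptrs), strings.Join(prefixes(ptrs), ","))
	}
}
```

Run it with a go.mod whose go directive is below 1.22 and the value-range shape prints `distinct=1 prefixes=C_,C_,C_`; with 1.22 or later it prints three distinct copies. The index-plus-copy shape prints three distinct copies under either, which is why it is the safe default, and only the `&list[i]` shape lets a write through the pointer reach the slice.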

@mattmoor mattmoor left a comment


We should probably do this in PKG too.

@markusthoemmes

We should probably do this in PKG too.

You bet I'm on it.

@mattmoor mattmoor left a comment


/lgtm

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 21, 2020
julz commented Sep 21, 2020

can we put a release note on this re: the TLS version? I think IIUC that means we now require remote registries to have at least TLS 1.2 (which is probably fine, but worth making sure to call out in release notes).
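What the TLS 1.2 floor means for a registry, as an added example that is not part of this PR or of Knative's digest resolver. `newRegistryTransport` is an assumed shape for the client side of the change (a `MinVersion` of TLS 1.2 on the transport's `TLSClientConfig`, which is what gosec's G402 check asks for); `startFakeRegistry` is a constructed `httptest` server standing in for a registry, with `fakeDigest` a placeholder rather than a real image digest. Two registries are started, one capped at TLS 1.1 and one offering TLS 1.2 and 1.3, and the same resolver is pointed at both:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// fakeDigest is a constructed placeholder, not the digest of any real image.
var fakeDigest = "sha256:" + strings.Repeat("0", 64)

// newRegistryTransport is an assumed shape for the client side of the change:
// the transport that fetches image manifests sets a TLS floor of 1.2, which is
// what gosec's G402 check asks for.
func newRegistryTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12, // TLS 1.0 and 1.1 are no longer negotiated
			RootCAs:    roots,            // trust anchors for the registry certificate
		},
	}
}

// startFakeRegistry serves one manifest over TLS, restricted to the protocol
// range [minVersion, maxVersion]. It stands in for a registry; httptest supplies
// a self-signed certificate valid for 127.0.0.1.
func startFakeRegistry(minVersion, maxVersion uint16) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/app/manifests/latest", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Docker-Content-Digest", fakeDigest)
		io.WriteString(w, `{"schemaVersion":2}`)
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{MinVersion: minVersion, MaxVersion: maxVersion}
	srv.StartTLS()
	return srv
}

// resolveDigest fetches the manifest through the hardened transport and returns
// the digest header, or the handshake/HTTP error it ran into.
func resolveDigest(srv *httptest.Server) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	tr := newRegistryTransport(roots)
	defer tr.CloseIdleConnections()

	client := &http.Client{Transport: tr}
	resp, err := client.Get(srv.URL + "/v2/app/manifests/latest")
	if err != nil {
		// A registry limited to TLS 1.0/1.1 fails here: no version in common,
		// so the handshake ends with a protocol-version alert.
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return resp.Header.Get("Docker-Content-Digest"), nil
}

// compareRegistries runs the resolver against a registry capped at TLS 1.1 and
// one offering TLS 1.2+, returning the legacy error and the modern result.
func compareRegistries() (legacyErr error, modernDigest string, modernErr error) {
	legacy := startFakeRegistry(tls.VersionTLS10, tls.VersionTLS11)
	defer legacy.Close()
	_, legacyErr = resolveDigest(legacy)

	modern := startFakeRegistry(tls.VersionTLS12, tls.VersionTLS13)
	defer modern.Close()
	modernDigest, modernErr = resolveDigest(modern)
	return legacyErr, modernDigest, modernErr
}

func main() {
	legacyErr, digest, modernErr := compareRegistries()
	fmt.Println("TLS 1.1-only registry:", legacyErr)
	fmt.Println("TLS 1.2+ registry:    ", digest, modernErr)
}
```

The first call fails at the handshake and the second returns the digest, which is the behaviour the release note describes: nothing changes for registries already on TLS 1.2 or 1.3, and a registry still on 1.0 or 1.1 stops resolving rather than silently negotiating the weaker protocol.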

@julz julz left a comment


apart from that,
/lgtm

@markusthoemmes

Done @julz

/hold cancel

@knative-prow-robot knative-prow-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 21, 2020