ci: remove duplicate gosec & lint fixes (backport #21685) (#21686)

Co-authored-by: Julien Robert <julien@rbrt.fr>
2024-09-12 15:15:53 +02:00 · 2024-09-12 15:15:53 +02:00 · b88a473dcd
commit b88a473dcd
parent 1ff55a78be
6 changed files with 27 additions and 99 deletions
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@ -1,45 +0,0 @@
-name: Run Gosec
-on:
-  pull_request:
-    branches:
-      - main
-      - release/**
-    paths:
-      - "**/*.go"
-      - "go.mod"
-      - "go.sum"
-  push:
-    branches:
-      - main
-    paths:
-      - "**/*.go"
-      - "go.mod"
-      - "go.sum"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  Gosec:
-    permissions:
-      security-events: write
-
-    runs-on: ubuntu-latest
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@v4
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          # we let the report trigger content trigger a failure using the GitHub Security features.
-          args: "-exclude=G101,G107 -exclude-dir=systemtests -no-fail -fmt sarif -out results.sarif ./..."
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
--- a/.golangci.yml
+++ b/.golangci.yml
@ -45,9 +45,6 @@ issues:
    - crypto/keys/secp256k1/internal/*
    - types/coin_regex.go
  exclude-rules:
-    - text: "Use of weak random number generator"
-      linters:
-        - gosec
    - text: "ST1003:"
      linters:
        - stylecheck
@ -95,44 +92,13 @@ linters-settings:
        disabled: true

  gosec:
-    # To select a subset of rules to run.
    # Available rules: https://github.com/securego/gosec#available-rules
-    # Default: [] - means include all rules
-    includes:
-      #  - G101 # Look for hard coded credentials
-      - G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      - G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      - G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      - G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      - G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Deferring a method which returns an error
-      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      - G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      - G404 # Insecure random number source (rand)
-      - G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      - G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
+    excludes:
+      - G101 # Potential hardcoded credentials
+      - G107 # Potential HTTP request made with variable url
+      - G404 # Use of weak random number generator (math/rand instead of crypto/rand)
+    exclude-generated: true
+    confidence: medium
  misspell:
    locale: US
  gofumpt:
--- a/server/v2/cometbft/abci_test.go
+++ b/server/v2/cometbft/abci_test.go
@ -575,7 +575,7 @@ func TestConsensus_Query(t *testing.T) {
 	c := setUpConsensus(t, 100_000, cometmock.MockMempool[mock.Tx]{})

 	// Write data to state storage
-	c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
+	err := c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
 		Changes: []store.StateChanges{
 			{
 				Actor: actorName,
@ -589,8 +589,9 @@ func TestConsensus_Query(t *testing.T) {
 			},
 		},
 	})
+	require.NoError(t, err)

-	_, err := c.InitChain(context.Background(), &abciproto.InitChainRequest{
+	_, err = c.InitChain(context.Background(), &abciproto.InitChainRequest{
 		Time:          time.Now(),
 		ChainId:       "test",
 		InitialHeight: 1,
@ -630,6 +631,8 @@ func TestConsensus_Query(t *testing.T) {
 }

 func setUpConsensus(t *testing.T, gasLimit uint64, mempool mempool.Mempool[mock.Tx]) *Consensus[mock.Tx] {
+	t.Helper()
+
 	msgRouterBuilder := getMsgRouterBuilder(t, func(ctx context.Context, msg *gogotypes.BoolValue) (*gogotypes.BoolValue, error) {
 		return nil, nil
 	})
--- a/server/v2/cometbft/commands.go
+++ b/server/v2/cometbft/commands.go
@ -7,9 +7,6 @@ import (
 	"strconv"
 	"strings"

-	"github.com/spf13/cobra"
-	"sigs.k8s.io/yaml"
-
 	cmtcfg "github.com/cometbft/cometbft/config"
 	cmtjson "github.com/cometbft/cometbft/libs/json"
 	"github.com/cometbft/cometbft/node"
@ -18,6 +15,8 @@ import (
 	rpchttp "github.com/cometbft/cometbft/rpc/client/http"
 	cmtversion "github.com/cometbft/cometbft/version"
 	gogoproto "github.com/cosmos/gogoproto/proto"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"

 	"cosmossdk.io/server/v2/cometbft/client/rpc"

--- a/server/v2/cometbft/internal/mock/mock_store.go
+++ b/server/v2/cometbft/internal/mock/mock_store.go
@ -91,17 +91,22 @@ func (s *MockStore) GetStateCommitment() storev2.Committer {
 	return s.Committer
 }

-type Result struct {
-	key      []byte
-	value    []byte
-	version  uint64
-	proofOps []proof.CommitmentOp
-}
-
 func (s *MockStore) Query(storeKey []byte, version uint64, key []byte, prove bool) (storev2.QueryResult, error) {
 	state, err := s.StateAt(version)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	reader, err := state.GetReader(storeKey)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	value, err := reader.Get(key)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	res := storev2.QueryResult{
 		Key:     key,
 		Value:   value,
--- a/testutil/rest.go
+++ b/testutil/rest.go
@ -42,7 +42,7 @@ func GetRequestWithHeaders(url string, headers map[string]string) ([]byte, error
 // GetRequest defines a wrapper around an HTTP GET request with a provided URL.
 // An error is returned if the request or reading the body fails.
 func GetRequest(url string) ([]byte, error) {
-	res, err := http.Get(url) //nolint:gosec // only used for testing
+	res, err := http.Get(url) 
 	if err != nil {
 		return nil, err
 	}
@ -61,7 +61,7 @@ func GetRequest(url string) ([]byte, error) {
 // PostRequest defines a wrapper around an HTTP POST request with a provided URL and data.
 // An error is returned if the request or reading the body fails.
 func PostRequest(url, contentType string, data []byte) ([]byte, error) {
-	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) //nolint:gosec // only used	for testing
+	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) 
 	if err != nil {
 		return nil, fmt.Errorf("error while sending post request: %w", err)
 	}