ci: remove duplicate gosec & lint fixes (#21685)

2024-09-12 14:30:50 +02:00 · 2024-09-12 14:30:50 +02:00 · bd52dcf096
commit bd52dcf096
parent a77a92adf1
12 changed files with 44 additions and 120 deletions
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@ -1,45 +0,0 @@
-name: Run Gosec
-on:
-  pull_request:
-    branches:
-      - main
-      - release/**
-    paths:
-      - "**/*.go"
-      - "go.mod"
-      - "go.sum"
-  push:
-    branches:
-      - main
-    paths:
-      - "**/*.go"
-      - "go.mod"
-      - "go.sum"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  Gosec:
-    permissions:
-      security-events: write
-
-    runs-on: ubuntu-latest
-    env:
-      GO111MODULE: on
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@v4
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          # we let the report trigger content trigger a failure using the GitHub Security features.
-          args: "-exclude=G101,G107 -exclude-dir=systemtests -no-fail -fmt sarif -out results.sarif ./..."
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
--- a/.golangci.yml
+++ b/.golangci.yml
@ -3,10 +3,9 @@ run:
  timeout: 15m
  allow-parallel-runners: true
  build-tags:
-  - e2e
-  - ledger
-  - test_ledger_mock
-
+    - e2e
+    - ledger
+    - test_ledger_mock

 linters:
  disable-all: true
@ -35,7 +34,7 @@ linters:
    - unused

 issues:
-  exclude-dirs: 
+  exclude-dirs:
    - testutil/testdata
  exclude-files:
    - server/grpc/gogoreflection/fix_registration.go
@ -46,9 +45,6 @@ issues:
    - crypto/keys/secp256k1/internal/*
    - types/coin_regex.go
  exclude-rules:
-    - text: "Use of weak random number generator"
-      linters:
-        - gosec
    - text: "ST1003:"
      linters:
        - stylecheck
@ -99,44 +95,13 @@ linters-settings:
        disabled: true

  gosec:
-    # To select a subset of rules to run.
    # Available rules: https://github.com/securego/gosec#available-rules
-    # Default: [] - means include all rules
-    includes:
-      #  - G101 # Look for hard coded credentials
-      - G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      - G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      - G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      - G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      - G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Deferring a method which returns an error
-      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      - G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      - G404 # Insecure random number source (rand)
-      - G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      - G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
+    excludes:
+      - G101 # Potential hardcoded credentials
+      - G107 # Potential HTTP request made with variable url
+      - G404 # Use of weak random number generator (math/rand instead of crypto/rand)
+    exclude-generated: true
+    confidence: medium
  misspell:
    locale: US
  gofumpt:
--- a/collections/collections.go
+++ b/collections/collections.go
@ -107,8 +107,6 @@ type collectionSchemaCodec struct {
 	objectType   schema.ObjectType
 	keyDecoder   func([]byte) (any, error)
 	valueDecoder func([]byte) (any, error)
-	keyEncoder   func(any) ([]byte, error)
-	valueEncoder func(any) ([]byte, error)
 }

 // Prefix defines a segregation bytes namespace for specific collections objects.
--- a/collections/indexing.go
+++ b/collections/indexing.go
@ -167,13 +167,11 @@ func ensureFieldNames(x any, defaultName string, cols []schema.Field) {
 	for i, col := range cols {
 		if names != nil && i < len(names) {
 			col.Name = names[i]
-		} else {
-			if col.Name == "" {
-				if i == 0 && len(cols) == 1 {
-					col.Name = defaultName
-				} else {
-					col.Name = fmt.Sprintf("%s%d", defaultName, i+1)
-				}
+		} else if col.Name == "" {
+			if i == 0 && len(cols) == 1 {
+				col.Name = defaultName
+			} else {
+				col.Name = fmt.Sprintf("%s%d", defaultName, i+1)
 			}
 		}
 		cols[i] = col
--- a/indexer/postgres/tests/postgres_test.go
+++ b/indexer/postgres/tests/postgres_test.go
@ -29,6 +29,8 @@ func TestPostgresIndexer(t *testing.T) {
 }

 func testPostgresIndexer(t *testing.T, retainDeletions bool) {
+	t.Helper()
+
 	tempDir, err := os.MkdirTemp("", "postgres-indexer-test")
 	require.NoError(t, err)

--- a/orm/model/ormdb/module_test.go
+++ b/orm/model/ormdb/module_test.go
@ -17,7 +17,6 @@ import (
 	ormmodulev1alpha1 "cosmossdk.io/api/cosmos/orm/module/v1alpha1"
 	ormv1alpha1 "cosmossdk.io/api/cosmos/orm/v1alpha1"
 	"cosmossdk.io/core/genesis"
-	"cosmossdk.io/core/store"
 	corestore "cosmossdk.io/core/store"
 	"cosmossdk.io/depinject"
 	"cosmossdk.io/depinject/appconfig"
@ -361,11 +360,11 @@ type testStoreService struct {
 	db corestore.KVStoreWithBatch
 }

-func (t testStoreService) OpenKVStore(context.Context) store.KVStore {
+func (t testStoreService) OpenKVStore(context.Context) corestore.KVStore {
 	return testkv.TestStore{Db: t.db}
 }

-func (t testStoreService) OpenMemoryStore(context.Context) store.KVStore {
+func (t testStoreService) OpenMemoryStore(context.Context) corestore.KVStore {
 	return testkv.TestStore{Db: t.db}
 }

@ -395,7 +394,7 @@ func TestGetBackendResolver(t *testing.T) {
 	assert.NilError(t, err)
 }

-func ProvideTestRuntime() store.KVStoreService {
+func ProvideTestRuntime() corestore.KVStoreService {
 	return testStoreService{db: dbm.NewMemDB()}
 }

--- a/runtime/v2/go.mod
+++ b/runtime/v2/go.mod
@ -14,7 +14,7 @@ replace (

 require (
 	cosmossdk.io/api v0.7.5
-	cosmossdk.io/core v1.0.0-alpha.1
+	cosmossdk.io/core v1.0.0-alpha.2
 	cosmossdk.io/depinject v1.0.0
 	cosmossdk.io/log v1.4.1
 	cosmossdk.io/server/v2/appmanager v0.0.0-00010101000000-000000000000
--- a/runtime/v2/go.sum
+++ b/runtime/v2/go.sum
@ -2,8 +2,8 @@ buf.build/gen/go/cometbft/cometbft/protocolbuffers/go v1.34.2-20240701160653-fed
 buf.build/gen/go/cometbft/cometbft/protocolbuffers/go v1.34.2-20240701160653-fedbb9acfd2f.2/go.mod h1:1+3gJj2NvZ1mTLAtHu+lMhOjGgQPiCKCeo+9MBww0Eo=
 buf.build/gen/go/cosmos/gogo-proto/protocolbuffers/go v1.34.2-20240130113600-88ef6483f90f.2 h1:b7EEYTUHmWSBEyISHlHvXbJPqtKiHRuUignL1tsHnNQ=
 buf.build/gen/go/cosmos/gogo-proto/protocolbuffers/go v1.34.2-20240130113600-88ef6483f90f.2/go.mod h1:HqcXMSa5qnNuakaMUo+hWhF51mKbcrZxGl9Vp5EeJXc=
-cosmossdk.io/core v1.0.0-alpha.1 h1:iElkDJhxmy51aLMSLMZcfsqcv4QG4/1UHbHiW8Llw6k=
-cosmossdk.io/core v1.0.0-alpha.1/go.mod h1:abgLjeFLhtuKIYZWSPlVUgQBrKObO7ULV35KYfexE90=
+cosmossdk.io/core v1.0.0-alpha.2 h1:epU0Xwces4Rgl5bMhHHkXGaGDcyucNGlC/JDH+Suckg=
+cosmossdk.io/core v1.0.0-alpha.2/go.mod h1:abgLjeFLhtuKIYZWSPlVUgQBrKObO7ULV35KYfexE90=
 cosmossdk.io/depinject v1.0.0 h1:dQaTu6+O6askNXO06+jyeUAnF2/ssKwrrszP9t5q050=
 cosmossdk.io/depinject v1.0.0/go.mod h1:zxK/h3HgHoA/eJVtiSsoaRaRA2D5U4cJ5thIG4ssbB8=
 cosmossdk.io/errors/v2 v2.0.0-20240731132947-df72853b3ca5 h1:IQNdY2kB+k+1OM2DvqFG1+UgeU1JzZrWtwuWzI3ZfwA=
--- a/server/v2/cometbft/abci_test.go
+++ b/server/v2/cometbft/abci_test.go
@ -575,7 +575,7 @@ func TestConsensus_Query(t *testing.T) {
 	c := setUpConsensus(t, 100_000, cometmock.MockMempool[mock.Tx]{})

 	// Write data to state storage
-	c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
+	err := c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
 		Changes: []store.StateChanges{
 			{
 				Actor: actorName,
@ -589,8 +589,9 @@ func TestConsensus_Query(t *testing.T) {
 			},
 		},
 	})
+	require.NoError(t, err)

-	_, err := c.InitChain(context.Background(), &abciproto.InitChainRequest{
+	_, err = c.InitChain(context.Background(), &abciproto.InitChainRequest{
 		Time:          time.Now(),
 		ChainId:       "test",
 		InitialHeight: 1,
@ -630,6 +631,8 @@ func TestConsensus_Query(t *testing.T) {
 }

 func setUpConsensus(t *testing.T, gasLimit uint64, mempool mempool.Mempool[mock.Tx]) *Consensus[mock.Tx] {
+	t.Helper()
+
 	msgRouterBuilder := getMsgRouterBuilder(t, func(ctx context.Context, msg *gogotypes.BoolValue) (*gogotypes.BoolValue, error) {
 		return nil, nil
 	})
--- a/server/v2/cometbft/commands.go
+++ b/server/v2/cometbft/commands.go
@ -7,9 +7,6 @@ import (
 	"strconv"
 	"strings"

-	"github.com/spf13/cobra"
-	"sigs.k8s.io/yaml"
-
 	cmtcfg "github.com/cometbft/cometbft/config"
 	cmtjson "github.com/cometbft/cometbft/libs/json"
 	"github.com/cometbft/cometbft/node"
@ -18,6 +15,8 @@ import (
 	rpchttp "github.com/cometbft/cometbft/rpc/client/http"
 	cmtversion "github.com/cometbft/cometbft/version"
 	gogoproto "github.com/cosmos/gogoproto/proto"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"

 	"cosmossdk.io/server/v2/cometbft/client/rpc"

--- a/server/v2/cometbft/internal/mock/mock_store.go
+++ b/server/v2/cometbft/internal/mock/mock_store.go
@ -91,17 +91,22 @@ func (s *MockStore) GetStateCommitment() storev2.Committer {
 	return s.Committer
 }

-type Result struct {
-	key      []byte
-	value    []byte
-	version  uint64
-	proofOps []proof.CommitmentOp
-}
-
 func (s *MockStore) Query(storeKey []byte, version uint64, key []byte, prove bool) (storev2.QueryResult, error) {
 	state, err := s.StateAt(version)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	reader, err := state.GetReader(storeKey)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	value, err := reader.Get(key)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	res := storev2.QueryResult{
 		Key:     key,
 		Value:   value,
--- a/testutil/rest.go
+++ b/testutil/rest.go
@ -42,7 +42,7 @@ func GetRequestWithHeaders(url string, headers map[string]string) ([]byte, error
 // GetRequest defines a wrapper around an HTTP GET request with a provided URL.
 // An error is returned if the request or reading the body fails.
 func GetRequest(url string) ([]byte, error) {
-	res, err := http.Get(url) //nolint:gosec // only used for testing
+	res, err := http.Get(url) 
 	if err != nil {
 		return nil, err
 	}
@ -61,7 +61,7 @@ func GetRequest(url string) ([]byte, error) {
 // PostRequest defines a wrapper around an HTTP POST request with a provided URL and data.
 // An error is returned if the request or reading the body fails.
 func PostRequest(url, contentType string, data []byte) ([]byte, error) {
-	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) //nolint:gosec // only used	for testing
+	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) 
 	if err != nil {
 		return nil, fmt.Errorf("error while sending post request: %w", err)
 	}