Fix gosec complaints in libnetwork

These were purposefully ignored before but this goes ahead and "fixes"
most of them.
Note that none of the things gosec flagged are problematic, just
quieting the linter here.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Brian Goff 2021-06-18 22:20:06 +00:00 committed by Sebastiaan van Stijn
parent 0645eb8461
commit 116f200737
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
10 changed files with 17 additions and 12 deletions


@ -117,7 +117,7 @@ func fetchNodePeers(ip string, port int, network string) map[string]string {
path = fmt.Sprintf(clusterPeers, ip, port)
}
resp, err := http.Get(path) // nolint:gosec
resp, err := http.Get(path) //nolint:gosec // G107: Potential HTTP request made with variable url
if err != nil {
logrus.WithError(err).Fatalf("Failed fetching path")
}
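Review bot: The new suppression on `http.Get(path)` in fetchNodePeers only restates the G107 finding and does not say why a variable URL is acceptable here. If `ip` and `port` are operator-supplied (the callers are outside the hunk), record that: `//nolint:gosec // G107: URL is built from operator-supplied ip/port, not from remote input`. Separately, `http.Get` goes through `http.DefaultClient`, which has no timeout, so an unresponsive peer blocks this call indefinitely; a client with an explicit `Timeout` would bound it. The function body continues past the hunk, so whether `resp.Body` is closed cannot be checked from here.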


@ -39,8 +39,9 @@ func setupVerifyAndReconcile(config *networkConfiguration, i *bridgeInterface) e
// Release any residual IPv6 address that might be there because of older daemon instances
for _, addrv6 := range addrsv6 {
addrv6 := addrv6
if addrv6.IP.IsGlobalUnicast() && !types.CompareIPNet(addrv6.IPNet, i.bridgeIPv6) {
if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil { // nolint:gosec
if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil {
logrus.Warnf("Failed to remove residual IPv6 address %s from bridge: %v", addrv6.IPNet, err)
}
}
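Review bot: The `addrv6 := addrv6` shadow copy in setupVerifyAndReconcile has no comment, so it reads as a no-op and is easy to delete in a later cleanup, which would bring back the aliasing finding (gosec G601) that the old `nolint` was hiding. A short why-comment would protect it, for example `addrv6 := addrv6 // per-iteration copy; its address is passed to AddrDel below`. The same uncommented copy is added for `sp` and `sa` in clearEncryptionStates and for `pEntry` in peerDbNetworkWalk. The enclosing function starts and ends outside the hunk.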


@ -628,8 +628,9 @@ func clearEncryptionStates() {
logrus.Warnf("Failed to retrieve SA list for cleanup: %v", err)
}
for _, sp := range spList {
sp := sp
if sp.Mark != nil && sp.Mark.Value == spMark.Value {
if err := nlh.XfrmPolicyDel(&sp); err != nil { // nolint:gosec
if err := nlh.XfrmPolicyDel(&sp); err != nil {
logrus.Warnf("Failed to delete stale SP %s: %v", sp, err)
continue
}
@ -637,8 +638,9 @@ func clearEncryptionStates() {
}
}
for _, sa := range saList {
sa := sa
if sa.Reqid == r {
if err := nlh.XfrmStateDel(&sa); err != nil { // nolint:gosec
if err := nlh.XfrmStateDel(&sa); err != nil {
logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
continue
}


@ -131,10 +131,11 @@ func (d *driver) peerDbNetworkWalk(nid string, f func(*peerKey, *peerEntry) bool
for pKeyStr, pEntry := range mp {
var pKey peerKey
pEntry := pEntry
if _, err := fmt.Sscan(pKeyStr, &pKey); err != nil {
logrus.Warnf("Peer key scan on network %s failed: %v", nid, err)
}
if f(&pKey, &pEntry) { // nolint:gosec
if f(&pKey, &pEntry) {
return nil
}
}
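Review bot: When `fmt.Sscan(pKeyStr, &pKey)` fails in peerDbNetworkWalk, the code only logs a warning and still calls `f(&pKey, &pEntry)` with a zero or partially filled `pKey`. Unless the callbacks are known to tolerate that (they are outside the hunk), adding `continue` directly after the `logrus.Warnf("Peer key scan on network %s failed: %v", nid, err)` line would keep malformed keys from reaching them. The function starts and ends outside the hunk.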


@ -448,7 +448,8 @@ func (epj *endpointJoinInfo) UnmarshalJSON(b []byte) error {
}
var StaticRoutes []*types.StaticRoute
for _, r := range tStaticRoute {
StaticRoutes = append(StaticRoutes, &r) // nolint:gosec
r := r
StaticRoutes = append(StaticRoutes, &r)
}
epj.StaticRoutes = StaticRoutes
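Review bot: The `r := r` copy in endpointJoinInfo.UnmarshalJSON changes behaviour rather than just quieting the linter, and nothing visible in the change pins it with a test. On toolchains before Go 1.22 the range variable is shared across iterations, so the old `append(StaticRoutes, &r)` stored the same pointer for every element and each entry ended up describing the last route. A unit test that unmarshals two distinct static routes and checks that both survive would lock this in. If `tStaticRoute` is a slice of values (its declaration is outside the hunk), `&tStaticRoute[i]` would also avoid the extra copy.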


@ -244,7 +244,7 @@ func (nDB *NetworkDB) clusterLeave() error {
func (nDB *NetworkDB) triggerFunc(stagger time.Duration, C <-chan time.Time, f func()) {
// Use a random stagger to avoid synchronizing
randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) // nolint:gosec
randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) //nolint:gosec // gosec complains about the use of rand here. It should be fine.
select {
case <-time.After(randStagger):
case <-nDB.ctx.Done():
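Review bot: `uint64(rnd.Int63()) % uint64(stagger)` in triggerFunc panics with an integer divide by zero when `stagger` is 0, and a negative `stagger` converts to a very large unsigned modulus. The callers are outside the hunk, so this may never occur in practice, but a guard is cheap: `var randStagger time.Duration` followed by `if stagger > 0 { randStagger = time.Duration(uint64(rnd.Int63()) % uint64(stagger)) }`. The suppression text "It should be fine" would also be more useful if it named the rule and the reason, for example `//nolint:gosec // G404: jitter for timer staggering, not security-sensitive`. The function body continues outside the hunk.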


@ -214,7 +214,7 @@ func setCommonFlags(msg *dns.Msg) {
func shuffleAddr(addr []net.IP) []net.IP {
for i := len(addr) - 1; i > 0; i-- {
r := rand.Intn(i + 1) // nolint:gosec
r := rand.Intn(i + 1) // nolint:gosec // gosec complains about the use of rand here. It should be fine.
addr[i], addr[r] = addr[r], addr[i]
}
return addr
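Review bot: The rewritten line in shuffleAddr keeps the spaced form `// nolint:gosec`, while the other suppressions touched by this commit were changed to `//nolint:gosec`. The unspaced form is the directive syntax golangci-lint documents, and its nolintlint check reports the spaced one, so this line should start `r := rand.Intn(i + 1) //nolint:gosec // ...`. The reason text could also name the rule and what the shuffle is for, e.g. `// G404: math/rand is enough for reordering addresses`, if no security decision depends on the order.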


@ -49,7 +49,7 @@ func reexecSetupResolver() {
logrus.Errorf("failed get network namespace %q: %v", os.Args[1], err)
os.Exit(2)
}
defer f.Close() // nolint:gosec
defer f.Close() //nolint:gosec
nsFD := f.Fd()
if err = netns.Set(netns.NsHandle(nsFD)); err != nil {
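Review bot: `defer f.Close() //nolint:gosec` in reexecSetupResolver carries no reason, unlike the other suppressions in this commit, so a reader cannot tell which finding is silenced or why ignoring the error is safe. Something like `//nolint:gosec // G307: handle is only read, a Close error is not actionable` would do, provided `f` is opened read-only (the open call is outside the hunk). The same bare directive is added in writePortsToFile, where the function name suggests `f` is written to. There a dropped Close error can hide a failed write, so checking it is preferable to suppressing it.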


@ -322,7 +322,7 @@ func (sb *sandbox) updateDNS(ipv6Enabled bool) error {
if err != nil {
return err
}
err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) // nolint:gosec
err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
if err != nil {
return err
}


@ -378,7 +378,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
}
path := filepath.Join("/proc/sys/net/ipv4/conf", oifName, "route_localnet")
if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { // nolint:gosec
if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
return fmt.Errorf("could not write to %s: %v", path, err)
}
@ -542,7 +542,7 @@ func writePortsToFile(ports []*PortConfig) (string, error) {
if err != nil {
return "", err
}
defer f.Close() // nolint:gosec
defer f.Close() //nolint:gosec
buf, _ := proto.Marshal(&EndpointRecord{
IngressPorts: ports,