Introduce make targets for sast and address security issues. (#134)

* Introduce make targets for sast and address security issues.

* Add license-headers and update go lang version to 1.23.3.

.ci/check

@@ -24,7 +24,7 @@ export PATH="${GOBIN}:${PATH}"
 ###############################################################################
 # Install golangci-lint (linting tool).
 if [[ -z "${GOLANGCI_LINT_VERSION}" ]]; then
-  export GOLANGCI_LINT_VERSION=v1.57.1
+  export GOLANGCI_LINT_VERSION=v1.60.3
 fi
 echo "Fetching golangci-lint tool"
 go install github.com/golangci/golangci-lint/cmd/golangci-lint@"${GOLANGCI_LINT_VERSION}"
@@ -49,4 +49,7 @@ echo "Executing golangci-lint..."
 # golangci-lint can't be run from outside the directory
 (cd ${SOURCE_PATH} && golangci-lint run -c .golangci.yaml --timeout 10m)
 
+# Run Static Application Security Testing (SAST) using gosec
+make sast-report
+
 echo "Check script has passed successfully"

.ci/pipeline_definitions

@@ -9,9 +9,9 @@ machine-controller-manager-provider-gcp:
     steps_template: &steps_anchor
       steps:
         check:
-          image: 'golang:1.22.5'
+          image: 'golang:1.23.3'
         build:
-          image: 'golang:1.22.5'
+          image: 'golang:1.23.3'
           output_dir: 'binary'
         test:
           image: 'europe-docker.pkg.dev/gardener-project/releases/testmachinery/base-step:stable'
@@ -57,7 +57,7 @@ machine-controller-manager-provider-gcp:
           interval: '24h'
         update_component_deps:
           set_dependency_version_script_container_image:
-            image_reference: 'golang:1.22.5'
+            image_reference: 'golang:1.23.3'
     release:
       <<: *steps_anchor
       traits:

.gitignore

@@ -28,3 +28,6 @@ kubectl
 yq_linux*
 main
 cmi-plugin
+
+# gosec
+gosec-report.sarif

Dockerfile

@@ -1,5 +1,5 @@
 #############      builder                          #############
-FROM golang:1.22.5 AS builder
+FROM golang:1.23.3 AS builder
 
 WORKDIR /go/src/github.com/gardener/machine-controller-manager-provider-gcp
 COPY . .

MCM_VERSION

@@ -1 +1 @@
-v0.54.0
+v0.55.1

Makefile

@@ -1,7 +1,9 @@
 # SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
 #
 # SPDX-License-Identifier: Apache-2.0
-
+MCM_DIR   	:= $(shell go list -m -f "{{.Dir}}" github.com/gardener/machine-controller-manager)
+TOOLS_DIR := hack/tools
+include $(MCM_DIR)/hack/tools.mk
 -include .env
 export
 
@@ -96,3 +98,15 @@ clean:
 
 generate:
 	@./hack/api-reference/generate-spec-doc.sh
+
+.PHONY: add-license-headers
+add-license-headers: $(GO_ADD_LICENSE)
+	@./hack/add_license_headers.sh ${YEAR}
+
+.PHONY: sast
+sast: $(GOSEC)
+	@./hack/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+	@./hack/sast.sh --gosec-report true

docs/index.html

@@ -1,4 +1,10 @@
 <!DOCTYPE html>
+<!--
+ SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+
+ SPDX-License-Identifier: Apache-2.0
+-->
+
 <html lang="en">
 <head>
   <meta charset="UTF-8">

go.mod

@@ -1,11 +1,11 @@
 module github.com/gardener/machine-controller-manager-provider-gcp
 
-go 1.22.0
+go 1.23.0
 
-toolchain go1.22.5
+toolchain go1.23.3
 
 require (
-	github.com/gardener/machine-controller-manager v0.54.0
+	github.com/gardener/machine-controller-manager v0.55.1
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
 	github.com/pkg/errors v0.9.1

go.sum

@@ -37,8 +37,8 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gardener/machine-controller-manager v0.54.0 h1:V7EOODiaBO9VesskdCgxMvo5vgMAmtmUTdb9Y9Nwp50=
-github.com/gardener/machine-controller-manager v0.54.0/go.mod h1:RPpnU8gmTrhDAd79+iKqKlbANiXCRkXoJW+z+5zSTME=
+github.com/gardener/machine-controller-manager v0.55.1 h1:d6mTnuYko+jWeIi7tAFWgWnL1nR5hGcI6pRCDcH0TGY=
+github.com/gardener/machine-controller-manager v0.55.1/go.mod h1:eCng7De6OE15rndmMm6Q1fwMQI39esASCd3WKZ/lLmY=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=

hack/add_license_headers.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "> Adding Apache License header to all go files where it is not present"
+
+YEAR=$1
+if [[ -z "$1" ]]; then
+  cat << EOF
+Unspecified 'YEAR' argument.
+Usage: add_licence_headers.sh <YEAR>
+EOF
+  exit 1
+fi
+
+temp_file=$(mktemp)
+trap "rm -f $temp_file" EXIT
+sed "s/{YEAR}/${YEAR}/g" hack/license_boilerplate.txt > $temp_file
+
+# Uses the tool https://github.com/google/addlicense
+addlicense \
+  -f $temp_file \
+  -ignore ".idea/**" \
+  -ignore ".vscode/**" \
+  -ignore "**/*.md" \
+  -ignore "**/*.yaml" \
+  -ignore "**/Dockerfile" \
+  .

hack/api-reference/generate-spec-doc.sh

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 cd ./hack/api-reference
 ./gen-crd-api-reference-docs -config "providerspec-config.json" -api-dir "../../pkg/api/v1alpha1" -out-file="../../docs/docs/provider-spec.md"
 sed 's/?id=//g' ../../docs/docs/provider-spec.md > ../../docs/docs/provider-spec-1.md

hack/license_boilerplate.txt

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: {YEAR} SAP SE or an SAP affiliate company and Gardener contributors
+
+SPDX-License-Identifier: Apache-2.0

hack/sast.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+gosec_report="false"
+gosec_report_parse_flags=""
+
+parse_flags() {
+  while test $# -gt 1; do
+    case "$1" in
+      --gosec-report)
+        shift; gosec_report="$1"
+        ;;
+      *)
+        echo "Unknown argument: $1"
+        exit 1
+        ;;
+    esac
+    shift
+  done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+  echo "Exporting report to $root_dir/gosec-report.sarif"
+  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+# MCM uses code-generators https://github.com/kubernetes/code-generator which create lots of G103 (CWE-242:
+# Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
+# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
+# Thus, generated code is excluded from gosec scan.
+# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
+# is excluded too. It does not contain productive code anyway.
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags  ./...

pkg/gcp/fake/mockserver.go

@@ -42,7 +42,7 @@ func (h *httpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // NewMockServer creates an http server to mock the gcp compute api
 func NewMockServer() {
 
-	var srv = http.Server{
+	var srv = http.Server{ // #nosec  G112 (CWE-400) -- Only used for testing
 		Addr:    ":6666",
 		Handler: new(httpHandler),
 	}

pkg/gcp/machine_controller_util.go

@@ -373,7 +373,7 @@ func prepareErrorf(err error, format string, args ...interface{}) error {
 		code = codes.Internal
 		wrapped = errors.Wrap(err, fmt.Sprintf(format, args...))
 	}
-	klog.V(2).Infof(wrapped.Error())
+	klog.V(2).Infof("%s", wrapped.Error())
 	return status.Error(code, wrapped.Error())
 }
 
@@ -450,5 +450,5 @@ func checkIfResourceExhaustedError(opErr *compute.OperationErrorErrors, errorMes
 	if opErr.Code == "RESOURCE_POOL_EXHAUSTED" || opErr.Code == "ZONE_RESOURCE_POOL_EXHAUSTED" || opErr.Code == "ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS" || strings.Contains(opErr.Code, "QUOTA") {
 		return &errors2.MachineResourceExhaustedError{Msg: combinedErrMsg}
 	}
-	return fmt.Errorf(combinedErrMsg)
+	return fmt.Errorf("%s", combinedErrMsg)
 }

test/integration/controller/controller_suite_test.go

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package controller_test
 
 import (

test/integration/controller/controller_test.go

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 /**
 	Overview
 		- Tests the provider specific Machine Controller

test/integration/provider/gcp.go

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package provider
 
 import (

test/integration/provider/rti.go

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package provider
 
 import (