Enable gosec linter for golangci-lint

`gosec` linter is able to identify issues described in containerd#6584 e.g. $ git revert 54e95e6 [gosec dfc8ca1ec] Revert "fix Implicit memory aliasing in for loop" 2 files changed, 2 deletions(-) $ make check + proto-fmt + check GOGC=75 golangci-lint run containerstore.go:192:54: G601: Implicit memory aliasing in for loop. (gosec) containers = append(containers, containerFromProto(&container)) ^ image_store.go:132:42: G601: Implicit memory aliasing in for loop. (gosec) images = append(images, imageFromProto(&image)) ^ make: *** [check] Error 1 I also disabled following two settings which prevent the linter to show a complete list of issues. * max-issues-per-linter (default 50) * max-same-issues (default 3) Furthermore enabling gosec revealed many other issues. For now I blacklisted the ones except G601. Will create separate tasks to address them one by one moving next. Signed-off-by: Henry Wang <[email protected]>
kiashok · Jan 18, 2023 · 7d308e0 · 7d308e0
1 parent e2a2bfb
commit 7d308e0
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 0 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -11,12 +11,28 @@ linters:
     - vet
     - unused
     - misspell
+    - gosec
   disable:
     - errcheck
 
 issues:
   include:
     - EXC0002
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  gosec:
+    # The following issues surfaced when `gosec` linter
+    # was enabled. They are temporarily excluded to unblock
+    # the existing workflow, but still to be addressed by
+    # by future works.
+    excludes:
+      - G204
+      - G305
+      - G306
+      - G402
+      - G404
 
 run:
   timeout: 8m

diff --git a/metadata/boltutil/helpers.go b/metadata/boltutil/helpers.go
@@ -162,6 +162,7 @@ func WriteExtensions(bkt *bolt.Bucket, extensions map[string]types.Any) error {
 	}
 
 	for name, ext := range extensions {
+		ext := ext
 		p, err := proto.Marshal(&ext)
 		if err != nil {
 			return err

diff --git a/metadata/containers_test.go b/metadata/containers_test.go
@@ -152,6 +152,7 @@ func TestContainersList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkContainersEqual(t, &result, testset[result.ID], "list results did not match")
 			}
 		})

diff --git a/metadata/images_test.go b/metadata/images_test.go
@@ -129,6 +129,7 @@ func TestImagesList(t *testing.T) {
 			}
 
 			for _, result := range results {
+				result := result
 				checkImagesEqual(t, &result, testset[result.Name], "list results did not match")
 			}
 		})

diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
@@ -596,6 +596,7 @@ func TestDevShmSize(t *testing.T) {
 
 	expected := "1024k"
 	for _, s := range ss {
+		s := s
 		if err := WithDevShmSize(1024)(nil, nil, nil, &s); err != nil {
 			if err != ErrNoShmMount {
 				t.Fatal(err)

diff --git a/services/containers/helpers.go b/services/containers/helpers.go
@@ -25,6 +25,7 @@ func containersToProto(containers []containers.Container) []api.Container {
 	var containerspb []api.Container
 
 	for _, image := range containers {
+		image := image
 		containerspb = append(containerspb, containerToProto(&image))
 	}
 

diff --git a/services/images/helpers.go b/services/images/helpers.go
@@ -27,6 +27,7 @@ func imagesToProto(images []images.Image) []imagesapi.Image {
 	var imagespb []imagesapi.Image
 
 	for _, image := range images {
+		image := image
 		imagespb = append(imagespb, imageToProto(&image))
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -152,6 +152,7 @@ func TestContainersList(t *testing.T) { @@
     			}
     			for _, result := range results {
+    				result := result
     				checkContainersEqual(t, &result, testset[result.ID], "list results did not match")
     			}
     		})
@@ Expand Down @@