pipelines-as-code 0.16.0 gosec scan result
{ | |
"Golang errors": {}, | |
"Issues": [ | |
{ | |
"severity": "HIGH", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "798", | |
"url": "https://cwe.mitre.org/data/definitions/798.html" | |
}, | |
"rule_id": "G101", | |
"details": "Potential hardcoded credentials", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/secrets/basic_auth.go", | |
"code": "21: \t//nolint:gosec\n22: \tbasicAuthSecretName = `pac-gitauth-%s`\n23: )\n", | |
"line": "22", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "HIGH", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "798", | |
"url": "https://cwe.mitre.org/data/definitions/798.html" | |
}, | |
"rule_id": "G101", | |
"details": "Potential hardcoded credentials", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/pipelineascode/match.go", | |
"code": "253: \t// nolint: gosec\n254: \toldBasicAuthSecretName := `\\W*secretName: \"pac-git-basic-auth-{{repo_owner}}-{{repo_name}}\"`\n255: \tif matched, _ := regexp.MatchString(oldBasicAuthSecretName, tmpl); matched {\n", | |
"line": "254", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "HIGH", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "798", | |
"url": "https://cwe.mitre.org/data/definitions/798.html" | |
}, | |
"rule_id": "G101", | |
"details": "Potential hardcoded credentials", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/settings/config.go", | |
"code": "27: \tsecretGhAppTokenRepoScopedDefaultValue = \"true\"\n28: \tSecretGhAppTokenScopedExtraReposKey = \"secret-github-app-scope-extra-repos\" //nolint: gosec\n29: \tsecretGhAppTokenScopedExtraReposDefaultValue = \"\" //nolint: gosec\n", | |
"line": "28", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "HIGH", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "798", | |
"url": "https://cwe.mitre.org/data/definitions/798.html" | |
}, | |
"rule_id": "G101", | |
"details": "Potential hardcoded credentials", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/settings/config.go", | |
"code": "25: \tsecretAutoCreateDefaultValue = \"true\"\n26: \tSecretGhAppTokenRepoScopedKey = \"secret-github-app-token-scoped\" //nolint: gosec\n27: \tsecretGhAppTokenRepoScopedDefaultValue = \"true\"\n", | |
"line": "26", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "HIGH", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "798", | |
"url": "https://cwe.mitre.org/data/definitions/798.html" | |
}, | |
"rule_id": "G101", | |
"details": "Potential hardcoded credentials", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go", | |
"code": "21: const (\n22: \tbasicAuthSecretString = `secretName: \"{{ git_auth_secret }}\"`\n23: \tgitProviderTokenKey = \"git-provider-token\"\n", | |
"line": "22", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "78", | |
"url": "https://cwe.mitre.org/data/definitions/78.html" | |
}, | |
"rule_id": "G204", | |
"details": "Subprocess launched with variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/git/git.go", | |
"code": "22: \t}\n23: \tc := exec.Command(gitPath, args...)\n24: \tvar output bytes.Buffer\n", | |
"line": "23", | |
"column": "7", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "78", | |
"url": "https://cwe.mitre.org/data/definitions/78.html" | |
}, | |
"rule_id": "G204", | |
"details": "Subprocess launched with variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/install.go", | |
"code": "56: \t}\n57: \tcmd := exec.Command(path, \"apply\", \"-f\", uri)\n58: \tout, err := cmd.CombinedOutput()\n", | |
"line": "57", | |
"column": "9", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "78", | |
"url": "https://cwe.mitre.org/data/definitions/78.html" | |
}, | |
"rule_id": "G204", | |
"details": "Subprocess launched with variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cli/browser/browser.go", | |
"code": "21: \targs = append(args, url)\n22: \treturn exec.Command(cmd, args...).Start()\n23: }\n", | |
"line": "22", | |
"column": "9", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "78", | |
"url": "https://cwe.mitre.org/data/definitions/78.html" | |
}, | |
"rule_id": "G204", | |
"details": "Subprocess launched with a potential tainted input or cmd arguments", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/logs/logs.go", | |
"code": "255: \t//nolint: gosec\n256: \tif err := syscall.Exec(tknPath, []string{tknPath, \"pr\", \"logs\", \"-f\", \"-n\", ns, pr}, os.Environ()); err != nil {\n257: \t\tfmt.Fprintf(os.Stderr, \"Command finished with error: %v\", err)\n", | |
"line": "256", | |
"column": "12", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/get_entries.go", | |
"code": "43: \tvar buf bytes.Buffer\n44: \ttemplateContent, err := os.ReadFile(templateFile)\n45: \tif err != nil {\n", | |
"line": "44", | |
"column": "26", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/provider/bitbucketserver/test/test.go", | |
"code": "129: \t\t}\n130: \t\tcontent, err := os.ReadFile(fpath)\n131: \t\tassert.NilError(t, err)\n", | |
"line": "130", | |
"column": "19", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/provider/bitbucketcloud/test/bbcloudtest.go", | |
"code": "210: \t\t\t})\n211: \t\t\tcontent, err := os.ReadFile(fpath)\n212: \t\t\tassert.NilError(t, err)\n", | |
"line": "211", | |
"column": "20", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/matcher/annotation_tasks_install.go", | |
"code": "195: \n196: \tb, err := os.ReadFile(taskName)\n197: \tdata = string(b)\n", | |
"line": "196", | |
"column": "12", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/resolve.go", | |
"code": "224: func appendYaml(filename string) string {\n225: \tb, err := os.ReadFile(filename)\n226: \tif err != nil {\n", | |
"line": "225", | |
"column": "12", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "22", | |
"url": "https://cwe.mitre.org/data/definitions/22.html" | |
}, | |
"rule_id": "G304", | |
"details": "Potential file inclusion via variable", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go", | |
"code": "27: \tfor _, filename := range filenames {\n28: \t\tfile, err := os.Open(filename)\n29: \t\tif err != nil {\n", | |
"line": "28", | |
"column": "16", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "400", | |
"url": "https://cwe.mitre.org/data/definitions/400.html" | |
}, | |
"rule_id": "G112", | |
"details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/web.go", | |
"code": "21: \t//nolint: gosec\n22: \ts := http.Server{Addr: fmt.Sprintf(\":%d\", opts.webserverPort), Handler: m}\n23: \tcodeCh := make(chan string)\n", | |
"line": "22", | |
"column": "7", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "LOW", | |
"cwe": { | |
"id": "400", | |
"url": "https://cwe.mitre.org/data/definitions/400.html" | |
}, | |
"rule_id": "G112", | |
"details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/adapter/adapter.go", | |
"code": "81: \t//nolint: gosec\n82: \tsrv := \u0026http.Server{\n83: \t\tAddr: \":\" + adapterPort,\n84: \t\tHandler: http.TimeoutHandler(mux,\n85: \t\t\t10*time.Second, \"Listener Timeout!\\n\"),\n86: \t}\n87: \n", | |
"line": "82-86", | |
"column": "10", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "276", | |
"url": "https://cwe.mitre.org/data/definitions/276.html" | |
}, | |
"rule_id": "G301", | |
"details": "Expect directory permissions to be 0750 or less", | |
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/gitea/scm.go", | |
"code": "60: \tfor filename, content := range entries {\n61: \t\tassert.NilError(t, os.MkdirAll(filepath.Dir(filename), 0o755))\n62: \t\t// write content to filename\n", | |
"line": "61", | |
"column": "22", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "276", | |
"url": "https://cwe.mitre.org/data/definitions/276.html" | |
}, | |
"rule_id": "G301", | |
"details": "Expect directory permissions to be 0750 or less", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/generate/generate.go", | |
"code": "206: \t\tif _, err := os.Stat(filepath.Join(o.GitInfo.TopLevelPath, \".tekton\")); os.IsNotExist(err) {\n207: \t\t\tif err := os.MkdirAll(filepath.Join(o.GitInfo.TopLevelPath, \".tekton\"), 0o755); err != nil {\n208: \t\t\t\treturn err\n", | |
"line": "207", | |
"column": "14", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "276", | |
"url": "https://cwe.mitre.org/data/definitions/276.html" | |
}, | |
"rule_id": "G306", | |
"details": "Expect WriteFile permissions to be 0600 or less", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/generate/generate.go", | |
"code": "239: \t//nolint: gosec\n240: \terr = os.WriteFile(fpath, tmpl.Bytes(), 0o644)\n241: \tif err != nil {\n", | |
"line": "240", | |
"column": "8", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G307", | |
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"", | |
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/send.go", | |
"code": "67: \t}\n68: \tdefer resp.Body.Close()\n69: \t_, err = io.ReadAll(resp.Body)\n", | |
"line": "68", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G307", | |
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"", | |
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/gitea/scm.go", | |
"code": "142: \t}\n143: \tdefer resp.Body.Close()\n144: \tvar tls Timelines\n", | |
"line": "143", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G307", | |
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/clients/clients.go", | |
"code": "40: \t}\n41: \tdefer res.Body.Close()\n42: \tstatusOK := res.StatusCode \u003e= 200 \u0026\u0026 res.StatusCode \u003c 300\n", | |
"line": "41", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G307", | |
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/matcher/annotation_tasks_install.go", | |
"code": "80: \t\tdata, _ := io.ReadAll(res.Body)\n81: \t\tdefer res.Body.Close()\n82: \t\trt.Logger.Infof(\"successfully fetched \\\"%s\\\" from remote https url\", uri)\n", | |
"line": "81", | |
"column": "3", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G307", | |
"details": "Deferring unsafe method \"Close\" on type \"*os.File\"", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go", | |
"code": "31: \t\t}\n32: \t\tdefer file.Close()\n33: \t\t// check if we have the string secretName: \"{{ git_auth_secret }}\" and\n", | |
"line": "32", | |
"column": "3", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "MEDIUM", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "327", | |
"url": "https://cwe.mitre.org/data/definitions/327.html" | |
}, | |
"rule_id": "G505", | |
"details": "Blocklisted import crypto/sha1: weak cryptographic primitive", | |
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/send.go", | |
"code": "11: \t//nolint:gosec\n12: \t\"crypto/sha1\"\n13: \t\"crypto/sha256\"\n", | |
"line": "12", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "LOW", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G104", | |
"details": "Errors unhandled.", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/list/list.go", | |
"code": "186: \t}\n187: \tw.Flush()\n188: \treturn nil\n", | |
"line": "187", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
}, | |
{ | |
"severity": "LOW", | |
"confidence": "HIGH", | |
"cwe": { | |
"id": "703", | |
"url": "https://cwe.mitre.org/data/definitions/703.html" | |
}, | |
"rule_id": "G104", | |
"details": "Errors unhandled.", | |
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/route.go", | |
"code": "61: \t}\n62: \tresp.Body.Close()\n63: \treturn \"\"\n", | |
"line": "62", | |
"column": "2", | |
"nosec": false, | |
"suppressions": null | |
} | |
], | |
"Stats": { | |
"files": 222, | |
"lines": 21213, | |
"nosec": 0, | |
"found": 28 | |
}, | |
"GosecVersion": "dev" | |
} |