pipelines-as-code 0.16.0 gosec scan result (standalone gosec run; the `//nolint:gosec` / `// nolint: gosec` comments visible in the flagged snippets are golangci-lint directives, not gosec `#nosec` annotations, which is why every issue below has `"nosec": false` and the Stats block reports `"nosec": 0` — the findings are not suppressed in this output and must be reviewed individually)
{
"Golang errors": {},
"Issues": [
{
"severity": "HIGH",
"confidence": "LOW",
"cwe": {
"id": "798",
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
"rule_id": "G101",
"details": "Potential hardcoded credentials",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/secrets/basic_auth.go",
"code": "21: \t//nolint:gosec\n22: \tbasicAuthSecretName = `pac-gitauth-%s`\n23: )\n",
"line": "22",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "HIGH",
"confidence": "LOW",
"cwe": {
"id": "798",
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
"rule_id": "G101",
"details": "Potential hardcoded credentials",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/pipelineascode/match.go",
"code": "253: \t// nolint: gosec\n254: \toldBasicAuthSecretName := `\\W*secretName: \"pac-git-basic-auth-{{repo_owner}}-{{repo_name}}\"`\n255: \tif matched, _ := regexp.MatchString(oldBasicAuthSecretName, tmpl); matched {\n",
"line": "254",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "HIGH",
"confidence": "LOW",
"cwe": {
"id": "798",
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
"rule_id": "G101",
"details": "Potential hardcoded credentials",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/settings/config.go",
"code": "27: \tsecretGhAppTokenRepoScopedDefaultValue = \"true\"\n28: \tSecretGhAppTokenScopedExtraReposKey = \"secret-github-app-scope-extra-repos\" //nolint: gosec\n29: \tsecretGhAppTokenScopedExtraReposDefaultValue = \"\" //nolint: gosec\n",
"line": "28",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "HIGH",
"confidence": "LOW",
"cwe": {
"id": "798",
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
"rule_id": "G101",
"details": "Potential hardcoded credentials",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/settings/config.go",
"code": "25: \tsecretAutoCreateDefaultValue = \"true\"\n26: \tSecretGhAppTokenRepoScopedKey = \"secret-github-app-token-scoped\" //nolint: gosec\n27: \tsecretGhAppTokenRepoScopedDefaultValue = \"true\"\n",
"line": "26",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "HIGH",
"confidence": "LOW",
"cwe": {
"id": "798",
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
"rule_id": "G101",
"details": "Potential hardcoded credentials",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go",
"code": "21: const (\n22: \tbasicAuthSecretString = `secretName: \"{{ git_auth_secret }}\"`\n23: \tgitProviderTokenKey = \"git-provider-token\"\n",
"line": "22",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "78",
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
"rule_id": "G204",
"details": "Subprocess launched with variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/git/git.go",
"code": "22: \t}\n23: \tc := exec.Command(gitPath, args...)\n24: \tvar output bytes.Buffer\n",
"line": "23",
"column": "7",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "78",
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
"rule_id": "G204",
"details": "Subprocess launched with variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/install.go",
"code": "56: \t}\n57: \tcmd := exec.Command(path, \"apply\", \"-f\", uri)\n58: \tout, err := cmd.CombinedOutput()\n",
"line": "57",
"column": "9",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "78",
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
"rule_id": "G204",
"details": "Subprocess launched with variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cli/browser/browser.go",
"code": "21: \targs = append(args, url)\n22: \treturn exec.Command(cmd, args...).Start()\n23: }\n",
"line": "22",
"column": "9",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "78",
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
"rule_id": "G204",
"details": "Subprocess launched with a potential tainted input or cmd arguments",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/logs/logs.go",
"code": "255: \t//nolint: gosec\n256: \tif err := syscall.Exec(tknPath, []string{tknPath, \"pr\", \"logs\", \"-f\", \"-n\", ns, pr}, os.Environ()); err != nil {\n257: \t\tfmt.Fprintf(os.Stderr, \"Command finished with error: %v\", err)\n",
"line": "256",
"column": "12",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/get_entries.go",
"code": "43: \tvar buf bytes.Buffer\n44: \ttemplateContent, err := os.ReadFile(templateFile)\n45: \tif err != nil {\n",
"line": "44",
"column": "26",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/provider/bitbucketserver/test/test.go",
"code": "129: \t\t}\n130: \t\tcontent, err := os.ReadFile(fpath)\n131: \t\tassert.NilError(t, err)\n",
"line": "130",
"column": "19",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/provider/bitbucketcloud/test/bbcloudtest.go",
"code": "210: \t\t\t})\n211: \t\t\tcontent, err := os.ReadFile(fpath)\n212: \t\t\tassert.NilError(t, err)\n",
"line": "211",
"column": "20",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/matcher/annotation_tasks_install.go",
"code": "195: \n196: \tb, err := os.ReadFile(taskName)\n197: \tdata = string(b)\n",
"line": "196",
"column": "12",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/resolve.go",
"code": "224: func appendYaml(filename string) string {\n225: \tb, err := os.ReadFile(filename)\n226: \tif err != nil {\n",
"line": "225",
"column": "12",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "22",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
"rule_id": "G304",
"details": "Potential file inclusion via variable",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go",
"code": "27: \tfor _, filename := range filenames {\n28: \t\tfile, err := os.Open(filename)\n29: \t\tif err != nil {\n",
"line": "28",
"column": "16",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "LOW",
"cwe": {
"id": "400",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
"rule_id": "G112",
"details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/web.go",
"code": "21: \t//nolint: gosec\n22: \ts := http.Server{Addr: fmt.Sprintf(\":%d\", opts.webserverPort), Handler: m}\n23: \tcodeCh := make(chan string)\n",
"line": "22",
"column": "7",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "LOW",
"cwe": {
"id": "400",
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
"rule_id": "G112",
"details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/adapter/adapter.go",
"code": "81: \t//nolint: gosec\n82: \tsrv := \u0026http.Server{\n83: \t\tAddr: \":\" + adapterPort,\n84: \t\tHandler: http.TimeoutHandler(mux,\n85: \t\t\t10*time.Second, \"Listener Timeout!\\n\"),\n86: \t}\n87: \n",
"line": "82-86",
"column": "10",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "276",
"url": "https://cwe.mitre.org/data/definitions/276.html"
},
"rule_id": "G301",
"details": "Expect directory permissions to be 0750 or less",
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/gitea/scm.go",
"code": "60: \tfor filename, content := range entries {\n61: \t\tassert.NilError(t, os.MkdirAll(filepath.Dir(filename), 0o755))\n62: \t\t// write content to filename\n",
"line": "61",
"column": "22",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "276",
"url": "https://cwe.mitre.org/data/definitions/276.html"
},
"rule_id": "G301",
"details": "Expect directory permissions to be 0750 or less",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/generate/generate.go",
"code": "206: \t\tif _, err := os.Stat(filepath.Join(o.GitInfo.TopLevelPath, \".tekton\")); os.IsNotExist(err) {\n207: \t\t\tif err := os.MkdirAll(filepath.Join(o.GitInfo.TopLevelPath, \".tekton\"), 0o755); err != nil {\n208: \t\t\t\treturn err\n",
"line": "207",
"column": "14",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "276",
"url": "https://cwe.mitre.org/data/definitions/276.html"
},
"rule_id": "G306",
"details": "Expect WriteFile permissions to be 0600 or less",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/generate/generate.go",
"code": "239: \t//nolint: gosec\n240: \terr = os.WriteFile(fpath, tmpl.Bytes(), 0o644)\n241: \tif err != nil {\n",
"line": "240",
"column": "8",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G307",
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"",
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/send.go",
"code": "67: \t}\n68: \tdefer resp.Body.Close()\n69: \t_, err = io.ReadAll(resp.Body)\n",
"line": "68",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G307",
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"",
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/gitea/scm.go",
"code": "142: \t}\n143: \tdefer resp.Body.Close()\n144: \tvar tls Timelines\n",
"line": "143",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G307",
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/params/clients/clients.go",
"code": "40: \t}\n41: \tdefer res.Body.Close()\n42: \tstatusOK := res.StatusCode \u003e= 200 \u0026\u0026 res.StatusCode \u003c 300\n",
"line": "41",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G307",
"details": "Deferring unsafe method \"Close\" on type \"io.ReadCloser\"",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/matcher/annotation_tasks_install.go",
"code": "80: \t\tdata, _ := io.ReadAll(res.Body)\n81: \t\tdefer res.Body.Close()\n82: \t\trt.Logger.Infof(\"successfully fetched \\\"%s\\\" from remote https url\", uri)\n",
"line": "81",
"column": "3",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G307",
"details": "Deferring unsafe method \"Close\" on type \"*os.File\"",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/resolve/basic_auth_secret.go",
"code": "31: \t\t}\n32: \t\tdefer file.Close()\n33: \t\t// check if we have the string secretName: \"{{ git_auth_secret }}\" and\n",
"line": "32",
"column": "3",
"nosec": false,
"suppressions": null
},
{
"severity": "MEDIUM",
"confidence": "HIGH",
"cwe": {
"id": "327",
"url": "https://cwe.mitre.org/data/definitions/327.html"
},
"rule_id": "G505",
"details": "Blocklisted import crypto/sha1: weak cryptographic primitive",
"file": "/Users/oandriie/projects/pipelines-as-code/test/pkg/payload/send.go",
"code": "11: \t//nolint:gosec\n12: \t\"crypto/sha1\"\n13: \t\"crypto/sha256\"\n",
"line": "12",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "LOW",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G104",
"details": "Errors unhandled.",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/list/list.go",
"code": "186: \t}\n187: \tw.Flush()\n188: \treturn nil\n",
"line": "187",
"column": "2",
"nosec": false,
"suppressions": null
},
{
"severity": "LOW",
"confidence": "HIGH",
"cwe": {
"id": "703",
"url": "https://cwe.mitre.org/data/definitions/703.html"
},
"rule_id": "G104",
"details": "Errors unhandled.",
"file": "/Users/oandriie/projects/pipelines-as-code/pkg/cmd/tknpac/bootstrap/route.go",
"code": "61: \t}\n62: \tresp.Body.Close()\n63: \treturn \"\"\n",
"line": "62",
"column": "2",
"nosec": false,
"suppressions": null
}
],
"Stats": {
"files": 222,
"lines": 21213,
"nosec": 0,
"found": 28
},
"GosecVersion": "dev"
}