Enable gosec rules

Currently we have only one (1) gosec rule enabled in golangci-lint config. 
https://github.com/stackrox/stackrox/blob/334e6b714e63d63006fdae2c95057c136367adcb/.golangci.yml#L51-L53

Ideally we should enable all of them. Every PR should fix one rule. There is a chance that some rules are already fixed and we only need to enable them. After including new rule, please ensure `make golangci-lint` is passing if there are errors please fix them.

- [x] **G101**: Look for hard coded credentials https://github.com/stackrox/stackrox/pull/3566
- [x] **G102**: Bind to all interfaces https://github.com/stackrox/stackrox/pull/3567
- [x] **G103**: Audit the use of unsafe block https://github.com/stackrox/stackrox/pull/3568
- [x] **G104**: Audit errors not checked https://github.com/stackrox/stackrox/pull/3936
- [x] **G106**: Audit the use of ssh.InsecureIgnoreHostKey https://github.com/stackrox/stackrox/pull/3677
- [ ] **G107**: Url provided to HTTP request as taint input
- [x] **G108**: Profiling endpoint automatically exposed on /debug/pprof https://github.com/stackrox/stackrox/pull/3677
- [x] **G109**: Potential Integer overflow made by strconv.Atoi result conversion to int16/32 https://github.com/stackrox/stackrox/pull/3677
- [ ] **G110**: Potential DoS vulnerability via decompression bomb
- [x] **G111**: Potential directory traversal https://github.com/stackrox/stackrox/pull/3629
- [ ] **G112**: Potential slowloris attack
- [x] **G113**: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) https://github.com/stackrox/stackrox/pull/3631
- [ ] **G114**: Use of net/http serve function that has no support for setting timeouts
- [x] **G201**: SQL query construction using format string https://github.com/stackrox/stackrox/pull/3677
- [x] **G202**: SQL query construction using string concatenation https://github.com/stackrox/stackrox/pull/3677
- [x] **G203**: Use of unescaped data in HTML templates https://github.com/stackrox/stackrox/pull/3677
- [ ] **G204**: Audit use of command execution
- [ ] **G301**: Poor file permissions used when creating a directory
- [ ] **G302**: Poor file permissions used with chmod
- [x] **G303**: Creating tempfile using a predictable path https://github.com/stackrox/stackrox/pull/3560
- [ ] **G304**: File path provided as taint input
- [ ] **G305**: File traversal when extracting zip/tar archive
- [ ] **G306**: Poor file permissions used when writing to a new file
- [x] **G307**: Deferring a method which returns an error https://github.com/stackrox/stackrox/pull/3677
- [ ] **G401**: Detect the usage of DES, RC4, MD5 or SHA1
- [ ] **G402**: Look for bad TLS connection settings
- [x] **G403**: Ensure minimum RSA key length of 2048 bits https://github.com/stackrox/stackrox/pull/3677
- [ ] **G404**: Insecure random number source (rand)
- [ ] **G501**: Import blocklist: crypto/md5
- [x] **G502**: Import blocklist: crypto/des https://github.com/stackrox/stackrox/pull/3677
- [x] **G503**: Import blocklist: crypto/rc4 https://github.com/stackrox/stackrox/pull/3677
- [x] **G504**: Import blocklist: net/http/cgi https://github.com/stackrox/stackrox/pull/3677
- [ ] **G505**: Import blocklist: crypto/sha1
- [x] **G601**: Implicit memory aliasing of items from a range statement

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable gosec rules #3545

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	gosec:
	includes:
	- G601

Enable gosec rules #3545

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions