diff --git a/Makefile b/Makefile
index a4edfac86..2b920f830 100644
--- a/Makefile
+++ b/Makefile
@@ -39,6 +39,10 @@ verify-gocilint:
 go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.45.2
 golangci-lint run --timeout=3m --modules-download-mode vendor ./...
+verify-gosec:
+ go install github.com/securego/gosec/v2/cmd/gosec@v2.15.0
+ gosec -exclude-dir=testing -exclude-dir=test ./...
+
 update-crds:
 bash -x hack/copy-crds.sh
@@ -47,7 +51,7 @@ update: update-crds
 verify-crds:
 bash -x hack/verify-crds.sh
-verify: verify-crds verify-gocilint
+verify: verify-crds verify-gocilint verify-gosec
 deploy-hub: ensure-kustomize
 cp deploy/hub/kustomization.yaml deploy/hub/kustomization.yaml.tmp
@@ -94,7 +98,7 @@ deploy-spoke: ensure-kustomize
 $(KUBECTL) config use-context $(SPOKE_KUBECONFIG_CONTEXT) --kubeconfig $(SPOKE_KUBECONFIG)
 $(KUSTOMIZE) build deploy/spoke | $(KUBECTL) --kubeconfig $(SPOKE_KUBECONFIG) apply -f -
 mv deploy/spoke/kustomization.yaml.tmp deploy/spoke/kustomization.yaml
- $(KUBECTL) --kubeconfig $(SPOKE_KUBECONFIG) apply -f deploy/spoke/role_extension-apiserver.yaml
+ $(KUBECTL) --kubeconfig $(SPOKE_KUBECONFIG) apply -f deploy/spoke/role_extension-apiserver.yaml
 $(KUBECTL) --kubeconfig $(SPOKE_KUBECONFIG) apply -f deploy/spoke/role_binding_extension-apiserver.yaml
 clean-hub:
diff --git a/pkg/clientcert/cert_controller.go b/pkg/clientcert/cert_controller.go
index 46ea79af4..1c8c47cba 100644
--- a/pkg/clientcert/cert_controller.go
+++ b/pkg/clientcert/cert_controller.go
@@ -399,7 +399,7 @@ func jitter(percentage float64, maxFactor float64) float64 {
 if maxFactor <= 0.0 {
 maxFactor = 1.0
 }
- newPercentage := percentage + percentage*rand.Float64()*maxFactor
+ newPercentage := percentage + percentage*rand.Float64()*maxFactor //#nosec G404
 return newPercentage
 }
diff --git a/pkg/spoke/managedcluster/secret_controller.go b/pkg/spoke/managedcluster/secret_controller.go
index 6eaefbb2f..464c6763b 100644
--- a/pkg/spoke/managedcluster/secret_controller.go
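Review bot: The `gosec` call in the new `verify-gosec` recipe (Makefile, first hunk) does not report inline suppressions, so a `#nosec` added anywhere in the tree drops a finding from the gate without it appearing in the run output; this same commit adds one in `pkg/clientcert/cert_controller.go`. Running it as `gosec -track-suppressions -exclude-dir=testing -exclude-dir=test ./...` would include suppression records in the report so waived findings stay reviewable. The recipe also invokes `gosec` by bare name, so it depends on the Go bin directory being first on PATH for the pinned v2.15.0 to be the binary that actually runs.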
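Review bot: The `//#nosec G404` added to the `newPercentage` line in `jitter` (pkg/clientcert/cert_controller.go) carries no justification, so a later reader cannot tell why a non-cryptographic random source is acceptable at this call site. gosec accepts a reason after `--`, for example `// #nosec G404 -- jitter only spreads timing, value is not a secret or token`, which keeps the decision next to the waiver. That reasoning is inferred from the function name and the arithmetic visible in the hunk; it should be confirmed that no caller relies on the result being unpredictable.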
+++ b/pkg/spoke/managedcluster/secret_controller.go
@@ -7,6 +7,7 @@ import (
 "io/ioutil"
 "os"
 "path"
+ "path/filepath"
 "time"
 "github.com/openshift/library-go/pkg/controller/factory"
@@ -93,7 +94,7 @@ func DumpSecret(
 // create/update files from the secret
 for key, data := range secret.Data {
 filename := path.Clean(path.Join(outputDir, key))
- lastData, err := ioutil.ReadFile(filename)
+ lastData, err := ioutil.ReadFile(filepath.Clean(filename))
 switch {
 case os.IsNotExist(err):
 // create file
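Review bot: Wrapping the argument as `ioutil.ReadFile(filepath.Clean(filename))` in `DumpSecret` does not confine the read to `outputDir`: `filename` was already cleaned by `path.Clean(path.Join(outputDir, key))` on the line above, and Clean only normalizes a path, so this quiets the scanner's file-path finding (presumably G304) without adding a check. `key` comes from `secret.Data`, and if a key could ever contain a separator or `..` the joined path would resolve outside the directory; the API server's key validation presumably rules that out, but nothing visible in this function enforces it. A guard before the read such as `if filepath.Dir(filename) != filepath.Clean(outputDir) { continue }` (or returning an error instead of skipping) would make the confinement explicit, and building the path with `filepath.Join(outputDir, key)` would avoid mixing `path` and `filepath`. The loop body continues outside the hunk, so any later write that uses `filename` needs the guard placed ahead of it as well.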