ci: remove duplicate gosec & lint fixes (backport #21685) (#21686)

Co-authored-by: Julien Robert <julien@rbrt.fr>
cosmos · Sep 12, 2024 · b88a473 · b88a473
1 parent 1ff55a7
commit b88a473
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 99 deletions.
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
diff --git a/.golangci.yml b/.golangci.yml
@@ -45,9 +45,6 @@ issues:
     - crypto/keys/secp256k1/internal/*
     - types/coin_regex.go
   exclude-rules:
-    - text: "Use of weak random number generator"
-      linters:
-        - gosec
     - text: "ST1003:"
       linters:
         - stylecheck
@@ -95,44 +92,13 @@ linters-settings:
         disabled: true
 
   gosec:
-    # To select a subset of rules to run.
     # Available rules: https://github.com/securego/gosec#available-rules
-    # Default: [] - means include all rules
-    includes:
-      #  - G101 # Look for hard coded credentials
-      - G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      - G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      - G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      - G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      - G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Deferring a method which returns an error
-      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      - G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      - G404 # Insecure random number source (rand)
-      - G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      - G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
+    excludes:
+      - G101 # Potential hardcoded credentials
+      - G107 # Potential HTTP request made with variable url
+      - G404 # Use of weak random number generator (math/rand instead of crypto/rand)
+    exclude-generated: true
+    confidence: medium
   misspell:
     locale: US
   gofumpt:

diff --git a/server/v2/cometbft/abci_test.go b/server/v2/cometbft/abci_test.go
@@ -575,7 +575,7 @@ func TestConsensus_Query(t *testing.T) {
 	c := setUpConsensus(t, 100_000, cometmock.MockMempool[mock.Tx]{})
 
 	// Write data to state storage
-	c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
+	err := c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{
 		Changes: []store.StateChanges{
 			{
 				Actor: actorName,
@@ -589,8 +589,9 @@ func TestConsensus_Query(t *testing.T) {
 			},
 		},
 	})
+	require.NoError(t, err)
 
-	_, err := c.InitChain(context.Background(), &abciproto.InitChainRequest{
+	_, err = c.InitChain(context.Background(), &abciproto.InitChainRequest{
 		Time:          time.Now(),
 		ChainId:       "test",
 		InitialHeight: 1,
@@ -630,6 +631,8 @@ func TestConsensus_Query(t *testing.T) {
 }
 
 func setUpConsensus(t *testing.T, gasLimit uint64, mempool mempool.Mempool[mock.Tx]) *Consensus[mock.Tx] {
+	t.Helper()
+
 	msgRouterBuilder := getMsgRouterBuilder(t, func(ctx context.Context, msg *gogotypes.BoolValue) (*gogotypes.BoolValue, error) {
 		return nil, nil
 	})

diff --git a/server/v2/cometbft/commands.go b/server/v2/cometbft/commands.go
@@ -7,9 +7,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/spf13/cobra"
-	"sigs.k8s.io/yaml"
-
 	cmtcfg "github.com/cometbft/cometbft/config"
 	cmtjson "github.com/cometbft/cometbft/libs/json"
 	"github.com/cometbft/cometbft/node"
@@ -18,6 +15,8 @@ import (
 	rpchttp "github.com/cometbft/cometbft/rpc/client/http"
 	cmtversion "github.com/cometbft/cometbft/version"
 	gogoproto "github.com/cosmos/gogoproto/proto"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"
 
 	"cosmossdk.io/server/v2/cometbft/client/rpc"
 

diff --git a/server/v2/cometbft/internal/mock/mock_store.go b/server/v2/cometbft/internal/mock/mock_store.go
@@ -91,17 +91,22 @@ func (s *MockStore) GetStateCommitment() storev2.Committer {
 	return s.Committer
 }
 
-type Result struct {
-	key      []byte
-	value    []byte
-	version  uint64
-	proofOps []proof.CommitmentOp
-}
-
 func (s *MockStore) Query(storeKey []byte, version uint64, key []byte, prove bool) (storev2.QueryResult, error) {
 	state, err := s.StateAt(version)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	reader, err := state.GetReader(storeKey)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	value, err := reader.Get(key)
+	if err != nil {
+		return storev2.QueryResult{}, err
+	}
+
 	res := storev2.QueryResult{
 		Key:     key,
 		Value:   value,

diff --git a/testutil/rest.go b/testutil/rest.go
@@ -42,7 +42,7 @@ func GetRequestWithHeaders(url string, headers map[string]string) ([]byte, error
 // GetRequest defines a wrapper around an HTTP GET request with a provided URL.
 // An error is returned if the request or reading the body fails.
 func GetRequest(url string) ([]byte, error) {
-	res, err := http.Get(url) //nolint:gosec // only used for testing
+	res, err := http.Get(url) 
 	if err != nil {
 		return nil, err
 	}
@@ -61,7 +61,7 @@ func GetRequest(url string) ([]byte, error) {
 // PostRequest defines a wrapper around an HTTP POST request with a provided URL and data.
 // An error is returned if the request or reading the body fails.
 func PostRequest(url, contentType string, data []byte) ([]byte, error) {
-	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) //nolint:gosec // only used	for testing
+	res, err := http.Post(url, contentType, bytes.NewBuffer(data)) 
 	if err != nil {
 		return nil, fmt.Errorf("error while sending post request: %w", err)
 	}