diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml deleted file mode 100644 index 0a0d7c809a5a..000000000000 --- a/.github/workflows/gosec.yml +++ /dev/null @@ -1,45 +0,0 @@ -name: Run Gosec -on: - pull_request: - branches: - - main - - release/** - paths: - - "**/*.go" - - "go.mod" - - "go.sum" - push: - branches: - - main - paths: - - "**/*.go" - - "go.mod" - - "go.sum" - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - Gosec: - permissions: - security-events: write - - runs-on: ubuntu-latest - env: - GO111MODULE: on - steps: - - name: Checkout Source - uses: actions/checkout@v4 - - - name: Run Gosec Security Scanner - uses: securego/gosec@master - with: - # we let the report trigger content trigger a failure using the GitHub Security features. - args: "-exclude=G101,G107 -exclude-dir=systemtests -no-fail -fmt sarif -out results.sarif ./..." - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: results.sarif diff --git a/.golangci.yml b/.golangci.yml index cf8a3661bc74..b3179482ec78 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -45,9 +45,6 @@ issues: - crypto/keys/secp256k1/internal/* - types/coin_regex.go exclude-rules: - - text: "Use of weak random number generator" - linters: - - gosec - text: "ST1003:" linters: - stylecheck @@ -95,44 +92,13 @@ linters-settings: disabled: true gosec: - # To select a subset of rules to run. # Available rules: https://github.com/securego/gosec#available-rules - # Default: [] - means include all rules - includes: - # - G101 # Look for hard coded credentials - - G102 # Bind to all interfaces - - G103 # Audit the use of unsafe block - - G104 # Audit errors not checked - - G106 # Audit the use of ssh.InsecureIgnoreHostKey - - G107 # Url provided to HTTP request as taint input - - G108 # Profiling endpoint automatically exposed on /debug/pprof - - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32 - - G110 # Potential DoS vulnerability via decompression bomb - - G111 # Potential directory traversal - - G112 # Potential slowloris attack - - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) - - G114 # Use of net/http serve function that has no support for setting timeouts - - G201 # SQL query construction using format string - - G202 # SQL query construction using string concatenation - - G203 # Use of unescaped data in HTML templates - - G204 # Audit use of command execution - - G301 # Poor file permissions used when creating a directory - - G302 # Poor file permissions used with chmod - - G303 # Creating tempfile using a predictable path - - G304 # File path provided as taint input - - G305 # File traversal when extracting zip/tar archive - - G306 # Poor file permissions used when writing to a new file - - G307 # Deferring a method which returns an error - - G401 # Detect the usage of DES, RC4, MD5 or SHA1 - - G402 # Look for bad TLS connection settings - - G403 # Ensure minimum RSA key length of 2048 bits - - G404 # Insecure random number source (rand) - - G501 # Import blocklist: crypto/md5 - - G502 # Import blocklist: crypto/des - - G503 # Import blocklist: crypto/rc4 - - G504 # Import blocklist: net/http/cgi - - G505 # Import blocklist: crypto/sha1 - - G601 # Implicit memory aliasing of items from a range statement + excludes: + - G101 # Potential hardcoded credentials + - G107 # Potential HTTP request made with variable url + - G404 # Use of weak random number generator (math/rand instead of crypto/rand) + exclude-generated: true + confidence: medium misspell: locale: US gofumpt: diff --git a/server/v2/cometbft/abci_test.go b/server/v2/cometbft/abci_test.go index fc67c2aa9635..0a4f1b16f975 100644 --- a/server/v2/cometbft/abci_test.go +++ b/server/v2/cometbft/abci_test.go @@ -575,7 +575,7 @@ func TestConsensus_Query(t *testing.T) { c := setUpConsensus(t, 100_000, cometmock.MockMempool[mock.Tx]{}) // Write data to state storage - c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{ + err := c.store.GetStateStorage().ApplyChangeset(1, &store.Changeset{ Changes: []store.StateChanges{ { Actor: actorName, @@ -589,8 +589,9 @@ func TestConsensus_Query(t *testing.T) { }, }, }) + require.NoError(t, err) - _, err := c.InitChain(context.Background(), &abciproto.InitChainRequest{ + _, err = c.InitChain(context.Background(), &abciproto.InitChainRequest{ Time: time.Now(), ChainId: "test", InitialHeight: 1, @@ -630,6 +631,8 @@ func TestConsensus_Query(t *testing.T) { } func setUpConsensus(t *testing.T, gasLimit uint64, mempool mempool.Mempool[mock.Tx]) *Consensus[mock.Tx] { + t.Helper() + msgRouterBuilder := getMsgRouterBuilder(t, func(ctx context.Context, msg *gogotypes.BoolValue) (*gogotypes.BoolValue, error) { return nil, nil }) diff --git a/server/v2/cometbft/commands.go b/server/v2/cometbft/commands.go index 6e2afedfbb9d..367700e98269 100644 --- a/server/v2/cometbft/commands.go +++ b/server/v2/cometbft/commands.go @@ -7,9 +7,6 @@ import ( "strconv" "strings" - "github.com/spf13/cobra" - "sigs.k8s.io/yaml" - cmtcfg "github.com/cometbft/cometbft/config" cmtjson "github.com/cometbft/cometbft/libs/json" "github.com/cometbft/cometbft/node" @@ -18,6 +15,8 @@ import ( rpchttp "github.com/cometbft/cometbft/rpc/client/http" cmtversion "github.com/cometbft/cometbft/version" gogoproto "github.com/cosmos/gogoproto/proto" + "github.com/spf13/cobra" + "sigs.k8s.io/yaml" "cosmossdk.io/server/v2/cometbft/client/rpc" diff --git a/server/v2/cometbft/internal/mock/mock_store.go b/server/v2/cometbft/internal/mock/mock_store.go index e3e7f4dc708c..15a47b33d639 100644 --- a/server/v2/cometbft/internal/mock/mock_store.go +++ b/server/v2/cometbft/internal/mock/mock_store.go @@ -91,17 +91,22 @@ func (s *MockStore) GetStateCommitment() storev2.Committer { return s.Committer } -type Result struct { - key []byte - value []byte - version uint64 - proofOps []proof.CommitmentOp -} - func (s *MockStore) Query(storeKey []byte, version uint64, key []byte, prove bool) (storev2.QueryResult, error) { state, err := s.StateAt(version) + if err != nil { + return storev2.QueryResult{}, err + } + reader, err := state.GetReader(storeKey) + if err != nil { + return storev2.QueryResult{}, err + } + value, err := reader.Get(key) + if err != nil { + return storev2.QueryResult{}, err + } + res := storev2.QueryResult{ Key: key, Value: value, diff --git a/testutil/rest.go b/testutil/rest.go index 6b8066aafbb9..5026d1f01b96 100644 --- a/testutil/rest.go +++ b/testutil/rest.go @@ -42,7 +42,7 @@ func GetRequestWithHeaders(url string, headers map[string]string) ([]byte, error // GetRequest defines a wrapper around an HTTP GET request with a provided URL. // An error is returned if the request or reading the body fails. func GetRequest(url string) ([]byte, error) { - res, err := http.Get(url) //nolint:gosec // only used for testing + res, err := http.Get(url) if err != nil { return nil, err } @@ -61,7 +61,7 @@ func GetRequest(url string) ([]byte, error) { // PostRequest defines a wrapper around an HTTP POST request with a provided URL and data. // An error is returned if the request or reading the body fails. func PostRequest(url, contentType string, data []byte) ([]byte, error) { - res, err := http.Post(url, contentType, bytes.NewBuffer(data)) //nolint:gosec // only used for testing + res, err := http.Post(url, contentType, bytes.NewBuffer(data)) if err != nil { return nil, fmt.Errorf("error while sending post request: %w", err) }