fix go check issues

1. Fix gosec G404: use of a weak random number generator (math/rand replaced by crypto/rand)
2. Fix staticcheck ST1019: package "github.com/sirupsen/logrus" is imported more than once

Signed-off-by: Wang Yan <wangyan@vmware.com>
Wang Yan 2021-11-15 14:57:22 +08:00
parent 6248a88d03
commit f637481c67
3 changed files with 38 additions and 25 deletions


@ -2,9 +2,10 @@ package main
import ( import (
"context" "context"
"crypto/rand"
"encoding/json" "encoding/json"
"flag" "flag"
"math/rand" "math/big"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
@ -141,8 +142,15 @@ const refreshTokenLength = 15
func newRefreshToken() string { func newRefreshToken() string {
s := make([]rune, refreshTokenLength) s := make([]rune, refreshTokenLength)
max := int64(len(refreshCharacters))
for i := range s { for i := range s {
s[i] = refreshCharacters[rand.Intn(len(refreshCharacters))] randInt, err := rand.Int(rand.Reader, big.NewInt(max))
// let '0' serves the failure case
if err != nil {
logrus.Infof("Error on making refersh token: %v", err)
randInt = big.NewInt(0)
}
s[i] = refreshCharacters[randInt.Int64()]
} }
return string(s) return string(s)
} }
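Review bot: The failure branch in newRefreshToken (the `if err != nil` block after the `rand.Int` call) turns a CSPRNG failure into a predictable token rather than an error: every position that fails is forced to `refreshCharacters[0]`, and the caller receives the degraded string as a valid refresh token with no way to tell it apart from a good one. A failed `crypto/rand` read is a "stop" condition for a credential, not something to paper over with a fixed character, and the same commit already treats it that way in configureSecret, which panics on `rand.Read` failure. Replace the fallback with `panic(fmt.Sprintf("could not generate refresh token: %v", err))` (or change the function to return `(string, error)` if callers can handle it); if a panic is chosen, check that `fmt` is imported in this file, since only the import hunk is visible here. While touching the block, fix the typo in the log message (`refersh` → `refresh`) and consider drawing all 15 values with a single `rand.Read` into a byte buffer and indexing with `rand.Int` only if modulo bias matters for the charset length, which would avoid one `big.Int` allocation per character.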


@ -2,10 +2,11 @@ package handlers
import ( import (
"context" "context"
cryptorand "crypto/rand" "crypto/rand"
"expvar" "expvar"
"fmt" "fmt"
"math/rand" "math"
"math/big"
"net" "net"
"net/http" "net/http"
"net/url" "net/url"
@ -612,7 +613,7 @@ func (app *App) configureLogHook(configuration *configuration.Configuration) {
func (app *App) configureSecret(configuration *configuration.Configuration) { func (app *App) configureSecret(configuration *configuration.Configuration) {
if configuration.HTTP.Secret == "" { if configuration.HTTP.Secret == "" {
var secretBytes [randomSecretSize]byte var secretBytes [randomSecretSize]byte
if _, err := cryptorand.Read(secretBytes[:]); err != nil { if _, err := rand.Read(secretBytes[:]); err != nil {
panic(fmt.Sprintf("could not generate random bytes for HTTP secret: %v", err)) panic(fmt.Sprintf("could not generate random bytes for HTTP secret: %v", err))
} }
configuration.HTTP.Secret = string(secretBytes[:]) configuration.HTTP.Secret = string(secretBytes[:])
@ -1062,8 +1063,13 @@ func startUploadPurger(ctx context.Context, storageDriver storagedriver.StorageD
} }
go func() { go func() {
rand.Seed(time.Now().Unix()) randInt, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
jitter := time.Duration(rand.Int()%60) * time.Minute if err != nil {
log.Infof("Failed to generate random jitter: %v", err)
// sleep 30min for failure case
randInt = big.NewInt(30)
}
jitter := time.Duration(randInt.Int64()%60) * time.Minute
log.Infof("Starting upload purge in %s", jitter) log.Infof("Starting upload purge in %s", jitter)
time.Sleep(jitter) time.Sleep(jitter)
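Review bot: In startUploadPurger the jitter is drawn from `[0, math.MaxInt64)` and then reduced with `randInt.Int64()%60`; `rand.Int` already returns a uniform value below the given bound, so asking for the bound you actually want is simpler and removes both the modulo and the `math` import: `randInt, err := rand.Int(rand.Reader, big.NewInt(60))` followed by `jitter := time.Duration(randInt.Int64()) * time.Minute`. The residual modulo bias with a 2^63 range is negligible, so this is a readability point rather than a correctness one. The fallback of `big.NewInt(30)` on error is reasonable for a non-security sleep, though if the intent is to stay with the 0–59 minute window it may be worth noting that in the comment. The surrounding goroutine continues past the end of this hunk.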


@ -20,7 +20,6 @@ import (
"github.com/docker/go-metrics" "github.com/docker/go-metrics"
gorhandlers "github.com/gorilla/handlers" gorhandlers "github.com/gorilla/handlers"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/yvasiyarov/gorelic" "github.com/yvasiyarov/gorelic"
"golang.org/x/crypto/acme" "golang.org/x/crypto/acme"
@ -111,16 +110,16 @@ var ServeCmd = &cobra.Command{
if config.HTTP.Debug.Addr != "" { if config.HTTP.Debug.Addr != "" {
go func(addr string) { go func(addr string) {
log.Infof("debug server listening %v", addr) logrus.Infof("debug server listening %v", addr)
if err := http.ListenAndServe(addr, nil); err != nil { if err := http.ListenAndServe(addr, nil); err != nil {
log.Fatalf("error listening on debug interface: %v", err) logrus.Fatalf("error listening on debug interface: %v", err)
} }
}(config.HTTP.Debug.Addr) }(config.HTTP.Debug.Addr)
} }
registry, err := NewRegistry(ctx, config) registry, err := NewRegistry(ctx, config)
if err != nil { if err != nil {
log.Fatalln(err) logrus.Fatalln(err)
} }
if config.HTTP.Debug.Prometheus.Enabled { if config.HTTP.Debug.Prometheus.Enabled {
@ -128,12 +127,12 @@ var ServeCmd = &cobra.Command{
if path == "" { if path == "" {
path = "/metrics" path = "/metrics"
} }
log.Info("providing prometheus metrics on ", path) logrus.Info("providing prometheus metrics on ", path)
http.Handle(path, metrics.Handler()) http.Handle(path, metrics.Handler())
} }
if err = registry.ListenAndServe(); err != nil { if err = registry.ListenAndServe(); err != nil {
log.Fatalln(err) logrus.Fatalln(err)
} }
}, },
} }
@ -344,7 +343,7 @@ func configureReporting(app *handlers.App) http.Handler {
// configureLogging prepares the context with a logger using the // configureLogging prepares the context with a logger using the
// configuration. // configuration.
func configureLogging(ctx context.Context, config *configuration.Configuration) (context.Context, error) { func configureLogging(ctx context.Context, config *configuration.Configuration) (context.Context, error) {
log.SetLevel(logLevel(config.Log.Level)) logrus.SetLevel(logLevel(config.Log.Level))
formatter := config.Log.Formatter formatter := config.Log.Formatter
if formatter == "" { if formatter == "" {
@ -353,16 +352,16 @@ func configureLogging(ctx context.Context, config *configuration.Configuration)
switch formatter { switch formatter {
case "json": case "json":
log.SetFormatter(&log.JSONFormatter{ logrus.SetFormatter(&logrus.JSONFormatter{
TimestampFormat: time.RFC3339Nano, TimestampFormat: time.RFC3339Nano,
DisableHTMLEscape: true, DisableHTMLEscape: true,
}) })
case "text": case "text":
log.SetFormatter(&log.TextFormatter{ logrus.SetFormatter(&logrus.TextFormatter{
TimestampFormat: time.RFC3339Nano, TimestampFormat: time.RFC3339Nano,
}) })
case "logstash": case "logstash":
log.SetFormatter(&logstash.LogstashFormatter{ logrus.SetFormatter(&logstash.LogstashFormatter{
Formatter: &logrus.JSONFormatter{TimestampFormat: time.RFC3339Nano}, Formatter: &logrus.JSONFormatter{TimestampFormat: time.RFC3339Nano},
}) })
default: default:
@ -373,7 +372,7 @@ func configureLogging(ctx context.Context, config *configuration.Configuration)
} }
if config.Log.Formatter != "" { if config.Log.Formatter != "" {
log.Debugf("using %q logging formatter", config.Log.Formatter) logrus.Debugf("using %q logging formatter", config.Log.Formatter)
} }
if len(config.Log.Fields) > 0 { if len(config.Log.Fields) > 0 {
@ -391,11 +390,11 @@ func configureLogging(ctx context.Context, config *configuration.Configuration)
return ctx, nil return ctx, nil
} }
func logLevel(level configuration.Loglevel) log.Level { func logLevel(level configuration.Loglevel) logrus.Level {
l, err := log.ParseLevel(string(level)) l, err := logrus.ParseLevel(string(level))
if err != nil { if err != nil {
l = log.InfoLevel l = logrus.InfoLevel
log.Warnf("error parsing level %q: %v, using %q ", level, err, l) logrus.Warnf("error parsing level %q: %v, using %q ", level, err, l)
} }
return l return l
@ -421,10 +420,10 @@ func configureBugsnag(config *configuration.Configuration) {
// configure logrus bugsnag hook // configure logrus bugsnag hook
hook, err := logrus_bugsnag.NewBugsnagHook() hook, err := logrus_bugsnag.NewBugsnagHook()
if err != nil { if err != nil {
log.Fatalln(err) logrus.Fatalln(err)
} }
log.AddHook(hook) logrus.AddHook(hook)
} }
// panicHandler add an HTTP handler to web app. The handler recover the happening // panicHandler add an HTTP handler to web app. The handler recover the happening
@ -434,7 +433,7 @@ func panicHandler(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
defer func() { defer func() {
if err := recover(); err != nil { if err := recover(); err != nil {
log.Panic(fmt.Sprintf("%v", err)) logrus.Panic(fmt.Sprintf("%v", err))
} }
}() }()
handler.ServeHTTP(w, r) handler.ServeHTTP(w, r)