Merge pull request #892 from hebelsan/gosec

Introduce gosec

Makefile

@@ -140,6 +140,14 @@ generate: $(VGOPATH) $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(M
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 	@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test
 
+.PHONY: sast
+sast: $(GOSEC)
+	@bash $(GARDENER_HACK_DIR)/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+	@bash $(GARDENER_HACK_DIR)/sast.sh --gosec-report true
+
 .PHONY: test
 test:
 	@bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
@@ -153,10 +161,10 @@ test-clean:
 	@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 
 .PHONY: verify
-verify: check format test
+verify: check format test sast
 
 .PHONY: verify-extended
-verify-extended: check-generate check format test-cov test-clean
+verify-extended: check-generate check format test-cov test-clean sast-report
 
 .PHONY: integration-test-infra
 integration-test-infra:

pkg/apis/config/loader/loader.go

@@ -36,7 +36,7 @@ func init() {
 
 // LoadFromFile takes a filename and de-serializes the contents into ControllerConfiguration object.
 func LoadFromFile(filename string) (*config.ControllerConfiguration, error) {
-	bytes, err := os.ReadFile(filename)
+	bytes, err := os.ReadFile(filename) // #nosec: G304 -- In reality files can be read from the Pod's file system only.
 	if err != nil {
 		return nil, err
 	}

pkg/apis/gcp/validation/shoot.go

@@ -6,6 +6,7 @@ package validation
 
 import (
 	"fmt"
+	"math"
 
 	"github.com/gardener/gardener/pkg/apis/core"
 	"github.com/gardener/gardener/pkg/apis/core/helper"
@@ -53,6 +54,9 @@ func ValidateWorkers(workers []core.Worker, fldPath *field.Path) field.ErrorList
 			continue
 		}
 
+		if len(worker.Zones) > math.MaxInt32 {
+			allErrs = append(allErrs, field.Invalid(workerFldPath.Child("zones"), len(worker.Zones), "too many zones"))
+		}
 	}
 
 	return allErrs

pkg/apis/gcp/validation/shoot_test.go

@@ -68,5 +68,28 @@ var _ = Describe("Shoot validation", func() {
 
 			Expect(errorList).To(BeEmpty())
 		})
+
+		It("should fail without at least one zone", func() {
+			workers := []core.Worker{
+				{
+					Name: "bar",
+					Volume: &core.Volume{
+						Type:       ptr.To("some-type"),
+						VolumeSize: "40Gi",
+					},
+					Zones: []string{},
+				},
+			}
+			workers[0].Kubernetes = &core.WorkerKubernetes{Version: ptr.To("1.28.0")}
+
+			errorList := ValidateWorkers(workers, field.NewPath("workers"))
+
+			Expect(errorList).To(ConsistOf(
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":  Equal(field.ErrorTypeRequired),
+					"Field": Equal("workers[0].zones"),
+				})),
+			))
+		})
 	})
 })

pkg/controller/worker/machines.go

@@ -112,7 +112,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 	}
 
 	for _, pool := range w.worker.Spec.Pools {
-		zoneLen := int32(len(pool.Zones))
+		zoneLen := int32(len(pool.Zones)) // #nosec: G115 - We check if pool zones exceeds max_int32.
 
 		workerConfig := &apisgcp.WorkerConfig{}
 		if pool.ProviderConfig != nil && pool.ProviderConfig.Raw != nil {
@@ -181,7 +181,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 		}
 
 		for zoneIndex, zone := range pool.Zones {
-			zoneIdx := int32(zoneIndex)
+			zoneIdx := int32(zoneIndex) // #nosec: G115 - We check if pool zones exceeds max_int32.
 			machineClassSpec := map[string]interface{}{
 				"region":             w.worker.Spec.Region,
 				"zone":               zone,