update gosec (#561)

* update gosec * update * update * update
2024-09-05 10:53:18 +08:00 · 2024-09-05 10:53:18 +08:00 · d593fa6db2
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@ -19,16 +19,14 @@ jobs:
  gosec:
    name: gosec
    runs-on: ubuntu-latest
+    env:
+      GOFLAGS: '-buildvcs=false'
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3

      - name: Run Gosec Security Scanner
-        # This is due to https://github.com/securego/gosec/issues/1105
-        # Per https://github.com/securego/gosec/issues/1105#issuecomment-1948225619, the issue occurs since 2.19.0.
-        # The commit that updates the GH action to 2.19.0 is d13d7dac9b7e2b40e86be5b830d297816376f1db
-        # It's parent commit is 26e57d6b340778c2983cd61775bc7e8bb41d002a
-        uses: securego/gosec@26e57d6b340778c2983cd61775bc7e8bb41d002a
+        uses: securego/gosec@v2.21.1
        with:
          args: './...'

--- a/flag.go
+++ b/flag.go
@ -283,6 +283,7 @@ func initTelemetryClient(subscriptionId string) telemetry.Client {
 func (f FlagSet) buildAuthConfig() (*config.AuthConfig, error) {
 	clientId := f.flagClientId
 	if path := f.flagClientIdFilePath; path != "" {
+		// #nosec G304
 		b, err := os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("reading Client ID from file %q: %v", path, err)
@ -292,6 +293,7 @@ func (f FlagSet) buildAuthConfig() (*config.AuthConfig, error) {

 	clientSecret := f.flagClientSecret
 	if path := f.flagClientSecretFilePath; path != "" {
+		// #nosec G304
 		b, err := os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("reading Client secret from file %q: %v", path, err)
@ -301,6 +303,7 @@ func (f FlagSet) buildAuthConfig() (*config.AuthConfig, error) {

 	clientCertEncoded := f.flagClientCertificate
 	if path := f.flagClientCertificatePath; path != "" {
+		// #nosec G304
 		b, err := os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("reading Client certificate from file %q: %v", path, err)
@ -310,6 +313,7 @@ func (f FlagSet) buildAuthConfig() (*config.AuthConfig, error) {

 	oidcToken := f.flagOIDCToken
 	if path := f.flagOIDCTokenFilePath; path != "" {
+		// #nosec G304
 		b, err := os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("reading OIDC token from file %q: %v", path, err)
--- a/internal/meta/base_meta.go
+++ b/internal/meta/base_meta.go
@ -180,6 +180,7 @@ func NewBaseMeta(cfg config.CommonConfig) (*baseMeta, error) {
 	os.Setenv("AZURE_HTTP_USER_AGENT", cfg.AzureSDKClientOption.Telemetry.ApplicationID)

 	// Disable AzureRM provider's enahnced validation, which will cause RP listing, that is expensive.
+	// #nosec G104
 	os.Setenv("ARM_PROVIDER_ENHANCED_VALIDATION", "false")

 	outputFileNames := cfg.OutputFileNames
--- a/internal/ui/ui.go
+++ b/internal/ui/ui.go
@ -265,6 +265,7 @@ func (m model) logoView() string {
 }

 func importErrorView(m model) string {
+	// #nosec G115
 	return m.importerrormsg.Item.TFResourceId + "\n\n" + common.ErrorMsgStyle.Render(wordwrap.WrapString(m.importerrormsg.Item.ImportError.Error(), uint(m.winsize.Width-indentLevel)))
 }

@ -273,5 +274,6 @@ func summaryView(m model) string {
 }

 func errorView(m model) string {
+	// #nosec G115
 	return common.ErrorMsgStyle.Render(wordwrap.WrapString(m.err.Error(), uint(m.winsize.Width-indentLevel)))
 }
--- a/main.go
+++ b/main.go
@ -512,6 +512,7 @@ func main() {
 						}

 						path := strings.TrimPrefix(arg, "@")
+						// #nosec G304
 						f, err := os.Open(path)
 						if err != nil {
 							return fmt.Errorf("failed to open file %q: %v", path, err)