Address gosec/code scan issues

Michael Weber · Michael Weber · commit 2ce68f956374 · 2019-04-02T22:57:26.000-07:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -41,6 +41,9 @@ jobs:
       - run:
           name: Test
           command: make test TESTREPORT=test-results/go/results.xml
+      - run:
+          name: Code Quality
+          command: make lint
       - store_test_results:
           path: test-results/
       - store_artifacts:
diff --git a/Makefile b/Makefile
@@ -14,7 +14,7 @@ LD_FLAGS +=  -X "$(LD_FLAGS_PKG).commit=$(SHORT_COMMIT)"
 LD_FLAGS +=  -X "$(LD_FLAGS_PKG).goVersion=$(GO_VERSION)"
 
 .PHONY: all
-all: dep build lint test
+all: build lint test
 
 .PHONY: dep
 dep: prereq
@@ -46,11 +46,15 @@ test: build
 lint: dep
 	go list ./... | grep -v vendor | xargs go vet
 	go list ./... | grep -v vendor | xargs golint
+	ineffassign .
+	gosec -quiet -vendor ./...
 
 .PHONY: prereq
 prereq:
 	go get github.com/golang/dep/cmd/dep
 	go get golang.org/x/lint/golint
+	go get github.com/gordonklaus/ineffassign
+	go get github.com/securego/gosec/cmd/gosec/...
 	go get gotest.tools/gotestsum
 
 .PHONY: clean
diff --git a/README.md b/README.md
@@ -4,10 +4,14 @@ vault-plugin-splunk
 A Hashicorp Vault[1] plugin that aims to securely manage Splunk admin
 accounts, including secrets rotation for compliance purposes.
 
-[![CircleCI](https://circleci.com/gh/splunk/vault-plugin-splunk.svg?style=svg)](https://circleci.com/gh/splunk/vault-plugin-splunk)
-
 [1] https://www.vaultproject.io/
 
+## Project status
+
+[![Build Status](https://circleci.com/gh/splunk/vault-plugin-splunk.svg?style=shield)](https://circleci.com/gh/splunk/vault-plugin-splunk)
+[![GoReport](https://goreportcard.com/badge/github.com/splunk/vault-plugin-splunk)](https://goreportcard.com/report/github.com/splunk/vault-plugin-splunk)
+
+
 # Building from Source
 
 ```shell
diff --git a/clients/splunk/testing.go b/clients/splunk/testing.go
@@ -92,7 +92,8 @@ func TestGlobalSplunkClient(t *testing.T) *API {
 // See also: APIParams.NewAPI
 func TestDefaultContext() context.Context {
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // XXX
+		// #nosec G402
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	// client is the underlying transport for API calls, including Login (for obtaining session token)
 	client := &http.Client{
@@ -202,6 +203,7 @@ func NewTestSplunkServiceWithTempAdmin() (cleanup func(), conn *API, err error)
 	clConn := conn
 	clCleanup := cleanup
 	cleanup = func() {
+		// #nosec G104
 		clConn.AccessControl.Authentication.Users.Delete(testUser)
 		clCleanup()
 	}
diff --git a/clients/splunk/user_test.go b/clients/splunk/user_test.go
@@ -30,8 +30,8 @@ func TestUserService_Create(t *testing.T) {
 	params := testUserParams("")
 
 	user, _, err := userSvc.Create(params)
-	defer userSvc.Delete(user.Name)
 	assert.NilError(t, err)
+	defer userSvc.Delete(user.Name)
 	assert.Equal(t, user.Name, params.Name)
 	assert.Equal(t, user.Content.Email, params.Email)
 }
@@ -52,8 +52,8 @@ func TestUserService_Update_Email(t *testing.T) {
 	params := testUserParams("")
 
 	user, _, err := userSvc.Create(params)
-	defer userSvc.Delete(user.Name)
 	assert.NilError(t, err)
+	defer userSvc.Delete(user.Name)
 	assert.Equal(t, user.Name, params.Name)
 
 	user, _, err = userSvc.Update(user.Name, &UpdateUserOptions{
@@ -68,6 +68,7 @@ func TestUserService_Update_Password(t *testing.T) {
 	params := testUserParams("")
 
 	user, _, err := userSvc.Create(params)
+	assert.NilError(t, err)
 	defer userSvc.Delete(user.Name)
 	assert.NilError(t, err)
 	assert.Equal(t, user.Name, params.Name)
@@ -93,6 +94,7 @@ func TestUserService_Update_OwnPassword(t *testing.T) {
 
 	params := testUserParams("")
 	user, _, err := userSvc.Create(params)
+	assert.NilError(t, err)
 	defer userSvc.Delete(user.Name)
 
 	_, _, err = userSvc.Update(user.Name, &UpdateUserOptions{
diff --git a/cmd/vault-plugin-splunk/main.go b/cmd/vault-plugin-splunk/main.go
@@ -4,14 +4,17 @@ import (
 	"os"
 
 	"github.com/hashicorp/go-hclog"
-	"github.com/splunk/vault-plugin-splunk"
 	"github.com/hashicorp/vault/helper/pluginutil"
 	"github.com/hashicorp/vault/logical/plugin"
+
+	splunk "github.com/splunk/vault-plugin-splunk"
 )
 
 func main() {
 	apiClientMeta := &pluginutil.APIClientMeta{}
 	flags := apiClientMeta.FlagSet()
+	// all plugins ignore Parse errors
+	// #nosec G104
 	flags.Parse(os.Args[1:])
 
 	tlsConfig := apiClientMeta.GetTLSConfig()
@@ -27,4 +30,4 @@ func main() {
 		logger.Error("plugin shutting down", "error", err)
 		os.Exit(1)
 	}
-}
+}
diff --git a/conn.go b/conn.go
@@ -77,6 +77,7 @@ func (config *splunkConfig) store(ctx context.Context, s logical.Storage, name s
 		defer func() {
 			if err != nil {
 				// config was not stored => cancel cleanup
+				// #nosec G104
 				framework.DeleteWAL(ctx, s, walID)
 			}
 		}()

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ func (config *splunkConfig) store(ctx context.Context, s logical.Storage, name s`
`77`	`77`	`defer func() {`
`78`	`78`	`if err != nil {`
`79`	`79`	`// config was not stored => cancel cleanup`
	`80`	`+ // #nosec G104`
`80`	`81`	`framework.DeleteWAL(ctx, s, walID)`
`81`	`82`	`}`
`82`	`83`	`}()`