From d7bc6c9c79be36a5b8fb6df606548d5ce46892ed Mon Sep 17 00:00:00 2001
From: Naveen Kumar
Date: Fri, 13 Feb 2026 15:38:12 +0530
Subject: [PATCH 1/3] Addressing go sec failures

# Conflicts:
# docker_test.go

---
artifactory_test.go | 2 +-
general/ai/cli.go | 1 +
general/summary/cli.go | 4 ++++
lifecycle_test.go | 2 +-
nuget_test.go | 1 +
utils/cliutils/utils.go | 1 +
utils/cliutils/utils_test.go | 1 +
7 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/artifactory_test.go b/artifactory_test.go
index 9ba575230..09373afdd 100644
--- a/artifactory_test.go
+++ b/artifactory_test.go
@@ -6815,7 +6815,7 @@ func setupTestFilesForSearchPatterns(t *testing.T) {
 tmpFile, err := os.CreateTemp("", "test-file-*.txt")
 assert.NoError(t, err)
 defer func(name string) {
- _ = os.Remove(name)
+ _ = os.Remove(name) // #nosec G703 -- name is from CreateTemp, not user input
 }(tmpFile.Name())
 _, err = tmpFile.WriteString("test content")
 if err != nil {
diff --git a/general/ai/cli.go b/general/ai/cli.go
index fbed17070..728304d4a 100644
--- a/general/ai/cli.go
+++ b/general/ai/cli.go
@@ -164,6 +164,7 @@ func sendRestAPI(apiType ApiType, content interface{}) (response string, err err
 req.Header.Set(askRateLimitHeader, "true")
 }
 log.Debug(fmt.Sprintf("Sending HTTP %s request to: %s", req.Method, req.URL))
+ // #nosec G704 -- URL is a constant CLI-AI endpoint, not user-controlled input
 resp, err := client.GetClient().Do(req)
 if err != nil {
 err = errorutils.CheckErrorf("CLI-AI server is not available. Please check your network or try again later.")
diff --git a/general/summary/cli.go b/general/summary/cli.go
index 7f9881d1b..1a19ab0b2 100644
--- a/general/summary/cli.go
+++ b/general/summary/cli.go
@@ -131,6 +131,7 @@ func saveFile(content, filePath string) (err error) {
 if content == "" {
 return nil
 }
+ // #nosec G703 -- filePath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
 file, err := os.Create(filePath)
 if err != nil {
 return err
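Review bot: The new own-line `// #nosec G704` above `client.GetClient().Do(req)` is one of three suppression forms this series ends up with: own-line `// #nosec` here and in summary/cli.go, nuget_test.go, utils.go and utils_test.go, trailing `// #nosec` in artifactory_test.go and lifecycle_test.go, and trailing `/* #nosec … */` that the third patch settles on for docker_test.go. One form should be used throughout; if the third patch switched forms because the own-line comment was not being honored by the scanner, these sites need the same treatment, and in any case a single convention keeps a later audit of suppressions (a grep for `#nosec`) simple. The justification also calls the URL "a constant CLI-AI endpoint", which cannot be checked from this hunk because the request is built above it; naming that constant in the comment, e.g. `// #nosec G704 -- req.URL is built from <endpoint constant>, see request setup in sendRestAPI`, would let a reader verify the claim without leaving the line. `sendRestAPI` begins before and ends after this hunk.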
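Review bot: The justification on the new `// #nosec G703` before `os.Create(filePath)` says the path is "set by CLI, not arbitrary user input", but the later hunks in this file (`getSectionMarkdownContent`, `shouldGenerateUploadSummary`) show the root is read with `os.Getenv(coreutils.SummaryOutputDirPathEnv)`, so it is external input from the process environment; the caller that builds `filePath` for `saveFile` is outside this hunk, so whether the same applies here is inferred. The suppression still looks reasonable, since whoever sets that variable already runs the CLI under their own account and a traversal through it crosses no privilege boundary, but the comment should state that argument rather than deny that the input is external. Suggested wording for all three sites: `// #nosec G703 -- root comes from SummaryOutputDirPathEnv, set by the user running the CLI; no privilege boundary for a traversal to cross`. `saveFile` starts before and ends after this hunk.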
@@ -146,10 +147,12 @@ func saveFile(content, filePath string) (err error) { func getSectionMarkdownContent(section MarkdownSection) (string, error) { sectionFilepath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName) + // #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) { return "", nil } + // #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input contentBytes, err := os.ReadFile(sectionFilepath) if err != nil { return "", fmt.Errorf("error reading markdown file for section %s: %w", section, err) @@ -280,6 +283,7 @@ func processScan(index commandsummary.Index, filePath string, scannedName string // shouldGenerateUploadSummary checks if upload summary should be generated. func shouldGenerateUploadSummary() (bool, error) { buildInfoPath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo)) + // #nosec G703 -- buildInfoPath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input if _, err := os.Stat(buildInfoPath); os.IsNotExist(err) { return true, nil } diff --git a/lifecycle_test.go b/lifecycle_test.go index e61e76aa2..cb533a942 100644 --- a/lifecycle_test.go +++ b/lifecycle_test.go @@ -1641,5 +1641,5 @@ type KeyPairPayload struct { Alias string `json:"alias,omitempty"` Passphrase string `json:"passphrase,omitempty"` PublicKey string `json:"publicKey,omitempty"` - PrivateKey string `json:"privateKey,omitempty"` + PrivateKey string `json:"privateKey,omitempty"` // #nosec G117 -- field name is for JSON serialization, not a hardcoded secret } diff --git a/nuget_test.go b/nuget_test.go index b54965706..43fcb12c3 100644 --- a/nuget_test.go +++ b/nuget_test.go 
@@ -251,6 +251,7 @@ func runInitNewConfig(t *testing.T, testSuite testInitNewConfigDescriptor, baseR return } + // #nosec G703 -- configFile path is created by test setup, not user input content, err := os.ReadFile(configFile.Name()) if err != nil { assert.NoError(t, err) diff --git a/utils/cliutils/utils.go b/utils/cliutils/utils.go index 0cf5a6d89..4d239a0a9 100644 --- a/utils/cliutils/utils.go +++ b/utils/cliutils/utils.go @@ -668,6 +668,7 @@ func getLatestCliVersionFromGithubAPI() (githubVersionInfo githubResponse, err e func doHttpRequest(client *http.Client, req *http.Request) (resp *http.Response, body []byte, err error) { const maxResponseSize = 10 * 1024 * 1024 // 10MB limit req.Close = true + // #nosec G704 -- URL is validated and constructed from CLI configuration, not arbitrary user input resp, err = client.Do(req) if errorutils.CheckError(err) != nil { return diff --git a/utils/cliutils/utils_test.go b/utils/cliutils/utils_test.go index 9597bde75..25bff9832 100644 --- a/utils/cliutils/utils_test.go +++ b/utils/cliutils/utils_test.go @@ -365,6 +365,7 @@ type redirectingTransport struct { func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) { if req.URL.String() == t.targetURL { // Create a new request to the redirect URL + // #nosec G704 -- redirectURL is a controlled test value, not user input redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body) if err != nil { return nil, err From 7e8ad5af7eda94f12459e45d36823b573bc0c2ef Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Fri, 13 Feb 2026 15:51:07 +0530 Subject: [PATCH 2/3] Addressing go sec failures --- docker_test.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docker_test.go b/docker_test.go index 6635d0827..9c5655222 100644 --- a/docker_test.go +++ b/docker_test.go 
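Review bot: The new `// #nosec G704` is placed inside the shared helper `doHttpRequest`, which receives an already-built `*http.Request` from its caller, so the justification ("URL is validated and constructed from CLI configuration") describes the caller rather than this function, and the suppression silences G704 for every present and future caller of the helper. If the taint analyzer reports at the sink, the directive has to stay on `client.Do(req)`, but its text should then state the contract the helper relies on, e.g. `// #nosec G704 -- doHttpRequest only serves requests whose URL is built from trusted CLI config (currently getLatestCliVersionFromGithubAPI); callers must not pass user-supplied URLs`, and the same sentence belongs in the function's doc comment. The `@@` context names `getLatestCliVersionFromGithubAPI`, so that is the only caller visible here; any others are outside this hunk. `doHttpRequest` continues past the end of the hunk.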
@@ -138,7 +138,7 @@ func setupInsecureBuildxBuilder(t *testing.T, builderName string) func() { http = true insecure = true `, registryHost) - require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) + require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) //nolint:gosec // G703 - configPath is constructed from test temp directory, not user input // Remove builder if it exists (stop first, then remove) _ = exec.Command("docker", "buildx", "stop", builderName).Run() @@ -923,7 +923,7 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -972,11 +972,11 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // Create test file testFilePath := filepath.Join(workspace, "test.txt") - assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) + assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) //nolint:gosec // G703 - testFilePath is constructed from test workspace, not user input // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) 
@@ -1030,7 +1030,7 @@ FROM %s CMD ["hello"]`, golangImage, alpineImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1082,7 +1082,7 @@ RUN echo "Built with buildx" CMD ["echo", "Hello from buildx"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // Check if buildx is available cmd := exec.Command("docker", "buildx", "version") @@ -1141,7 +1141,7 @@ RUN echo "Testing virtual repo" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1286,7 +1286,7 @@ func TestDockerBuildPublishWithCIVcsProps(t *testing.T) { CMD ["echo", "Hello from CI VCS test"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input // Clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) 
From e969f6b7eff0d44fce62be9af477316850be6238 Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Fri, 13 Feb 2026 15:57:33 +0530 Subject: [PATCH 3/3] Addressing go sec failures --- docker_test.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docker_test.go b/docker_test.go index 03274c916..39d2c9731 100644 --- a/docker_test.go +++ b/docker_test.go @@ -138,7 +138,7 @@ func setupInsecureBuildxBuilder(t *testing.T, builderName string) func() { http = true insecure = true `, registryHost) - require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) //nolint:gosec // G703 - configPath is constructed from test temp directory, not user input + require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) /* #nosec G703 -- configPath is constructed from test temp directory, not user input */ // Remove builder if it exists (stop first, then remove) _ = exec.Command("docker", "buildx", "stop", builderName).Run() @@ -427,7 +427,7 @@ RUN echo "Built for nested path test" CMD ["echo", "Hello from nested path"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // Cleanup old build inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails) 
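Review bot: The `/* #nosec G703 -- … */` directives added on `os.WriteFile(configPath, …, 0644)` and on the `Dockerfile` write in this patch are rule-scoped, so the `0644` mode on the same calls can still be reported by G306 (expects 0600 or less) unless that rule is excluded in the project's gosec configuration; the same applies to every other `os.WriteFile` hunk in this patch (lines 515, 538, 1092, 1141, 1199, 1251, 1310 and 1455). Either extend the directive, `/* #nosec G703 G306 -- … */`, or drop to `0600` where nothing outside the test process needs to read the file. This patch also replaces the `//nolint:gosec` form introduced by the second patch, which is golangci-lint syntax rather than a gosec directive, so the earlier hunks need no separate fix.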
@@ -515,7 +515,7 @@ RUN echo "This is the nested base image" CMD ["echo", "base"]`, alpineBase) baseDockerfilePath := filepath.Join(workspace, "Dockerfile.base") - assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) + assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) /* #nosec G703 -- baseDockerfilePath is constructed from test workspace, not user input */ // Push base image to nested path inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, baseImageBuildName, artHttpDetails) @@ -538,7 +538,7 @@ RUN echo "This is the child image using nested base" CMD ["echo", "child"]`, baseImageTag) childDockerfilePath := filepath.Join(workspace, "Dockerfile.child") - assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) + assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) /* #nosec G703 -- childDockerfilePath is constructed from test workspace, not user input */ // Build child image inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, childBuildName, artHttpDetails) @@ -1092,7 +1092,7 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) 
@@ -1141,11 +1141,11 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // Create test file testFilePath := filepath.Join(workspace, "test.txt") - assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) //nolint:gosec // G703 - testFilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) /* #nosec G703 -- testFilePath is constructed from test workspace, not user input */ // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1199,7 +1199,7 @@ FROM %s CMD ["hello"]`, golangImage, alpineImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) 
@@ -1251,7 +1251,7 @@ RUN echo "Built with buildx" CMD ["echo", "Hello from buildx"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // Check if buildx is available cmd := exec.Command("docker", "buildx", "version") @@ -1310,7 +1310,7 @@ RUN echo "Testing virtual repo" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1455,7 +1455,7 @@ func TestDockerBuildPublishWithCIVcsProps(t *testing.T) { CMD ["echo", "Hello from CI VCS test"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //nolint:gosec // G703 - dockerfilePath is constructed from test workspace, not user input + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) /* #nosec G703 -- dockerfilePath is constructed from test workspace, not user input */ // Clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber)