From 35a4bc881df2f7147e7619670b177d770beb09e1 Mon Sep 17 00:00:00 2001 From: Kanishk Date: Tue, 17 Feb 2026 15:19:20 +0530 Subject: [PATCH 1/6] Fix GOSEC --- artifactory_test.go | 2 +- docker_test.go | 22 +++++++++++----------- general/ai/cli.go | 2 +- general/summary/cli.go | 6 +++--- lifecycle_test.go | 2 +- nuget_test.go | 2 +- utils/cliutils/utils.go | 2 +- utils/cliutils/utils_test.go | 2 +- 8 files changed, 20 insertions(+), 20 deletions(-) diff --git a/artifactory_test.go b/artifactory_test.go index 1e0468518..a2ffcc60d 100644 --- a/artifactory_test.go +++ b/artifactory_test.go @@ -6815,7 +6815,7 @@ func setupTestFilesForSearchPatterns(t *testing.T) { tmpFile, err := os.CreateTemp("", "test-file-*.txt") assert.NoError(t, err) defer func(name string) { - _ = os.Remove(name) + _ = os.Remove(name) //#nosec G703 -- test code, path from temp file }(tmpFile.Name()) _, err = tmpFile.WriteString("test content") if err != nil { diff --git a/docker_test.go b/docker_test.go index a8fb5cc6a..1598b5241 100644 --- a/docker_test.go +++ b/docker_test.go @@ -138,7 +138,7 @@ func setupInsecureBuildxBuilder(t *testing.T, builderName string) func() { http = true insecure = true `, registryHost) - require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) + require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) //#nosec G703 -- test code, path is constructed from temp dir // Remove builder if it exists (stop first, then remove) _ = exec.Command("docker", "buildx", "stop", builderName).Run() @@ -427,7 +427,7 @@ RUN echo "Built for nested path test" CMD ["echo", "Hello from nested path"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // Cleanup old build inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails) @@ -515,7 +515,7 @@ RUN echo "This is the nested base image" CMD ["echo", "base"]`, alpineBase) baseDockerfilePath := filepath.Join(workspace, "Dockerfile.base") - assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) + assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) //#nosec G703 -- test code, path built from test workspace // Push base image to nested path inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, baseImageBuildName, artHttpDetails) @@ -538,7 +538,7 @@ RUN echo "This is the child image using nested base" CMD ["echo", "child"]`, baseImageTag) childDockerfilePath := filepath.Join(workspace, "Dockerfile.child") - assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) + assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) //#nosec G703 -- test code, path built from test workspace // Build child image inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, childBuildName, artHttpDetails) @@ -1092,7 +1092,7 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1141,11 +1141,11 @@ RUN echo "Hello from test" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // Create test file testFilePath := filepath.Join(workspace, "test.txt") - assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) + assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) //#nosec G703 -- test code // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1199,7 +1199,7 @@ FROM %s CMD ["hello"]`, golangImage, alpineImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1251,7 +1251,7 @@ RUN echo "Built with buildx" CMD ["echo", "Hello from buildx"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // Check if buildx is available cmd := exec.Command("docker", "buildx", "version") @@ -1310,7 +1310,7 @@ RUN echo "Testing virtual repo" CMD ["sh"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) @@ -1455,7 +1455,7 @@ func TestDockerBuildPublishWithCIVcsProps(t *testing.T) { CMD ["echo", "Hello from CI VCS test"]`, baseImage) dockerfilePath := filepath.Join(workspace, "Dockerfile") - assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) + assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace // Clean build before test runJfrogCli(t, "rt", "bc", buildName, buildNumber) diff --git a/general/ai/cli.go b/general/ai/cli.go index fbed17070..41bb02388 100644 --- a/general/ai/cli.go +++ b/general/ai/cli.go @@ -164,7 +164,7 @@ func sendRestAPI(apiType ApiType, content interface{}) (response string, err err req.Header.Set(askRateLimitHeader, "true") } log.Debug(fmt.Sprintf("Sending HTTP %s request to: %s", req.Method, req.URL)) - resp, err := client.GetClient().Do(req) + resp, err := client.GetClient().Do(req) //#nosec G704 -- URL is constructed from a hardcoded AI service endpoint if err != nil { err = errorutils.CheckErrorf("CLI-AI server is not available. Please check your network or try again later.") return diff --git a/general/summary/cli.go b/general/summary/cli.go index 7f9881d1b..0e439c091 100644 --- a/general/summary/cli.go +++ b/general/summary/cli.go @@ -131,7 +131,7 @@ func saveFile(content, filePath string) (err error) { if content == "" { return nil } - file, err := os.Create(filePath) + file, err := os.Create(filepath.Clean(filePath)) if err != nil { return err } @@ -145,7 +145,7 @@ func saveFile(content, filePath string) (err error) { } func getSectionMarkdownContent(section MarkdownSection) (string, error) { - sectionFilepath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName) + sectionFilepath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName)) if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) { return "", nil } @@ -279,7 +279,7 @@ func processScan(index commandsummary.Index, filePath string, scannedName string // shouldGenerateUploadSummary checks if upload summary should be generated. func shouldGenerateUploadSummary() (bool, error) { - buildInfoPath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo)) + buildInfoPath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo))) if _, err := os.Stat(buildInfoPath); os.IsNotExist(err) { return true, nil } diff --git a/lifecycle_test.go b/lifecycle_test.go index fb5212254..aba215448 100644 --- a/lifecycle_test.go +++ b/lifecycle_test.go @@ -1713,5 +1713,5 @@ type KeyPairPayload struct { Alias string `json:"alias,omitempty"` Passphrase string `json:"passphrase,omitempty"` PublicKey string `json:"publicKey,omitempty"` - PrivateKey string `json:"privateKey,omitempty"` + PrivateKey string `json:"privateKey,omitempty"` //#nosec G117 -- test struct, not a real secret } diff --git a/nuget_test.go b/nuget_test.go index bc500c0e8..103eb7ed3 100644 --- a/nuget_test.go +++ b/nuget_test.go @@ -251,7 +251,7 @@ func runInitNewConfig(t *testing.T, testSuite testInitNewConfigDescriptor, baseR return } - content, err := os.ReadFile(configFile.Name()) + content, err := os.ReadFile(configFile.Name()) //#nosec G703 -- test code, path from temp file if err != nil { assert.NoError(t, err) return diff --git a/utils/cliutils/utils.go b/utils/cliutils/utils.go index 0cf5a6d89..b576d7f7a 100644 --- a/utils/cliutils/utils.go +++ b/utils/cliutils/utils.go @@ -668,7 +668,7 @@ func getLatestCliVersionFromGithubAPI() (githubVersionInfo githubResponse, err e func doHttpRequest(client *http.Client, req *http.Request) (resp *http.Response, body []byte, err error) { const maxResponseSize = 10 * 1024 * 1024 // 10MB limit req.Close = true - resp, err = client.Do(req) + resp, err = client.Do(req) //#nosec G704 -- URL is constructed internally from validated version API endpoint if errorutils.CheckError(err) != nil { return } diff --git a/utils/cliutils/utils_test.go b/utils/cliutils/utils_test.go index 9597bde75..9fe069525 100644 --- a/utils/cliutils/utils_test.go +++ b/utils/cliutils/utils_test.go @@ -365,7 +365,7 @@ type redirectingTransport struct { func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) { if req.URL.String() == t.targetURL { // Create a new request to the redirect URL - redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body) + redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body) //nolint:gosec // G704 - URL is a test-controlled constant if err != nil { return nil, err } From 7ddcd06c70680f5d39945e9a83d0c5d05b8ce0bc Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Tue, 17 Feb 2026 16:23:23 +0530 Subject: [PATCH 2/6] Update general/summary/cli.go --- general/summary/cli.go | 1 + 1 file changed, 1 insertion(+) diff --git a/general/summary/cli.go b/general/summary/cli.go index 0e439c091..5e9c8a1ac 100644 --- a/general/summary/cli.go +++ b/general/summary/cli.go @@ -280,6 +280,7 @@ func processScan(index commandsummary.Index, filePath string, scannedName string // shouldGenerateUploadSummary checks if upload summary should be generated. func shouldGenerateUploadSummary() (bool, error) { buildInfoPath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo))) + // #nosec G703 -- buildInfoPath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input, and buildInfoPath is already cleaned. if _, err := os.Stat(buildInfoPath); os.IsNotExist(err) { return true, nil } From fd91353ddce1ebb8c470450c1df1147e6b2fcc0d Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Tue, 17 Feb 2026 16:23:32 +0530 Subject: [PATCH 3/6] Update utils/cliutils/utils_test.go --- utils/cliutils/utils_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/utils/cliutils/utils_test.go b/utils/cliutils/utils_test.go index 9fe069525..a39f45ef7 100644 --- a/utils/cliutils/utils_test.go +++ b/utils/cliutils/utils_test.go @@ -365,6 +365,7 @@ type redirectingTransport struct { func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) { if req.URL.String() == t.targetURL { // Create a new request to the redirect URL + // #nosec G704 -- redirectURL is a controlled test value, not user input redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body) //nolint:gosec // G704 - URL is a test-controlled constant if err != nil { return nil, err From f647636efd46f71690c0ca2844e2df9fb3fc6c56 Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Tue, 17 Feb 2026 16:23:39 +0530 Subject: [PATCH 4/6] Update general/summary/cli.go --- general/summary/cli.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/general/summary/cli.go b/general/summary/cli.go index 5e9c8a1ac..44fed2a3e 100644 --- a/general/summary/cli.go +++ b/general/summary/cli.go @@ -149,7 +149,7 @@ func getSectionMarkdownContent(section MarkdownSection) (string, error) { if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) { return "", nil } - +// #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input contentBytes, err := os.ReadFile(sectionFilepath) if err != nil { return "", fmt.Errorf("error reading markdown file for section %s: %w", section, err) From 28d75404d6a49b1851c83500e14112bfd3ed988a Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Tue, 17 Feb 2026 16:23:47 +0530 Subject: [PATCH 5/6] Update general/summary/cli.go --- general/summary/cli.go | 1 + 1 file changed, 1 insertion(+) diff --git a/general/summary/cli.go b/general/summary/cli.go index 44fed2a3e..07a5efa62 100644 --- a/general/summary/cli.go +++ b/general/summary/cli.go @@ -146,6 +146,7 @@ func saveFile(content, filePath string) (err error) { func getSectionMarkdownContent(section MarkdownSection) (string, error) { sectionFilepath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName)) + // #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input and sectionFilepath is already cleaned. if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) { return "", nil } From 61e39f7c05bdd9a4cd339615f0906fb7984e6c67 Mon Sep 17 00:00:00 2001 From: Naveen Kumar Date: Tue, 17 Feb 2026 16:23:54 +0530 Subject: [PATCH 6/6] Update general/summary/cli.go --- general/summary/cli.go | 1 + 1 file changed, 1 insertion(+) diff --git a/general/summary/cli.go b/general/summary/cli.go index 07a5efa62..d9137edd9 100644 --- a/general/summary/cli.go +++ b/general/summary/cli.go @@ -131,6 +131,7 @@ func saveFile(content, filePath string) (err error) { if content == "" { return nil } +// #nosec G703 -- filePath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input and filePath is already cleaned. file, err := os.Create(filepath.Clean(filePath)) if err != nil { return err