First commit for ControllerMesh -- just for test #2
Conversation
FillZpp
force-pushed
the
controllermesh-first-commit
branch
from
0a905f3 to
4127d3c
Compare
Codecov Report
@@ Coverage Diff @@
## master #2 +/- ##
==========================================
- Coverage 47.74% 47.04% -0.70%
==========================================
Files 82 82
Lines 7570 7682 +112
==========================================
Hits 3614 3614
- Misses 3379 3491 +112
Partials 577 577
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
FillZpp
force-pushed
the
controllermesh-first-commit
branch
6 times, most recently
from
570b82e to
3865d80
Compare
FillZpp
force-pushed
the
controllermesh-first-commit
branch
3 times, most recently
from
977e0d6 to
5b09248
Compare
FillZpp
force-pushed
the
controllermesh-first-commit
branch
from
5b09248 to
c310ef2
Compare
FillZpp
force-pushed
the
controllermesh-first-commit
branch
2 times, most recently
from
4eaad0e to
48e5bff
Compare
FillZpp
force-pushed
the
controllermesh-first-commit
branch
4 times, most recently
from
df299a0 to
07f8bb4
Compare
FillZpp
force-pushed
the
controllermesh-first-commit
branch
from
07f8bb4 to
f668804
Compare
Signed-off-by: Siyu Wang <[email protected]>
FillZpp
force-pushed
the
controllermesh-first-commit
branch
from
f668804 to
238600d
Compare
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| github.com/go-bindata/go-bindata v3.1.2+incompatible // indirect | ||
| github.com/go-openapi/spec v0.19.2 | ||
| github.com/gogo/googleapis v1.4.0 // indirect | ||
| github.com/gogo/protobuf v1.3.1 |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:golang/github.com/gogo/[email protected]
1 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a direct dependency
CRITICAL Vulnerabilities (1)
[CVE-2021-3121] An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarsha...
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(at-me in a reply with help or ignore)
| klog.Errorf("failed to create connection to unix socket: %s, error: %v", addr, err) | ||
| } | ||
| return c, err | ||
| })) |
There was a problem hiding this comment.
opt.semgrep.go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection: Found an insecure gRPC connection. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
(at-me in a reply with help or ignore)
| var opts []grpc.ServerOption | ||
| // Set max message size in bytes is 64MB | ||
| opts = append(opts, grpc.MaxRecvMsgSize(1024*1024*64)) | ||
| grpcServer := grpc.NewServer(opts...) |
There was a problem hiding this comment.
opt.semgrep.go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection: Found an insecure gRPC connection. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
(at-me in a reply with help or ignore)
| p.P(`if this.`, fieldname, `[i] != that1.`, fieldname, `[i] {`) | ||
| } else { | ||
| p.P(`if this.`, fieldname, `[i] != that1.`, fieldname, `[i] {`) | ||
| } |
There was a problem hiding this comment.
opt.semgrep.go.lang.maintainability.useless-ifelse.useless-if-body: Detected identical if-statement bodies. Is this intentional?
(at-me in a reply with help or ignore)
| } else { | ||
| p.P(`s = append(s, "`, fieldname, `: " + `, fmtPkg.Use(), `.Sprintf("%#v", this.`, fieldname, `) + ",\n")`) | ||
| } | ||
| } |
There was a problem hiding this comment.
opt.semgrep.go.lang.maintainability.useless-ifelse.useless-if-body: Detected identical if-statement bodies. Is this intentional?
(at-me in a reply with help or ignore)
| p.P(`n+=`, strconv.Itoa(key+1)) | ||
| } else { | ||
| p.P(`n+=`, strconv.Itoa(key+1)) | ||
| } |
There was a problem hiding this comment.
opt.semgrep.go.lang.maintainability.useless-ifelse.useless-if-body: Detected identical if-statement bodies. Is this intentional?
(at-me in a reply with help or ignore)
| } | ||
|
|
||
| func getMD5Hash(text string) string { | ||
| hash := md5.Sum([]byte(text)) |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.bad_imports.insecure-module-used: Insecure module used.
(at-me in a reply with help or ignore)
| // | ||
| // NewHash(sha1.New(), space, data, 5) | ||
| func NewSHA1(space UUID, data []byte) UUID { | ||
| return NewHash(sha1.New(), space, data, 5) |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.bad_imports.insecure-module-used: Insecure module used.
(at-me in a reply with help or ignore)
| // getNonceAccept computes the base64-encoded SHA-1 of the concatenation of | ||
| // the nonce ("Sec-WebSocket-Key" value) with the websocket GUID string. | ||
| func getNonceAccept(nonce []byte) (expected []byte, err error) { | ||
| h := sha1.New() |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.bad_imports.insecure-module-used: Insecure module used.
(at-me in a reply with help or ignore)
| } | ||
|
|
||
| func getMD5Hash(text string) string { | ||
| hash := md5.Sum([]byte(text)) |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5: Detected MD5 hash algorithm which is considered insecure. MD5 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use SHA256 or SHA3 instead.
(at-me in a reply with help or ignore)
| // | ||
| // NewHash(md5.New(), space, data, 3) | ||
| func NewMD5(space UUID, data []byte) UUID { | ||
| return NewHash(md5.New(), space, data, 3) |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5: Detected MD5 hash algorithm which is considered insecure. MD5 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use SHA256 or SHA3 instead.
(at-me in a reply with help or ignore)
| // | ||
| // NewHash(sha1.New(), space, data, 5) | ||
| func NewSHA1(space UUID, data []byte) UUID { | ||
| return NewHash(sha1.New(), space, data, 5) |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use SHA256 or SHA3 instead.
(at-me in a reply with help or ignore)
| // getNonceAccept computes the base64-encoded SHA-1 of the concatenation of | ||
| // the nonce ("Sec-WebSocket-Key" value) with the websocket GUID string. | ||
| func getNonceAccept(nonce []byte) (expected []byte, err error) { | ||
| h := sha1.New() |
There was a problem hiding this comment.
opt.semgrep.go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
collision resistant and is therefore not suitable as a cryptographic
signature. Use SHA256 or SHA3 instead.
(at-me in a reply with help or ignore)
| } | ||
| w.Header().Set("Content-Type", "application/json") | ||
| w.WriteHeader(statusCode) | ||
| w.Write(output) |
There was a problem hiding this comment.
opt.semgrep.no-direct-write-to-responsewriter: Detected directly writing or similar in http.ResponseWriter.write().
This bypasses HTML escaping that prevents cross-site scripting
vulnerabilities. Instead, use the 'html/template' package
and render data using template.Execute().
(at-me in a reply with help or ignore)
| func writePlainText(statusCode int, text string, w http.ResponseWriter) { | ||
| w.Header().Set("Content-Type", "text/plain") | ||
| w.WriteHeader(statusCode) | ||
| fmt.Fprintln(w, text) |
There was a problem hiding this comment.
opt.semgrep.no-fprintf-to-responsewriter: Detected Fprintf or similar writing to http.ResponseWriter.
This bypasses HTML escaping that prevents cross-site scripting
vulnerabilities. Instead, use the 'html/template' package
to render data to users.
(at-me in a reply with help or ignore)
| continue | ||
| } | ||
|
|
||
| addr := fmt.Sprintf("%s:%d", leader.PodIP, metaInfo.Status.Ports.GrpcLeaderElectionPort) |
There was a problem hiding this comment.
opt.semgrep.sprintf-host-port: Use net.JoinHostPort instead of fmt.Sprintf($XX, addr). When using IPv6, JoinHostPort continues to operate properly.
(at-me in a reply with help or ignore)
| continue | ||
| } | ||
|
|
||
| addr := fmt.Sprintf("%s:%d", leader.PodIP, metaInfo.Status.Ports.GrpcLeaderElectionPort) |
There was a problem hiding this comment.
opt.semgrep.sprintf-host-port: Use net.JoinHostPort instead of fmt.Sprintf(metaInfo.Status.Ports.GrpcLeaderElectionPort, leader.PodIP). When using IPv6, JoinHostPort continues to operate properly.
(at-me in a reply with help or ignore)
| tc.cache = make(map[string]http.RoundTripper, 10) | ||
| } | ||
| host := hosts[0] | ||
| redirectHost := fmt.Sprintf("%s:%d", host, tc.webhookPort) |
There was a problem hiding this comment.
opt.semgrep.sprintf-host-port: Use net.JoinHostPort instead of fmt.Sprintf($XX, redirectHost). When using IPv6, JoinHostPort continues to operate properly.
(at-me in a reply with help or ignore)
| tc.cache = make(map[string]http.RoundTripper, 10) | ||
| } | ||
| host := hosts[0] | ||
| redirectHost := fmt.Sprintf("%s:%d", host, tc.webhookPort) |
There was a problem hiding this comment.
opt.semgrep.sprintf-host-port: Use net.JoinHostPort instead of fmt.Sprintf(tc.webhookPort, host). When using IPv6, JoinHostPort continues to operate properly.
(at-me in a reply with help or ignore)
| klog.Infof("Webhook proxy stopped") | ||
| } | ||
| } | ||
| select { |
There was a problem hiding this comment.
S1000: should use a simple channel send/receive instead of select with a single case
(at-me in a reply with help or ignore)
| func (c *GrpcClient) connect(stopChan <-chan struct{}, initChan chan struct{}) { | ||
| parentCtx, parentCancel := context.WithCancel(context.Background()) | ||
| go func() { | ||
| select { |
There was a problem hiding this comment.
S1000: should use a simple channel send/receive instead of select with a single case
(at-me in a reply with help or ignore)
| }) | ||
|
|
||
| listObj.Object["items"] = newItems | ||
| return |
There was a problem hiding this comment.
S1023: redundant return statement
(at-me in a reply with help or ignore)
| go spc.copyToBackend(errc) | ||
| go spc.copyFromBackend(errc) | ||
| <-errc | ||
| return |
There was a problem hiding this comment.
S1023: redundant return statement
(at-me in a reply with help or ignore)
| } | ||
|
|
||
| ctx := req.Context() | ||
| if cn, ok := rw.(http.CloseNotifier); ok { |
There was a problem hiding this comment.
SA1019: http.CloseNotifier has been deprecated since Go 1.11 and an alternative has been available since Go 1.7: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.
(at-me in a reply with help or ignore)
| t.remaining = body[n:] | ||
| return n, nil | ||
| } | ||
| p = append(p[0:0], body...) |
There was a problem hiding this comment.
SA4006: this value of p is never used
(at-me in a reply with help or ignore)
| t.remaining = body[n:] | ||
| return n, nil | ||
| } | ||
| p = append(p[0:0], body...) |
There was a problem hiding this comment.
SA4010: this result of append is never used, except maybe in other appends
(at-me in a reply with help or ignore)
|
|
||
| conn, brw, err := hj.Hijack() | ||
| if err != nil { | ||
| p.getErrorHandler()(rw, req, fmt.Errorf("Hijack failed on protocol switch: %v", err)) |
There was a problem hiding this comment.
ST1005: error strings should not be capitalized
(at-me in a reply with help or ignore)
Ⅰ. Describe what this PR does
First commit for ControllerMesh -- just for test
Ⅱ. Does this pull request fix one issue?
Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.
Ⅳ. Describe how to verify it
Ⅴ. Special notes for reviews