From 16578d877736db7457e91622df9748b4fee4ee87 Mon Sep 17 00:00:00 2001
From: rick
Date: Tue, 26 Jan 2021 21:21:26 +0800
Subject: [PATCH] Add gosec of GitHub action
---
 .github/workflows/pull-request.yaml | 26 ++++++++++++++++++++++++++
 cmd/install.go | 4 ++--
 pkg/http.go | 4 ++--
 pkg/progress.go | 2 +-
 4 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
index 3fd1226e..e2653d7b 100644
--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -40,3 +40,29 @@ jobs:
 uses: Jerome1337/golint-action@v1.0.2
 with:
 golint-path: ./...
+ Security:
+ name: Security
+ runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v2
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ args: '-exclude=G402,G204,G304,G110 ./...'
+ CodeQL:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v2
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: go
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/cmd/install.go b/cmd/install.go
index 70790126..0ff616aa 100644
--- a/cmd/install.go
+++ b/cmd/install.go
@@ -64,7 +64,7 @@ func (o *installOption) overWriteBinary(sourceFile, targetPath string) (err error)
 }
 default:
 sourceF, _ := os.Open(sourceFile)
- targetF, _ := os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR, 0664)
+ targetF, _ := os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR, 0600)
 if _, err = io.Copy(targetF, sourceF); err != nil {
 err = fmt.Errorf("cannot copy %s from %s to %v, error: %v", o.name, sourceFile, targetPath, err)
 }
@@ -138,7 +138,7 @@ func execCommand(name string, arg ...string) (err error) {
 wg.Done()
 }()
- copyAndCapture(os.Stderr, stderrIn)
+ _, _ = copyAndCapture(os.Stderr, stderrIn)
 wg.Wait()
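Review bot: `uses: securego/gosec@master` in the new Security job runs whatever the upstream default branch points to at the time of each run, so any change or compromise upstream changes what executes in this pipeline; the golint step just above pins `@v1.0.2`, so pin gosec the same way, preferably to a commit SHA: `uses: securego/gosec@<release tag or commit SHA>`. The `-exclude=G402,G204,G304,G110` argument also switches off the TLS-verification, subprocess-with-variable, file-path-from-input and decompression-bomb rules for the whole module, which are the rules most relevant to a tool that downloads and installs binaries. Waiving each accepted finding at its site with `// #nosec G204 -- <reason>` keeps the rule active everywhere else and records why it is waived.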
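Review bot: Both `os.Open` and `os.OpenFile` in the overWriteBinary hunk still discard their errors with `_`, so the permission change does not address the real problem: if either open fails, `sourceF` or `targetF` is nil, the user only sees the misleading "cannot copy" wrapper from `io.Copy`, and neither file is closed anywhere in the visible lines (the function continues outside the hunk). Checking both errors, and closing the target explicitly after the copy rather than in a `defer`, avoids keeping the new binary open for writing while any later step of the function runs. Opening without `os.O_TRUNC` also leaves the tail of a longer pre-existing file in place when the new binary is shorter, unless the target is removed earlier, which the hunk does not show; the same flag is missing in the `DownloadFileWithMultipleThreadKeepParts` hunk of pkg/http.go. Note that the mode argument only applies when the file is created, and neither 0664 nor 0600 carries an execute bit, so presumably a chmod happens elsewhere.
```go
default:
	var sourceF, targetF *os.File
	if sourceF, err = os.Open(sourceFile); err != nil {
		return fmt.Errorf("cannot open %s, error: %v", sourceFile, err)
	}
	defer func() { _ = sourceF.Close() }()
	if targetF, err = os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600); err != nil {
		return fmt.Errorf("cannot open %s, error: %v", targetPath, err)
	}
	if _, err = io.Copy(targetF, sourceF); err != nil {
		// … unchanged: wrap the copy error …
	}
	// Close explicitly rather than deferring so the binary is not still open
	// for writing when the rest of the function runs; a close failure is only
	// reported when the copy itself succeeded.
	if closeErr := targetF.Close(); closeErr != nil && err == nil {
		err = fmt.Errorf("cannot close %s, error: %v", targetPath, closeErr)
	}
```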
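Review bot: `_, _ = copyAndCapture(os.Stderr, stderrIn)` in the execCommand hunk silences the linter but still throws away a copy error that the function could return through its named `err` result. The body of execCommand starts and ends outside the hunk, so I cannot see whether `err` is already set at this point, but `if _, cerr := copyAndCapture(os.Stderr, stderrIn); cerr != nil && err == nil { err = cerr }` keeps the first failure instead of dropping it.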
diff --git a/pkg/http.go b/pkg/http.go
index 5f7fb0da..819e043f 100644
--- a/pkg/http.go
+++ b/pkg/http.go
@@ -159,9 +159,9 @@ func (h *HTTPDownloader) DownloadFile() error {
 // Create the file
 out, err := os.Create(filepath)
 if err != nil {
+ out.Close()
 return err
 }
- defer out.Close()
 writer.Writer = out
@@ -216,7 +216,7 @@ func DownloadFileWithMultipleThreadKeepParts(targetURL, targetFilePath string, t
 // concat all these partial files
 var f *os.File
- if f, err = os.OpenFile(targetFilePath, os.O_CREATE|os.O_WRONLY, 0644); err == nil {
+ if f, err = os.OpenFile(targetFilePath, os.O_CREATE|os.O_WRONLY, 0600); err == nil {
 defer func() { _ = f.Close() }()
diff --git a/pkg/progress.go b/pkg/progress.go
index 87826946..2235368f 100644
--- a/pkg/progress.go
+++ b/pkg/progress.go
@@ -52,6 +52,6 @@ func (i *ProgressIndicator) setBar(n int) {
 i.count += float64(n)
 if i.bar != nil {
- i.bar.Set((int)(i.count * 100 / i.Total))
+ _ = i.bar.Set((int)(i.count * 100 / i.Total))
 }
 }
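Review bot: Removing `defer out.Close()` in the DownloadFile hunk leaves the file created by `os.Create(filepath)` unclosed on the success path within the visible lines, while the added `out.Close()` runs only in the error branch, where `out` is nil (on a nil `*os.File` it just returns `os.ErrInvalid`). If the intent was to satisfy the linter about the unchecked deferred error, the form already used in the second hunk of this file does that without the leak: drop the added line and keep `defer func() { _ = out.Close() }()` after the error check. DownloadFile continues outside the hunk, so if `out` is closed further down through `writer.Writer` the remaining point is that the error-branch line is dead code.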
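Review bot: The discarded error on the new `_ = i.bar.Set((int)(i.count * 100 / i.Total))` line hides the one case the expression can produce on its own: when `i.Total` is zero the division yields ±Inf or NaN and the `(int)` conversion gives an implementation-dependent value that is then handed to the bar. Guarding the call keeps the silencing honest: `if i.bar != nil && i.Total > 0 {`. Whether callers guarantee a non-zero Total is not visible from this hunk.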