Add gosec of GitHub action

LinuxSuRen · Jan 27, 2021 · d4269d7 · d4269d7
1 parent 5ba75dd
commit d4269d7
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 8 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -40,3 +40,29 @@ jobs:
         uses: Jerome1337/golint-action@v1.0.2
         with:
           golint-path: ./...
+  Security:
+    name: Security
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: '-exclude=G402,G204,G304,G110 ./...'
+  CodeQL:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: go
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
diff --git a/cmd/install.go b/cmd/install.go
@@ -64,7 +64,7 @@ func (o *installOption) overWriteBinary(sourceFile, targetPath string) (err erro
 		}
 	default:
 		sourceF, _ := os.Open(sourceFile)
-		targetF, _ := os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR, 0664)
+		targetF, _ := os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR, 0600)
 		if _, err = io.Copy(targetF, sourceF); err != nil {
 			err = fmt.Errorf("cannot copy %s from %s to %v, error: %v", o.name, sourceFile, targetPath, err)
 		}
@@ -119,8 +119,8 @@ func (o *installOption) extractFiles(tarFile, targetName string) (err error) {
 func execCommand(name string, arg ...string) (err error) {
 	command := exec.Command(name, arg...)
 
-	var stdout []byte
-	var errStdout error
+	//var stdout []byte
+	//var errStdout error
 	stdoutIn, _ := command.StdoutPipe()
 	stderrIn, _ := command.StderrPipe()
 	err = command.Start()
@@ -134,11 +134,11 @@ func execCommand(name string, arg ...string) (err error) {
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
-		stdout, errStdout = copyAndCapture(os.Stdout, stdoutIn)
+		_, _ = copyAndCapture(os.Stdout, stdoutIn)
 		wg.Done()
 	}()
 
-	copyAndCapture(os.Stderr, stderrIn)
+	_, _ = copyAndCapture(os.Stderr, stderrIn)
 
 	wg.Wait()
 

diff --git a/pkg/http.go b/pkg/http.go
@@ -159,9 +159,9 @@ func (h *HTTPDownloader) DownloadFile() error {
 	// Create the file
 	out, err := os.Create(filepath)
 	if err != nil {
+		_ = out.Close()
 		return err
 	}
-	defer out.Close()
 
 	writer.Writer = out
 
@@ -216,7 +216,7 @@ func DownloadFileWithMultipleThreadKeepParts(targetURL, targetFilePath string, t
 
 		// concat all these partial files
 		var f *os.File
-		if f, err = os.OpenFile(targetFilePath, os.O_CREATE|os.O_WRONLY, 0644); err == nil {
+		if f, err = os.OpenFile(targetFilePath, os.O_CREATE|os.O_WRONLY, 0600); err == nil {
 			defer func() {
 				_ = f.Close()
 			}()

diff --git a/pkg/progress.go b/pkg/progress.go
@@ -52,6 +52,6 @@ func (i *ProgressIndicator) setBar(n int) {
 	i.count += float64(n)
 
 	if i.bar != nil {
-		i.bar.Set((int)(i.count * 100 / i.Total))
+		_ = i.bar.Set((int)(i.count * 100 / i.Total))
 	}
 }