gosec fixes (#1201)

* nosec linter surpression in nodekey_test.go * Mark DeterministicEcdsaKeyByIndex as Insecure * nosec - surpress warning * simplify range expression Co-authored-by: tbjump <>
2022-05-20 08:09:48 -07:00 · 2022-05-20 08:09:48 -07:00 · d87ae5a272
parent a5c7898de9
commit d87ae5a272
9 changed files with 23 additions and 20 deletions
--- a/node/cmd/guardiand/admintemplate.go
+++ b/node/cmd/guardiand/admintemplate.go
@ -101,7 +101,7 @@ func runGuardianSetTemplate(cmd *cobra.Command, args []string) {
 	// Use deterministic devnet addresses as examples in the template, such that this doubles as a test fixture.
 	guardians := make([]*nodev1.GuardianSetUpdate_Guardian, *setUpdateNumGuardians)
 	for i := 0; i < *setUpdateNumGuardians; i++ {
-		k := devnet.DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
+		k := devnet.InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
 		guardians[i] = &nodev1.GuardianSetUpdate_Guardian{
 			Pubkey: crypto.PubkeyToAddress(k.PublicKey).Hex(),
 			Name:   fmt.Sprintf("Example validator %d", i),
--- a/node/cmd/guardiand/guardiankey.go
+++ b/node/cmd/guardiand/guardiankey.go
@ -5,11 +5,12 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"github.com/certusone/wormhole/node/pkg/common"
 	"io/ioutil"
 	"log"
 	"os"

+	"github.com/certusone/wormhole/node/pkg/common"
+
 	ethcrypto "github.com/ethereum/go-ethereum/crypto"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/openpgp/armor" //nolint
@ -145,5 +146,5 @@ func generateDevnetGuardianKey() (*ecdsa.PrivateKey, error) {
 	}

 	// Generate guardian key
-	return devnet.DeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
+	return devnet.InsecureDeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
 }
--- a/node/pkg/common/nodekey_test.go
+++ b/node/pkg/common/nodekey_test.go
@ -2,18 +2,19 @@ package common

 import (
 	"fmt"
-	"github.com/libp2p/go-libp2p-core/crypto"
-	"github.com/stretchr/testify/assert"
-	"go.uber.org/zap"
 	"io/ioutil"
 	"math/rand"
 	"os"
 	"testing"
+
+	"github.com/libp2p/go-libp2p-core/crypto"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
 )

 func TestGetOrCreateNodeKeyWithNewPath(t *testing.T) {
 	// Get a non-existing temp file path to write auto-generated privKey to
-	path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int())
+	path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int()) //#nosec G404 no CSPRNG needed here
 	defer os.Remove(path)

 	logger, _ := zap.NewProduction()
--- a/node/pkg/devnet/deterministic_bridge_key.go
+++ b/node/pkg/devnet/deterministic_bridge_key.go
@ -6,11 +6,11 @@ import (
 	mathrand "math/rand"
 )

-// DeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
-func DeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
+// InsecureDeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
+func InsecureDeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
 	// use 555 as offset to deterministically generate key 0 to match vaa-test such that
 	// we generate the same key.
-	r := mathrand.New(mathrand.NewSource(int64(555 + idx)))
+	r := mathrand.New(mathrand.NewSource(int64(555 + idx))) //#nosec G404 Testnet/devnet keys are not secret.
 	key, err := ecdsa.GenerateKey(c, r)
 	if err != nil {
 		panic(err)
--- a/node/pkg/devnet/deterministic_bridge_key_test.go
+++ b/node/pkg/devnet/deterministic_bridge_key_test.go
@ -3,9 +3,10 @@ package devnet
 import (
 	"encoding/hex"
 	"fmt"
+	"testing"
+
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/stretchr/testify/assert"
-	"testing"
 )

 func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
@ -23,7 +24,7 @@ func TestDeterministicEcdsaKeyByIndex(t *testing.T) {

 	for _, tc := range tests {
 		t.Run(fmt.Sprint(tc.index), func(t *testing.T) {
-			privKey := DeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
+			privKey := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
 			got := crypto.FromECDSA(privKey)
 			assert.Equal(t, tc.privKeyHex, hex.EncodeToString(got))
 		})
--- a/node/pkg/devnet/deterministic_p2p_key.go
+++ b/node/pkg/devnet/deterministic_p2p_key.go
@ -8,7 +8,7 @@ import (

 // DeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivateKey from a given index.
 func DeterministicP2PPrivKeyByIndex(idx int64) crypto.PrivKey {
-	r := mathrand.New(mathrand.NewSource(int64(idx)))
+	r := mathrand.New(mathrand.NewSource(int64(idx))) //#nosec G404 testnet / devnet keys are public knowledge
 	priv, _, err := crypto.GenerateKeyPairWithReader(crypto.Ed25519, -1, r)
 	if err != nil {
 		panic(err)
--- a/node/pkg/devnet/guardianset_vaa.go
+++ b/node/pkg/devnet/guardianset_vaa.go
@ -22,7 +22,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
 	pubkeys := make([]common.Address, n)

 	for n := range pubkeys {
-		key := DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
+		key := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
 		pubkeys[n] = crypto.PubkeyToAddress(key.PublicKey)
 	}

@ -41,7 +41,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
 	}

 	// The devnet is initialized with a single guardian (ethereum/migrations/1_initial_migration.js).
-	key0 := DeterministicEcdsaKeyByIndex(crypto.S256(), 0)
+	key0 := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), 0)
 	v.AddSignature(key0, 0)

 	return v
--- a/node/pkg/supervisor/supervisor_node.go
+++ b/node/pkg/supervisor/supervisor_node.go
@ -210,7 +210,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {
 	}

 	// Check the requested runnable names.
-	for name, _ := range runnables {
+	for name := range runnables {
 		if !reNodeName.MatchString(name) {
 			return fmt.Errorf("runnable name %q is invalid", name)
 		}
@ -237,7 +237,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {

 	// Schedule execution of group members.
 	go func() {
-		for name, _ := range runnables {
+		for name := range runnables {
 			n.sup.pReq <- &processorRequest{
 				schedule: &processorRequestSchedule{
 					dn: dns[name],
--- a/node/pkg/supervisor/supervisor_processor.go
+++ b/node/pkg/supervisor/supervisor_processor.go
@ -206,7 +206,7 @@ func (s *supervisor) processDied(r *processorRequestDied) {

 	// Cancel all siblings.
 	if n.parent != nil {
-		for name, _ := range n.parent.groupSiblings(n.name) {
+		for name := range n.parent.groupSiblings(n.name) {
 			if name == n.name {
 				continue
 			}
@ -262,7 +262,7 @@ func (s *supervisor) processGC() {

 	// We build a queue of nodes to visit, starting from the leaves.
 	queue = []*node{}
-	for l, _ := range leaves {
+	for l := range leaves {
 		queue = append(queue, s.nodeByDN(l))
 	}

@ -366,7 +366,7 @@ func (s *supervisor) processGC() {
 	}

 	// Reinitialize and reschedule all subtrees
-	for dn, _ := range can {
+	for dn := range can {
 		n := s.nodeByDN(dn)

 		// Only back off when the node unexpectedly died - not when it got canceled.