chore: Preparation for incoming static code analysis CI check #15164

Merged: 20 commits, Nov 28, 2024

Conversation

@paul1r (Collaborator) commented Nov 27, 2024

What this PR does / why we need it:
This PR addresses a variety of issues found with GoSec in the Loki codebase.

Working with the security team, it was determined that these issues needed to be masked off via a comment, implying they had a thorough review, or fixed. Other less-important issues, such as not checking the return value of a function in an error path, are likely going to be fenced off at the scanner configuration level.

Notable changes include:

  • Updating the bloom untar function
  • Switching from MD5/SHA1 to SHA3 for hashing
  • Changing the Loki canary to have a timeout
  • Switching from math/rand to crypto/rand

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • Title matches the required conventional commits format, see here
    • Note that Promtail is considered to be feature complete, and future development for logs collection will be in Grafana Alloy. As such, feat PRs are unlikely to be accepted unless a case can be made for the feature actually being a bug fix to existing behavior.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR
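The bullet list in the description names the changes but the PR page shows none of the code, and it does not say which GoSec findings the "bloom untar" change addressed. The block below is an added example written for this page, not Loki's untar function and not code from the PR: it shows what a tar-extraction routine looks like once it is hardened against the two checks GoSec applies to archive extraction (G305, an entry path escaping the destination directory, and G110, an unbounded write that can act as a decompression bomb), and it also refuses symlink and hard-link entries, which are a second way out of the destination. The function and error names, the 32-byte per-file cap, the `blooms/block-0.bin` file name and the four constructed archives are all assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("entry escapes destination directory")
var ErrTooLarge = errors.New("entry exceeds size limit")
var ErrBadType = errors.New("entry type not allowed")

// writeCapped stores at most limit bytes of one entry at path, counting bytes actually read rather than trusting the header's Size field, and deletes an over-limit file again.
func writeCapped(path string, r io.Reader, limit int64) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	n, err := io.Copy(f, io.LimitReader(r, limit+1))
	f.Close()
	if err == nil && n > limit {
		err = ErrTooLarge
	}
	if err != nil {
		os.Remove(path)
	}
	return err
}

// Untar extracts a tar stream into dest: every entry path must resolve inside dest, only directories and regular files are accepted, and each file is capped at limit bytes.
func Untar(r io.Reader, dest string, limit int64) error {
	dest = filepath.Clean(dest)
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(dest, hdr.Name) // Join cleans ".." segments before the prefix test
		switch {
		case target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)):
			err = ErrTraversal
		case hdr.Typeflag == tar.TypeDir:
			err = os.MkdirAll(target, 0o750)
		case hdr.Typeflag == tar.TypeReg:
			err = writeCapped(target, tr, limit)
		default: // symlinks and hard links are a second way out of dest
			err = ErrBadType
		}
		if err != nil {
			return fmt.Errorf("%w: %q", err, hdr.Name)
		}
	}
}

// buildTar serialises constructed headers into an in-memory archive, filling each file with Size bytes of 'b'.
func buildTar(hdrs ...tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		if err := tw.WriteHeader(&hdrs[i]); err != nil {
			panic(err)
		}
		tw.Write(bytes.Repeat([]byte{'b'}, int(hdrs[i].Size))) // a short write surfaces at Close
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Demo runs four constructed archives through Untar with a 32-byte cap and returns the error each produced; only the benign one should be nil.
func Demo() map[string]error {
	dest, err := os.MkdirTemp("", "safe-untar")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	cases := map[string][]byte{
		"benign":    buildTar(tar.Header{Name: "blooms", Typeflag: tar.TypeDir}, tar.Header{Name: "blooms/block-0.bin", Typeflag: tar.TypeReg, Size: 16}),
		"traversal": buildTar(tar.Header{Name: "../escape.txt", Typeflag: tar.TypeReg, Size: 1}),
		"oversize":  buildTar(tar.Header{Name: "big.bin", Typeflag: tar.TypeReg, Size: 64}),
		"symlink":   buildTar(tar.Header{Name: "link", Typeflag: tar.TypeSymlink, Linkname: "/etc/passwd"}),
	}
	results := make(map[string]error, len(cases))
	for name, data := range cases {
		results[name] = Untar(bytes.NewReader(data), dest, 32)
	}
	return results
}

func main() { fmt.Println(Demo()) }
```

The cap in writeCapped is enforced on the bytes that actually arrive, not on the Size claimed in the header, which is the point of the decompression-bomb check; the prefix test runs on the cleaned, joined path, so a name such as `../escape.txt` is rejected before anything is opened. A real deployment would also want the limit to apply to the archive as a whole, not only per entry.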

@CLAassistant commented Nov 27, 2024

CLA assistant check
All committers have signed the CLA.

@trevorwhitney (Collaborator) left a comment

This looks great, thanks Paul!

@JoaoBraveCoding (Collaborator) left a comment

From the operator POV lgtm

@paul1r paul1r merged commit f2c2a22 into main Nov 28, 2024
66 checks passed
@paul1r paul1r deleted the sast-uplift branch November 28, 2024 13:54
6 participants