Merge pull request #867 from SoftLayer/gosec

Fixing Gosec complaints

Author: allmightyspiff

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "plugin/i18n/v1Resources/|plugin/i18n/v2Resources/|(.*test.*)|(vendor)|(go.sum)|bin/|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-07-22T22:42:28Z",
+  "generated_at": "2024-09-04T21:46:16Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -270,23 +270,23 @@
         "hashed_secret": "df4bb9b1035a1847159d5c655c1d11a00508a609",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 93,
+        "line_number": 89,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
-        "hashed_secret": "53aa77492eb716085c45d2c5873f9e47abd66bf2",
+        "hashed_secret": "09d3c49efe52ba11e94d7bdd18d2801a7830f583",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 95,
+        "line_number": 91,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "18a6fefdd2d6204456b0733cc47be1397f284fa4",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 98,
+        "line_number": 94,
         "type": "Secret Keyword",
         "verified_result": null
       }

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/sethvargo/go-password v0.3.1 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	golang.org/x/crypto v0.24.0 // indirect
 	golang.org/x/mod v0.18.0 // indirect

go.sum

@@ -66,6 +66,8 @@ github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/f
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
 github.com/sclevine/spec v1.4.0/go.mod h1:LvpgJaFyvQzRvc1kaDs0bulYwzC70PbiYjC4QnFHkOM=
+github.com/sethvargo/go-password v0.3.1 h1:WqrLTjo7X6AcVYfC6R7GtSyuUQR9hGyAj/f1PYQZCJU=
+github.com/sethvargo/go-password v0.3.1/go.mod h1:rXofC1zT54N7R8K/h1WDUdkf9BOx5OptoxrMBcrXzvs=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.7 h1:I6tZjLXD2Q1kjvNbIzB1wvQBsXmKXiVrhpRE8ZjP5jY=

plugin/commands/block/volume_detail.go

@@ -102,6 +102,7 @@ func (cmd *VolumeDetailCommand) Run(args []string) error {
 	}
 
 	table.Add(T("Replicant Count"), utils.FormatUIntPointer(blockVolume.ReplicationPartnerCount))
+	// #nosec G115 -- Should never be > 2^32
 	if blockVolume.ReplicationPartnerCount != nil && int(*blockVolume.ReplicationPartnerCount) > 0 {
 		table.Add(T("Replication Status"), utils.FormatStringPointer(blockVolume.ReplicationStatus))
 		buf := new(bytes.Buffer)

plugin/commands/file/volume_detail.go

@@ -103,6 +103,7 @@ func (cmd *VolumeDetailCommand) Run(args []string) error {
 	}
 
 	table.Add(T("Replicant Count"), utils.FormatUIntPointer(fileVolume.ReplicationPartnerCount))
+	// #nosec G115 -- Should never be > 2^32
 	if fileVolume.ReplicationPartnerCount != nil && int(*fileVolume.ReplicationPartnerCount) > 0 {
 		table.Add(T("Replication Status"), utils.FormatStringPointer(fileVolume.ReplicationStatus))
 		buf := new(bytes.Buffer)

plugin/commands/ticket/summary.go

@@ -1,8 +1,8 @@
 package ticket
 
 import (
-	"strconv"
 
+	"fmt"
 	"github.com/spf13/cobra"
 
 	"github.ibm.com/SoftLayer/softlayer-cli/plugin/errors"
@@ -45,15 +45,15 @@ func (cmd *SummaryTicketCommand) Run(args []string) error {
 		table := cmd.UI.Table([]string{T("Status:"), T("Count")})
 
 		table.Add(T("Open:"), "")
-		table.Add(T("Accounting"), strconv.Itoa(int(summary.Accounting)))
-		table.Add(T("Billing"), strconv.Itoa(int(summary.Billing)))
-		table.Add(T("Sales"), strconv.Itoa(int(summary.Sales)))
-		table.Add(T("Support"), strconv.Itoa(int(summary.Support)))
-		table.Add(T("Other"), strconv.Itoa(int(summary.Other)))
-		table.Add(T("Total"), strconv.Itoa(int(summary.Open)))
+		table.Add(T("Accounting"), fmt.Sprintf("%d", summary.Accounting))
+		table.Add(T("Billing"), fmt.Sprintf("%d", summary.Billing))
+		table.Add(T("Sales"), fmt.Sprintf("%d", summary.Sales))
+		table.Add(T("Support"), fmt.Sprintf("%d", summary.Support))
+		table.Add(T("Other"), fmt.Sprintf("%d", summary.Other))
+		table.Add(T("Total"), fmt.Sprintf("%d", summary.Open))
 		table.Add("", "")
 		table.Add(T("Closed:"), "")
-		table.Add(T("Total"), strconv.Itoa(int(summary.Closed)))
+		table.Add(T("Total"), fmt.Sprintf("%d", summary.Closed))
 
 		table.Print()
 

plugin/commands/user/create.go

@@ -1,15 +1,11 @@
 package user
 
 import (
-	crand "crypto/rand"
-	"encoding/binary"
 	"encoding/json"
 	"fmt"
-	"log"
-	"math/rand"
 	"reflect"
-	"strings"
 
+	gopass "github.com/sethvargo/go-password/password"
 	"github.ibm.com/SoftLayer/softlayer-cli/plugin/metadata"
 
 	"github.com/IBM-Cloud/ibm-cloud-cli-sdk/bluemix/terminal"
@@ -92,7 +88,7 @@ func (cmd *CreateCommand) Run(args []string) error {
 
 	password := cmd.Password
 	if password == "generate" {
-		password = string(GeneratePassword(23, 4))
+		password = gopass.MustGenerate(18, 4, 4, false, false)
 	}
 
 	vpnPassword := cmd.VpnPassword
@@ -139,54 +135,9 @@ func printUser(user datatypes.User_Customer, password string, ui terminal.UI) {
 	table.Print()
 }
 
-// random source leveraging crypto/rand to provide
-// true non-determinstic
-type cryptoSource struct{}
-
-func (s cryptoSource) Seed(seed int64) {}
-
-func (s cryptoSource) Int63() int64 {
-	return int64(s.Uint64() & ^uint64(1<<63))
-}
-
-func (s cryptoSource) Uint64() (v uint64) {
-	err := binary.Read(crand.Reader, binary.BigEndian, &v)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return v
-}
-
-// GeneratePassword will create a random password
-// Returns a 23 character random string
-// 0  only number
-// 1  lower and upper
-// 2   upper
-// 3   special
-// 4  all
-func GeneratePassword(size int, kind int) []byte {
-	ikind, kinds, result := kind, [][]int{{10, 48}, {26, 97}, {26, 65}, {10, 38}}, make([]byte, size)
-	isAll := kind > 3 || kind < 0
-
-	// #nosec G404: Use "crypto/rand" as the seed, which should resolve the pseudo "math/rand"
-	rnd := rand.New(&cryptoSource{})
-	generate := true
-	for generate {
-		result = make([]byte, size)
-		for i := 0; i < size; i++ {
-			if isAll { // random ikind
-				ikind = rnd.Intn(4)
-			}
-			scope, base := kinds[ikind][0], kinds[ikind][1]
-			result[i] = uint8(base + rnd.Intn(scope))
-		}
-		generate = !IsValidPassword(string(result))
-	}
-	return result
-}
-
+// Values of B get copied into A
+// A <--- B
 func StructAssignment(A, B interface{}) { //a =b
-
 	av := reflect.ValueOf(A).Elem()
 	at := av.Type()
 
@@ -202,34 +153,3 @@ func StructAssignment(A, B interface{}) { //a =b
 		}
 	}
 }
-
-func IsValidPassword(output string) bool {
-	output = strings.TrimSpace(output)
-	var uppercase, lowercase, number, simbol, lenght bool
-	//Verify lenght is 23
-	if len(output) == 23 {
-		lenght = true
-	}
-	for _, char := range output {
-		//Verify exist uppercase
-		if int(char) >= 65 && int(char) <= 90 {
-			uppercase = true
-		}
-		//Verify exist lowercase
-		if int(char) >= 97 && int(char) <= 122 {
-			lowercase = true
-		}
-		//Verify exist number
-		if int(char) >= 48 && int(char) <= 57 {
-			number = true
-		}
-		//Verify exist simbol
-		if int(char) >= 33 && int(char) <= 47 {
-			simbol = true
-		}
-	}
-	if uppercase && lowercase && number && simbol && lenght {
-		return true
-	}
-	return false
-}