
fix: gosec issues #1290

Merged
merged 3 commits into from
Oct 14, 2023

Conversation

@lumtis lumtis (Member) commented Oct 13, 2023

Description

Fix the new gosec issues in the CI

Using nosec for false positives.
Adding timeout for websocket server.

Need confirmation for the following values:

  • read timeout - 15sec
  • write timeout - 15sec
  • idle timeout - 1 minute

Pinging @zeta-chain/devops in case

Closes: #1288
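Added example (my own code, not from the PR or the zeta-node repository; NewRPCServer and SlowClientGetsDropped are names I chose): an http.Server carrying the timeouts proposed above, plus a loopback check that a client which never finishes its request headers is disconnected once ReadTimeout elapses, which is the condition the missing-timeout gosec finding (G112) is about.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// NewRPCServer applies the timeouts proposed in the PR (read 15s, write 15s, idle 1m).
// Without a read timeout a client can hold a connection open by trickling headers.
func NewRPCServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:         addr,
		Handler:      h,
		ReadTimeout:  15 * time.Second,
		WriteTimeout: 15 * time.Second,
		IdleTimeout:  time.Minute,
	}
}

// SlowClientGetsDropped serves on a loopback port with the given read timeout, connects
// as a client that never completes its headers, and reports whether the server hangs up.
func SlowClientGetsDropped(readTimeout time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := NewRPCServer(ln.Addr().String(), http.NotFoundHandler())
	srv.ReadTimeout = readTimeout // shortened so the demonstration is quick
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Request line and one header, but never the blank line that ends the headers.
	fmt.Fprint(conn, "GET /ws HTTP/1.1\r\nHost: localhost\r\n")
	// A nil error from ReadAll means EOF: the server closed the socket rather than
	// waiting indefinitely. A deadline error means it kept the connection open.
	conn.SetReadDeadline(time.Now().Add(5 * readTimeout))
	_, err = io.ReadAll(conn)
	return err == nil, nil
}

func main() { fmt.Println(SlowClientGetsDropped(200 * time.Millisecond)) }
```

One caveat for the websocket endpoint: once the handler hijacks the connection for the upgrade, these server timeouts no longer govern that socket (and any deadline the server already set stays on the net.Conn until the upgrade code clears it), so the websocket layer has to manage its own read and write deadlines.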

@github-actions

!!!WARNING!!!
nosec detected in the following files: rpc/websockets.go, x/emissions/client/tests/suite.go, x/observer/module_simulation.go

Be very careful about using #nosec in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way.

Only suppress a single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the #nosec annotation, e.g. /* #nosec G401 */ or //#nosec G201 G202 G203
Broad #nosec annotations should be avoided, as they can hide other vulnerabilities. The CI will block you from merging this PR until you remove #nosec annotations that do not target specific rules.

Pay extra attention to the way #nosec is being used in the files listed above.

@github-actions github-actions bot added the nosec label Oct 13, 2023
@lumtis lumtis self-assigned this Oct 13, 2023
@ws4charlie ws4charlie (Contributor) left a comment


I'm not 100% sure if the idleTimeout will impact log filter users. We can give it a try and see.

@lumtis lumtis (Member, Author) commented Oct 13, 2023

> I'm not 100% sure if the idleTimeout will impact log filter users. We can give it a try and see.

Maybe we can increase it to 5min?

@lumtis lumtis merged commit db6a2f4 into develop Oct 14, 2023
@lumtis lumtis deleted the fix/gosec-new branch October 14, 2023 01:52
Successfully merging this pull request may close these issues.

gosec issues raised
3 participants