How can I disable the "TLS InsecureSkipVerify may be true" error

Question
I have code like this:

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
```
When I run golangci-lint run it recognizes the nolint directive and ignores that error, but when Sonarqube runs it keeps failing with the message "TLS InsecureSkipVerify may be true".

This issue https://github.com/securego/gosec/issues/278 talks about using #nosec in the comment to disable that error.

Here it talks about using it in specific parts of the statement: https://github.com/securego/gosec/issues/278#issuecomment-745209803

So I've tried:
```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		// NOSONAR #nosec
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}
```

And

```go
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify /* #nosec */ : /* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
	}
}
```
I have opened this issue in the gosec project: https://github.com/securego/gosec/issues/780

What else can I do to ignore this in gosec?
Answer 1
Score: 5
As @rodolfo has suggested, I reproduce the solution mentioned on GitHub as it might help someone else.

Apparently using // #nosec G402 on the same line as the if statement fixes the problem:

```go
if cfg.GetRedisTLS() { // #nosec G402
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
```
Answer 2
Score: 0
If you don't have an if statement, you can make a command block:

```go
{ // #nosec G402
	// plain assignment: a struct field cannot be the target of :=
	clientOpts.tlsConfig = &tls.Config{
		RootCAs:            or.certificates,
		InsecureSkipVerify: or.insecure,
	}
}
```
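Putting the two answers together, here is an added example (not code from the question, the answers or the gosec project) of a small constructor that uses the // #nosec G402 placement on the enclosing statement line from Answer 1, prefers the RootCAs approach from Answer 2 over skipping verification, and refuses InsecureSkipVerify in production. The RedisTLSSettings type, its Env and CAPEM fields and the "production" check are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// RedisTLSSettings stands in for the question's cfg object: Enabled and Insecure
// mirror cfg.GetRedisTLS() and cfg.GetRedisInsecure(); Env and CAPEM are
// hypothetical extra knobs added for this example.
type RedisTLSSettings struct {
	Enabled  bool
	Insecure bool
	Env      string // assumed values: "development", "staging", "production"
	CAPEM    []byte // optional private CA bundle, preferred over skipping verification
}

var ErrInsecureInProduction = errors.New("InsecureSkipVerify is refused in production")

// NewRedisTLSConfig builds the value the question assigns to clientOpts.TLSConfig.
// It returns nil when TLS is off, refuses the verification bypass in production,
// and prefers a private RootCAs pool so InsecureSkipVerify is rarely needed at all.
func NewRedisTLSConfig(s RedisTLSSettings) (*tls.Config, error) {
	if !s.Enabled {
		return nil, nil
	}
	if s.Insecure && s.Env == "production" {
		return nil, ErrInsecureInProduction
	}
	if len(s.CAPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(s.CAPEM) {
			return nil, errors.New("no certificates parsed from CA bundle")
		}
		return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}, nil
	}
	// The gosec suppression goes on the statement line enclosing the literal, the
	// placement Answer 1 reports as working; the runtime guard above makes it safe.
	if s.Insecure { // #nosec G402 -- dev/test only, production refused above
		return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}, nil
	}
	return &tls.Config{MinVersion: tls.VersionTLS12}, nil
}

func main() {
	c, err := NewRedisTLSConfig(RedisTLSSettings{Enabled: true, Insecure: true, Env: "development"})
	fmt.Println(c.InsecureSkipVerify, err) // true <nil>
}
```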