如何禁用“TLS InsecureSkipVerify may be true”错误?

huangapple go评论103阅读模式
英文:

How can I disable "TLS InsecureSkipVerify may be true" error

问题

我有一个类似这样的代码:

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

当我运行 golangci-lint run 时,它识别到了 nolint 指令并忽略了该错误,但是当 Sonarqube 运行时,它仍然失败,并显示消息 "TLS InsecureSkipVerify may be true"。

这个问题 https://github.com/securego/gosec/issues/278 讨论了在注释中使用 #nosec 来禁用该错误。
这里讨论了在语句的特定部分使用它 https://github.com/securego/gosec/issues/278#issuecomment-745209803

所以我尝试了以下几种方式:

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		// NOSONAR #nosec 
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec 
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}
if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion:         tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify /* #nosec */ :/* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
	}
}

我在 gosec 项目中提了这个问题 https://github.com/securego/gosec/issues/780

还有什么其他方法可以在 gosec 中忽略这个问题?

英文:

I have a code like this:

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

When I run golangci-lint run it recognizes the nolint directive and ignores that error, but when Sonarqube runs it keeps failing with a message "TLS InsecureSkipVerify may be true"

This issue https://github.com/securego/gosec/issues/278 talks about using #nosec in the comment to disable that error.
Here it talks about using it in specific parts of the statement https://github.com/securego/gosec/issues/278#issuecomment-745209803

So I've tried:

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		// NOSONAR #nosec 
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), // NOSONAR #nosec 
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure(), /* #nosec */
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify: /* #nosec */ cfg.GetRedisInsecure() /* #nosec */, /* #nosec */
	}
}

And

if cfg.GetRedisTLS() {
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		//nolint:gosec // NOSONAR #nosec need insecure TLS option for testing and development
		/* #nosec */ InsecureSkipVerify /* #nosec */ :/* #nosec */ cfg.GetRedisInsecure(), /* #nosec */
	}
}

I have open this issue in the gosec project https://github.com/securego/gosec/issues/780

What else can I do to ignore this in gosec?

答案1

得分: 5

@rodolfo所建议的那样,我将在GitHub上复制提到的解决方案,因为它可能对其他人有帮助。

显然,在与if语句相同的行上使用// #nosec G402可以解决这个问题:

if cfg.GetRedisTLS() { // #nosec G402
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

英文:

As @rodolfo has suggested, I reproduce the solution mentioned on Github as it might help someone else.

Apparently using // #nosec G402 on the same line as the if statement fixes the problem:

if cfg.GetRedisTLS() { // #nosec G402
	clientOpts.TLSConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
		InsecureSkipVerify: cfg.GetRedisInsecure(),
	}
}

答案2

得分: 0

如果你没有if语句,你可以使用一个命令块来实现。

{ // #nosec G402
    clientOpts.tlsConfig := &tls.Config{
        RootCAs:            or.certificates,
        InsecureSkipVerify: or.insecure,
    }
}
英文:

If you don't have an if statement, you can make a command block

        { // #nosec G402
            clientOpts.tlsConfig := &tls.Config{
                RootCAs:            or.certificates,
                InsecureSkipVerify: or.insecure,
            }
        }

huangapple
  • 本文由 发表于 2022年2月17日 07:26:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/71150564.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定