mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-10-31 18:28:13 +00:00
Drop hack/verify-govet-levee
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas
8
hack/testdata/levee/OWNERS
vendored
8
hack/testdata/levee/OWNERS
vendored
@@ -1,8 +0,0 @@
|
||||
# See the OWNERS docs at https://go.k8s.io/owners
|
||||
|
||||
approvers:
|
||||
- sig-security-approvers
|
||||
reviewers:
|
||||
- sig-security-reviewers
|
||||
labels:
|
||||
- sig/security
|
||||
154
hack/testdata/levee/levee-config.yaml
vendored
154
hack/testdata/levee/levee-config.yaml
vendored
@@ -1,154 +0,0 @@
|
||||
# Copyright 2015 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
|
||||
# It defines sources which may contain credentials and sinks where these should not be logged.
|
||||
# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
|
||||
# Sanitizers permit sources to safely reach a sink.
|
||||
# False positives may be suppressed in the Exclude block.
|
||||
# Note that `*RE` keys have regexp values.
|
||||
|
||||
# For additional details, see KEP-1933.
|
||||
---
|
||||
|
||||
# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
|
||||
FieldTags:
|
||||
- Key: "datapolicy"
|
||||
Value: "security-key"
|
||||
- Key: "datapolicy"
|
||||
Value: "token"
|
||||
- Key: "datapolicy"
|
||||
Value: "password"
|
||||
|
||||
# This preliminary collection of source types should be removed once
|
||||
# KEP-1753 adds tags to the relevant fields.
|
||||
Sources:
|
||||
# The following fields are tagged in #95994
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "Config"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "ConfigFile"
|
||||
FieldRE: "Global" # Global is of unnamed type, contains the field Password.
|
||||
|
||||
# The following fields are tagged in #95997
|
||||
- PackageRE: "k8s.io/kubelet/config/v1beta1"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
|
||||
# The following fields are tagged in #95998
|
||||
- PackageRE: "k8s.io/kube-scheduler/config/v1"
|
||||
TypeRE: "ExtenderTLSConfig"
|
||||
FieldRE: "KeyData"
|
||||
|
||||
# The following fields are tagged in #95600
|
||||
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96002
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
|
||||
TypeRE: "TLSConfig"
|
||||
FieldRE: "ClientKey"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
|
||||
TypeRE: "Key"
|
||||
FieldRE: "Secret"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
|
||||
TypeRE: "requestHeaderBundle"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "certKeyContent"
|
||||
FieldRE: "key"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "DynamicCertKeyPairContent"
|
||||
FieldRE: "certKeyPair"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/options"
|
||||
TypeRE: "RequestHeaderAuthenticationOptions"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
|
||||
TypeRE: "endpoint"
|
||||
FieldRE: "AccessToken"
|
||||
|
||||
# The following fields are tagged in #96003
|
||||
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
|
||||
TypeRE: "ConfigFlags"
|
||||
FieldRE: "BearerToken|Password"
|
||||
|
||||
# The following fields are tagged in #96004
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
|
||||
TypeRE: "KubeletClientConfig"
|
||||
FieldRE: "BearerToken"
|
||||
|
||||
# The following fields are tagged in #96005
|
||||
- PackageRE: "k8s.io/api/authentication/v1"
|
||||
TypeRE: "TokenReviewSpec|TokenRequestStatus"
|
||||
FieldRE: " Token"
|
||||
- PackageRE: "k8s.io/api/authentication/v1beta1"
|
||||
TypeRE: "TokenReviewSpec"
|
||||
FieldRE: " Token"
|
||||
|
||||
# The following fields are tagged in #96007
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
|
||||
TypeRE: "acrAuthResponse"
|
||||
FieldRE: "RefreshToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigEntry"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigJSON"
|
||||
FieldRE: "Auths|HTTPHeaders"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "dockerConfigEntryWithAuth"
|
||||
FieldRE: "Password|Auth"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
|
||||
TypeRE: "tokenBlob"
|
||||
FieldRE: "AccessToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|Auth|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96008
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
|
||||
TypeRE: "CertificateAuthority"
|
||||
FieldRE: "RawKey"
|
||||
|
||||
# The following fields are not yet tagged
|
||||
- PackageRE: "k8s.io/api/core/v1"
|
||||
TypeRE: "Secret"
|
||||
FieldRE: "Data|StringData"
|
||||
|
||||
# Sinks are functions that should not be called with source or source-tainted arguments.
|
||||
# This configuration should capture all log unfiltered log calls.
|
||||
Sinks:
|
||||
- PackageRE: "k?log"
|
||||
# Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
|
||||
ReceiverRE: ""
|
||||
MethodRE: "Info|Warning|Error|Fatal|Exit"
|
||||
|
||||
# Sanitizers permit a source to reach a sink by explicitly removing the source data.
|
||||
Sanitizers:
|
||||
# maskValue strips bearer tokens from request headers
|
||||
- PackageRE: "k8s.io/client-go/transport"
|
||||
MethodRE: "maskValue"
|
||||
|
||||
# False positives may be suppressed here.
|
||||
# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
|
||||
# PackageRE | ReceiverRE | MethodRE regexp
|
||||
Exclude:
|
||||
- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
|
||||
# Regexp matches anonymized inner function
|
||||
MethodRE: "NewKubeletCommand"
|
||||
@@ -8,7 +8,6 @@ require (
|
||||
github.com/client9/misspell v0.3.4
|
||||
github.com/golang/mock v1.6.0
|
||||
github.com/golangci/golangci-lint v1.55.2
|
||||
github.com/google/go-flow-levee v0.1.5
|
||||
go.uber.org/automaxprocs v1.5.2
|
||||
gotest.tools/gotestsum v1.6.4
|
||||
honnef.co/go/tools v0.4.6
|
||||
@@ -194,7 +193,6 @@ require (
|
||||
golang.org/x/term v0.13.0 // indirect
|
||||
golang.org/x/text v0.13.0 // indirect
|
||||
golang.org/x/tools v0.14.0 // indirect
|
||||
golang.org/x/tools/go/pointer v0.1.0-deprecated // indirect
|
||||
google.golang.org/protobuf v1.28.0 // indirect
|
||||
gopkg.in/ini.v1 v1.67.0 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
@@ -203,5 +201,4 @@ require (
|
||||
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
|
||||
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
|
||||
mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d // indirect
|
||||
sigs.k8s.io/yaml v1.2.0 // indirect
|
||||
)
|
||||
|
||||
@@ -266,8 +266,6 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
|
||||
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/go-flow-levee v0.1.5 h1:AA7PBp4jrb1JIpqgSHxShqogsAZyI4VoTuJ0pNKHBVw=
|
||||
github.com/google/go-flow-levee v0.1.5/go.mod h1:Uiz/03u4gZX0ldjN5Tj5+fyZN1v6VK22uKRcpQCDsyE=
|
||||
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
||||
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
|
||||
@@ -852,7 +850,6 @@ golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjs
|
||||
golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
|
||||
golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
|
||||
golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
|
||||
golang.org/x/tools v0.0.0-20200416214402-fc959738d646/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
@@ -885,8 +882,6 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
|
||||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
|
||||
golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
|
||||
golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
|
||||
golang.org/x/tools/go/pointer v0.1.0-deprecated h1:PwCkqv2FT35Z4MVxR/tUlvLoL0TkxDjShpBrE4p18Ho=
|
||||
golang.org/x/tools/go/pointer v0.1.0-deprecated/go.mod h1:Jd+I2inNruJ+5VRdS+jU4S1t17z5y+UCCRa/eBRwilA=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
@@ -995,7 +990,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||
@@ -1030,5 +1024,3 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
|
||||
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
|
||||
sigs.k8s.io/logtools v0.8.0 h1:PPokQ0bBsuYVtSFHSfXoNtQPQ7Mfb9PzwSJH7kApPpE=
|
||||
sigs.k8s.io/logtools v0.8.0/go.mod h1:/muFLJLDCPfiBkA8a1YC96gvnbISgO/JVwgKOXZrT1I=
|
||||
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
|
||||
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
|
||||
|
||||
@@ -23,7 +23,6 @@ import (
|
||||
_ "github.com/aojea/sloppy-netparser"
|
||||
_ "github.com/client9/misspell/cmd/misspell"
|
||||
_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
|
||||
_ "github.com/google/go-flow-levee/cmd/levee"
|
||||
_ "honnef.co/go/tools/cmd/staticcheck"
|
||||
_ "sigs.k8s.io/logtools/logcheck"
|
||||
|
||||
|
||||
@@ -1,48 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2020 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This script vets each package by `levee`.
|
||||
# Usage: `hack/verify-govet-levee.sh`.
|
||||
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
|
||||
KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
|
||||
source "${KUBE_ROOT}/hack/lib/init.sh"
|
||||
source "${KUBE_ROOT}/hack/lib/util.sh"
|
||||
|
||||
kube::golang::verify_go_version
|
||||
|
||||
# Ensure that we find the binaries we build before anything else.
|
||||
export GOBIN="${KUBE_OUTPUT_BINPATH}"
|
||||
PATH="${GOBIN}:${PATH}"
|
||||
|
||||
# Install levee
|
||||
pushd "${KUBE_ROOT}/hack/tools" >/dev/null
|
||||
GO111MODULE=on go install github.com/google/go-flow-levee/cmd/levee
|
||||
popd >/dev/null
|
||||
|
||||
# Prefer full path for interaction with make vet
|
||||
LEVEE_BIN="$(which levee)"
|
||||
CONFIG_FILE="${KUBE_ROOT}/hack/testdata/levee/levee-config.yaml"
|
||||
|
||||
# Do not run on third_party directories or generated client code or build tools.
|
||||
targets=()
|
||||
while IFS='' read -r line; do
|
||||
targets+=("${line}")
|
||||
done < <(go list --find -e ./... | grep -E -v "/(build|third_party|vendor|staging|clientset_generated|hack)/")
|
||||
|
||||
go vet -vettool="${LEVEE_BIN}" -config="${CONFIG_FILE}" "${targets[@]}"
|
||||
Reference in New Issue
Block a user