From 1e946bdf2fb932b012b888c8c1d7642cc011f8ad Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 13:29:11 -0400 Subject: [PATCH 1/7] adding workflow --- .gitea/workflows/security.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .gitea/workflows/security.yaml diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml new file mode 100644 index 0000000..3cee2bc --- /dev/null +++ b/.gitea/workflows/security.yaml @@ -0,0 +1,25 @@ +name: "code scans" +on: push #runs on pushes to any branch + +jobs: + scans: + runs-on: smoke-test + steps: + - name: "clone code" + uses: actions/checkout@v4 + + - name: "install go" + uses: https://code.jakeyoungdev.com/actions/install-go@master + with: + commands: | + golang.org/x/vuln/cmd/govulncheck@latest + + - name: "dependency and stdlib scan" + uses: https://code.jakeyoungdev.com/actions/report-vulns@master + with: + manager: go + + - name: "static code analysis" + uses: securego/gosec@v2.22.3 + with: + args: ./... \ No newline at end of file -- 2.47.2 From 2dc48079083add5e2bbfa233b828e3a1accd2869 Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 13:43:55 -0400 Subject: [PATCH 2/7] gosec fixes and nosec adds --- cmd/config.go | 15 ++++++++++----- cmd/delete.go | 3 ++- cmd/save.go | 3 ++- cryptography/aes.go | 5 ++++- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/cmd/config.go b/cmd/config.go index 4e1cec4..d5dd723 100644 --- a/cmd/config.go +++ b/cmd/config.go @@ -48,7 +48,8 @@ var configCmd = &cobra.Command{ viper.Set("server", cfgserver) viper.Set("password", string(ciphert)) viper.Set("port", cfgport) - viper.WriteConfig() + err = viper.WriteConfig() + cobra.CheckErr(err) fmt.Println() fmt.Println("Config file updated!") }, @@ -57,9 +58,11 @@ var configCmd = &cobra.Command{ func init() { initConfig() configCmd.Flags().StringVarP(&cfgserver, "server", "s", "", "server address") - configCmd.MarkFlagRequired("server") + err := configCmd.MarkFlagRequired("server") + cobra.CheckErr(err) configCmd.Flags().IntVarP(&cfgport, "port", "p", 0, "server rcon port") - configCmd.MarkFlagRequired("port") + err = configCmd.MarkFlagRequired("port") + cobra.CheckErr(err) rootCmd.AddCommand(configCmd) } @@ -72,7 +75,8 @@ func initConfig() { viper.SetConfigType("yaml") viper.SetConfigName(".mctl") viper.AutomaticEnv() - viper.ReadInConfig() + err = viper.ReadInConfig() + cobra.CheckErr(err) if err := viper.ReadInConfig(); err != nil { //file does not exist, create it @@ -92,6 +96,7 @@ func initConfig() { //write config viper.Set("customcmd", cmdMap) viper.Set("device", string(uu)) - viper.SafeWriteConfig() + err = viper.SafeWriteConfig() + cobra.CheckErr(err) } } diff --git a/cmd/delete.go b/cmd/delete.go index 5508df6..dcee881 100644 --- a/cmd/delete.go +++ b/cmd/delete.go @@ -21,7 +21,8 @@ var deleteCmd = &cobra.Command{ cmdMap := viper.Get("customcmd").(map[string]any) delete(cmdMap, args[0]) viper.Set("customcmd", cmdMap) - viper.WriteConfig() + err := viper.WriteConfig() + cobra.CheckErr(err) } }, PreRunE: func(cmd *cobra.Command, args []string) error { diff --git a/cmd/save.go b/cmd/save.go index 1b034a2..2f5e6fb 100644 --- a/cmd/save.go +++ b/cmd/save.go @@ -36,7 +36,8 @@ var saveCmd = &cobra.Command{ } cmdMap[args[0]] = txt viper.Set("customcmd", cmdMap) - viper.WriteConfig() + err := viper.WriteConfig() + cobra.CheckErr(err) fmt.Println("\nSaved!") } } diff --git a/cryptography/aes.go b/cryptography/aes.go index 8458bfc..d5f8012 100644 --- a/cryptography/aes.go +++ b/cryptography/aes.go @@ -21,7 +21,10 @@ func EncryptPassword(b []byte) ([]byte, error) { return nil, err } - ct := aesg.Seal(nil, []byte(nonce), []byte(b), nil) + //adding #nosec trigger here since gosec interprets this as a hardcoded nonce value. The nonce is calculated using crypto/rand when the + //config command is ran and is pulled from memory when used any times after, for now we must prevent the scan from catching here until gosec + //is updated to account for this properly + ct := aesg.Seal(nil, []byte(nonce), []byte(b), nil) // #nosec return ct, nil } -- 2.47.2 From a2791a2e02b28ee8995b6d764156dc06144ef5d3 Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 13:47:16 -0400 Subject: [PATCH 3/7] go version bump --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 0c15b54..d1e9163 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module code.jakeyoungdev.com/jake/mctl -go 1.24.0 +go 1.24.2 require ( github.com/jake-young-dev/mcr v1.3.1 -- 2.47.2 From 53958fb0e11c921e09699534bdbb20b1682aab0d Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 13:59:17 -0400 Subject: [PATCH 4/7] workflow updates --- .gitea/workflows/security.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml index 3cee2bc..33b6c86 100644 --- a/.gitea/workflows/security.yaml +++ b/.gitea/workflows/security.yaml @@ -7,9 +7,14 @@ jobs: steps: - name: "clone code" uses: actions/checkout@v4 + + - name: "static code analysis" + uses: securego/gosec@v2.22.3 + with: + args: ./... - name: "install go" - uses: https://code.jakeyoungdev.com/actions/install-go@master + uses: https://code.jakeyoungdev.com/actions/install-go@v0.1.3 with: commands: | golang.org/x/vuln/cmd/govulncheck@latest @@ -18,8 +23,3 @@ jobs: uses: https://code.jakeyoungdev.com/actions/report-vulns@master with: manager: go - - - name: "static code analysis" - uses: securego/gosec@v2.22.3 - with: - args: ./... \ No newline at end of file -- 2.47.2 From 381b49ca71f3b685571018a60263ee907e1eab46 Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 14:10:30 -0400 Subject: [PATCH 5/7] file cleanup --- .gitea/workflows/security.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml index 33b6c86..65da5f4 100644 --- a/.gitea/workflows/security.yaml +++ b/.gitea/workflows/security.yaml @@ -7,19 +7,19 @@ jobs: steps: - name: "clone code" uses: actions/checkout@v4 - - - name: "static code analysis" - uses: securego/gosec@v2.22.3 - with: - args: ./... - name: "install go" uses: https://code.jakeyoungdev.com/actions/install-go@v0.1.3 with: - commands: | - golang.org/x/vuln/cmd/govulncheck@latest + commands: | + golang.org/x/vuln/cmd/govulncheck@latest - name: "dependency and stdlib scan" uses: https://code.jakeyoungdev.com/actions/report-vulns@master with: manager: go + + - name: "static code analysis" + uses: securego/gosec@master + with: + args: ./... -- 2.47.2 From d9184ed18a1e00a761739498e8e45a17ff3ba880 Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 14:13:16 -0400 Subject: [PATCH 6/7] adding new trigger for prs --- .gitea/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml index 65da5f4..4004ab4 100644 --- a/.gitea/workflows/security.yaml +++ b/.gitea/workflows/security.yaml @@ -1,5 +1,5 @@ name: "code scans" -on: push #runs on pushes to any branch +on: [push, pull_request] #runs on pushes to any branch jobs: scans: -- 2.47.2 From 26a7dfca6e23161373a8b400de904524feab228c Mon Sep 17 00:00:00 2001 From: jake Date: Thu, 24 Apr 2025 14:17:04 -0400 Subject: [PATCH 7/7] readme update --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d8615f8..992bf66 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,9 @@ mctl delete All configuration data will be kept in the home directory and any sensitive data is encrypted for added security ## Security -RCon is an inherently insecure protocol, passwords are sent in plaintext and, if possible, the port should not be exposed to the internet. It is best to keep these connections local or over a VPN +RCon is an inherently insecure protocol, passwords are sent in plaintext and, if possible, the port should not be exposed to the internet. It is best to keep these connections local or over a VPN. + +mctl utilizes [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) and [gosec](https://github.com/securego/gosec) in workflows to ensure quality, secure code is being pushed. These workflow steps must pass before a PR will be accepted ## Development this repo is currently in heavy development and may encounter breaking changes, use a tag to prevent any surprises \ No newline at end of file -- 2.47.2