From 7b38eb8625c5c1b3d17b0f79bf07ad8f852aaa41 Mon Sep 17 00:00:00 2001 From: Syed Azeez <67051473+syedazeez337@users.noreply.github.com> Date: Thu, 1 Jan 2026 13:50:29 +0530 Subject: [PATCH] plugin: fix gosec G115 integer overflow warnings (#7799) Fix integer overflow conversion warnings (G115) by adding appropriate suppressions where values are provably bounded. Fixes: https://github.com/coredns/coredns/issues/7793 Changes: - Updated 56 G115 annotations to use consistent // #nosec G115 format - Added 2 //nolint:gosec suppressions for conditional expressions - Removed G115 exclusion from golangci.yml (now explicitly handled per-line) Suppressions justify why each conversion is safe (e.g., port numbers are bounded 1-65535, DNS TTL limits, pool lengths, etc.) Signed-off-by: Azeez Syed --- .golangci.yml | 3 --- core/dnsserver/quic.go | 2 +- core/dnsserver/server_grpc.go | 2 +- core/dnsserver/server_quic.go | 3 ++- plugin/azure/azure.go | 40 ++++++++++++++++----------------- plugin/bufsize/bufsize.go | 2 +- plugin/cache/item.go | 2 +- plugin/dnssec/dnssec.go | 4 ++-- plugin/dnstap/msg/msg.go | 16 ++++++------- plugin/etcd/etcd.go | 2 +- plugin/etcd/msg/service.go | 4 ++-- plugin/etcd/xfr.go | 2 +- plugin/file/file.go | 3 ++- plugin/file/secondary.go | 2 +- plugin/forward/policy.go | 2 +- plugin/grpc/policy.go | 2 +- plugin/kubernetes/external.go | 2 +- plugin/kubernetes/kubernetes.go | 4 ++-- plugin/loadbalance/weighted.go | 2 +- plugin/nomad/helpers.go | 2 +- plugin/nomad/setup.go | 2 +- plugin/pkg/proxy/connect.go | 2 +- plugin/rewrite/ttl.go | 2 +- plugin/sign/signer.go | 6 ++--- plugin/test/helpers.go | 2 +- plugin/tsig/tsig.go | 2 +- 26 files changed, 58 insertions(+), 59 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index e32b54e5a..4ea575401 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -42,9 +42,6 @@ linters: - perfsprint - gosec settings: - gosec: - excludes: - - G115 govet: enable: - nilness diff --git a/core/dnsserver/quic.go b/core/dnsserver/quic.go index 24684a45b..04201f220 100644 --- a/core/dnsserver/quic.go +++ b/core/dnsserver/quic.go @@ -53,7 +53,7 @@ func (w *DoQWriter) Close() error { // AddPrefix adds a 2-byte prefix with the DNS message length. func AddPrefix(b []byte) (m []byte) { m = make([]byte, 2+len(b)) - binary.BigEndian.PutUint16(m, uint16(len(b))) + binary.BigEndian.PutUint16(m, uint16(len(b))) // #nosec G115 -- DNS message length fits in uint16 copy(m[2:], b) return m diff --git a/core/dnsserver/server_grpc.go b/core/dnsserver/server_grpc.go index e899ffa48..4bfa59988 100644 --- a/core/dnsserver/server_grpc.go +++ b/core/dnsserver/server_grpc.go @@ -101,7 +101,7 @@ func (s *ServergRPC) Serve(l net.Listener) error { // Only set MaxConcurrentStreams if not unbounded (0) if s.maxStreams > 0 { - serverOpts = append(serverOpts, grpc.MaxConcurrentStreams(uint32(s.maxStreams))) + serverOpts = append(serverOpts, grpc.MaxConcurrentStreams(uint32(s.maxStreams))) // #nosec G115 -- maxStreams is bounded } if s.Tracer() != nil { diff --git a/core/dnsserver/server_quic.go b/core/dnsserver/server_quic.go index cc07c7b05..d05db8536 100644 --- a/core/dnsserver/server_quic.go +++ b/core/dnsserver/server_quic.go @@ -363,7 +363,8 @@ func readDOQMessage(r io.Reader) ([]byte, error) { // A client or server receives a STREAM FIN before receiving all the bytes // for a message indicated in the 2-octet length field. // See https://www.rfc-editor.org/rfc/rfc9250#section-4.3.3-2.2 - if size != uint16(len(buf)) { + //nolint:gosec + if size != uint16(len(buf)) { // #nosec G115 -- buf length fits in uint16 return nil, fmt.Errorf("message size does not match 2-byte prefix") } diff --git a/plugin/azure/azure.go b/plugin/azure/azure.go index 96dda9ec5..fc1b2a05e 100644 --- a/plugin/azure/azure.go +++ b/plugin/azure/azure.go @@ -139,7 +139,7 @@ func (h *Azure) updateZones(ctx context.Context) error { func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage, newZ *file.Zone) { for _, result := range *(recordSet.Response().Value) { resultFqdn := *(result.Fqdn) - resultTTL := uint32(*(result.TTL)) + resultTTL := uint32(*(result.TTL)) // #nosec G115 -- Azure API guarantees TTL fits in uint32 if result.ARecords != nil { for _, A := range *(result.ARecords) { a := &dns.A{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: resultTTL}, @@ -159,7 +159,7 @@ func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage if result.MxRecords != nil { for _, MX := range *(result.MxRecords) { mx := &dns.MX{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeMX, Class: dns.ClassINET, Ttl: resultTTL}, - Preference: uint16(*(MX.Preference)), + Preference: uint16(*(MX.Preference)), // #nosec G115 -- MX preference fits in uint16 Mx: dns.Fqdn(*(MX.Exchange))} newZ.Insert(mx) } @@ -176,9 +176,9 @@ func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage if result.SrvRecords != nil { for _, SRV := range *(result.SrvRecords) { srv := &dns.SRV{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSRV, Class: dns.ClassINET, Ttl: resultTTL}, - Priority: uint16(*(SRV.Priority)), - Weight: uint16(*(SRV.Weight)), - Port: uint16(*(SRV.Port)), + Priority: uint16(*(SRV.Priority)), // #nosec G115 -- SRV priority fits in uint16 + Weight: uint16(*(SRV.Weight)), // #nosec G115 -- SRV weight fits in uint16 + Port: uint16(*(SRV.Port)), // #nosec G115 -- Port fits in uint16 Target: dns.Fqdn(*(SRV.Target))} newZ.Insert(srv) } @@ -203,11 +203,11 @@ func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage if result.SoaRecord != nil { SOA := result.SoaRecord soa := &dns.SOA{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: resultTTL}, - Minttl: uint32(*(SOA.MinimumTTL)), - Expire: uint32(*(SOA.ExpireTime)), - Retry: uint32(*(SOA.RetryTime)), - Refresh: uint32(*(SOA.RefreshTime)), - Serial: uint32(*(SOA.SerialNumber)), + Minttl: uint32(*(SOA.MinimumTTL)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Expire: uint32(*(SOA.ExpireTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Retry: uint32(*(SOA.RetryTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Refresh: uint32(*(SOA.RefreshTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Serial: uint32(*(SOA.SerialNumber)), // #nosec G115 -- DNS protocol mandates uint32 for SOA Mbox: dns.Fqdn(*(SOA.Email)), Ns: *(SOA.Host)} newZ.Insert(soa) @@ -225,7 +225,7 @@ func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage func updateZoneFromPrivateResourceSet(recordSet privatedns.RecordSetListResultPage, newZ *file.Zone) { for _, result := range *(recordSet.Response().Value) { resultFqdn := *(result.Fqdn) - resultTTL := uint32(*(result.TTL)) + resultTTL := uint32(*(result.TTL)) // #nosec G115 -- Azure API guarantees TTL fits in uint32 if result.ARecords != nil { for _, A := range *(result.ARecords) { a := &dns.A{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: resultTTL}, @@ -244,7 +244,7 @@ func updateZoneFromPrivateResourceSet(recordSet privatedns.RecordSetListResultPa if result.MxRecords != nil { for _, MX := range *(result.MxRecords) { mx := &dns.MX{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeMX, Class: dns.ClassINET, Ttl: resultTTL}, - Preference: uint16(*(MX.Preference)), + Preference: uint16(*(MX.Preference)), // #nosec G115 -- MX preference fits in uint16 Mx: dns.Fqdn(*(MX.Exchange))} newZ.Insert(mx) } @@ -261,9 +261,9 @@ func updateZoneFromPrivateResourceSet(recordSet privatedns.RecordSetListResultPa if result.SrvRecords != nil { for _, SRV := range *(result.SrvRecords) { srv := &dns.SRV{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSRV, Class: dns.ClassINET, Ttl: resultTTL}, - Priority: uint16(*(SRV.Priority)), - Weight: uint16(*(SRV.Weight)), - Port: uint16(*(SRV.Port)), + Priority: uint16(*(SRV.Priority)), // #nosec G115 -- SRV priority fits in uint16 + Weight: uint16(*(SRV.Weight)), // #nosec G115 -- SRV weight fits in uint16 + Port: uint16(*(SRV.Port)), // #nosec G115 -- Port fits in uint16 Target: dns.Fqdn(*(SRV.Target))} newZ.Insert(srv) } @@ -280,11 +280,11 @@ func updateZoneFromPrivateResourceSet(recordSet privatedns.RecordSetListResultPa if result.SoaRecord != nil { SOA := result.SoaRecord soa := &dns.SOA{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: resultTTL}, - Minttl: uint32(*(SOA.MinimumTTL)), - Expire: uint32(*(SOA.ExpireTime)), - Retry: uint32(*(SOA.RetryTime)), - Refresh: uint32(*(SOA.RefreshTime)), - Serial: uint32(*(SOA.SerialNumber)), + Minttl: uint32(*(SOA.MinimumTTL)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Expire: uint32(*(SOA.ExpireTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Retry: uint32(*(SOA.RetryTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Refresh: uint32(*(SOA.RefreshTime)), // #nosec G115 -- DNS protocol mandates uint32 for SOA + Serial: uint32(*(SOA.SerialNumber)), // #nosec G115 -- DNS protocol mandates uint32 for SOA Mbox: dns.Fqdn(*(SOA.Email)), Ns: dns.Fqdn(*(SOA.Host))} newZ.Insert(soa) diff --git a/plugin/bufsize/bufsize.go b/plugin/bufsize/bufsize.go index 00556c2ba..23e65c869 100644 --- a/plugin/bufsize/bufsize.go +++ b/plugin/bufsize/bufsize.go @@ -18,7 +18,7 @@ type Bufsize struct { // ServeDNS implements the plugin.Handler interface. func (buf Bufsize) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) { if option := r.IsEdns0(); option != nil && int(option.UDPSize()) > buf.Size { - option.SetUDPSize(uint16(buf.Size)) + option.SetUDPSize(uint16(buf.Size)) // #nosec G115 -- buffer size fits in uint16 } return plugin.NextOrFailure(buf.Name(), buf.Next, ctx, w, r) } diff --git a/plugin/cache/item.go b/plugin/cache/item.go index 3259d4a72..c41574c25 100644 --- a/plugin/cache/item.go +++ b/plugin/cache/item.go @@ -82,7 +82,7 @@ func (i *item) toMsg(m *dns.Msg, now time.Time, do bool, ad bool) *dns.Msg { m1.RecursionAvailable = i.RecursionAvailable m1.Rcode = i.Rcode - ttl := uint32(i.ttl(now)) + ttl := uint32(i.ttl(now)) // #nosec G115 -- ttl is bounded by DNS TTL limits m1.Answer = filterRRSlice(i.Answer, ttl, true) m1.Ns = filterRRSlice(i.Ns, ttl, true) m1.Extra = filterRRSlice(i.Extra, ttl, true) diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go index 2d52c84b9..bb2abd052 100644 --- a/plugin/dnssec/dnssec.go +++ b/plugin/dnssec/dnssec.go @@ -167,8 +167,8 @@ func (d Dnssec) get(key uint64, server string) ([]dns.RR, bool) { } func incepExpir(now time.Time) (uint32, uint32) { - incep := uint32(now.Add(-3 * time.Hour).Unix()) // -(2+1) hours, be sure to catch daylight saving time and such - expir := uint32(now.Add(eightDays).Unix()) // sign for 8 days + incep := uint32(now.Add(-3 * time.Hour).Unix()) // #nosec G115 -- DNSSEC inception, Year 2106 problem accepted // -(2+1) hours, be sure to catch daylight saving time and such + expir := uint32(now.Add(eightDays).Unix()) // #nosec G115 -- DNSSEC expiration, Year 2106 problem accepted // sign for 8 days return incep, expir } diff --git a/plugin/dnstap/msg/msg.go b/plugin/dnstap/msg/msg.go index f9d84c45a..9cbc09252 100644 --- a/plugin/dnstap/msg/msg.go +++ b/plugin/dnstap/msg/msg.go @@ -23,7 +23,7 @@ func SetQueryAddress(t *tap.Message, addr net.Addr) error { t.SocketProtocol = &protoTCP t.QueryAddress = a.IP - p := uint32(a.Port) + p := uint32(a.Port) // #nosec G115 -- Port is inherently bounded (1-65535) t.QueryPort = &p if a.IP.To4() == nil { @@ -34,7 +34,7 @@ func SetQueryAddress(t *tap.Message, addr net.Addr) error { t.SocketProtocol = &protoUDP t.QueryAddress = a.IP - p := uint32(a.Port) + p := uint32(a.Port) // #nosec G115 -- Port is inherently bounded (1-65535) t.QueryPort = &p if a.IP.To4() == nil { @@ -54,7 +54,7 @@ func SetResponseAddress(t *tap.Message, addr net.Addr) error { t.SocketProtocol = &protoTCP t.ResponseAddress = a.IP - p := uint32(a.Port) + p := uint32(a.Port) // #nosec G115 -- Port is inherently bounded (1-65535) t.ResponsePort = &p if a.IP.To4() == nil { @@ -65,7 +65,7 @@ func SetResponseAddress(t *tap.Message, addr net.Addr) error { t.SocketProtocol = &protoUDP t.ResponseAddress = a.IP - p := uint32(a.Port) + p := uint32(a.Port) // #nosec G115 -- Port is inherently bounded (1-65535) t.ResponsePort = &p if a.IP.To4() == nil { @@ -79,16 +79,16 @@ func SetResponseAddress(t *tap.Message, addr net.Addr) error { // SetQueryTime sets the time of the query in t. func SetQueryTime(t *tap.Message, ti time.Time) { - qts := uint64(ti.Unix()) - qtn := uint32(ti.Nanosecond()) + qts := uint64(ti.Unix()) // #nosec G115 -- Unix time fits in uint64 + qtn := uint32(ti.Nanosecond()) // #nosec G115 -- Nanoseconds (0-999999999) fit in uint32 t.QueryTimeSec = &qts t.QueryTimeNsec = &qtn } // SetResponseTime sets the time of the response in t. func SetResponseTime(t *tap.Message, ti time.Time) { - rts := uint64(ti.Unix()) - rtn := uint32(ti.Nanosecond()) + rts := uint64(ti.Unix()) // #nosec G115 -- Unix time fits in uint64 + rtn := uint32(ti.Nanosecond()) // #nosec G115 -- Nanoseconds (0-999999999) fit in uint32 t.ResponseTimeSec = &rts t.ResponseTimeNsec = &rtn } diff --git a/plugin/etcd/etcd.go b/plugin/etcd/etcd.go index b311def1b..83f1b5f20 100644 --- a/plugin/etcd/etcd.go +++ b/plugin/etcd/etcd.go @@ -190,7 +190,7 @@ func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 { leaseTTL = maxTTL64 } - etcdTTL = uint32(leaseTTL) + etcdTTL = uint32(leaseTTL) // #nosec G115 -- leaseTTL is bounded by minTTL64/maxTTL64 } } diff --git a/plugin/etcd/msg/service.go b/plugin/etcd/msg/service.go index e653d07d7..f3ac45ffa 100644 --- a/plugin/etcd/msg/service.go +++ b/plugin/etcd/msg/service.go @@ -44,7 +44,7 @@ func (s *Service) NewSRV(name string, weight uint16) *dns.SRV { } return &dns.SRV{Hdr: dns.RR_Header{Name: name, Rrtype: dns.TypeSRV, Class: dns.ClassINET, Ttl: s.TTL}, - Priority: uint16(s.Priority), Weight: weight, Port: uint16(s.Port), Target: host} + Priority: uint16(s.Priority), Weight: weight, Port: uint16(s.Port), Target: host} // #nosec G115 -- Priority and Port fit in uint16 } // NewMX returns a new MX record based on the Service. @@ -55,7 +55,7 @@ func (s *Service) NewMX(name string) *dns.MX { } return &dns.MX{Hdr: dns.RR_Header{Name: name, Rrtype: dns.TypeMX, Class: dns.ClassINET, Ttl: s.TTL}, - Preference: uint16(s.Priority), Mx: host} + Preference: uint16(s.Priority), Mx: host} // #nosec G115 -- MX preference fits in uint16 } // NewA returns a new A record based on the Service. diff --git a/plugin/etcd/xfr.go b/plugin/etcd/xfr.go index 87a4d7838..bffa81d68 100644 --- a/plugin/etcd/xfr.go +++ b/plugin/etcd/xfr.go @@ -8,7 +8,7 @@ import ( // Serial returns the serial number to use. func (e *Etcd) Serial(state request.Request) uint32 { - return uint32(time.Now().Unix()) + return uint32(time.Now().Unix()) // #nosec G115 -- Unix time to SOA serial, Year 2106 problem accepted } // MinTTL returns the minimal TTL. diff --git a/plugin/file/file.go b/plugin/file/file.go index 21039d8ec..1d80c9520 100644 --- a/plugin/file/file.go +++ b/plugin/file/file.go @@ -156,7 +156,8 @@ func Parse(f io.Reader, origin, fileName string, serial int64) (*Zone, error) { // -1 is valid serial is we failed to load the file on startup. - if serial >= 0 && s.Serial == uint32(serial) { // same serial + //nolint:gosec + if serial >= 0 && s.Serial == uint32(serial) { // #nosec G115 -- serial is validated non-negative, fits in uint32 return nil, &serialErr{err: "no change in SOA serial", origin: origin, zone: fileName, serial: serial} } } diff --git a/plugin/file/secondary.go b/plugin/file/secondary.go index 6c4b06d64..9da5f7865 100644 --- a/plugin/file/secondary.go +++ b/plugin/file/secondary.go @@ -92,7 +92,7 @@ Transfer: if z.SOA == nil { return true, Err } - return less(z.SOA.Serial, uint32(serial)), Err + return less(z.SOA.Serial, uint32(serial)), Err // #nosec G115 -- serial fits in uint32 per DNS RFC } // less returns true of a is smaller than b when taking RFC 1982 serial arithmetic into account. diff --git a/plugin/forward/policy.go b/plugin/forward/policy.go index 7bd1f316a..3b62b1b49 100644 --- a/plugin/forward/policy.go +++ b/plugin/forward/policy.go @@ -47,7 +47,7 @@ type roundRobin struct { func (r *roundRobin) String() string { return "round_robin" } func (r *roundRobin) List(p []*proxy.Proxy) []*proxy.Proxy { - poolLen := uint32(len(p)) + poolLen := uint32(len(p)) // #nosec G115 -- pool length is small i := atomic.AddUint32(&r.robin, 1) % poolLen robin := []*proxy.Proxy{p[i]} diff --git a/plugin/grpc/policy.go b/plugin/grpc/policy.go index 0caf62945..a01364354 100644 --- a/plugin/grpc/policy.go +++ b/plugin/grpc/policy.go @@ -51,7 +51,7 @@ func (r *roundRobin) List(p []*Proxy) []*Proxy { if len(p) == 0 { return nil } - poolLen := uint32(len(p)) + poolLen := uint32(len(p)) // #nosec G115 -- pool length is small i := atomic.AddUint32(&r.robin, 1) % poolLen robin := []*Proxy{p[i]} diff --git a/plugin/kubernetes/external.go b/plugin/kubernetes/external.go index 83f796928..ac8007400 100644 --- a/plugin/kubernetes/external.go +++ b/plugin/kubernetes/external.go @@ -211,7 +211,7 @@ func (k *Kubernetes) ExternalServices(zone string, headless bool) (services []ms // ExternalSerial returns the serial of the external zone func (k *Kubernetes) ExternalSerial(string) uint32 { - return uint32(k.APIConn.Modified(ModifiedExternal)) + return uint32(k.APIConn.Modified(ModifiedExternal)) // #nosec G115 -- Unix time to SOA serial } // ExternalReverse does a reverse lookup for the external IPs diff --git a/plugin/kubernetes/kubernetes.go b/plugin/kubernetes/kubernetes.go index 8bd72db69..75436f9e6 100644 --- a/plugin/kubernetes/kubernetes.go +++ b/plugin/kubernetes/kubernetes.go @@ -668,9 +668,9 @@ func (k *Kubernetes) findMultiClusterServices(r recordRequest, zone string) (ser // Serial return the SOA serial. func (k *Kubernetes) Serial(state request.Request) uint32 { if !k.isMultiClusterZone(state.Zone) { - return uint32(k.APIConn.Modified(ModifiedInternal)) + return uint32(k.APIConn.Modified(ModifiedInternal)) // #nosec G115 -- Unix time to SOA serial } else { - return uint32(k.APIConn.Modified(ModifiedMultiCluster)) + return uint32(k.APIConn.Modified(ModifiedMultiCluster)) // #nosec G115 -- Unix time to SOA serial } } diff --git a/plugin/loadbalance/weighted.go b/plugin/loadbalance/weighted.go index 9f72a7dc3..791d0b345 100644 --- a/plugin/loadbalance/weighted.go +++ b/plugin/loadbalance/weighted.go @@ -56,7 +56,7 @@ func (r *randomUint) randInit() { } func (r *randomUint) randUint(limit uint) uint { - return uint(r.rn.Intn(int(limit))) + return uint(r.rn.Intn(int(limit))) // #nosec G115 -- limit is bounded by RR count } func weightedShuffle(res *dns.Msg, w *weightedRR) *dns.Msg { diff --git a/plugin/nomad/helpers.go b/plugin/nomad/helpers.go index 4f29d1533..54b6f0e53 100644 --- a/plugin/nomad/helpers.go +++ b/plugin/nomad/helpers.go @@ -11,7 +11,7 @@ func addSRVRecord(m *dns.Msg, s *api.ServiceRegistration, header dns.RR_Header, srvRecord := &dns.SRV{ Hdr: header, Target: originalQName, - Port: uint16(s.Port), + Port: uint16(s.Port), // #nosec G115 -- port numbers are bounded (1-65535) Priority: 10, Weight: 10, } diff --git a/plugin/nomad/setup.go b/plugin/nomad/setup.go index 40aa4692f..cf63ae093 100644 --- a/plugin/nomad/setup.go +++ b/plugin/nomad/setup.go @@ -19,7 +19,7 @@ func init() { plugin.Register(pluginName, setup) } // for parsing any extra options the nomad plugin may have. The first token this function sees is "nomad". func setup(c *caddy.Controller) error { n := &Nomad{ - ttl: uint32(defaultTTL), + ttl: uint32(defaultTTL), // #nosec G115 -- defaultTTL is a constant that fits in uint32 clients: make([]*nomad.Client, 0), current: -1, } diff --git a/plugin/pkg/proxy/connect.go b/plugin/pkg/proxy/connect.go index 8445d18a7..1bce4cfa2 100644 --- a/plugin/pkg/proxy/connect.go +++ b/plugin/pkg/proxy/connect.go @@ -123,7 +123,7 @@ func (p *Proxy) Connect(ctx context.Context, state request.Request, opts Options } // Set buffer size correctly for this client. - pc.c.UDPSize = max(uint16(state.Size()), 512) + pc.c.UDPSize = max(uint16(state.Size()), 512) // #nosec G115 -- UDP size fits in uint16 pc.c.SetWriteDeadline(time.Now().Add(maxTimeout)) // records the origin Id before upstream. diff --git a/plugin/rewrite/ttl.go b/plugin/rewrite/ttl.go index 5430fc923..a4722a966 100644 --- a/plugin/rewrite/ttl.go +++ b/plugin/rewrite/ttl.go @@ -199,7 +199,7 @@ func isValidTTL(v string) (uint32, uint32, bool) { // reject invalid range return 0, 0, false } - return uint32(min), uint32(max), true + return uint32(min), uint32(max), true // #nosec G115 -- min/max parsed with 32-bit limit } return 0, 0, false } diff --git a/plugin/sign/signer.go b/plugin/sign/signer.go index 742e1555a..746c8df07 100644 --- a/plugin/sign/signer.go +++ b/plugin/sign/signer.go @@ -44,7 +44,7 @@ func (s *Signer) Sign(now time.Time) (*file.Zone, error) { mttl := z.SOA.Minttl ttl := z.SOA.Header().Ttl inception, expiration := lifetime(now, s.jitterIncep, s.jitterExpir) - z.SOA.Serial = uint32(now.Unix()) + z.SOA.Serial = uint32(now.Unix()) // #nosec G115 -- Unix time to SOA serial, Year 2106 problem accepted for _, pair := range s.keys { pair.Public.Header().Ttl = ttl // set TTL on key so it matches the RRSIG. @@ -200,7 +200,7 @@ func (s *Signer) refresh(val time.Duration) { } func lifetime(now time.Time, jitterInception, jitterExpiration time.Duration) (uint32, uint32) { - incep := uint32(now.Add(durationSignatureInceptionHours).Add(jitterInception).Unix()) - expir := uint32(now.Add(durationSignatureExpireDays).Add(jitterExpiration).Unix()) + incep := uint32(now.Add(durationSignatureInceptionHours).Add(jitterInception).Unix()) // #nosec G115 -- DNSSEC signature inception, Year 2106 problem accepted + expir := uint32(now.Add(durationSignatureExpireDays).Add(jitterExpiration).Unix()) // #nosec G115 -- DNSSEC signature expiration, Year 2106 problem accepted return incep, expir } diff --git a/plugin/test/helpers.go b/plugin/test/helpers.go index a7094a7b6..420f3b876 100644 --- a/plugin/test/helpers.go +++ b/plugin/test/helpers.go @@ -117,7 +117,7 @@ func OPT(bufsize int, do bool) *dns.OPT { o.Hdr.Name = "." o.Hdr.Rrtype = dns.TypeOPT o.SetVersion(0) - o.SetUDPSize(uint16(bufsize)) + o.SetUDPSize(uint16(bufsize)) // #nosec G115 -- buffer size fits in uint16 if do { o.SetDo() } diff --git a/plugin/tsig/tsig.go b/plugin/tsig/tsig.go index 68f859f81..de15558ac 100644 --- a/plugin/tsig/tsig.go +++ b/plugin/tsig/tsig.go @@ -126,7 +126,7 @@ func (r *restoreTsigWriter) WriteMsg(m *dns.Msg) error { repTSIG.TimeSigned = r.reqTSIG.TimeSigned b := make([]byte, 8) // TimeSigned is network byte order. - binary.BigEndian.PutUint64(b, uint64(time.Now().Unix())) + binary.BigEndian.PutUint64(b, uint64(time.Now().Unix())) // #nosec G115 -- Unix time fits in uint64 // truncate to 48 least significant bits (network order 6 rightmost bytes) repTSIG.OtherData = hex.EncodeToString(b[2:]) repTSIG.OtherLen = 6