diff --git a/hack/testdata/levee/OWNERS b/hack/testdata/levee/OWNERS
deleted file mode 100644
index fc94cc112e5..00000000000
--- a/hack/testdata/levee/OWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
- - sig-security-approvers
-reviewers:
- - sig-security-reviewers
-labels:
- - sig/security
diff --git a/hack/testdata/levee/levee-config.yaml b/hack/testdata/levee/levee-config.yaml
deleted file mode 100644
index a77ea7a43cb..00000000000
--- a/hack/testdata/levee/levee-config.yaml
+++ /dev/null
@@ -1,154 +0,0 @@
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
-# It defines sources which may contain credentials and sinks where these should not be logged.
-# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
-# Sanitizers permit sources to safely reach a sink.
-# False positives may be suppressed in the Exclude block.
-# Note that `*RE` keys have regexp values.
-
-# For additional details, see KEP-1933.
----
-
-# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
-FieldTags:
- - Key: "datapolicy"
- Value: "security-key"
- - Key: "datapolicy"
- Value: "token"
- - Key: "datapolicy"
- Value: "password"
-
-# This preliminary collection of source types should be removed once
-# KEP-1753 adds tags to the relevant fields.
-Sources:
-# The following fields are tagged in #95994
-- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
- TypeRE: "Config"
- FieldRE: "Password"
-- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
- TypeRE: "ConfigFile"
- FieldRE: "Global" # Global is of unnamed type, contains the field Password.
-
-# The following fields are tagged in #95997
-- PackageRE: "k8s.io/kubelet/config/v1beta1"
- TypeRE: "KubeletConfiguration"
- FieldRE: "StaticPodURLHeader"
-
-# The following fields are tagged in #95998
-- PackageRE: "k8s.io/kube-scheduler/config/v1"
- TypeRE: "ExtenderTLSConfig"
- FieldRE: "KeyData"
-
-# The following fields are tagged in #95600
-- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1"
- TypeRE: "AuthConfig"
- FieldRE: "Password|IdentityToken|RegistryToken"
-
-# The following fields are tagged in #96002
-- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
- TypeRE: "TLSConfig"
- FieldRE: "ClientKey"
-- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
- TypeRE: "Key"
- FieldRE: "Secret"
-- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
- TypeRE: "requestHeaderBundle"
- FieldRE: "UsernameHeaders|GroupHeaders"
-- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
- TypeRE: "certKeyContent"
- FieldRE: "key"
-- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
- TypeRE: "DynamicCertKeyPairContent"
- FieldRE: "certKeyPair"
-- PackageRE: "k8s.io/apiserver/pkg/server/options"
- TypeRE: "RequestHeaderAuthenticationOptions"
- FieldRE: "UsernameHeaders|GroupHeaders"
-- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
- TypeRE: "endpoint"
- FieldRE: "AccessToken"
-
-# The following fields are tagged in #96003
-- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
- TypeRE: "ConfigFlags"
- FieldRE: "BearerToken|Password"
-
-# The following fields are tagged in #96004
-- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
- TypeRE: "KubeletConfiguration"
- FieldRE: "StaticPodURLHeader"
-- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
- TypeRE: "KubeletClientConfig"
- FieldRE: "BearerToken"
-
-# The following fields are tagged in #96005
-- PackageRE: "k8s.io/api/authentication/v1"
- TypeRE: "TokenReviewSpec|TokenRequestStatus"
- FieldRE: " Token"
-- PackageRE: "k8s.io/api/authentication/v1beta1"
- TypeRE: "TokenReviewSpec"
- FieldRE: " Token"
-
-# The following fields are tagged in #96007
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
- TypeRE: "acrAuthResponse"
- FieldRE: "RefreshToken"
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "DockerConfigEntry"
- FieldRE: "Password"
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "DockerConfigJSON"
- FieldRE: "Auths|HTTPHeaders"
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "dockerConfigEntryWithAuth"
- FieldRE: "Password|Auth"
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
- TypeRE: "tokenBlob"
- FieldRE: "AccessToken"
-- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "AuthConfig"
- FieldRE: "Password|Auth|IdentityToken|RegistryToken"
-
-# The following fields are tagged in #96008
-- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
- TypeRE: "CertificateAuthority"
- FieldRE: "RawKey"
-
-# The following fields are not yet tagged
-- PackageRE: "k8s.io/api/core/v1"
- TypeRE: "Secret"
- FieldRE: "Data|StringData"
-
-# Sinks are functions that should not be called with source or source-tainted arguments.
-# This configuration should capture all log unfiltered log calls.
-Sinks:
-- PackageRE: "k?log"
- # Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
- ReceiverRE: ""
- MethodRE: "Info|Warning|Error|Fatal|Exit"
-
-# Sanitizers permit a source to reach a sink by explicitly removing the source data.
-Sanitizers:
-# maskValue strips bearer tokens from request headers
-- PackageRE: "k8s.io/client-go/transport"
- MethodRE: "maskValue"
-
-# False positives may be suppressed here.
-# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
-# PackageRE | ReceiverRE | MethodRE regexp
-Exclude:
-- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
- # Regexp matches anonymized inner function
- MethodRE: "NewKubeletCommand"
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index 862d6c24156..179c370d758 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -8,7 +8,6 @@ require (
 github.com/client9/misspell v0.3.4
 github.com/golang/mock v1.6.0
 github.com/golangci/golangci-lint v1.55.2
- github.com/google/go-flow-levee v0.1.5
 go.uber.org/automaxprocs v1.5.2
 gotest.tools/gotestsum v1.6.4
 honnef.co/go/tools v0.4.6
@@ -194,7 +193,6 @@ require (
 golang.org/x/term v0.13.0 // indirect
 golang.org/x/text v0.13.0 // indirect
 golang.org/x/tools v0.14.0 // indirect
- golang.org/x/tools/go/pointer v0.1.0-deprecated // indirect
 google.golang.org/protobuf v1.28.0 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -203,5 +201,4 @@ require (
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
 mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d // indirect
- sigs.k8s.io/yaml v1.2.0 // indirect
 )
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index bae99c744cd..e4d72f3bae2 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -266,8 +266,6 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-flow-levee v0.1.5 h1:AA7PBp4jrb1JIpqgSHxShqogsAZyI4VoTuJ0pNKHBVw= -github.com/google/go-flow-levee v0.1.5/go.mod h1:Uiz/03u4gZX0ldjN5Tj5+fyZN1v6VK22uKRcpQCDsyE= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= @@ -852,7 +850,6 @@ golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjs golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200416214402-fc959738d646/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -885,8 +882,6 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= -golang.org/x/tools/go/pointer v0.1.0-deprecated h1:PwCkqv2FT35Z4MVxR/tUlvLoL0TkxDjShpBrE4p18Ho= -golang.org/x/tools/go/pointer v0.1.0-deprecated/go.mod h1:Jd+I2inNruJ+5VRdS+jU4S1t17z5y+UCCRa/eBRwilA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -995,7 +990,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -1030,5 +1024,3 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/logtools v0.8.0 h1:PPokQ0bBsuYVtSFHSfXoNtQPQ7Mfb9PzwSJH7kApPpE= sigs.k8s.io/logtools v0.8.0/go.mod h1:/muFLJLDCPfiBkA8a1YC96gvnbISgO/JVwgKOXZrT1I= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/hack/tools/tools.go b/hack/tools/tools.go
index 0bab8a5fdce..a439a7623c0 100644
--- a/hack/tools/tools.go
+++ b/hack/tools/tools.go
@@ -23,7 +23,6 @@ import ( _ "github.com/aojea/sloppy-netparser" _ "github.com/client9/misspell/cmd/misspell" _ "github.com/golangci/golangci-lint/cmd/golangci-lint" - _ "github.com/google/go-flow-levee/cmd/levee" _ "honnef.co/go/tools/cmd/staticcheck" _ "sigs.k8s.io/logtools/logcheck"
diff --git a/hack/verify-govet-levee.sh b/hack/verify-govet-levee.sh
deleted file mode 100755
index f087d59d1b9..00000000000
--- a/hack/verify-govet-levee.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script vets each package by `levee`.
-# Usage: `hack/verify-govet-levee.sh`.
-
-set -o errexit
-set -o pipefail
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
-source "${KUBE_ROOT}/hack/lib/init.sh"
-source "${KUBE_ROOT}/hack/lib/util.sh"
-
-kube::golang::verify_go_version
-
-# Ensure that we find the binaries we build before anything else.
-export GOBIN="${KUBE_OUTPUT_BINPATH}"
-PATH="${GOBIN}:${PATH}"
-
-# Install levee
-pushd "${KUBE_ROOT}/hack/tools" >/dev/null
- GO111MODULE=on go install github.com/google/go-flow-levee/cmd/levee
-popd >/dev/null
-
-# Prefer full path for interaction with make vet
-LEVEE_BIN="$(which levee)"
-CONFIG_FILE="${KUBE_ROOT}/hack/testdata/levee/levee-config.yaml"
-
-# Do not run on third_party directories or generated client code or build tools.
-targets=()
-while IFS='' read -r line; do
- targets+=("${line}")
-done < <(go list --find -e ./... | grep -E -v "/(build|third_party|vendor|staging|clientset_generated|hack)/")
-
-go vet -vettool="${LEVEE_BIN}" -config="${CONFIG_FILE}" "${targets[@]}"