Merge pull request #122596 from dims/drop-hack-verify-govet-leveee

Drop hack/verify-govet-levee
2025-08-01 15:58:37 +00:00 · 2024-01-05 20:22:38 +01:00 · 2024-01-05 20:22:38 +01:00 · b98a4b8495
commit b98a4b8495
parent d39f401767 2431a964af
6 changed files with 0 additions and 222 deletions
--- a/hack/testdata/levee/OWNERS
+++ b/hack/testdata/levee/OWNERS
@ -1,8 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
-  - sig-security-approvers
-reviewers:
-  - sig-security-reviewers
-labels:
-  - sig/security
--- a/hack/testdata/levee/levee-config.yaml
+++ b/hack/testdata/levee/levee-config.yaml
@ -1,154 +0,0 @@
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
-# It defines sources which may contain credentials and sinks where these should not be logged.
-# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
-# Sanitizers permit sources to safely reach a sink.
-# False positives may be suppressed in the Exclude block.
-# Note that `*RE` keys have regexp values.
-
-# For additional details, see KEP-1933.
---
-
-# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
-FieldTags:
-  - Key: "datapolicy"
-    Value: "security-key"
-  - Key: "datapolicy"
-    Value: "token"
-  - Key: "datapolicy"
-    Value: "password"
-
-# This preliminary collection of source types should be removed once
-# KEP-1753 adds tags to the relevant fields.
-Sources:
-# The following fields are tagged in #95994
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
-  TypeRE: "Config"
-  FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
-  TypeRE: "ConfigFile"
-  FieldRE: "Global"  # Global is of unnamed type, contains the field Password.
-
-# The following fields are tagged in #95997
- PackageRE: "k8s.io/kubelet/config/v1beta1"
-  TypeRE: "KubeletConfiguration"
-  FieldRE: "StaticPodURLHeader"
-
-# The following fields are tagged in #95998
- PackageRE: "k8s.io/kube-scheduler/config/v1"
-  TypeRE: "ExtenderTLSConfig"
-  FieldRE: "KeyData"
-
-# The following fields are tagged in #95600
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1"
-  TypeRE: "AuthConfig"
-  FieldRE: "Password|IdentityToken|RegistryToken"
-
-# The following fields are tagged in #96002
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
-  TypeRE: "TLSConfig"
-  FieldRE: "ClientKey"
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
-  TypeRE: "Key"
-  FieldRE: "Secret"
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
-  TypeRE: "requestHeaderBundle"
-  FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
-  TypeRE: "certKeyContent"
-  FieldRE: "key"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
-  TypeRE: "DynamicCertKeyPairContent"
-  FieldRE: "certKeyPair"
- PackageRE: "k8s.io/apiserver/pkg/server/options"
-  TypeRE: "RequestHeaderAuthenticationOptions"
-  FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
-  TypeRE: "endpoint"
-  FieldRE: "AccessToken"
-
-# The following fields are tagged in #96003
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
-  TypeRE: "ConfigFlags"
-  FieldRE: "BearerToken|Password"
-
-# The following fields are tagged in #96004
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
-  TypeRE: "KubeletConfiguration"
-  FieldRE: "StaticPodURLHeader"
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
-  TypeRE: "KubeletClientConfig"
-  FieldRE: "BearerToken"
-
-# The following fields are tagged in #96005
- PackageRE: "k8s.io/api/authentication/v1"
-  TypeRE: "TokenReviewSpec|TokenRequestStatus"
-  FieldRE: " Token"
- PackageRE: "k8s.io/api/authentication/v1beta1"
-  TypeRE: "TokenReviewSpec"
-  FieldRE: " Token"
-
-# The following fields are tagged in #96007
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
-  TypeRE: "acrAuthResponse"
-  FieldRE: "RefreshToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
-  TypeRE: "DockerConfigEntry"
-  FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
-  TypeRE: "DockerConfigJSON"
-  FieldRE: "Auths|HTTPHeaders"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
-  TypeRE: "dockerConfigEntryWithAuth"
-  FieldRE: "Password|Auth"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
-  TypeRE: "tokenBlob"
-  FieldRE: "AccessToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
-  TypeRE: "AuthConfig"
-  FieldRE: "Password|Auth|IdentityToken|RegistryToken"
-
-# The following fields are tagged in #96008
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
-  TypeRE: "CertificateAuthority"
-  FieldRE: "RawKey"
-
-# The following fields are not yet tagged
- PackageRE: "k8s.io/api/core/v1"
-  TypeRE: "Secret"
-  FieldRE: "Data|StringData"
-
-# Sinks are functions that should not be called with source or source-tainted arguments.
-# This configuration should capture all log unfiltered log calls.
-Sinks:
- PackageRE: "k?log"
-  # Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
-  ReceiverRE: ""
-  MethodRE: "Info|Warning|Error|Fatal|Exit"
-
-# Sanitizers permit a source to reach a sink by explicitly removing the source data.
-Sanitizers:
-# maskValue strips bearer tokens from request headers
- PackageRE: "k8s.io/client-go/transport"
-  MethodRE: "maskValue"
-
-# False positives may be suppressed here.
-# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
-# PackageRE | ReceiverRE | MethodRE regexp
-Exclude:
- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
-  # Regexp matches anonymized inner function
-  MethodRE: "NewKubeletCommand"
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@ -8,7 +8,6 @@ require (
 	github.com/client9/misspell v0.3.4
 	github.com/golang/mock v1.6.0
 	github.com/golangci/golangci-lint v1.55.2
-	github.com/google/go-flow-levee v0.1.5
 	go.uber.org/automaxprocs v1.5.2
 	gotest.tools/gotestsum v1.6.4
 	honnef.co/go/tools v0.4.6
@ -194,7 +193,6 @@ require (
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
-	golang.org/x/tools/go/pointer v0.1.0-deprecated // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@ -203,5 +201,4 @@ require (
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
 	mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
 )
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@ -266,8 +266,6 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-flow-levee v0.1.5 h1:AA7PBp4jrb1JIpqgSHxShqogsAZyI4VoTuJ0pNKHBVw=
-github.com/google/go-flow-levee v0.1.5/go.mod h1:Uiz/03u4gZX0ldjN5Tj5+fyZN1v6VK22uKRcpQCDsyE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@ -852,7 +850,6 @@ golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjs
 golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200416214402-fc959738d646/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@ -885,8 +882,6 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools/go/pointer v0.1.0-deprecated h1:PwCkqv2FT35Z4MVxR/tUlvLoL0TkxDjShpBrE4p18Ho=
-golang.org/x/tools/go/pointer v0.1.0-deprecated/go.mod h1:Jd+I2inNruJ+5VRdS+jU4S1t17z5y+UCCRa/eBRwilA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -995,7 +990,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
@ -1030,5 +1024,3 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/logtools v0.8.0 h1:PPokQ0bBsuYVtSFHSfXoNtQPQ7Mfb9PzwSJH7kApPpE=
 sigs.k8s.io/logtools v0.8.0/go.mod h1:/muFLJLDCPfiBkA8a1YC96gvnbISgO/JVwgKOXZrT1I=
-sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/hack/tools/tools.go
+++ b/hack/tools/tools.go
@ -23,7 +23,6 @@ import (
 	_ "github.com/aojea/sloppy-netparser"
 	_ "github.com/client9/misspell/cmd/misspell"
 	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
-	_ "github.com/google/go-flow-levee/cmd/levee"
 	_ "honnef.co/go/tools/cmd/staticcheck"
 	_ "sigs.k8s.io/logtools/logcheck"

--- a/hack/verify-govet-levee.sh
+++ b/hack/verify-govet-levee.sh
@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script vets each package by `levee`.
-# Usage: `hack/verify-govet-levee.sh`.
-
-set -o errexit
-set -o pipefail
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
-source "${KUBE_ROOT}/hack/lib/init.sh"
-source "${KUBE_ROOT}/hack/lib/util.sh"
-
-kube::golang::verify_go_version
-
-# Ensure that we find the binaries we build before anything else.
-export GOBIN="${KUBE_OUTPUT_BINPATH}"
-PATH="${GOBIN}:${PATH}"
-
-# Install levee
-pushd "${KUBE_ROOT}/hack/tools" >/dev/null
-  GO111MODULE=on go install github.com/google/go-flow-levee/cmd/levee
-popd >/dev/null
-
-# Prefer full path for interaction with make vet
-LEVEE_BIN="$(which levee)"
-CONFIG_FILE="${KUBE_ROOT}/hack/testdata/levee/levee-config.yaml"
-
-# Do not run on third_party directories or generated client code or build tools.
-targets=()
-while IFS='' read -r line; do
-  targets+=("${line}")
-done < <(go list --find -e ./... | grep -E -v "/(build|third_party|vendor|staging|clientset_generated|hack)/")
-
-go vet -vettool="${LEVEE_BIN}" -config="${CONFIG_FILE}" "${targets[@]}"