turn on gosec and resolve blocking issues (#55)

* turn on gosec and resolve blocking issues

turn on gosec and resolve blocking issues (#55)
af18d16c · Bob Callaway · GitHub · dfcd88b4 · af18d16c · af18d16c
Unverified Commit af18d16c authored 4 years ago by Bob Callaway Committed by GitHub 4 years ago
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,3 +29,10 @@ jobs:
      # Test It
      - name: Test
        run: go test -v ./...
+      # Gosec It
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@v2.5.0
+        env:
+          GOROOT: ""
+        with:
+          args: ./...
--- a/cmd/cli/app/verify.go
+++ b/cmd/cli/app/verify.go
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"path/filepath"

 	"github.com/projectrekor/rekor/pkg"
 	"github.com/projectrekor/rekor/pkg/log"
@@ -46,11 +47,11 @@ var verifyCmd = &cobra.Command{
 		}

 		// Signature and Public Key are always required
-		sig, err := ioutil.ReadFile(signature)
+		sig, err := ioutil.ReadFile(filepath.Clean(signature))
 		if err != nil {
 			log.Fatal(err)
 		}
-		pubKey, err := ioutil.ReadFile(pk)
+		pubKey, err := ioutil.ReadFile(filepath.Clean(pk))
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -64,7 +65,7 @@ var verifyCmd = &cobra.Command{
 		var body []byte
 		if isLocal {
 			var err error
-			body, err = ioutil.ReadFile(artifact)
+			body, err = ioutil.ReadFile(filepath.Clean(artifact))
 			if err != nil {
 				log.Fatal(err)
 			}