kolide · James-Pickett · Apr 17, 2024 · Apr 16, 2024 · Apr 16, 2024 · Apr 16, 2024
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,4 @@
 coverage.out
 /Gemfile.lock
 /.vscode
+/test-cmds/
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,6 +1,4 @@
 run:
-  skip-dirs:
-    - test-cmds
   timeout: 5m
 
 linters:
@@ -32,8 +30,10 @@ linters-settings:
     simplify: false
 
 issues:
+  exclude-dirs:
+    - test-cmds
   exclude-rules:
     # False positive: https://github.com/kunwardeep/paralleltest/issues/8.
     - linters:
       - paralleltest
-      text: "does not use range value in test Run"
+      text: "does not use range value in test Run"
diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go
@@ -40,7 +40,6 @@ func TestAesRuby(t *testing.T) {
 		{AuthData: mkrand(t, 32), Plaintext: mkrand(t, 1024)},
 	}
 
-	//#nosec G306 -- Need readable files
 	for _, tt := range tests {
 		tt := tt
 		t.Run("", func(t *testing.T) {
@@ -60,6 +59,7 @@ func TestAesRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(tt)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 			})
 

diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go
@@ -70,7 +70,6 @@ func TestBoxerRuby(t *testing.T) {
 	}
 
 	// Ruby Decrypt Tests
-	//#nosec G306 -- Need readable files
 	for _, message := range testMessages {
 		message := message
 
@@ -93,6 +92,7 @@ func TestBoxerRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(rubyCommand)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
@@ -160,6 +160,7 @@ func TestBoxerRuby(t *testing.T) {
 			var png bytes.Buffer
 			pngFile := path.Join(dir, ulid.New()+".png")
 			require.NoError(t, aliceBoxer.EncodePng(responseTo, message, &png))
+			//#nosec G306 -- Need readable files
 			require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644))
 
 			tests := []boxerCrossTestCase{
@@ -200,6 +201,7 @@ func TestBoxerRuby(t *testing.T) {
 					//
 					b, err := msgpack.Marshal(tt)
 					require.NoError(t, err)
+					//#nosec G306 -- Need readable files
 					require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 					ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
@@ -248,6 +250,7 @@ func TestBoxerRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(rubyCommand)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)

diff --git a/cross_language_tests/challenge_cross_test.go b/cross_language_tests/challenge_cross_test.go
@@ -196,7 +196,7 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
 			outerResponse, err := challenge.UnmarshalResponse(tamperWithResponse(t, challengeOuterBoxBytes, outerResponseBytes))
 			require.NoError(t, err)
 
-			_, err = outerResponse.Open(*challengePrivateEncryptionKey)
+			_, err = outerResponse.Open(challengePrivateEncryptionKey)
 			require.Error(t, err)
 		})
 
@@ -210,11 +210,11 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
 			// try to open with a bad key
 			_, malloryPrivKey, err := box.GenerateKey(rand.Reader)
 			require.NoError(t, err)
-			_, err = outerResponse.Open(*malloryPrivKey)
+			_, err = outerResponse.Open(malloryPrivKey)
 			require.Error(t, err)
 
 			// open with legit key
-			innerResponse, err := outerResponse.Open(*challengePrivateEncryptionKey)
+			innerResponse, err := outerResponse.Open(challengePrivateEncryptionKey)
 			require.NoError(t, err)
 
 			// verify data
@@ -225,7 +225,6 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
 	}
 }
 
-// #nosec G306 -- Need readable files
 func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte, error) {
 	testCaseBytes, err := msgpack.Marshal(inputData)
 	if err != nil {
@@ -236,7 +235,9 @@ func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte,
 
 	inFilePath := filepath.Join(dir, "in")
 
-	if err := os.WriteFile(inFilePath, testCaseBytesBase64, 0644); err != nil {
+	//#nosec G306 -- Need readable files
+	err = os.WriteFile(inFilePath, testCaseBytesBase64, 0644)
+	if err != nil {
 		return nil, err
 	}
 

diff --git a/cross_language_tests/rsa_cross_test.go b/cross_language_tests/rsa_cross_test.go
@@ -37,7 +37,6 @@ func TestRsaRuby(t *testing.T) {
 		{Plaintext: mkrand(t, 128)},
 	}
 
-	//#nosec G306 -- Need readable files
 	for _, tt := range tests {
 		tt := tt
 		t.Run("", func(t *testing.T) {
@@ -72,6 +71,7 @@ func TestRsaRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(tt)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				cmd := exec.CommandContext(ctx, "ruby", rsaRB, "decrypt", testfile, path.Join(dir, "ruby-decrypt"))
@@ -98,6 +98,7 @@ func TestRsaRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(tt)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				cmd := exec.CommandContext(ctx, "ruby", rsaRB, "encrypt", testfile, path.Join(dir, "ruby-encrypt"))
@@ -130,6 +131,7 @@ func TestRsaRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(tt)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				cmd := exec.CommandContext(ctx, "ruby", rsaRB, "verify", testfile, path.Join(dir, "ruby-verify"))
@@ -157,6 +159,7 @@ func TestRsaRuby(t *testing.T) {
 
 				b, err := msgpack.Marshal(tt)
 				require.NoError(t, err)
+				//#nosec G306 -- Need readable files
 				require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 
 				cmd := exec.CommandContext(ctx, "ruby", rsaRB, "sign", testfile, path.Join(dir, "ruby-signed"))

diff --git a/pkg/challenge/challenge_test.go b/pkg/challenge/challenge_test.go
@@ -107,11 +107,11 @@ func TestChallengeHappyPath(t *testing.T) {
 			// try to open with a bad key
 			_, malloryPrivKey, err := box.GenerateKey(rand.Reader)
 			require.NoError(t, err)
-			_, err = outerResponse.Open(*malloryPrivKey)
+			_, err = outerResponse.Open(malloryPrivKey)
 			require.Error(t, err)
 
 			// open with legit key
-			innerResponse, err := outerResponse.Open(*challengePrivateEncryptionKey)
+			innerResponse, err := outerResponse.Open(challengePrivateEncryptionKey)
 			require.NoError(t, err)
 
 			// verify data

diff --git a/pkg/challenge/response.go b/pkg/challenge/response.go
@@ -21,8 +21,8 @@ type OuterResponse struct {
 	ChallengeId         []byte   `msgpack:"challengeId"`
 }
 
-func (o *OuterResponse) Open(privateEncryptionKey [32]byte) (*InnerResponse, error) {
-	innerResponseBytes, err := echelper.OpenNaCl(o.Msg, &o.PublicEncryptionKey, &privateEncryptionKey)
+func (o *OuterResponse) Open(privateEncryptionKey *[32]byte) (*InnerResponse, error) {
+	innerResponseBytes, err := echelper.OpenNaCl(o.Msg, &o.PublicEncryptionKey, privateEncryptionKey)
 	if err != nil {
 		return nil, fmt.Errorf("opening challenge response box: %w", err)
 	}

diff --git a/pkg/secureenclave/secureenclave_test.go b/pkg/secureenclave/secureenclave_test.go
@@ -111,21 +111,21 @@ func TestSecureEnclaveErrors(t *testing.T) {
 	require.Error(t, err, "new secure enclave keyer should error with nil existing key")
 }
 
-// #nosec G306 -- Need readable files
 func copyFile(t *testing.T, source, destination string) {
 	bytes, err := os.ReadFile(source)
 	require.NoError(t, err)
+	// #nosec G306 -- Need readable files
 	require.NoError(t, os.WriteFile(destination, bytes, 0700))
 }
 
-// #nosec G204 -- This triggers due to using env var in cmd, making exception for test
 func signApp(t *testing.T, appRootDir string) {
 	codeSignId := os.Getenv("MACOS_CODESIGN_IDENTITY")
 	require.NotEmpty(t, codeSignId, "need MACOS_CODESIGN_IDENTITY env var to sign app, such as [Mac Developer: Jane Doe (ABCD123456)]")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	// #nosec G204 -- This triggers due to using env var in cmd, making exception for test
 	cmd := exec.CommandContext(
 		ctx,
 		"codesign",