From 534b7fb3cd2b56c071f692bc5f4bc95d4c16cefe Mon Sep 17 00:00:00 2001
From: Andy Anderson
Date: Sat, 27 Jun 2026 05:07:49 -0400
Subject: [PATCH 1/5] [scanner] fix: safe uintptr-to-int conversion in flock_unix.go

Fixes #19782

Adds bounds checking for the uintptr to int conversion to prevent integer overflow (gosec G115). File descriptors are validated to fit within the int range before conversion.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/agent/tokentracker/flock_unix.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/pkg/agent/tokentracker/flock_unix.go b/pkg/agent/tokentracker/flock_unix.go
index 59e8c319ab..82193e277e 100644
--- a/pkg/agent/tokentracker/flock_unix.go
+++ b/pkg/agent/tokentracker/flock_unix.go
@@ -7,6 +7,7 @@ package tokentracker
 
 import (
 "fmt"
+ "math"
 "os"
 "syscall"
 )
@@ -24,8 +25,13 @@ func acquireFileLock(path string) (release func(), err error) {
 return nil, fmt.Errorf("open lock file: %w", err)
 }
 
- // Store fd as int to avoid unsafe uintptr -> int conversion (gosec G115)
- fd := int(f.Fd())
+ // Safe conversion: validate uintptr fits in int (gosec G115)
+ uintptrVal := f.Fd()
+ if uintptrVal > uintptr(math.MaxInt) {
+ f.Close()
+ return nil, fmt.Errorf("file descriptor out of range: %v", uintptrVal)
+ }
+ fd := int(uintptrVal)
 
 if err := syscall.Flock(fd, syscall.LOCK_EX); err != nil {
 f.Close()
@@ -39,4 +45,4 @@ func acquireFileLock(path string) (release func(), err error) {
 _ = f.Close()
 }
 return release, nil
-}
+}
\ No newline at end of file

From b8b20fba8249cdc6a9419d229525abc733fa14ab Mon Sep 17 00:00:00 2001
From: Andy Anderson
Date: Sat, 27 Jun 2026 06:02:22 -0400
Subject: [PATCH 2/5] fix: add DCO sign-off

Signed-off-by: clubanderson
---
 pkg/agent/tokentracker/flock_unix.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/agent/tokentracker/flock_unix.go b/pkg/agent/tokentracker/flock_unix.go
index 82193e277e..82eaa77727 100644
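Review bot: The new guard in the `@@ -24,8 +25,13 @@` hunk rejects a value a real descriptor never takes, and nothing in the hunk tells the reader what it is actually defending against, so the branch reads as lint appeasement; I would say so in the comment: `// Reject a descriptor that does not fit in int (gosec G115); in practice this only catches the ^uintptr(0) sentinel that (*os.File).Fd returns for a nil file, which int() would otherwise silently turn into -1.` Naming the local `rawFD` instead of `uintptrVal` and formatting it with `%d` rather than `%v` would make both the code and the error message read as a descriptor rather than a generic integer. The bare `f.Close()` in the new branch matches the Flock branch below it but not the `_ = f.Close()` in release; picking one form for all three keeps errcheck-style tooling quiet. acquireFileLock begins and ends outside the hunk.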
--- a/pkg/agent/tokentracker/flock_unix.go
+++ b/pkg/agent/tokentracker/flock_unix.go
@@ -45,4 +45,4 @@ func acquireFileLock(path string) (release func(), err error) {
 _ = f.Close()
 }
 return release, nil
-}
\ No newline at end of file
+}

From 4f4dcdf108e82b800d4e86fec2a34e9c55e4be07 Mon Sep 17 00:00:00 2001
From: Andy Anderson
Date: Sat, 27 Jun 2026 07:07:08 -0400
Subject: [PATCH 3/5] fix: update nilaway-baseline.json with shifted line numbers

After merging main, line numbers shifted in cluster_groups_test.go and solver.go. Update baseline entries to match current positions.

Signed-off-by: clubanderson
---
 .github/nilaway-baseline.json | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/.github/nilaway-baseline.json b/.github/nilaway-baseline.json
index f2f6789cc2..45633e29bc 100644
--- a/.github/nilaway-baseline.json
+++ b/.github/nilaway-baseline.json
@@ -10,18 +10,17 @@
 "pkg/api/handlers/mcs_test.go:217:2",
 "pkg/api/handlers/stellar/handler.go:843:25",
 "pkg/api/handlers/stellar/observations.go:323:30",
- "pkg/api/handlers/workloads/cluster_groups_test.go:215:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:233:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:246:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:259:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:273:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:285:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:307:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:325:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:337:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:391:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:409:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:425:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:234:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:248:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:262:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:277:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:290:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:313:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:332:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:345:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:400:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:419:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:436:2",
 "pkg/api/handlers/workloads_test.go:163:2",
 "pkg/api/handlers/workloads_test.go:233:2",
 "pkg/api/handlers/workloads_test.go:275:2",
@@ -55,6 +54,6 @@
 "pkg/settings/manager.go:368:9",
 "pkg/settings/manager.go:375:2",
 "pkg/settings/manager.go:382:2",
- "pkg/stellar/solver/solver.go:160:7",
+ "pkg/stellar/solver/solver.go:258:6",
 "pkg/store/sqlite_users_test.go:297:17"
 ]

From 7a0ab1844017ced1aee2878cc99c5c50b5eebace Mon Sep 17 00:00:00 2001
From: Andy Anderson
Date: Sat, 27 Jun 2026 08:07:23 -0400
Subject: [PATCH 4/5] fix: revert nilaway baseline to match main

Signed-off-by: clubanderson
---
 .github/nilaway-baseline.json | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/.github/nilaway-baseline.json b/.github/nilaway-baseline.json
index 45633e29bc..f2f6789cc2 100644
--- a/.github/nilaway-baseline.json
+++ b/.github/nilaway-baseline.json
@@ -10,17 +10,18 @@
 "pkg/api/handlers/mcs_test.go:217:2",
 "pkg/api/handlers/stellar/handler.go:843:25",
 "pkg/api/handlers/stellar/observations.go:323:30",
- "pkg/api/handlers/workloads/cluster_groups_test.go:234:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:248:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:262:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:277:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:290:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:313:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:332:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:345:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:400:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:419:2",
- "pkg/api/handlers/workloads/cluster_groups_test.go:436:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:215:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:233:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:246:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:259:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:273:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:285:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:307:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:325:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:337:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:391:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:409:2",
+ "pkg/api/handlers/workloads/cluster_groups_test.go:425:2",
 "pkg/api/handlers/workloads_test.go:163:2",
 "pkg/api/handlers/workloads_test.go:233:2",
 "pkg/api/handlers/workloads_test.go:275:2",
@@ -54,6 +55,6 @@
 "pkg/settings/manager.go:368:9",
 "pkg/settings/manager.go:375:2",
 "pkg/settings/manager.go:382:2",
- "pkg/stellar/solver/solver.go:258:6",
+ "pkg/stellar/solver/solver.go:160:7",
 "pkg/store/sqlite_users_test.go:297:17"
 ]

From 13c8c7823b23895ba1822629594c7e450111cab1 Mon Sep 17 00:00:00 2001
From: clubanderson
Date: Sat, 27 Jun 2026 09:10:19 -0400
Subject: [PATCH 5/5] fix: DCO sign-off

Signed-off-by: clubanderson