Merge pull request #1049 from synfinatic/security

update security.md and update golangci-lint

Author: synfinatic

.github/workflows/golangci-lint.yaml

@@ -30,7 +30,7 @@ jobs:
         uses: golangci/golangci-lint-action@v6
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v${{ vars.GOLANGCI_LINT_VERSION }}
+          version: '${{ vars.GOLANGCI_LINT_VERSION }}'
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir

cmd/aws-sso/setup_wizard.go

@@ -491,7 +491,7 @@ func promptConsoleDuration(defaultValue int32) int32 {
 	val = strings.TrimSpace(val)
 
 	x, _ := strconv.ParseInt(val, 10, 32)
-	return int32(x)
+	return int32(x) // #nosec
 }
 
 func promptHistoryLimit(defaultValue int64) int64 {

docs/security.md

@@ -3,9 +3,21 @@
 ## Supported Versions
 
 The only version I support is the latest version of `aws-sso`.  Should a new
-major version be released which is incompatible with v1.x, then this policy
+major version be released which is incompatible with v2.x, then this policy
 will be updated at that time.
 
+Note: with the v2.x release, v1.x is no longer supported.
+
+## Code signing
+
+All commits by me are signed by my [commit signing GPG key](commit-sign-key.asc.md).
+
+## Binary signatures
+
+All releases have a corresponding detactched GPG signature using my [code signing GPG key](code-sign-key.asc.md).
+
+## Reporting a Vulnerability
+
 ## Reporting a Vulnerability
 
 Please open a [security ticket in GitHub](

internal/sso/awssso_auth_test.go

@@ -223,15 +223,15 @@ func TestAuthenticate(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String("verification-uri"),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,
 			},
 			{
 				CreateToken: &ssooidc.CreateTokenOutput{
 					AccessToken:  aws.String("access-token"),
-					ExpiresIn:    int32(expires),
+					ExpiresIn:    int32(expires), // #nosec
 					IdToken:      aws.String("id-token"),
 					RefreshToken: aws.String("refresh-token"),
 					TokenType:    aws.String("token-type"),
@@ -247,15 +247,15 @@ func TestAuthenticate(t *testing.T) {
 	assert.NoError(t, err)
 	assert.True(t, as.ValidAuthToken())
 	assert.Equal(t, "access-token", as.Token.AccessToken)
-	assert.Equal(t, int32(expires), as.Token.ExpiresIn)
+	assert.Equal(t, int32(expires), as.Token.ExpiresIn) // #nosec
 	assert.Equal(t, "id-token", as.Token.IdToken)
 	assert.Equal(t, "refresh-token", as.Token.RefreshToken)
 	assert.Equal(t, "token-type", as.Token.TokenType)
 
 	// We should now have a valid auth token
 	assert.True(t, as.ValidAuthToken())
 	assert.Equal(t, "access-token", as.Token.AccessToken)
-	assert.Equal(t, int32(expires), as.Token.ExpiresIn)
+	assert.Equal(t, int32(expires), as.Token.ExpiresIn) // #nosec
 	assert.Equal(t, "id-token", as.Token.IdToken)
 	assert.Equal(t, "refresh-token", as.Token.RefreshToken)
 	assert.Equal(t, "token-type", as.Token.TokenType)
@@ -381,7 +381,7 @@ func TestAuthenticateFailure(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String("verification-uri"),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,
@@ -408,7 +408,7 @@ func TestAuthenticateFailure(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String(""),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,
@@ -431,7 +431,7 @@ func TestAuthenticateFailure(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String("verification-uri"),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,
@@ -454,7 +454,7 @@ func TestAuthenticateFailure(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String("verification-uri"),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,
@@ -561,7 +561,7 @@ func TestReauthenticate(t *testing.T) {
 					UserCode:                aws.String("user-code"),
 					VerificationUri:         aws.String("verification-uri"),
 					VerificationUriComplete: aws.String("verification-uri-complete"),
-					ExpiresIn:               int32(expires),
+					ExpiresIn:               int32(expires), // #nosec
 					Interval:                5,
 				},
 				Error: nil,

internal/storage/keyring.go

@@ -147,7 +147,7 @@ func fileKeyringPassword(prompt string) (string, error) {
 	}
 
 	fmt.Fprintf(os.Stderr, "%s: ", prompt)
-	b, err := term.ReadPassword(int(os.Stdin.Fd()))
+	b, err := term.ReadPassword(int(os.Stdin.Fd())) // #nosec
 	if err != nil {
 		return "", err
 	}