fix gosec G115 linter

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

internal/apis/config/shared/v1alpha1/conversion.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"fmt"
+	"math"
 	"time"
 
 	conversion "k8s.io/apimachinery/pkg/conversion"
@@ -74,7 +76,11 @@ func Convert_Pointer_int32_To_int(in **int32, out *int, s conversion.Scope) erro
 }
 
 func Convert_int_To_Pointer_int32(in *int, out **int32, s conversion.Scope) error {
-	temp := int32(*in)
+	tempIn := *in
+	if tempIn > math.MaxInt32 || tempIn < math.MinInt32 {
+		return fmt.Errorf("value %d is out of range for int32 (must be between %d and %d)", tempIn, math.MinInt32, math.MaxInt32)
+	}
+	temp := int32(tempIn)
 	*out = &temp
 	return nil
 }

internal/webhook/webhook.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/utils/ptr"
 	crlog "sigs.k8s.io/controller-runtime/pkg/log"
 
 	acmeinstall "github.com/cert-manager/cert-manager/internal/apis/acme/install"
@@ -72,8 +73,8 @@ func NewCertManagerWebhookServer(log logr.Logger, opts config.WebhookConfigurati
 
 	s := &server.Server{
 		ResourceScheme:           scheme,
-		ListenAddr:               opts.SecurePort,
-		HealthzAddr:              &opts.HealthzPort,
+		ListenAddr:               int(opts.SecurePort),
+		HealthzAddr:              ptr.To(int(opts.HealthzPort)),
 		EnablePprof:              opts.EnablePprof,
 		PprofAddress:             opts.PprofAddress,
 		CertificateSource:        buildCertificateSource(log, opts.TLSConfig, restcfg),

pkg/acme/util/util.go

@@ -43,9 +43,6 @@ func RetryBackoff(n int, r *http.Request, resp *http.Response) time.Duration {
 	// don't retry more than 6 times, if we get 6 nonce mismatches something is quite wrong
 	if n > maxRetries {
 		return -1
-	} else if n < 1 {
-		// n is used for the backoff time below
-		n = 1
 	}
 
 	var jitter time.Duration
@@ -53,7 +50,15 @@ func RetryBackoff(n int, r *http.Request, resp *http.Response) time.Duration {
 		jitter = (1 + time.Duration(x.Int64())) * time.Millisecond
 	}
 
-	d := time.Duration(1<<uint(n-1))*time.Second + jitter
+	// the exponent is calculated slightly contrived to allow the gosec:G115
+	// linter to recognise the safe type conversion.
+	// simple formula: exponent = max(0, n-1)
+	exponent := uint(0)
+	if temp := n - 1; temp >= 0 {
+		exponent = uint(temp)
+	}
+
+	d := time.Duration(1<<exponent)*time.Second + jitter
 	if d > maxDelay {
 		return maxDelay
 	}

pkg/api/util/kube.go

@@ -69,8 +69,8 @@ func ExtKeyUsageTypeKube(usage certificatesv1.KeyUsage) (x509.ExtKeyUsage, bool)
 func KubeKeyUsageStrings(usage x509.KeyUsage) []certificatesv1.KeyUsage {
 	var usageStr []certificatesv1.KeyUsage
 
-	for i := 0; i < bits.UintSize; i++ {
-		if v := usage & (1 << uint(i)); v != 0 {
+	for i := uint(0); i < bits.UintSize; i++ {
+		if v := usage & (1 << i); v != 0 {
 			usageStr = append(usageStr, kubeKeyUsageString(v))
 		}
 	}

pkg/api/util/usages.go

@@ -68,8 +68,8 @@ func ExtKeyUsageType(usage cmapi.KeyUsage) (x509.ExtKeyUsage, bool) {
 func KeyUsageStrings(usage x509.KeyUsage) []cmapi.KeyUsage {
 	var usageStr []cmapi.KeyUsage
 
-	for i := 0; i < bits.UintSize; i++ {
-		if v := usage & (1 << uint(i)); v != 0 {
+	for i := uint(0); i < bits.UintSize; i++ {
+		if v := usage & (1 << i); v != 0 {
 			usageStr = append(usageStr, keyUsageString(v))
 		}
 	}

pkg/issuer/acme/dns/rfc2136/rfc2136.go

@@ -105,10 +105,10 @@ func (r *DNSProvider) CleanUp(_, fqdn, zone, value string) error {
 	return r.changeRecord("REMOVE", fqdn, zone, value, 60)
 }
 
-func (r *DNSProvider) changeRecord(action, fqdn, zone, value string, ttl int) error {
+func (r *DNSProvider) changeRecord(action, fqdn, zone, value string, ttl uint32) error {
 	// Create RR
 	rr := new(dns.TXT)
-	rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: uint32(ttl)}
+	rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: ttl}
 	rr.Txt = []string{value}
 	rrs := []dns.RR{rr}
 

pkg/logs/logs.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"math"
 
 	"github.com/go-logr/logr"
 	"github.com/spf13/pflag"
@@ -169,7 +170,14 @@ func NewContext(ctx context.Context, l logr.Logger, names ...string) context.Con
 }
 
 func V(level int) klog.Verbose {
-	return klog.V(klog.Level(level))
+	switch {
+	case level < math.MinInt32:
+		return klog.V(klog.Level(math.MinInt32))
+	case level > math.MaxInt32:
+		return klog.V(klog.Level(math.MaxInt32))
+	default:
+		return klog.V(klog.Level(level))
+	}
 }
 
 // LogWithFormat is a wrapper for logger that adds Infof method to log messages

pkg/webhook/server/server.go

@@ -57,11 +57,11 @@ var (
 type Server struct {
 	// ListenAddr is the address the HTTP server should listen on
 	// This must be specified.
-	ListenAddr int32
+	ListenAddr int
 
 	// HealthzAddr is the address the healthz HTTP server should listen on
 	// If not specified, the healthz endpoint will not be exposed.
-	HealthzAddr *int32
+	HealthzAddr *int
 
 	// PprofAddress is the address the pprof endpoint should be served on if enabled.
 	PprofAddress string
@@ -134,7 +134,7 @@ func (s *Server) Run(ctx context.Context) error {
 			return err
 		}
 
-		s.ListenAddr = int32(webhookPort)
+		s.ListenAddr = webhookPort
 	}
 
 	mgr, err := ctrl.NewManager(
@@ -155,7 +155,7 @@ func (s *Server) Run(ctx context.Context) error {
 				},
 			},
 			WebhookServer: webhook.NewServer(webhook.Options{
-				Port: int(s.ListenAddr),
+				Port: s.ListenAddr,
 				TLSOpts: []func(*tls.Config){
 					func(cfg *tls.Config) {
 						cfg.CipherSuites = cipherSuites
@@ -289,7 +289,7 @@ func (s *Server) Port() (int, error) {
 		return 0, ErrNotListening
 	}
 
-	return int(s.ListenAddr), nil
+	return s.ListenAddr, nil
 }
 
 func (s *Server) handleHealthz(w http.ResponseWriter, req *http.Request) {