gosec: G204 - Subproccess launched as function arg

G204 doesn't necessarily indicate a bad behaviour. But could help discover potential command injection vector.
2021-12-01 08:57:36 +01:00 · 2021-12-01 08:57:36 +01:00 · eb3fa3e5d4
commit eb3fa3e5d4
parent 0b9372fe0a
4 changed files with 12 additions and 1 deletions
--- a/cmd/osbuild-composer-cli-tests/main_test.go
+++ b/cmd/osbuild-composer-cli-tests/main_test.go
@ -270,6 +270,8 @@ func getComposeStatus(t *testing.T, uuid uuid.UUID) string {
 }

 func getLogs(t *testing.T, uuid uuid.UUID) string {
+	// There's no potential command injection vector here
+	/* #nosec G204 */
 	cmd := exec.Command("composer-cli", "compose", "log", uuid.String())
 	cmd.Stderr = os.Stderr
 	stdoutReader, err := cmd.StdoutPipe()
--- a/cmd/osbuild-koji-tests/main_test.go
+++ b/cmd/osbuild-koji-tests/main_test.go
@ -196,6 +196,8 @@ func TestKojiImport(t *testing.T) {
 	require.NoError(t, err)

 	// check if the build is really there:
+	// There's no potential command injection vector here
+	/* #nosec G204 */
 	cmd := exec.Command(
 		"koji",
 		"--server", server,