(docs): guard unsafe int/uint conversions flagged by gosec (#2679)

* (fix): gosec issues for integer overflow conversion

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (fix): gosec issues for integer overflow conversion in trillian client

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (fix): gosec high severity issues

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (docs): add relevant comments

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (docs): add nolint gosec comments

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (docs): lint whitespace fix

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

* (docs): added line wise no lint comments

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

---------

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>

Author: sampras343

pkg/api/api.go

@@ -150,7 +150,7 @@ func NewAPI(treeID int64) (*API, error) {
 		if !ok {
 			return nil, fmt.Errorf("no root found for inactive shard %d", r.TreeID)
 		}
-		cp, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), r.TreeID, uint64(r.TreeLength), root.RootHash, r.Signer)
+		cp, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), r.TreeID, uint64(r.TreeLength), root.RootHash, r.Signer) //nolint:gosec
 		if err != nil {
 			return nil, fmt.Errorf("error signing checkpoint for inactive shard %d: %w", r.TreeID, err)
 		}

pkg/api/entries.go

@@ -127,7 +127,7 @@ func logEntryFromLeaf(ctx context.Context, leaf *trillian.LogLeaf, signedLogRoot
 	}
 
 	inclusionProof := models.InclusionProof{
-		TreeSize:   conv.Pointer(int64(root.TreeSize)),
+		TreeSize:   conv.Pointer(int64(root.TreeSize)), //nolint:gosec
 		RootHash:   conv.Pointer(hex.EncodeToString(root.RootHash)),
 		LogIndex:   conv.Pointer(proof.GetLeafIndex()),
 		Hashes:     hashes,
@@ -446,7 +446,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
 	}
 
 	inclusionProof := models.InclusionProof{
-		TreeSize:   conv.Pointer(int64(root.TreeSize)),
+		TreeSize:   conv.Pointer(int64(root.TreeSize)), //nolint:gosec
 		RootHash:   conv.Pointer(hex.EncodeToString(root.RootHash)),
 		LogIndex:   conv.Pointer(queuedLeaf.LeafIndex),
 		Hashes:     hashes,

pkg/api/tlog.go

@@ -65,7 +65,7 @@ func GetLogInfoHandler(params tlog.GetLogInfoParams) middleware.Responder {
 	}
 
 	hashString := hex.EncodeToString(root.RootHash)
-	treeSize := int64(root.TreeSize)
+	treeSize := int64(root.TreeSize) //nolint:gosec
 
 	scBytes, err := util.CreateAndSignCheckpoint(ctx,
 		viper.GetString("rekor_server.hostname"), api.logRanges.GetActive().TreeID, root.TreeSize, root.RootHash, api.logRanges.GetActive().Signer)
@@ -164,7 +164,7 @@ func inactiveShardLogInfo(ctx context.Context, tid int64, cachedCheckpoints map[
 	}
 
 	hashString := hex.EncodeToString(root.RootHash)
-	treeSize := int64(root.TreeSize)
+	treeSize := int64(root.TreeSize) //nolint:gosec
 
 	m := models.InactiveShardLogInfo{
 		RootHash:       &hashString,

pkg/sharding/ranges.go

@@ -116,7 +116,7 @@ func (l *LogRanges) CompleteInitialization(ctx context.Context, tcm *trilliancli
 		if err := root.UnmarshalBinary(resp.GetLatestResult.SignedLogRoot.LogRoot); err != nil {
 			return nil, err
 		}
-		l.inactive[i].TreeLength = int64(root.TreeSize)
+		l.inactive[i].TreeLength = int64(root.TreeSize) //nolint:gosec
 		sthMap[r.TreeID] = root
 	}
 	return sthMap, nil

pkg/trillianclient/trillian_client.go

@@ -240,11 +240,11 @@ func (t *TrillianClient) GetLeafAndProofByIndex(ctx context.Context, index int64
 		&trillian.GetEntryAndProofRequest{
 			LogId:     t.logID,
 			LeafIndex: index,
-			TreeSize:  int64(root.TreeSize),
+			TreeSize:  int64(root.TreeSize), //nolint:gosec
 		})
 
 	if resp != nil && resp.Proof != nil {
-		if err := proof.VerifyInclusion(rfc6962.DefaultHasher, uint64(index), root.TreeSize, resp.GetLeaf().MerkleLeafHash, resp.Proof.Hashes, root.RootHash); err != nil {
+		if err := proof.VerifyInclusion(rfc6962.DefaultHasher, uint64(index), root.TreeSize, resp.GetLeaf().MerkleLeafHash, resp.Proof.Hashes, root.RootHash); err != nil { //nolint:gosec
 			return &Response{
 				Status: status.Code(err),
 				Err:    err,
@@ -324,7 +324,7 @@ func (t *TrillianClient) getProofByHash(ctx context.Context, hashValue []byte) *
 		&trillian.GetInclusionProofByHashRequest{
 			LogId:    t.logID,
 			LeafHash: hashValue,
-			TreeSize: int64(root.TreeSize),
+			TreeSize: int64(root.TreeSize), //nolint:gosec
 		})
 
 	if resp != nil {

pkg/verify/verify.go

@@ -39,18 +39,18 @@ import (
 // and a second new STH. Callers MUST verify signature on the STHs'.
 func ProveConsistency(ctx context.Context, rClient *client.Rekor,
 	oldSTH *util.SignedCheckpoint, newSTH *util.SignedCheckpoint, treeID string) error {
-	oldTreeSize := int64(oldSTH.Size)
+	oldTreeSize := int64(oldSTH.Size) // nolint: gosec
 	switch {
 	case oldTreeSize == 0:
 		return errors.New("consistency proofs can not be computed starting from an empty log")
-	case oldTreeSize == int64(newSTH.Size):
+	case oldTreeSize == int64(newSTH.Size): // nolint: gosec
 		if !bytes.Equal(oldSTH.Hash, newSTH.Hash) {
 			return errors.New("old root hash does not match STH hash")
 		}
-	case oldTreeSize < int64(newSTH.Size):
+	case oldTreeSize < int64(newSTH.Size): // nolint: gosec
 		consistencyParams := tlog.NewGetLogProofParamsWithContext(ctx)
 		consistencyParams.FirstSize = &oldTreeSize      // Root size at the old, or trusted state.
-		consistencyParams.LastSize = int64(newSTH.Size) // Root size at the new state to verify against.
+		consistencyParams.LastSize = int64(newSTH.Size) // nolint: gosec // Root size at the new state to verify against.
 		consistencyParams.TreeID = &treeID
 		consistencyProof, err := rClient.Tlog.GetLogProof(consistencyParams)
 		if err != nil {
@@ -68,7 +68,7 @@ func ProveConsistency(ctx context.Context, rClient *client.Rekor,
 			oldSTH.Size, newSTH.Size, hashes, oldSTH.Hash, newSTH.Hash); err != nil {
 			return err
 		}
-	case oldTreeSize > int64(newSTH.Size):
+	case oldTreeSize > int64(newSTH.Size): // nolint: gosec
 		return errors.New("inclusion proof returned a tree size larger than the verified tree size")
 	}
 	return nil
@@ -162,7 +162,7 @@ func VerifyInclusion(ctx context.Context, e *models.LogEntryAnon) error {
 	leafHash := rfc6962.DefaultHasher.HashLeaf(entryBytes)
 
 	if err := proof.VerifyInclusion(rfc6962.DefaultHasher, uint64(*e.Verification.InclusionProof.LogIndex),
-		uint64(*e.Verification.InclusionProof.TreeSize), leafHash, hashes, rootHash); err != nil {
+		uint64(*e.Verification.InclusionProof.TreeSize), leafHash, hashes, rootHash); err != nil { // nolint: gosec
 		return err
 	}