I personally think that sensitive data is returned by an access to `passPhraseJWTPath`. What do you think? @tdrozdovsky

This might be the same potential security risk as follows.

@tdrozdovsky Plus, could you rectify if `err` is used in our platform?

@tdrozdovsky This is due to my ongoing analysis with the tool lgtm as follows.
https://lgtm.com/projects/g/lf-edge/edge-home-orchestration-go/alerts/?mode=list

> I personally think that sensitive data is returned by an access to `passPhraseJWTPath`. What do you think? @tdrozdovsky
>
> This might be the same potential security risk as follows.

Good point, I know and remember this security issue.
These only inform about a failed attempt to create the `passPhraseJWTFilePath` file.
But of course, storing such information in files (passPhrase, edge-orchestration.key, etc.) is a security risk.
I think in the future this should be solved with secure storage or with an access control system such as SELinux, SMACK, etc.
Thank you for the reminder.

@tdrozdovsky Thank you for accepting my suggestion. I have just assigned this issue to you. We are looking forward to seeing another valuable contribution from you soon!

> @tdrozdovsky Plus, could you rectify if `err` is used in our platform?
> https://github.com/lf-edge/edge-home-orchestration-go/blob/22ce49b4b76ae78dfb75e14ef64399e5805c7d02/src/orchestrationapi/orchestration_api.go#L180

I researched using the `err` variable. Error handling is done below.

```go
if len(deviceScores) <= 0 {
	return errorResp
} else if deviceScores[0].score == scoringmgr.INVALID_SCORE {
	return errorResp
}
```

Additional processing will make the code more complex.
Therefore, I suggest ignoring the `err` variable.

```go
deviceResources[i].score, _ = orcheEngine.GetScoreWithResource(dev.resource)
```

@tdrozdovsky It is reasonable. ^^ Could you suggest the regarding PR for this?