contributors/devel/sig-testing/verify-tests.md
Lines changed: 6 additions & 6 deletions
@@ -4,7 +4,7 @@
4
4
5
5
-[Verification Tests](#verification-tests)
6
6
-[Overview](#overview)
7
-
-[`verify-govet-leveee`](#verify-govet-levee)
7
+
-[`verify-govet-levee`](#verify-govet-leve)
8
8
9
9
## Overview
10
10
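Review bot: the new TOC entry on line 7 links to `#verify-govet-leve`, which drops the final `e` of the heading anchor; the section heading further down is `### \`verify-govet-levee\``, so the anchor should stay `#verify-govet-levee` and only the link text needed the typo fix. Suggest `- [\`verify-govet-levee\`](#verify-govet-levee)`.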
@@ -15,7 +15,8 @@ All blocking verification tests can be executed via `make verify`.
15
15
Individual verification tests also can be found in vestigial shell scripts at `hack/verify-*.sh`.
16
16
17
17
Most verification tests are self-explanatory.
18
-
`verify-golint` and `verify-gofmt`, for instance, fail when a contribution does not adhere to lint and formatting conventions.
18
+
`verify-govet`, for instance, performs `go vet` checks, which [defends against common mistakes](https://golang.org/cmd/vet/).
19
+
The verification tests fails when `go vet` produces any findings.
19
20
More complex verification tests are described below.
20
21
21
22
### `verify-govet-levee`
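Review bot: subject-verb agreement is off in both added lines. In `performs \`go vet\` checks, which [defends against common mistakes]` the relative clause refers to `checks`, so it should be `defend`; and `The verification tests fails` should be `The verification test fails`. The two sentences could be joined as: `\`verify-govet\`, for instance, runs \`go vet\`, which [defends against common mistakes](https://golang.org/cmd/vet/); the verification test fails when \`go vet\` produces any findings.`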
@@ -27,7 +28,7 @@ Field tagging was introduced by [KEP-1753](https://github.com/kubernetes/enhance
27
28
Additional credential sources may be identified in analysis configuration (see below).
28
29
29
30
Taint propagation analysis defends against both direct and indirect logging of credentials.
30
-
For consider the following hypothetical snippet.
31
+
Consider the following hypothetical snippet.
31
32
32
33
```golang
33
34
// kubernetes/cmd/kubelet/app/server.go
@@ -68,9 +69,8 @@ The analysis will detect this as well and call the verification test to fail.
68
69
69
70
When this analysis causes the verification test to fail, a developer has several options.
70
71
In order of decreasing preference:
71
-
* Reconstruct logging calls such that only relevant information is passed.
72
-
* If analysis warning is produced by a tainted value reaching logs, reconstruct the method which caused taint to spread so that it only takes non-credential values.
73
-
* Reconstruct the method which caused taint to spread to return indicators which are not logged directly, e.g. return `value, ok` rather than `value, err`.
72
+
* Reconstruct logging calls such that only non-secret information is passed.
73
+
* Reconstruct a method which caused taint to spread to return indicators which are not logged directly, e.g. return `value, ok` rather than `value, err`.
74
74
* Write a *sanitizer* whose return value is guaranteed to be log-safe. Add this sanitizer to the analysis configuration (see below).
75
75
* Add the method where the log call occurs to the analysis configuration exclude-list.
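Review bot: the removed middle bullet (`reconstruct the method which caused taint to spread so that it only takes non-credential values`) is the only option in the list that narrows a method's inputs rather than its return values; the replacement keeps only the log-call, `value, ok`, sanitizer and exclude-list options. Unless that option is intentionally withdrawn, keep it as a bullet before the `value, ok` one. Minor wording: `Reconstruct a method which caused taint to spread` reads better as `the method`, as in the line it replaces. Also, the unchanged context in the hunk header, `call the verification test to fail`, should be `cause the verification test to fail`; worth fixing while this paragraph is being touched.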