Fix Go lookup code scanning alerts

ktsaou · ktsaou · commit a263a9b08f9b · 2026-06-04T09:40:14.000+03:00
diff --git a/.agents/sow/current/SOW-0014-20260603-maintainability-hotspots.md b/.agents/sow/current/SOW-0014-20260603-maintainability-hotspots.md
@@ -357,6 +357,15 @@ Refined recommendation:
 - Extracted cgroups lookup label-table writing into one local helper per language.
 - The cgroups lookup change intentionally did not change item offsets, label table layout, string storage order, directory entries, response finishing, or packed-data compaction.
 - Label source validation remains in the existing layout calculation path before label storage is written.
+- Investigated the failing GitHub Actions check `Go Static Analysis (src/go)` on commit `879c521`.
+- The failing job reported that `gosec` found issues and uploaded SARIF; GitHub code scanning exposed five open `G115` alerts:
+  - alerts `7574`, `7575`, and `7576` at `pkg/netipc/protocol/lookup.go:1192`.
+  - alerts `7577` and `7578` at `pkg/netipc/protocol/lookup.go:757`.
+  - all five were `integer overflow conversion int -> uint64` from helper-call casts in the Go lookup codec.
+- Fixed the Go code-scanning findings by changing the Go lookup semantic helper length/count parameters to `int`, removing the introduced `int -> uint64` casts instead of suppressing `G115`.
+- Continued the apps lookup builder complexity target:
+  - reused the extracted lookup label writer from both cgroups and apps lookup builders in Go, C, and Rust.
+  - kept item offsets, label-table layout, string storage order, directory entries, response finishing, and packed-data compaction unchanged.
 
 ## Validation
 
@@ -458,6 +467,41 @@ Implementation validation:
   - `bash .agents/sow/audit.sh` passed and reported SOW initialization complete and clean.
   - `git diff --check` passed.
   - Sensitive-data scan across the touched SOW and codec files returned no matches.
+- CI/code-scanning repair and apps lookup builder validation:
+  - GitHub Actions failing check inspected:
+    - run `26915313092`, job `79403453980`, check `Go Static Analysis (src/go)`.
+    - root cause: `gosec` exited with status 1 after uploading SARIF.
+    - GitHub code scanning showed five open `G115` alerts on `pkg/netipc/protocol/lookup.go`.
+  - Local reproduction of the failing Go static-analysis job passed in `src/go`:
+    - `go test ./...` passed.
+    - `go vet ./...` passed.
+    - `staticcheck ./...` passed.
+    - `govulncheck ./...` passed with no vulnerabilities.
+    - `gosec -quiet -fmt sarif -out /tmp/plugin-ipc-gosec-src-go.sarif -exclude=G404 ./...` passed with status `0`.
+  - `cargo fmt --manifest-path src/crates/netipc/Cargo.toml` passed.
+  - `cargo test --manifest-path src/crates/netipc/Cargo.toml` passed: 329 Rust unit tests passed, plus bin/doc test targets.
+  - `cmake --build build` passed.
+  - `/usr/bin/ctest --test-dir build --output-on-failure -R protocol` passed: 4/4 protocol tests.
+  - `bash tests/interop_codec.sh` passed after CTest, serially:
+    - Rust decoded C output: 89 passed, 0 failed.
+    - Go decoded C output: 90 passed, 0 failed.
+    - C decoded Rust output: 101 passed, 0 failed.
+    - Go decoded Rust output: 90 passed, 0 failed.
+    - C decoded Go output: 101 passed, 0 failed.
+    - Rust decoded Go output: 89 passed, 0 failed.
+    - C, Rust, and Go generated byte-identical protocol fixture files, including all apps lookup response variants.
+  - Lizard focused lookup-code comparison for the apps lookup builder target:
+    - Go `AppsLookupBuilder.Add`: CCN 39 before, 28 after.
+    - C `nipc_apps_lookup_builder_add`: CCN 31 before, 29 after.
+    - Rust `AppsLookupBuilder::add`: CCN 27 before, below the CCN 20 warning threshold after.
+  - `codacy-analysis analyze --output-format json` passed:
+    - Checkov: 0 issues.
+    - Opengrep/Semgrep: 0 issues.
+    - Trivy: 0 issues.
+    - cppcheck: 0 issues.
+    - ShellCheck: 0 issues.
+    - Spectral: 0 issues.
+    - total: 0 issues, 0 errors.
 - Cgroups lookup complexity validation:
   - `gofmt -w src/go/pkg/netipc/protocol/lookup.go` passed.
   - `cargo fmt --manifest-path src/crates/netipc/Cargo.toml` passed.
@@ -503,7 +547,7 @@ Sensitive data gate:
 
 ## Outcome
 
-Raw cache, Go typed-facade, apps lookup, and cgroups lookup remediation targets are complete; the overall maintainability SOW remains in progress pending the next useful target or closure decision.
+Raw cache, Go typed-facade, apps lookup, cgroups lookup, and the five Go code-scanning findings are locally remediated; the overall maintainability SOW remains in progress pending CI confirmation and the next useful target or closure decision.
 
 ## Lessons Extracted
 
diff --git a/src/crates/netipc/src/protocol/lookup.rs b/src/crates/netipc/src/protocol/lookup.rs
@@ -853,7 +853,7 @@ impl<'a> CgroupsLookupBuilder<'a> {
         item[name_offset + name.len()] = 0;
         if !labels.is_empty() {
             item[fixed_end..table_start].fill(0);
-            item_size = write_cgroups_lookup_labels(item, table_start, table_bytes, labels)?;
+            item_size = write_lookup_labels(item, table_start, table_bytes, labels)?;
         }
         let dir_offset = (self.item_count as usize)
             .checked_mul(LOOKUP_DIR_ENTRY_SIZE)
@@ -887,7 +887,7 @@ impl<'a> CgroupsLookupBuilder<'a> {
     }
 }
 
-fn write_cgroups_lookup_labels(
+fn write_lookup_labels(
     item: &mut [u8],
     table_start: usize,
     table_bytes: usize,
@@ -1308,35 +1308,7 @@ impl<'a> AppsLookupBuilder<'a> {
         item[name_offset + cgroup_name.len()] = 0;
         if !labels.is_empty() {
             item[fixed_end..table_start].fill(0);
-            let mut next = table_start
-                .checked_add(table_bytes)
-                .ok_or(NipcError::Overflow)?;
-            for (i, (key, value)) in labels.iter().enumerate() {
-                let entry_offset = i
-                    .checked_mul(LOOKUP_LABEL_ENTRY_SIZE)
-                    .ok_or(NipcError::Overflow)?;
-                let entry = table_start
-                    .checked_add(entry_offset)
-                    .ok_or(NipcError::Overflow)?;
-                let value_offset = next
-                    .checked_add(key.len())
-                    .and_then(|v| v.checked_add(1))
-                    .ok_or(NipcError::Overflow)?;
-                put_u32(item, entry, checked_u32(next)?);
-                put_u32(item, entry + 4, checked_u32(key.len())?);
-                put_u32(item, entry + 8, checked_u32(value_offset)?);
-                put_u32(item, entry + 12, checked_u32(value.len())?);
-                item[next..next + key.len()].copy_from_slice(key);
-                item[next + key.len()] = 0;
-                next = value_offset;
-                item[next..next + value.len()].copy_from_slice(value);
-                item[next + value.len()] = 0;
-                next = next
-                    .checked_add(value.len())
-                    .and_then(|v| v.checked_add(1))
-                    .ok_or(NipcError::Overflow)?;
-            }
-            item_size = next;
+            item_size = write_lookup_labels(item, table_start, table_bytes, labels)?;
         }
         let dir_offset = (self.item_count as usize)
             .checked_mul(LOOKUP_DIR_ENTRY_SIZE)
diff --git a/src/go/pkg/netipc/protocol/lookup.go b/src/go/pkg/netipc/protocol/lookup.go
@@ -63,7 +63,7 @@ func invalidSourceString(data []byte, requireNonEmpty bool) bool {
 	return (requireNonEmpty && len(data) == 0) || bytes.IndexByte(data, 0) >= 0
 }
 
-func validateAppsLookupSemantics(status, cgroupStatus, orchestrator uint16, ppid, uid uint32, starttime uint64, commLen, pathLen, nameLen, labelCount uint64) error {
+func validateAppsLookupSemantics(status, cgroupStatus, orchestrator uint16, ppid, uid uint32, starttime uint64, commLen, pathLen, nameLen, labelCount int) error {
 	if status != PidLookupKnown && status != PidLookupUnknown {
 		return ErrBadLayout
 	}
@@ -105,7 +105,7 @@ func validateAppsLookupSemantics(status, cgroupStatus, orchestrator uint16, ppid
 	return nil
 }
 
-func validateCgroupsLookupSemantics(status, orchestrator uint16, pathLen, nameLen, labelCount uint64) error {
+func validateCgroupsLookupSemantics(status, orchestrator uint16, pathLen, nameLen, labelCount int) error {
 	if status != CgroupLookupKnown && status != CgroupLookupUnknownRetryLater && status != CgroupLookupUnknownPermanent {
 		return ErrBadLayout
 	}
@@ -754,7 +754,7 @@ func decodeCgroupsLookupItem(item []byte) (*CgroupsLookupItemView, error) {
 	if ne.Uint16(item[0:2]) != 1 || ne.Uint16(item[6:8]) != 0 || ne.Uint16(item[26:28]) != 0 {
 		return nil, ErrBadLayout
 	}
-	if err := validateCgroupsLookupSemantics(status, orchestrator, uint64(pathLen), uint64(nameLen), uint64(labelCount)); err != nil {
+	if err := validateCgroupsLookupSemantics(status, orchestrator, pathLen, nameLen, int(labelCount)); err != nil {
 		return nil, err
 	}
 	path, pathEnd, err := lookupString(item, CgroupsLookupItemHdr, pathOff, pathLen)
@@ -816,7 +816,7 @@ func (b *CgroupsLookupBuilder) Add(status, orchestrator uint16, path, name []byt
 		b.err = ErrOverflow
 		return ErrOverflow
 	}
-	if err := validateCgroupsLookupSemantics(status, orchestrator, uint64(len(path)), uint64(len(name)), uint64(len(labels))); err != nil {
+	if err := validateCgroupsLookupSemantics(status, orchestrator, len(path), len(name), len(labels)); err != nil {
 		b.err = err
 		return err
 	}
@@ -913,7 +913,7 @@ func (b *CgroupsLookupBuilder) Add(status, orchestrator uint16, path, name []byt
 	item[nameOff+len(name)] = 0
 	if len(labels) > 0 {
 		clear(item[fixedEnd:tableStart])
-		next, err := writeCgroupsLookupLabels(item, tableStart, tableBytes, labels)
+		next, err := writeLookupLabels(item, tableStart, tableBytes, labels)
 		if err != nil {
 			b.err = err
 			return err
@@ -932,7 +932,7 @@ func (b *CgroupsLookupBuilder) Add(status, orchestrator uint16, path, name []byt
 	return nil
 }
 
-func writeCgroupsLookupLabels(item []byte, tableStart, tableBytes int, labels []struct{ Key, Value []byte }) (int, error) {
+func writeLookupLabels(item []byte, tableStart, tableBytes int, labels []struct{ Key, Value []byte }) (int, error) {
 	next, ok := checkedAddInt(tableStart, tableBytes)
 	if !ok {
 		return 0, ErrOverflow
@@ -1189,7 +1189,7 @@ func decodeAppsLookupItem(item []byte) (*AppsLookupItemView, error) {
 	if ne.Uint16(item[0:2]) != 1 || ne.Uint32(item[20:24]) != 0 || ne.Uint16(item[58:60]) != 0 {
 		return nil, ErrBadLayout
 	}
-	if err := validateAppsLookupSemantics(status, cgroupStatus, orchestrator, ppid, uid, starttime, uint64(commLen), uint64(pathLen), uint64(nameLen), uint64(labelCount)); err != nil {
+	if err := validateAppsLookupSemantics(status, cgroupStatus, orchestrator, ppid, uid, starttime, commLen, pathLen, nameLen, int(labelCount)); err != nil {
 		return nil, err
 	}
 	comm, commEnd, err := lookupString(item, AppsLookupItemHdr, commOff, commLen)
@@ -1263,7 +1263,7 @@ func (b *AppsLookupBuilder) Add(status, cgroupStatus, orchestrator uint16, pid,
 		b.err = ErrOverflow
 		return ErrOverflow
 	}
-	if err := validateAppsLookupSemantics(status, cgroupStatus, orchestrator, ppid, uid, starttime, uint64(len(comm)), uint64(len(cgroupPath)), uint64(len(cgroupName)), uint64(len(labels))); err != nil {
+	if err := validateAppsLookupSemantics(status, cgroupStatus, orchestrator, ppid, uid, starttime, len(comm), len(cgroupPath), len(cgroupName), len(labels)); err != nil {
 		b.err = err
 		return err
 	}
@@ -1388,66 +1388,10 @@ func (b *AppsLookupBuilder) Add(status, cgroupStatus, orchestrator uint16, pid,
 	item[nameOff+len(cgroupName)] = 0
 	if len(labels) > 0 {
 		clear(item[fixedEnd:tableStart])
-		next, ok := checkedAddInt(tableStart, tableBytes)
-		if !ok {
-			return ErrOverflow
-		}
-		for i, label := range labels {
-			keyOff32, ok := checkedU32Int(next)
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			keyLen32, ok := checkedU32Int(len(label.Key))
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			valueOff, ok := checkedAddInt(next, len(label.Key))
-			if ok {
-				valueOff, ok = checkedAddInt(valueOff, 1)
-			}
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			valueOff32, ok := checkedU32Int(valueOff)
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			valueLen32, ok := checkedU32Int(len(label.Value))
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			entryRel, ok := checkedMulInt(i, LookupLabelEntrySize)
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			entry, ok := checkedAddInt(tableStart, entryRel)
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
-			ne.PutUint32(item[entry:entry+4], keyOff32)
-			ne.PutUint32(item[entry+4:entry+8], keyLen32)
-			ne.PutUint32(item[entry+8:entry+12], valueOff32)
-			ne.PutUint32(item[entry+12:entry+16], valueLen32)
-			copy(item[next:], label.Key)
-			item[next+len(label.Key)] = 0
-			next = valueOff
-			copy(item[next:], label.Value)
-			item[next+len(label.Value)] = 0
-			next, ok = checkedAddInt(next, len(label.Value))
-			if ok {
-				next, ok = checkedAddInt(next, 1)
-			}
-			if !ok {
-				b.err = ErrOverflow
-				return ErrOverflow
-			}
+		next, err := writeLookupLabels(item, tableStart, tableBytes, labels)
+		if err != nil {
+			b.err = err
+			return err
 		}
 		itemSize = next
 	}
diff --git a/src/libnetdata/netipc/src/protocol/netipc_protocol.c b/src/libnetdata/netipc/src/protocol/netipc_protocol.c
@@ -1148,11 +1148,11 @@ static nipc_error_t lookup_label_at(const uint8_t *item,
                               &out->value, &ignored);
 }
 
-static void cgroups_lookup_write_labels(uint8_t *item,
-                                        size_t table_start,
-                                        size_t table_bytes,
-                                        const nipc_lookup_label_view_t *labels,
-                                        uint16_t label_count)
+static void lookup_write_labels(uint8_t *item,
+                                size_t table_start,
+                                size_t table_bytes,
+                                const nipc_lookup_label_view_t *labels,
+                                uint16_t label_count)
 {
     size_t next = table_start + table_bytes;
     for (uint32_t i = 0; i < label_count; i++) {
@@ -1800,7 +1800,7 @@ nipc_error_t nipc_cgroups_lookup_builder_add(
     if (label_count > 0) {
         if (table_start > fixed_end)
             memset(item + fixed_end, 0, table_start - fixed_end);
-        cgroups_lookup_write_labels(item, table_start, table_bytes, labels, label_count);
+        lookup_write_labels(item, table_start, table_bytes, labels, label_count);
     }
 
     nipc_lookup_dir_entry_t dir_entry = {
@@ -2162,23 +2162,7 @@ nipc_error_t nipc_apps_lookup_builder_add(
     if (label_count > 0) {
         if (table_start > fixed_end)
             memset(item + fixed_end, 0, table_start - fixed_end);
-        size_t next = table_start + table_bytes;
-        for (uint32_t i = 0; i < label_count; i++) {
-            nipc_lookup_label_entry_t entry = {
-                .key_offset = (uint32_t)next,
-                .key_length = labels[i].key.len,
-                .value_offset = (uint32_t)(next + labels[i].key.len + 1u),
-                .value_length = labels[i].value.len,
-            };
-            memcpy(item + table_start + (size_t)i * NIPC_LOOKUP_LABEL_ENTRY_SIZE,
-                   &entry, sizeof(entry));
-            memcpy(item + entry.key_offset, labels[i].key.ptr, labels[i].key.len);
-            item[entry.key_offset + labels[i].key.len] = '\0';
-            if (labels[i].value.len > 0)
-                memcpy(item + entry.value_offset, labels[i].value.ptr, labels[i].value.len);
-            item[entry.value_offset + labels[i].value.len] = '\0';
-            next = entry.value_offset + labels[i].value.len + 1u;
-        }
+        lookup_write_labels(item, table_start, table_bytes, labels, label_count);
     }
 
     nipc_lookup_dir_entry_t dir_entry = {
