P2P/API/RPC Communication - Spacemesh


Prepared by:

Halborn Logo

HALBORN

Last Updated 06/11/2024

Date of Engagement by: March 18th, 2024 - April 26th, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

7

Critical

0

High

0

Medium

4

Low

3

Informational

0


1. Introduction

The Spacemesh team engaged Halborn to conduct a security assessment on their P2P/API/RPC communication & network security, beginning on Halborn to conduct a security assessment on the forwarding module, beginning on 03/18/2024 and ending on 04/26/2024. The security assessment was scoped to the sections of code that pertain to the P2P/API/RPC communication & network security. Commit hashes and further details can be found in the Scope section of this report.

2. Assessment Summary

The team at Halborn was provided six weeks for the engagement and assigned one full-time security engineer to verify the security of the merge requests. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

- Ensure that the P2P/API/RPC Communication operates as intended.

- Identify potential security issues with the P2P/API/RPC Communication implementation.

In summary, Halborn identified some security risks that were mostly addressed by the Spacemesh team.

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the custom modules. While manual testing is recommended to uncover flaws in logic, process, and implementation; automated testing techniques help enhance coverage of structures and can quickly identify items that do not follow security best practices. The following phases and associated tools were used throughout the term of the assessment :

- Research into architecture and purpose.

- Static Analysis of security for scoped repository, and imported functions. (e.g., staticcheck, gosec, unconvert, codeql, ineffassign and semgrep)

- Manual Assessment for discovering security vulnerabilities on codebase.

- Ensuring correctness of the codebase.

- Dynamic Analysis on files and modules related to the P2P/API/RPC Communication operations.

4. RISK METHODOLOGY

Every vulnerability and issue observed by Halborn is ranked based on two sets of Metrics and a Severity Coefficient. This system is inspired by the industry standard Common Vulnerability Scoring System.
The two Metric sets are: Exploitability and Impact. Exploitability captures the ease and technical means by which vulnerabilities can be exploited and Impact describes the consequences of a successful exploit.
The Severity Coefficients is designed to further refine the accuracy of the ranking with two factors: Reversibility and Scope. These capture the impact of the vulnerability on the environment as well as the number of users and smart contracts affected.
The final score is a value between 0-10 rounded up to 1 decimal place and 10 corresponding to the highest security risk. This provides an objective and accurate rating of the severity of security vulnerabilities in smart contracts.
The system is designed to assist in identifying and prioritizing vulnerabilities based on their level of risk to address the most critical issues in a timely manner.

4.1 EXPLOITABILITY

Attack Origin (AO):
Captures whether the attack requires compromising a specific account.
Attack Cost (AC):
Captures the cost of exploiting the vulnerability incurred by the attacker relative to sending a single transaction on the relevant blockchain. Includes but is not limited to financial and computational cost.
Attack Complexity (AX):
Describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Includes but is not limited to macro situation, available third-party liquidity and regulatory challenges.
Metrics:
EXPLOITABILITY METRIC (mem_e)METRIC VALUENUMERICAL VALUE
Attack Origin (AO)Arbitrary (AO:A)
Specific (AO:S)
1
0.2
Attack Cost (AC)Low (AC:L)
Medium (AC:M)
High (AC:H)
1
0.67
0.33
Attack Complexity (AX)Low (AX:L)
Medium (AX:M)
High (AX:H)
1
0.67
0.33
Exploitability EE is calculated using the following formula:

E=meE = \prod m_e

4.2 IMPACT

Confidentiality (C):
Measures the impact to the confidentiality of the information resources managed by the contract due to a successfully exploited vulnerability. Confidentiality refers to limiting access to authorized users only.
Integrity (I):
Measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of data stored and/or processed on-chain. Integrity impact directly affecting Deposit or Yield records is excluded.
Availability (A):
Measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. This metric refers to smart contract features and functionality, not state. Availability impact directly affecting Deposit or Yield is excluded.
Deposit (D):
Measures the impact to the deposits made to the contract by either users or owners.
Yield (Y):
Measures the impact to the yield generated by the contract for either users or owners.
Metrics:
IMPACT METRIC (mIm_I)METRIC VALUENUMERICAL VALUE
Confidentiality (C)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)
0
0.25
0.5
0.75
1
Integrity (I)None (I:N)
Low (I:L)
Medium (I:M)
High (I:H)
Critical (I:C)
0
0.25
0.5
0.75
1
Availability (A)None (A:N)
Low (A:L)
Medium (A:M)
High (A:H)
Critical (A:C)
0
0.25
0.5
0.75
1
Deposit (D)None (D:N)
Low (D:L)
Medium (D:M)
High (D:H)
Critical (D:C)
0
0.25
0.5
0.75
1
Yield (Y)None (Y:N)
Low (Y:L)
Medium (Y:M)
High (Y:H)
Critical (Y:C)
0
0.25
0.5
0.75
1
Impact II is calculated using the following formula:

I=max(mI)+mImax(mI)4I = max(m_I) + \frac{\sum{m_I} - max(m_I)}{4}

4.3 SEVERITY COEFFICIENT

Reversibility (R):
Describes the share of the exploited vulnerability effects that can be reversed. For upgradeable contracts, assume the contract private key is available.
Scope (S):
Captures whether a vulnerability in one vulnerable contract impacts resources in other contracts.
Metrics:
SEVERITY COEFFICIENT (CC)COEFFICIENT VALUENUMERICAL VALUE
Reversibility (rr)None (R:N)
Partial (R:P)
Full (R:F)
1
0.5
0.25
Scope (ss)Changed (S:C)
Unchanged (S:U)
1.25
1
Severity Coefficient CC is obtained by the following product:

C=rsC = rs

The Vulnerability Severity Score SS is obtained by:

S=min(10,EIC10)S = min(10, EIC * 10)

The score is rounded up to 1 decimal places.
SeverityScore Value Range
Critical9 - 10
High7 - 8.9
Medium4.5 - 6.9
Low2 - 4.4
Informational0 - 1.9

6. Assessment Summary & Findings Overview

Critical

0

High

0

Medium

4

Low

3

Informational

0

Security analysisRisk levelRemediation Date
Information Leakage from Exposing Pprof EndpointMediumSolved - 04/19/2024
Slowloris Attack In HTTP Server Due To Missing ReadHeaderTimeout ConfigurationMediumSolved - 04/19/2024
Mitigating Eclipse Attacks in Discovery Module with Enhanced Peer Selection and Connection PoliciesMediumFuture Release
Random Peer Selection Mechanism in Discovery ModuleMediumFuture Release
Permissions Setting in EnsureIdentity FunctionLowSolved - 05/01/2024
Potential Command Injection Vulnerability in PostSupervisor Execution PathLowSolved - 05/01/2024
Running Docker Image as RootLowAcknowledged

7. Findings & Tech Details

7.1 Information Leakage from Exposing Pprof Endpoint

// Medium

Description

In the provided code snippet, the pprof HTTP server is being started on port 6060, exposing the profiling endpoints to any client that can connect to the server on that port. While profiling is a useful tool for debugging and performance analysis, exposing these endpoints to the public internet can potentially leak sensitive information about the application, such as memory usage, CPU profiles, and even source code paths.


func (app *App) startSynchronous(ctx context.Context) (err error) {
	// notify anyone who might be listening that the app has finished starting.
	// this can be used by, e.g., app tests.
	defer close(app.started)

	// Create a contextual logger for local usage (lower-level modules will create their own contextual loggers
	// using context passed down to them)
	logger := app.log.WithContext(ctx)

	hostname, err := os.Hostname()
	if err != nil {
		return fmt.Errorf("error reading hostname: %w", err)
	}

	logger.With().Info("starting spacemesh",
		log.String("data-dir", app.Config.DataDir()),
		log.String("post-dir", app.Config.SMESHING.Opts.DataDir),
		log.String("hostname", hostname),
	)

	if err := os.MkdirAll(app.Config.DataDir(), 0o700); err != nil {
		return fmt.Errorf(
			"data-dir %s not found or could not be created: %w",
			app.Config.DataDir(),
			err,
		)
	}

	/* Setup monitoring */
	app.errCh = make(chan error, 100)
	if app.Config.PprofHTTPServer {
		logger.Info("starting pprof server")
		app.pprofService = &http.Server{Addr: ":6060"}
		app.eg.Go(func() error {
			if err := app.pprofService.ListenAndServe(); err != nil {
				app.errCh <- fmt.Errorf("cannot start pprof http server: %w", err)
			}
			return nil
		})
	}
BVSS
Recommendation

Run the pprof HTTP server on a separate port on localhost (e.g., localhost:6060), separate from the application's main HTTP server. This way, the profiling endpoints are only accessible from the same machine, reducing the attack surface.


Remediation Plan

SOLVED : The Spacemesh team solved the issue by implementing the suggested recommendation.

Remediation Hash
References

7.2 Slowloris Attack In HTTP Server Due To Missing ReadHeaderTimeout Configuration

// Medium

Description

The Node HTTP server, as implemented in the file http_server.go, is currently vulnerable to a potential Slowloris attack. This vulnerability stems from the absence of the ReadHeaderTimeout setting in the http.Server configuration. The Slowloris attack is a type of Denial of Service (DoS) attack where the attacker sends partial HTTP requests to the server, aiming to open many connections and keep them open as long as possible, thereby exhausting server resources. Without a ReadHeaderTimeout, the server lacks a mechanism to time out and close these incomplete request connections, making it susceptible to such attacks.


// StartService starts the json api server and listens for status (started, stopped).
func (s *JSONHTTPServer) StartService(
	ctx context.Context,
	services ...ServiceAPI,
) error {
	// At least one service must be enabled
	if len(services) == 0 {
		s.logger.Error("not starting grpc gateway service; at least one service must be enabled")
		return errors.New("no services provided")
	}

	// register each individual, enabled service
	mux := runtime.NewServeMux()
	for _, svc := range services {
		if err := svc.RegisterHandlerService(mux); err != nil {
			return fmt.Errorf("registering service %s with grpc gateway failed: %w", svc, err)
		}
	}

	s.logger.Info("starting grpc gateway server", zap.String("address", s.listener))
	lis, err := net.Listen("tcp", s.listener)
	if err != nil {
		return fmt.Errorf("listening on %s: %w", s.listener, err)
	}
	s.BoundAddress = lis.Addr().String()
	s.server = &http.Server{
		Handler: mux,
	}
	s.eg.Go(func() error {
		if err := s.server.Serve(lis); err != nil {
			s.logger.Error("serving grpc server", zap.Error(err))
			return nil
		}
		return nil
	})
	r
BVSS
Recommendation

Consider implementing timeout on the HTTP server.

s := &http.Server{

    Addr:              tssAddr,

    Handler:           mux,

    ReadHeaderTimeout: 5 * time.Second, // Set to a suitable value

}

Remediation Plan

SOLVED : The Spacemesh team solved the issue by implementing the suggested recommendation.

Remediation Hash
References

7.3 Mitigating Eclipse Attacks in Discovery Module with Enhanced Peer Selection and Connection Policies

// Medium

Description

The Discovery module, as currently implemented, lacks specific safeguards against Eclipse attacks, where an adversary could potentially monopolize a node's peer connections by controlling its view of the network. The system does not impose limits on connections from the same IP or subnet, allowing potential dominance by nodes controlled by an attacker.


func (d *Discovery) findPeersContinuously(ctx context.Context, ns string) <-chan peer.AddrInfo {
	r := make(chan peer.AddrInfo)
	d.eg.Go(func() error {
		defer close(r)
		var peerCh <-chan peer.AddrInfo
		for {
			if peerCh == nil {
				var err error
				peerCh, err = d.disc.FindPeers(ctx, ns)
				if err != nil {
					d.logger.Error("error finding relay peers", zap.Error(err))
					select {
					case <-ctx.Done():
						return nil
					case <-time.After(d.findPeersRetryDelay):
					}
					peerCh = nil
					continue
				}
			}

			select {
			case <-ctx.Done():
				return nil
			case p, ok := <-peerCh:
				if !ok {
					peerCh = nil
					select {
					case <-ctx.Done():
						return nil
					case <-time.After(d.findPeersRetryDelay):
					}
					continue
				}
				select {
				case r <- p:
				case <-ctx.Done():
				}
			}
		}
	})
	return r
}
BVSS
Recommendation

Develop a throttling mechanism that limits the number of connections from the same IP address or subnet. For example, limit to two connections per /24 subnets, which would prevent a large number of malicious nodes on the same network from overwhelming the node.


Remediation Plan

PENDING: The Spacemesh team will address the issue in a future release. The issue was opened in https://github.com/spacemeshos/go-spacemesh/issues/5510.

References

7.4 Random Peer Selection Mechanism in Discovery Module

// Medium

Description

The current implementation of the Discovery module lacks a robust mechanism for random peer selection. Without effective randomization in peer selection, the network might become vulnerable to certain types of attacks, such as Eclipse attacks. If the peer selection process is predictable or insufficiently random, an attacker could exploit this by positioning their controlled nodes in a way that they are more likely to be chosen.


func (d *Discovery) findPeersContinuously(ctx context.Context, ns string) <-chan peer.AddrInfo {
	r := make(chan peer.AddrInfo)
	d.eg.Go(func() error {
		defer close(r)
		var peerCh <-chan peer.AddrInfo
		for {
			if peerCh == nil {
				var err error
				peerCh, err = d.disc.FindPeers(ctx, ns)
				if err != nil {
					d.logger.Error("error finding relay peers", zap.Error(err))
					select {
					case <-ctx.Done():
						return nil
					case <-time.After(d.findPeersRetryDelay):
					}
					peerCh = nil
					continue
				}
			}

			select {
			case <-ctx.Done():
				return nil
			case p, ok := <-peerCh:
				if !ok {
					peerCh = nil
					select {
					case <-ctx.Done():
						return nil
					case <-time.After(d.findPeersRetryDelay):
					}
					continue
				}
				select {
				case r <- p:
				case <-ctx.Done():
				}
			}
		}
	})
	return r
}
BVSS
Recommendation

Enhance the peer selection algorithm to incorporate true randomness. This could involve integrating cryptographic randomness to select from the list of discovered peers, thereby ensuring that all peers have an equal chance of being chosen.


Remediation Plan

PENDING: The Spacemesh team will address the issue in a future release. The issue was opened in https://github.com/spacemeshos/go-spacemesh/issues/5510.

References

7.5 Permissions Setting in EnsureIdentity Function

// Low

Description

The EnsureIdentity function sets directory permissions to 0755 using os.MkdirAll. This setting allows the owner to read, write, and execute files, while others can only read and execute.If the directory's contents are sensitive (such as private keys), the read and execute permissions for 'group' and 'others' may expose sensitive information to unauthorized users.


// EnsureIdentity generates an identity key file in given directory.
func EnsureIdentity(dir string) (crypto.PrivKey, error) {
    // TODO add crc check
    if err := os.MkdirAll(dir, 0o755); err != nil {
        return nil, fmt.Errorf("ensure that directory %s exist: %w", dir, err)
    }
    info, err := identityInfoFromDir(dir)
    switch {
    case errors.Is(err, fs.ErrNotExist):
        key, err := genIdentity()
        if err != nil {
            return nil, err
        }
        id, err := peer.IDFromPrivateKey(key)
        if err != nil {
            panic("generated key is malformed")
        }
        raw, err := crypto.MarshalPrivateKey(key)
        if err != nil {
            panic("generated key can't be marshaled to bytes")
        }
        data, err := json.Marshal(identityInfo{
            Key: raw,
            ID:  id,
        })
        if err != nil {
            return nil, err
        }
        if err := os.WriteFile(filepath.Join(dir, keyFilename), data, 0o644); err != nil {
            return nil, fmt.Errorf("write identity data: %w", err)
        }
        return key, nil
    case err != nil:
        return nil, fmt.Errorf("read key from disk: %w", err)
    }

    pk, err := crypto.UnmarshalPrivateKey(info.Key)
    if err != nil {
        return nil, fmt.Errorf("unmarshal privkey: %w", err)
    }
    return pk, nil
}
BVSS
Recommendation

Consider setting directory permissions with sufficient privilege.


Remediation Plan

SOLVED: The Spacemesh team solved the issue by implementing the suggested recommendation.

Remediation Hash
References

7.6 Potential Command Injection Vulnerability in PostSupervisor Execution Path

// Low

Description

In the PostSupervisor component of the system, there is a potential security vulnerability concerning how external commands are constructed and executed. Specifically, the function runCmd constructs command-line arguments dynamically based on configurations and user input, which may be susceptible to command injection if the input is not properly sanitized.


cmd := exec.CommandContext(
    ctx,
    cmdCfg.PostServiceCmd,
    args...,
)
BVSS
Recommendation

Where possible, use allow lists for allowed commands and strictly enforce what executable can be run in the context of the application.


Remediation Plan

SOLVED: The Spacemesh team solved the issue by sanitizing commands.

References

7.7 Running Docker Image as Root

// Low

Description

The provided Dockerfile is building a Docker image for the go-spacemesh project, which is a Go-based implementation of the Spacemesh protocol. However, the issue lies in the fact that the Docker image is running as the root user, which can pose potential security risks. Running containers as the root user is generally discouraged because it grants unrestricted access to the host system's resources, increasing the potential for security vulnerabilities. If the container is compromised or contains vulnerabilities, an attacker could potentially gain root access to the host system, leading to serious consequences.


# go-spacemesh needs at least ubuntu 22.04. newer versions of ubuntu might work as well, but are untested
FROM ubuntu:22.04 AS linux
ENV DEBIAN_FRONTEND noninteractive
ENV SHELL /bin/bash
ARG TZ=Etc/UTC
ENV TZ=${TZ}
USER root
RUN set -ex \
   && apt-get update --fix-missing \
   && apt-get install -qy --no-install-recommends \
   ca-certificates \
   tzdata \
   locales \
   procps \
   net-tools \
   file \
   ocl-icd-libopencl1 clinfo \
   # required for OpenCL CPU provider
   # pocl-opencl-icd libpocl2 \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/* \
   && locale-gen en_US.UTF-8 \
   && update-locale LANG=en_US.UTF-8 \
   && echo "$TZ" > /etc/timezone
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US.UTF-8
ENV LC_ALL en_US.UTF-8

FROM golang:1.22 as builder
ARG VERSION=""
ENV VERSION=${VERSION}
RUN set -ex \
   && apt-get update --fix-missing \
   && apt-get install -qy --no-install-recommends \
   unzip sudo \
   ocl-icd-opencl-dev

WORKDIR /src

COPY Makefile* .
RUN make get-libs

# We want to populate the module cache based on the go.{mod,sum} files.
COPY go.mod .
COPY go.sum .

RUN go mod download

# Here we copy the rest of the source code
COPY . .

# And compile the project
RUN --mount=type=cache,id=build,target=/root/.cache/go-build make build VERSION=${VERSION}
RUN --mount=type=cache,id=build,target=/root/.cache/go-build make gen-p2p-identity
RUN --mount=type=cache,id=build,target=/root/.cache/go-build make merge-nodes VERSION=${VERSION}

# In this last stage, we start from a fresh image, to reduce the image size and not ship the Go compiler in our production artifacts.
FROM linux AS spacemesh

# Finally we copy the statically compiled Go binary.
COPY --from=builder /src/build/go-spacemesh /bin/
COPY --from=builder /src/build/service /bin/
COPY --from=builder /src/build/libpost.so /bin/
COPY --from=builder /src/build/gen-p2p-identity /bin/
COPY --from=builder /src/build/merge-nodes /bin/

ENTRYPOINT ["/bin/go-spacemesh"]
EXPOSE 7513

# profiling port
EXPOSE 6060

# pubsub port
EXPOSE 56565
BVSS
Recommendation

To mitigate this issue, it is recommended to follow the principle of least privilege and run the container as a non-root user. This can be achieved by creating a dedicated user within the Dockerfile and running the application as that user.

Remediation Plan

ACKNOWLEDGED: The Spacemesh team acknowledged this issue.

References

8. Automated Testing

Halborn used automated testing techniques to enhance coverage of certain areas of the scoped component. Among the tools used were staticcheck, gosec, semgrep, unconvert, codeql and nancy. After Halborn verified all the code and scoped structures in the repository and was able to compile them correctly, these tools were leveraged on scoped structures. With these tools, Halborn can statically verify security related issues across the entire codebase.

Gosec


[/spacemesh/go-spacemesh/txs/conservative_state.go:110] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    109: 	// randomly select transactions from the predicted block.
  > 110: 	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
    111: 	return ShuffleWithNonceOrder(logger, rng, numTXs, predictedBlock, byAddrAndNonce)



[/spacemesh/go-spacemesh/tortoise/sim/generator.go:87] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    86: 	g := &Generator{
  > 87: 		rng:       rand.New(rand.NewSource(0)),
    88: 		conf:      defaults(),



[/spacemesh/go-spacemesh/tortoise/sim/generator.go:20] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    19: 	return func(g *Generator) {
  > 20: 		g.rng = rand.New(rand.NewSource(seed))
    21: 	}



[/spacemesh/go-spacemesh/systest/testcontext/context.go:146] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    145: func rngName() string {
  > 146: 	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
    147: 	const choices = "qwertyuiopasdfghjklzxcvbnm"



[/spacemesh/go-spacemesh/syncer/atxsync/atxsync.go:67] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    66: 				return ctx.Err()
  > 67: 			case <-time.After(retryInterval + time.Duration(rand.Int63n(int64(retryInterval)))):
    68: 			}



[/spacemesh/go-spacemesh/p2p/book/book.go:137] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    136: 		queue:     list.New(),
  > 137: 		rng:       rand.New(rand.NewSource(time.Now().Unix())),
    138: 		shareable: []*addressInfo{},



[/spacemesh/go-spacemesh/p2p/book/book.go:128] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    127: 	return func(b *Book) {
  > 128: 		b.rng = rand.New(rand.NewSource(seed))
    129: 	}



[/spacemesh/go-spacemesh/fetch/fetch.go:607] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    606: func (f *Fetch) organizeRequests(requests []RequestMessage) map[p2p.Peer][][]RequestMessage {
  > 607: 	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
    608: 	peer2requests := make(map[p2p.Peer][]RequestMessage)



[/spacemesh/go-spacemesh/fetch/fetch.go:167] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    166: func randomPeer(peers []p2p.Peer) p2p.Peer {
  > 167: 	return peers[rand.Intn(len(peers))]
    168: }



[/spacemesh/go-spacemesh/common/fixture/transaction_results.go:32] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    31: func (g *TransactionResultGenerator) WithSeed(seed int64) *TransactionResultGenerator {
  > 32: 	g.rng = rand.New(rand.NewSource(seed))
    33: 	return g



[/spacemesh/go-spacemesh/common/fixture/rewards.go:32] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    31: func (g *RewardsGenerator) WithSeed(seed int64) *RewardsGenerator {
  > 32: 	g.rng = rand.New(rand.NewSource(seed))
    33: 	return g



[/spacemesh/go-spacemesh/common/fixture/atxs.go:33] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    32: func (g *AtxsGenerator) WithSeed(seed int64) *AtxsGenerator {
  > 33: 	g.rng = rand.New(rand.NewSource(seed))
    34: 	return g



[/spacemesh/go-spacemesh/blocks/utils.go:181] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    180: 	mt.SeedFromSlice(toUint64Slice(blockSeed))
  > 181: 	rng := rand.New(mt)
    182: 	ordered := txs.ShuffleWithNonceOrder(logger, rng, len(candidates), candidates, byAddrAndNonce)



[/spacemesh/go-spacemesh/activation/nipost.go:592] - G404 (CWE-338): Use of weak random number generator (math/rand instead of crypto/rand) (Confidence: MEDIUM, Severity: HIGH)
    591: func randomDurationInRange(min, max time.Duration) time.Duration {
  > 592: 	return min + time.Duration(rand.Int63n(int64(max-min+1)))
    593: }



[/spacemesh/go-spacemesh/api/grpcserver/grpc.go:106-110] - G402 (CWE-295): TLS MinVersion too low. (Confidence: HIGH, Severity: HIGH)
    105: 
  > 106: 	tlsConfig := &tls.Config{
  > 107: 		Certificates: []tls.Certificate{serverCert},
  > 108: 		ClientAuth:   tls.RequireAndVerifyClientCert,
  > 109: 		ClientCAs:    certPool,
  > 110: 	}
    111: 



[/spacemesh/go-spacemesh/cmd/node/main.go:7] - G108 (CWE-200): Profiling endpoint is automatically exposed on /debug/pprof (Confidence: HIGH, Severity: HIGH)
    6: 	"fmt"
  > 7: 	_ "net/http/pprof"
    8: 	"os"



[/spacemesh/go-spacemesh/node/mapstructureutil/bigrat.go:20] - G113 (CWE-190): Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772) (Confidence: LOW, Severity: HIGH)
    19: 		case reflect.String:
  > 20: 			v, ok := new(big.Rat).SetString(data.(string))
    21: 			if !ok {



[/spacemesh/go-spacemesh/metrics/server.go:17] - G114 (CWE-676): Use of net/http serve function that has no support for setting timeouts (Confidence: HIGH, Severity: MEDIUM)
    16: 	go func() {
  > 17: 		err := http.ListenAndServe(fmt.Sprintf(":%v", metricsPort), nil)
    18: 		log.With().Warning("Metrics server stopped: %v", log.Err(err))



[/spacemesh/go-spacemesh/activation/post_supervisor.go:265-269] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    264: 
  > 265: 	cmd := exec.CommandContext(
  > 266: 		ctx,
  > 267: 		cmdCfg.PostServiceCmd,
  > 268: 		args...,
  > 269: 	)
    270: 	pipe, err := cmd.StderrPipe()



[/spacemesh/go-spacemesh/tortoise/tracer.go:80] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    79: func RunTrace(path string, breakpoint func(), opts ...Opt) error {
  > 80: 	f, err := os.Open(path)
    81: 	if err != nil {



[/spacemesh/go-spacemesh/sql/localsql/nipost_state.go:56] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    55: func read(path string) ([]byte, error) {
  > 56: 	file, err := os.Open(path)
    57: 	if err != nil {



[/spacemesh/go-spacemesh/sql/localsql/nipost_state.go:26] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    25: 	tmpName := fmt.Sprintf("%s.tmp", path)
  > 26: 	tmp, err := os.Create(tmpName)
    27: 	if err != nil {



[/spacemesh/go-spacemesh/signing/signer.go:79] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    78: 		// read hex data from file
  > 79: 		data, err := os.ReadFile(path)
    80: 		if err != nil {



[/spacemesh/go-spacemesh/p2p/persist.go:76] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    75: func loadPeers(dir string) ([]peer.AddrInfo, error) {
  > 76: 	f, err := os.Open(filepath.Join(dir, connectedFile))
    77: 	if err != nil {



[/spacemesh/go-spacemesh/p2p/identity.go:32] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    31: 	path := filepath.Join(dir, keyFilename)
  > 32: 	data, err := os.ReadFile(path)
    33: 	if err != nil {



[/spacemesh/go-spacemesh/node/node_identities.go:71] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    70: 
  > 71: 	dst, err := os.Create(newKey)
    72: 	if err != nil {



[/spacemesh/go-spacemesh/node/node_identities.go:56] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    55: 
  > 56: 	src, err := os.Open(oldKey)
    57: 	switch {



[/spacemesh/go-spacemesh/config/genesis.go:75] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    74: func (g *GenesisConfig) WriteToFile(filename string) error {
  > 75: 	f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0o644)
    76: 	if err != nil {



[/spacemesh/go-spacemesh/config/genesis.go:65] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    64: func (g *GenesisConfig) LoadFromFile(filename string) error {
  > 65: 	f, err := os.Open(filename)
    66: 	if err != nil {



[/spacemesh/go-spacemesh/cmd/bootstrapper/bootstrapper.go:140] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    139: func upload(ctx context.Context, filename, gsBucket, gsPath string) error {
  > 140: 	r, err := os.Open(filename)
    141: 	if err != nil {



[/spacemesh/go-spacemesh/api/grpcserver/admin_service.go:91] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    90: 	}
  > 91: 	f, err := os.Open(fname)
    92: 	if err != nil {



[/spacemesh/go-spacemesh/node/node.go:1932] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    1931: 		logger.Info("starting pprof server")
  > 1932: 		app.pprofService = &http.Server{Addr: ":6060"}
    1933: 		app.eg.Go(func() error {



[/spacemesh/go-spacemesh/cmd/bootstrapper/server.go:78] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    77: 	s := &Server{
  > 78: 		Server:          &http.Server{Addr: fmt.Sprintf(":%d", port)},
    79: 		logger:          log.NewNop(),



[/spacemesh/go-spacemesh/api/grpcserver/http_server.go:82-84] - G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (Confidence: LOW, Severity: MEDIUM)
    81: 	s.BoundAddress = lis.Addr().String()
  > 82: 	s.server = &http.Server{
  > 83: 		Handler: mux,
  > 84: 	}
    85: 	s.eg.Go(func() error {



[/spacemesh/go-spacemesh/txs/cache.go:738] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    737: 			RawTxCount.WithLabelValues(updated).Inc()
  > 738: 			if err := transactions.Add(db, &tx, time.Now()); err != nil {
    739: 				return err



[/spacemesh/go-spacemesh/hare3/protocol.go:624] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    623: 		for _, stat := range s.notify {
  > 624: 			encoder.AppendObject(&stat)
    625: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:618] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    617: 		for _, stat := range s.commit {
  > 618: 			encoder.AppendObject(&stat)
    619: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:612] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    611: 		for _, stat := range s.propose {
  > 612: 			encoder.AppendObject(&stat)
    613: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:606] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    605: 		for _, stat := range s.preround {
  > 606: 			encoder.AppendObject(&stat)
    607: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:585] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    584: 		for _, tally := range n.tallies {
  > 585: 			encoder.AppendObject(&tally)
    586: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:569] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    568: 		for _, tally := range s.tallies {
  > 569: 			encoder.AppendObject(&tally)
    570: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:517] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    516: 		for _, tally := range s.tallies {
  > 517: 			enc.AppendObject(&tally)
    518: 		}



[/spacemesh/go-spacemesh/genvm/vm.go:231] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    230: 	for _, reward := range rewardsResult {
  > 231: 		if err := rewards.Add(tx, &reward); err != nil {
    232: 			return nil, nil, fmt.Errorf("%w: %w", core.ErrInternal, err)



[/spacemesh/go-spacemesh/common/types/ballot.go:196] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    195: 		for _, vote := range v.Against {
  > 196: 			encoder.AppendObject(&vote)
    197: 		}



[/spacemesh/go-spacemesh/common/types/ballot.go:190] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    189: 		for _, vote := range v.Support {
  > 190: 			encoder.AppendObject(&vote)
    191: 		}



[/spacemesh/go-spacemesh/config/genesis.go:75] - G302 (CWE-276): Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    74: func (g *GenesisConfig) WriteToFile(filename string) error {
  > 75: 	f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0o644)
    76: 	if err != nil {



[/spacemesh/go-spacemesh/p2p/identity.go:53] - G301 (CWE-276): Expect directory permissions to be 0750 or less (Confidence: HIGH, Severity: MEDIUM)
    52: 	// TODO add crc check
  > 53: 	if err := os.MkdirAll(dir, 0o755); err != nil {
    54: 		return nil, fmt.Errorf("ensure that directory %s exist: %w", dir, err)



[/spacemesh/go-spacemesh/p2p/identity.go:84] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    83: 		}
  > 84: 		if err := os.WriteFile(filepath.Join(dir, keyFilename), data, 0o644); err != nil {
    85: 			return nil, fmt.Errorf("write identity data: %w", err)



[/spacemesh/go-spacemesh/txs/nano_tx.go:42] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    41: 	hash.Write(blockSeed)
  > 42: 	hash.Write(n.ID.Bytes())
    43: 	return hash.Sum(nil)



[/spacemesh/go-spacemesh/txs/nano_tx.go:41] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    40: 	hash := hash.New()
  > 41: 	hash.Write(blockSeed)
    42: 	hash.Write(n.ID.Bytes())



[/spacemesh/go-spacemesh/tortoise/util.go:97-105] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    96: 		for i := range blocks {
  > 97: 			encoder.AppendObject(zapcore.ObjectMarshalerFunc(func(encoder zapcore.ObjectEncoder) error {
  > 98: 				encoder.AddString("decision", blocks[i].validity.String())
  > 99: 				encoder.AddString("hare", blocks[i].hare.String())
  > 100: 				encoder.AddString("id", blocks[i].id.String())
  > 101: 				encoder.AddString("weight", blocks[i].margin.String())
  > 102: 				encoder.AddUint64("height", blocks[i].height)
  > 103: 				encoder.AddBool("data", blocks[i].data)
  > 104: 				return nil
  > 105: 			}))
    106: 		}



[/spacemesh/go-spacemesh/tortoise/sim/layer.go:142] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    141: 		txid := types.TransactionID{}
  > 142: 		g.rng.Read(txid[:])
    143: 		txIDs = append(txIDs, txid)



[/spacemesh/go-spacemesh/tortoise/sim/layer.go:132] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    131: 	beacon := types.Beacon{}
  > 132: 	g.rng.Read(beacon[:])
    133: 	for _, state := range g.states {



[/spacemesh/go-spacemesh/tortoise/model/hare.go:24] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    23: 		id := types.BlockID{}
  > 24: 		h.rng.Read(id[:])
    25: 		block := types.NewExistingBlock(



[/spacemesh/go-spacemesh/tortoise/model/core.go:186] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    185: 	case MessageCoinflip:
  > 186: 		layers.SetWeakCoin(c.cdb, ev.LayerID, ev.Coinflip)
    187: 	}



[/spacemesh/go-spacemesh/tortoise/model/core.go:184] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    183: 	case MessageBeacon:
  > 184: 		beacons.Add(c.cdb, ev.EpochID+1, ev.Beacon)
    185: 	case MessageCoinflip:



[/spacemesh/go-spacemesh/tortoise/model/core.go:177] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    176: 		}
  > 177: 		atxs.Add(c.cdb, vAtx)
    178: 		malicious, err := c.cdb.IsMalicious(vAtx.SmesherID)



[/spacemesh/go-spacemesh/tortoise/model/core.go:171] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    170: 	case MessageBallot:
  > 171: 		ballots.Add(c.cdb, ev.Ballot)
    172: 	case MessageAtx:



[/spacemesh/go-spacemesh/tortoise/model/core.go:169] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    168: 		}
  > 169: 		blocks.Add(c.cdb, ev.Block)
    170: 	case MessageBallot:



[/spacemesh/go-spacemesh/tortoise/model/core.go:167] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    166: 		if errors.Is(err, sql.ErrNotFound) || len(ids) == 0 {
  > 167: 			certificates.SetHareOutput(c.cdb, ev.Block.LayerIndex, ev.Block.ID())
    168: 		}



[/spacemesh/go-spacemesh/tortoise/model/core.go:135] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    134: 		if ev.LayerID.After(types.GetEffectiveGenesis()) {
  > 135: 			tortoise.RecoverLayer(context.Background(), c.tortoise, c.cdb.Executor, c.atxdata, ev.LayerID, c.tortoise.OnBallot)
    136: 			c.tortoise.TallyVotes(context.Background(), ev.LayerID)



[/spacemesh/go-spacemesh/tortoise/model/core.go:127] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    126: 		ballot.SmesherID = c.signer.NodeID()
  > 127: 		ballot.Initialize()
    128: 		if c.refBallot == nil {



[/spacemesh/go-spacemesh/tortoise/model/core.go:117] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    116: 				c.rng.Read(beacon[:])
  > 117: 				beacons.Set(c.cdb, ev.LayerID.GetEpoch(), beacon)
    118: 			}



[/spacemesh/go-spacemesh/tortoise/model/core.go:116] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    115: 				beacon = types.Beacon{}
  > 116: 				c.rng.Read(beacon[:])
    117: 				beacons.Set(c.cdb, ev.LayerID.GetEpoch(), beacon)



[/spacemesh/go-spacemesh/tortoise/model/beacon.go:27] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    26: 		beacon := types.Beacon{}
  > 27: 		b.rng.Read(beacon[:])
    28: 		m.Send(MessageBeacon{



[/spacemesh/go-spacemesh/timesync/peersync/sync.go:176] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    175: 	s.cancel()
  > 176: 	s.Wait()
    177: }



[/spacemesh/go-spacemesh/timesync/clock.go:50] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    49: 	for _, opt := range opts {
  > 50: 		opt(cfg)
    51: 	}



[/spacemesh/go-spacemesh/systest/validation/consensus.go:92] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    91: 		}
  > 92: 		eg.Wait()
    93: 		return cv.Complete(iter)



[/spacemesh/go-spacemesh/systest/cluster/nodes.go:649] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    648: 			}
  > 649: 			deployNodeSvc(ctx, nodeId)
    650: 			clients <- &NodeClient{



[/spacemesh/go-spacemesh/systest/cluster/nodes.go:219] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    218: 	if n.privConn != nil && n.privConn == conn {
  > 219: 		n.privConn.Close()
    220: 		n.privConn = nil



[/spacemesh/go-spacemesh/systest/cluster/nodes.go:189] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    188: 	if n.pubConn != nil && n.pubConn == conn {
  > 189: 		n.pubConn.Close()
    190: 		n.pubConn = nil



[/spacemesh/go-spacemesh/systest/cluster/cluster.go:723] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    722: 	}
  > 723: 	eg.Wait()
    724: }



[/spacemesh/go-spacemesh/syncer/syncer.go:603] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    602: func (s *Syncer) waitBackgroundSync() {
  > 603: 	s.backgroundSync.eg.Wait()
    604: }



[/spacemesh/go-spacemesh/syncer/syncer.go:466] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    465: 		s.backgroundSync.cancel()
  > 466: 		s.backgroundSync.eg.Wait()
    467: 		s.backgroundSync.epoch.Store(0)



[/spacemesh/go-spacemesh/sql/database.go:242] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    241: 		tx.Commit()
  > 242: 		tx.Release()
    243: 



[/spacemesh/go-spacemesh/sql/database.go:241] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    240: 		}
  > 241: 		tx.Commit()
    242: 		tx.Release()



[/spacemesh/go-spacemesh/sql/database.go:231] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    230: 
  > 231: 					tx.Release()
    232: 					err = errors.Join(err, db.Close())



[/spacemesh/go-spacemesh/sql/activesets/activesets.go:68] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    67: 				rst = make([]byte, rd.Len())
  > 68: 				rd.Read(rst)
    69: 				return true



[/spacemesh/go-spacemesh/p2p/upgrade.go:404] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    403: 	fh.natTypeSub.Close()
  > 404: 	fh.eg.Wait()
    405: 	if err := fh.Host.Close(); err != nil {



[/spacemesh/go-spacemesh/p2p/upgrade.go:403] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    402: 	fh.reachSub.Close()
  > 403: 	fh.natTypeSub.Close()
    404: 	fh.eg.Wait()



[/spacemesh/go-spacemesh/p2p/upgrade.go:402] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    401: 	fh.discovery.Stop()
  > 402: 	fh.reachSub.Close()
    403: 	fh.natTypeSub.Close()



[/spacemesh/go-spacemesh/p2p/upgrade.go:378] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    377: 	}
  > 378: 	fh.discovery.Start()
    379: 	if fh.ping != nil {



[/spacemesh/go-spacemesh/p2p/server/server.go:260] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    259: 		)
  > 260: 		stream.Conn().Close()
    261: 		return false



[/spacemesh/go-spacemesh/p2p/server/server.go:220] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    219: 				if s.decayingTag != nil {
  > 220: 					s.decayingTag.Bump(req.stream.Conn().RemotePeer(), s.decayingTagSpec.Inc)
    221: 				}



[/spacemesh/go-spacemesh/p2p/server/server.go:215] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    214: 			if err := limit.Wait(ctx); err != nil {
  > 215: 				eg.Wait()
    216: 				return nil



[/spacemesh/go-spacemesh/p2p/server/server.go:208] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    207: 		case <-ctx.Done():
  > 208: 			eg.Wait()
    209: 			return nil



[/spacemesh/go-spacemesh/p2p/server/server.go:199] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    198: 			}
  > 199: 			stream.Close()
    200: 		}



[/spacemesh/go-spacemesh/p2p/pubsub/wrapper.go:37-57] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    36: 	handler = DropPeerOnValidationReject(handler, ps.host, ps.logger)
  > 37: 	ps.pubsub.RegisterTopicValidator(
  > 38: 		topic,
  > 39: 		func(ctx context.Context, pid peer.ID, msg *pubsub.Message) pubsub.ValidationResult {
  > 40: 			start := time.Now()
  > 41: 			err := handler(log.WithNewRequestID(ctx), pid, msg.Data)
  > 42: 			metrics.ProcessedMessagesDuration.WithLabelValues(topic, castResult(err)).
  > 43: 				Observe(float64(time.Since(start)))
  > 44: 			if err != nil {
  > 45: 				ps.logger.With().Debug("topic validation failed",
  > 46: 					log.String("topic", topic), log.Err(err))
  > 47: 			}
  > 48: 			switch {
  > 49: 			case errors.Is(err, ErrValidationReject):
  > 50: 				return pubsub.ValidationReject
  > 51: 			case err != nil:
  > 52: 				return pubsub.ValidationIgnore
  > 53: 			default:
  > 54: 				return pubsub.ValidationAccept
  > 55: 			}
  > 56: 		},
  > 57: 		opts...)
    58: 	topich, err := ps.pubsub.Join(topic)



[/spacemesh/go-spacemesh/p2p/pubsub/pubsub.go:208] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    207: 	}
  > 208: 	hasher.Write(msg.Data)
    209: 	return string(hasher.Sum(nil))



[/spacemesh/go-spacemesh/p2p/pubsub/pubsub.go:206] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    205: 	if msg.Topic != nil {
  > 206: 		hasher.Write([]byte(*msg.Topic))
    207: 	}



[/spacemesh/go-spacemesh/p2p/ping.go:80] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    79: 	p.cancel = nil
  > 80: 	p.eg.Wait()
    81: }



[/spacemesh/go-spacemesh/p2p/persist.go:71] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    70: 	}
  > 71: 	tmp.Close()
    72: 	return atomic.ReplaceFile(tmp.Name(), filepath.Join(dir, connectedFile))



[/spacemesh/go-spacemesh/p2p/persist.go:68] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    67: 	if _, err = tmp.WriteAt(crc, 0); err != nil {
  > 68: 		tmp.Close()
    69: 		return err



[/spacemesh/go-spacemesh/p2p/persist.go:62] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    61: 		if err := codec.Encode(info); err != nil {
  > 62: 			tmp.Close()
    63: 			return err



[/spacemesh/go-spacemesh/p2p/persist.go:55] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    54: 	if _, err := tmp.Write(crc); err != nil {
  > 55: 		tmp.Close()
    56: 		return err



[/spacemesh/go-spacemesh/p2p/host.go:444] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    443: 		}
  > 444: 		cfg.Apply(libp2p.ResourceManager(mgr))
    445: 		return nil



[/spacemesh/go-spacemesh/p2p/handshake/handshake.go:238] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    237: 	defer s.Close()
  > 238: 	s.SetDeadline(time.Now().Add(l.timeout))
    239: 



[/spacemesh/go-spacemesh/p2p/handshake/handshake.go:159] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    158: 	defer s.Close()
  > 159: 	s.SetDeadline(time.Now().Add(tr.timeout))
    160: 



[/spacemesh/go-spacemesh/p2p/dhtdiscovery/discovery.go:311] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    310: 	}
  > 311: 	eg.Wait()
    312: }



[/spacemesh/go-spacemesh/p2p/dhtdiscovery/discovery.go:269] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    268: 	d.cancel = nil
  > 269: 	d.eg.Wait()
    270: 	if !d.disableDht {



[/spacemesh/go-spacemesh/p2p/book/book.go:432] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    431: 		checksum.Write(scanner.Bytes())
  > 432: 		checksum.Write([]byte{'\n'})
    433: 		known[addr.ID] = addr



[/spacemesh/go-spacemesh/p2p/book/book.go:431] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    430: 		}
  > 431: 		checksum.Write(scanner.Bytes())
    432: 		checksum.Write([]byte{'\n'})



[/spacemesh/go-spacemesh/node/test_network.go:85] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    84: 		// Wait for nodes to shutdown
  > 85: 		g.Wait()
    86: 



[/spacemesh/go-spacemesh/node/node.go:1654] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1653: 	if app.postVerifier != nil {
  > 1654: 		app.postVerifier.Close()
    1655: 	}



[/spacemesh/go-spacemesh/node/node.go:1650] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1649: 	if app.atxBuilder != nil {
  > 1650: 		app.atxBuilder.StopSmeshing(false)
    1651: 	}



[/spacemesh/go-spacemesh/node/node.go:1638] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1637: 		app.log.Info("stopping updater")
  > 1638: 		app.updater.Close()
    1639: 	}



[/spacemesh/go-spacemesh/node/node.go:1633] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1632: 		app.log.Info("stopping tls grpc service")
  > 1633: 		app.grpcTLSServer.Close() // err is always nil
    1634: 	}



[/spacemesh/go-spacemesh/node/node.go:1629] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1628: 		app.log.Info("stopping local grpc service")
  > 1629: 		app.grpcPostServer.Close() // err is always nil
    1630: 	}



[/spacemesh/go-spacemesh/node/node.go:1625] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1624: 		app.log.Info("stopping private grpc service")
  > 1625: 		app.grpcPrivateServer.Close() // err is always nil
    1626: 	}



[/spacemesh/go-spacemesh/node/node.go:1621] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1620: 		app.log.Info("stopping public grpc service")
  > 1621: 		app.grpcPublicServer.Close() // err is always nil
    1622: 	}



[/spacemesh/go-spacemesh/node/node.go:1298] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    1297: 					}
  > 1298: 					activesets.Add(app.db, id, activeSet)
    1299: 



[/spacemesh/go-spacemesh/node/node.go:553] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    552: 	app.stopServices(ctx)
  > 553: 	app.eg.Wait()
    554: 	app.log.Info("app cleanup completed")



[/spacemesh/go-spacemesh/miner/proposal_builder.go:138-144] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    137: 				for _, lyr := range keys {
  > 138: 					encoder.AppendObject(
  > 139: 						log.ObjectMarshallerFunc(func(encoder log.ObjectEncoder) error {
  > 140: 							encoder.AddUint32("layer", lyr.Uint32())
  > 141: 							encoder.AddInt("slots", len(s.eligibilities.proofs[lyr]))
  > 142: 							return nil
  > 143: 						}),
  > 144: 					)
    145: 				}



[/spacemesh/go-spacemesh/miner/proposal_builder.go:131-148] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    130: 		encoder.AddInt("eligible", len(s.eligibilities.proofs))
  > 131: 		encoder.AddArray(
  > 132: 			"eligible by layer",
  > 133: 			log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 134: 				// Sort the layer map to log the layer data in order
  > 135: 				keys := maps.Keys(s.eligibilities.proofs)
  > 136: 				slices.Sort(keys)
  > 137: 				for _, lyr := range keys {
  > 138: 					encoder.AppendObject(
  > 139: 						log.ObjectMarshallerFunc(func(encoder log.ObjectEncoder) error {
  > 140: 							encoder.AddUint32("layer", lyr.Uint32())
  > 141: 							encoder.AddInt("slots", len(s.eligibilities.proofs[lyr]))
  > 142: 							return nil
  > 143: 						}),
  > 144: 					)
  > 145: 				}
  > 146: 				return nil
  > 147: 			}),
  > 148: 		)
    149: 	}



[/spacemesh/go-spacemesh/mesh/mesh.go:305] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    304: 				for i := range results {
  > 305: 					encoder.AppendObject(&results[i])
    306: 				}



[/spacemesh/go-spacemesh/hash/hash.go:19] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    18: 	for _, chunk := range chunks {
  > 19: 		hh.Write(chunk)
    20: 	}



[/spacemesh/go-spacemesh/hare3/types.go:158-163] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    157: 	if m.Value.Proposals != nil {
  > 158: 		encoder.AddArray("full", zapcore.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 159: 			for _, id := range m.Value.Proposals {
  > 160: 				encoder.AppendString(types.Hash20(id).ShortString())
  > 161: 			}
  > 162: 			return nil
  > 163: 		}))
    164: 	} else if m.Value.Reference != nil {



[/spacemesh/go-spacemesh/hare3/protocol.go:624] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    623: 		for _, stat := range s.notify {
  > 624: 			encoder.AppendObject(&stat)
    625: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:622-627] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    621: 	}))
  > 622: 	encoder.AddArray("notify", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 623: 		for _, stat := range s.notify {
  > 624: 			encoder.AppendObject(&stat)
  > 625: 		}
  > 626: 		return nil
  > 627: 	}))
    628: 	return nil



[/spacemesh/go-spacemesh/hare3/protocol.go:618] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    617: 		for _, stat := range s.commit {
  > 618: 			encoder.AppendObject(&stat)
    619: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:616-621] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    615: 	}))
  > 616: 	encoder.AddArray("commit", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 617: 		for _, stat := range s.commit {
  > 618: 			encoder.AppendObject(&stat)
  > 619: 		}
  > 620: 		return nil
  > 621: 	}))
    622: 	encoder.AddArray("notify", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {



[/spacemesh/go-spacemesh/hare3/protocol.go:612] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    611: 		for _, stat := range s.propose {
  > 612: 			encoder.AppendObject(&stat)
    613: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:610-615] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    609: 	}))
  > 610: 	encoder.AddArray("propose", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 611: 		for _, stat := range s.propose {
  > 612: 			encoder.AppendObject(&stat)
  > 613: 		}
  > 614: 		return nil
  > 615: 	}))
    616: 	encoder.AddArray("commit", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {



[/spacemesh/go-spacemesh/hare3/protocol.go:606] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    605: 		for _, stat := range s.preround {
  > 606: 			encoder.AppendObject(&stat)
    607: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:604-609] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    603: 	encoder.AddUint16("threshold", s.threshold)
  > 604: 	encoder.AddArray("preround", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 605: 		for _, stat := range s.preround {
  > 606: 			encoder.AppendObject(&stat)
  > 607: 		}
  > 608: 		return nil
  > 609: 	}))
    610: 	encoder.AddArray("propose", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {



[/spacemesh/go-spacemesh/hare3/protocol.go:585] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    584: 		for _, tally := range n.tallies {
  > 585: 			encoder.AppendObject(&tally)
    586: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:583-588] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    582: 	encoder.AddUint16("grade", uint16(n.grade))
  > 583: 	encoder.AddArray("tallies", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 584: 		for _, tally := range n.tallies {
  > 585: 			encoder.AppendObject(&tally)
  > 586: 		}
  > 587: 		return nil
  > 588: 	}))
    589: 	return nil



[/spacemesh/go-spacemesh/hare3/protocol.go:569] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    568: 		for _, tally := range s.tallies {
  > 569: 			encoder.AppendObject(&tally)
    570: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:567-572] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    566: 	encoder.AddUint16("grade", uint16(s.grade))
  > 567: 	encoder.AddArray("tallies", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 568: 		for _, tally := range s.tallies {
  > 569: 			encoder.AppendObject(&tally)
  > 570: 		}
  > 571: 		return nil
  > 572: 	}))
    573: 	return nil



[/spacemesh/go-spacemesh/hare3/protocol.go:551-556] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    550: 	encoder.AddUint16("grade", uint16(s.grade))
  > 551: 	encoder.AddArray("proposals", zapcore.ArrayMarshalerFunc(func(encoder zapcore.ArrayEncoder) error {
  > 552: 		for _, id := range s.proposals {
  > 553: 			encoder.AppendString(id.String())
  > 554: 		}
  > 555: 		return nil
  > 556: 	}))
    557: 	return nil



[/spacemesh/go-spacemesh/hare3/protocol.go:517] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    516: 		for _, tally := range s.tallies {
  > 517: 			enc.AppendObject(&tally)
    518: 		}



[/spacemesh/go-spacemesh/hare3/protocol.go:515-520] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    514: 	encoder.AddUint16("grade", uint16(s.grade))
  > 515: 	encoder.AddArray("tallies", zapcore.ArrayMarshalerFunc(func(enc zapcore.ArrayEncoder) error {
  > 516: 		for _, tally := range s.tallies {
  > 517: 			enc.AppendObject(&tally)
  > 518: 		}
  > 519: 		return nil
  > 520: 	}))
    521: 	return nil



[/spacemesh/go-spacemesh/hare3/protocol.go:87] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    86: 	if o.message != nil {
  > 87: 		encoder.AddObject("msg", o.message)
    88: 	}



[/spacemesh/go-spacemesh/hare3/protocol.go:79-84] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    78: 	if o.result != nil {
  > 79: 		encoder.AddArray("result", zapcore.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 80: 			for _, id := range o.result {
  > 81: 				encoder.AppendString(types.Hash20(id).ShortString())
  > 82: 			}
  > 83: 			return nil
  > 84: 		}))
    85: 	}



[/spacemesh/go-spacemesh/hare3/protocol.go:58] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    57: 	if i.Message != nil {
  > 58: 		i.Message.MarshalLogObject(encoder)
    59: 	}



[/spacemesh/go-spacemesh/hare3/hare.go:603] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    602: 	h.cancel()
  > 603: 	h.eg.Wait()
    604: 	close(h.results)



[/spacemesh/go-spacemesh/genvm/vm.go:244] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    243: 		}
  > 244: 		account.EncodeScale(encoder)
    245: 		return true



[/spacemesh/go-spacemesh/genvm/core/hash.go:22] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    21: 	template.EncodeScale(encoder)
  > 22: 	args.EncodeScale(encoder)
    23: 	hash := hasher.Sum(nil)



[/spacemesh/go-spacemesh/genvm/core/hash.go:21] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    20: 	encoder := scale.NewEncoder(hasher)
  > 21: 	template.EncodeScale(encoder)
    22: 	args.EncodeScale(encoder)



[/spacemesh/go-spacemesh/fetch/mesh_data.go:119] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    118: 
  > 119: 	eg.Wait()
    120: 	if !bfailure.Empty() {



[/spacemesh/go-spacemesh/config/genesis.go:38] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    37: 	hh.Write([]byte(strconv.FormatInt(parsed.Unix(), 10)))
  > 38: 	hh.Write([]byte(g.ExtraData))
    39: 	return types.BytesToHash(hh.Sum(nil))



[/spacemesh/go-spacemesh/config/genesis.go:37] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    36: 	}
  > 37: 	hh.Write([]byte(strconv.FormatInt(parsed.Unix(), 10)))
    38: 	hh.Write([]byte(g.ExtraData))



[/spacemesh/go-spacemesh/common/util/json.go:98] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    97: 	}
  > 98: 	hex.Decode(out, raw)
    99: 	return nil



[/spacemesh/go-spacemesh/common/types/transaction_result.go:54-59] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    53: 	encoder.AddUint32("layer", h.Layer.Uint32())
  > 54: 	encoder.AddArray("addresses", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 55: 		for i := range h.Addresses {
  > 56: 			encoder.AppendString((&h.Addresses[i]).String())
  > 57: 		}
  > 58: 		return nil
  > 59: 	}))
    60: 	return nil



[/spacemesh/go-spacemesh/common/types/tortoise_data.go:29] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    28: 	if b.EpochData != nil {
  > 29: 		encoder.AddObject("epochdata", b.EpochData)
    30: 	} else if b.Ref != nil {



[/spacemesh/go-spacemesh/common/types/tortoise_data.go:26] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    25: 	encoder.AddString("atxid", b.AtxID.String())
  > 26: 	encoder.AddObject("opinion", &b.Opinion)
    27: 	encoder.AddUint32("elig", b.Eligibilities)



[/spacemesh/go-spacemesh/common/types/result/result.go:60] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    59: func (b *Block) MarshalLogObject(encoder log.ObjectEncoder) error {
  > 60: 	b.Header.MarshalLogObject(encoder)
    61: 	encoder.AddBool("valid", b.Valid)



[/spacemesh/go-spacemesh/common/types/result/result.go:43] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    42: 		for i := range l.Blocks {
  > 43: 			aencoder.AppendObject(&l.Blocks[i])
    44: 		}



[/spacemesh/go-spacemesh/common/types/result/result.go:41-46] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    40: 	encoder.AddBool("verified", l.Verified)
  > 41: 	encoder.AddArray("blocks", log.ArrayMarshalerFunc(func(aencoder log.ArrayEncoder) error {
  > 42: 		for i := range l.Blocks {
  > 43: 			aencoder.AppendObject(&l.Blocks[i])
  > 44: 		}
  > 45: 		return nil
  > 46: 	}))
    47: 	return nil



[/spacemesh/go-spacemesh/common/types/proposal.go:141] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    140: 	encoder.AddString("mesh_hash", p.MeshHash.ShortString())
  > 141: 	p.Ballot.MarshalLogObject(encoder)
    142: 	return nil



[/spacemesh/go-spacemesh/common/types/poet.go:109] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    108: 	}
  > 109: 	encoder.AddObject("PoetProof", &p.PoetProof)
    110: 	encoder.AddString("PoetServiceID", hex.EncodeToString(p.PoetServiceID))



[/spacemesh/go-spacemesh/common/types/poet.go:83-88] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    82: 	}))
  > 83: 	encoder.AddArray("MerkleProof.ProofNodes", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 84: 		for _, v := range p.ProofNodes {
  > 85: 			encoder.AppendString(hex.EncodeToString(v))
  > 86: 		}
  > 87: 		return nil
  > 88: 	}))
    89: 



[/spacemesh/go-spacemesh/common/types/poet.go:77-82] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    76: 	encoder.AddString("MerkleProof.Root", hex.EncodeToString(p.Root))
  > 77: 	encoder.AddArray("MerkleProof.ProvenLeaves", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 78: 		for _, v := range p.ProvenLeaves {
  > 79: 			encoder.AppendString(hex.EncodeToString(v))
  > 80: 		}
  > 81: 		return nil
  > 82: 	}))
    83: 	encoder.AddArray("MerkleProof.ProofNodes", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {



[/spacemesh/go-spacemesh/common/types/malfeasance.go:360] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    359: 		if ok {
  > 360: 			p.Atx.Initialize()
    361: 			b.WriteString(



[/spacemesh/go-spacemesh/common/types/malfeasance.go:199] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    198: 	encoder.AddObject("first", &hp.Messages[0].InnerMsg)
  > 199: 	encoder.AddObject("second", &hp.Messages[1].InnerMsg)
    200: 	return nil



[/spacemesh/go-spacemesh/common/types/malfeasance.go:198] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    197: func (hp *HareProof) MarshalLogObject(encoder log.ObjectEncoder) error {
  > 198: 	encoder.AddObject("first", &hp.Messages[0].InnerMsg)
    199: 	encoder.AddObject("second", &hp.Messages[1].InnerMsg)



[/spacemesh/go-spacemesh/common/types/malfeasance.go:189] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    188: 	encoder.AddObject("first", &bp.Messages[0].InnerMsg)
  > 189: 	encoder.AddObject("second", &bp.Messages[1].InnerMsg)
    190: 	return nil



[/spacemesh/go-spacemesh/common/types/malfeasance.go:188] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    187: func (bp *BallotProof) MarshalLogObject(encoder log.ObjectEncoder) error {
  > 188: 	encoder.AddObject("first", &bp.Messages[0].InnerMsg)
    189: 	encoder.AddObject("second", &bp.Messages[1].InnerMsg)



[/spacemesh/go-spacemesh/common/types/malfeasance.go:179] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    178: 	encoder.AddObject("first", &ap.Messages[0].InnerMsg)
  > 179: 	encoder.AddObject("second", &ap.Messages[1].InnerMsg)
    180: 	return nil



[/spacemesh/go-spacemesh/common/types/malfeasance.go:178] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    177: func (ap *AtxProof) MarshalLogObject(encoder log.ObjectEncoder) error {
  > 178: 	encoder.AddObject("first", &ap.Messages[0].InnerMsg)
    179: 	encoder.AddObject("second", &ap.Messages[1].InnerMsg)



[/spacemesh/go-spacemesh/common/types/malfeasance.go:168] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    167: 	if mg.Eligibility != nil {
  > 168: 		encoder.AddObject("hare eligibility", mg.Eligibility)
    169: 	}



[/spacemesh/go-spacemesh/common/types/malfeasance.go:166] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    165: func (mg *MalfeasanceGossip) MarshalLogObject(encoder log.ObjectEncoder) error {
  > 166: 	encoder.AddObject("proof", &mg.MalfeasanceProof)
    167: 	if mg.Eligibility != nil {



[/spacemesh/go-spacemesh/common/types/malfeasance.go:72] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    71: 		if ok {
  > 72: 			p.Atx.Initialize()
    73: 			encoder.AddString("atx_id", p.Atx.ID().String())



[/spacemesh/go-spacemesh/common/types/malfeasance.go:66] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    65: 		} else {
  > 66: 			encoder.AddObject("msgs", p)
    67: 		}



[/spacemesh/go-spacemesh/common/types/malfeasance.go:58] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    57: 		} else {
  > 58: 			encoder.AddObject("msgs", p)
    59: 		}



[/spacemesh/go-spacemesh/common/types/malfeasance.go:50] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    49: 		} else {
  > 50: 			encoder.AddObject("msgs", p)
    51: 		}



[/spacemesh/go-spacemesh/common/types/hashes.go:137] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    136: 	for _, id := range sortedView {
  > 137: 		hash.Write(id.Bytes()) // this never returns an error: https://golang.org/pkg/hash/#Hash
    138: 	}



[/spacemesh/go-spacemesh/common/types/hashes.go:135] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    134: 	hash := hash.New()
  > 135: 	hash.Write(additionalBytes)
    136: 	for _, id := range sortedView {



[/spacemesh/go-spacemesh/common/types/hashes.go:124] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    123: 	for _, id := range sortedView {
  > 124: 		hasher.Write(id.Bytes()) // this never returns an error: https://golang.org/pkg/hash/#Hash
    125: 	}



[/spacemesh/go-spacemesh/common/types/hashes.go:122] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    121: 	hasher := hash.New()
  > 122: 	hasher.Write(additionalBytes)
    123: 	for _, id := range sortedView {



[/spacemesh/go-spacemesh/common/types/ballot.go:326] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    325: 	encoder.AddString("beacon", beacon.ShortString())
  > 326: 	encoder.AddObject("votes", &b.Votes)
    327: 	return nil



[/spacemesh/go-spacemesh/common/types/ballot.go:200-205] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    199: 	}))
  > 200: 	encoder.AddArray("abstain", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 201: 		for _, lid := range v.Abstain {
  > 202: 			encoder.AppendString(lid.String())
  > 203: 		}
  > 204: 		return nil
  > 205: 	}))
    206: 	return nil



[/spacemesh/go-spacemesh/common/types/ballot.go:196] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    195: 		for _, vote := range v.Against {
  > 196: 			encoder.AppendObject(&vote)
    197: 		}



[/spacemesh/go-spacemesh/common/types/ballot.go:194-199] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    193: 	}))
  > 194: 	encoder.AddArray("against", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 195: 		for _, vote := range v.Against {
  > 196: 			encoder.AppendObject(&vote)
  > 197: 		}
  > 198: 		return nil
  > 199: 	}))
    200: 	encoder.AddArray("abstain", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {



[/spacemesh/go-spacemesh/common/types/ballot.go:190] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    189: 		for _, vote := range v.Support {
  > 190: 			encoder.AppendObject(&vote)
    191: 		}



[/spacemesh/go-spacemesh/common/types/ballot.go:188-193] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    187: 	encoder.AddString("base", v.Base.String())
  > 188: 	encoder.AddArray("support", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {
  > 189: 		for _, vote := range v.Support {
  > 190: 			encoder.AppendObject(&vote)
  > 191: 		}
  > 192: 		return nil
  > 193: 	}))
    194: 	encoder.AddArray("against", log.ArrayMarshalerFunc(func(encoder log.ArrayEncoder) error {



[/spacemesh/go-spacemesh/common/types/activation.go:124] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    123: 	}
  > 124: 	encoder.AddObject("InitialPost", c.InitialPost)
    125: 	return nil



[/spacemesh/go-spacemesh/common/fixture/transaction_results.go:70] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    69: 	tx.Raw = make([]byte, 10)
  > 70: 	g.rng.Read(tx.Raw)
    71: 	tx.Block = g.Blocks[g.rng.Intn(len(g.Blocks))]



[/spacemesh/go-spacemesh/common/fixture/transaction_results.go:68] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    67: 	var tx types.TransactionWithResult
  > 68: 	g.rng.Read(tx.ID[:])
    69: 	tx.Raw = make([]byte, 10)



[/spacemesh/go-spacemesh/common/fixture/rewards.go:65] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    64: 	var reward types.Reward
  > 65: 	g.rng.Read(reward.SmesherID[:])
    66: 



[/spacemesh/go-spacemesh/common/fixture/atxs.go:116] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    115: 	var atxId types.ATXID
  > 116: 	g.rng.Read(atxId[:])
    117: 	atx.SetID(atxId)



[/spacemesh/go-spacemesh/common/fixture/atxs.go:88] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    87: 	var nodeId types.NodeID
  > 88: 	g.rng.Read(nodeId[:])
    89: 



[/spacemesh/go-spacemesh/common/fixture/atxs.go:86] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    85: 	var posAtxId types.ATXID
  > 86: 	g.rng.Read(posAtxId[:])
    87: 	var nodeId types.NodeID



[/spacemesh/go-spacemesh/common/fixture/atxs.go:84] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    83: 	var prevAtxId types.ATXID
  > 84: 	g.rng.Read(prevAtxId[:])
    85: 	var posAtxId types.ATXID



[/spacemesh/go-spacemesh/beacon/weakcoin/weak_coin.go:236] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    235: 	}
  > 236: 	eg.Wait()
    237: }



[/spacemesh/go-spacemesh/beacon/proposal_list.go:29] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    28: 		// an error is never returned: https://golang.org/pkg/hash/#Hash
  > 29: 		hasher.Write(proposal[:])
    30: 	}



[/spacemesh/go-spacemesh/beacon/beacon.go:630] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    629: 			for _, p := range active {
  > 630: 				enc.AppendObject(p)
    631: 			}



[/spacemesh/go-spacemesh/api/grpcserver/smesher_service.go:86] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    85: 	if err != nil {
  > 86: 		status.Error(codes.InvalidArgument, err.Error())
    87: 	}



[/spacemesh/go-spacemesh/activation/post_verifier.go:293] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    292: 
  > 293: 	v.verifier.Close()
    294: 	v.log.Info("stopped post verifier")



[/spacemesh/go-spacemesh/activation/post_verifier.go:291] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    290: 	close(v.stop)
  > 291: 	v.eg.Wait()
    292: 



[/spacemesh/go-spacemesh/activation/post_supervisor.go:299] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    298: 	}
  > 299: 	eg.Wait()
    300: 	ps.logger.Fatal("post service exited", zap.Error(err))



[/spacemesh/go-spacemesh/activation/post_supervisor.go:279] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    278: 	if err := cmd.Start(); err != nil {
  > 279: 		pipe.Close()
    280: 		ps.logger.Error("start post service", zap.Error(err))



[/spacemesh/go-spacemesh/activation/nipost.go:421] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    420: 	}
  > 421: 	g.Wait()
    422: 	close(errChan)



Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

© Halborn 2024. All rights reserved.