From d13997b4badce89927bdab071c23e45684027f87 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Fri, 16 Apr 2021 17:21:26 +0200
Subject: [PATCH] gosec: G601: Implicit memory aliasing in for loop

    plugin/v2/plugin.go:141:50: G601: Implicit memory aliasing in for loop. (gosec)
                    updateSettingsEnv(&p.PluginObj.Settings.Env, &s)
                                                                 ^
    libcontainerd/remote/client.go:572:13: G601: Implicit memory aliasing in for loop. (gosec)
                cpDesc = &m
                         ^
    distribution/push_v2.go:400:34: G601: Implicit memory aliasing in for loop. (gosec)
                (metadata.CheckV2MetadataHMAC(&mountCandidate, pd.hmacKey) ||
                                              ^
    builder/dockerfile/builder.go:261:84: G601: Implicit memory aliasing in for loop. (gosec)
            currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &meta)
                                                                                             ^
    builder/dockerfile/builder.go:278:46: G601: Implicit memory aliasing in for loop. (gosec)
            if err := initializeStage(dispatchRequest, &stage); err != nil {
                                                       ^
    daemon/container.go:283:40: G601: Implicit memory aliasing in for loop. (gosec)
            if err := parser.ValidateMountConfig(&cfg); err != nil {
                                                 ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 builder/dockerfile/builder.go  | 9 +++++----
 daemon/container.go            | 3 ++-
 distribution/push_v2.go        | 3 ++-
 libcontainerd/remote/client.go | 1 +
 plugin/v2/plugin.go            | 4 +++-
 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/builder/dockerfile/builder.go b/builder/dockerfile/builder.go
index 0369a1d82d..52e2c7d50f 100644
--- a/builder/dockerfile/builder.go
+++ b/builder/dockerfile/builder.go
@@ -254,10 +254,10 @@ func (b *Builder) dispatchDockerfileWithCancellation(parseResult []instructions.
 		totalCommands += len(stage.Commands)
 	}
 	shlex := shell.NewLex(escapeToken)
-	for _, meta := range metaArgs {
-		currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &meta)
+	for i := range metaArgs {
+		currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &metaArgs[i])
 
-		err := processMetaArg(meta, shlex, buildArgs)
+		err := processMetaArg(metaArgs[i], shlex, buildArgs)
 		if err != nil {
 			return nil, err
 		}
@@ -265,7 +265,8 @@ func (b *Builder) dispatchDockerfileWithCancellation(parseResult []instructions.
 
 	stagesResults := newStagesBuildResults()
 
-	for _, stage := range parseResult {
+	for _, s := range parseResult {
+		stage := s
 		if err := stagesResults.checkStageNameAvailable(stage.Name); err != nil {
 			return nil, err
 		}
diff --git a/daemon/container.go b/daemon/container.go
index 70cf612a09..5912f26b62 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -279,7 +279,8 @@ func validateHostConfig(hostConfig *containertypes.HostConfig, platform string)
 	}
 	// Validate mounts; check if host directories still exist
 	parser := volumemounts.NewParser(platform)
-	for _, cfg := range hostConfig.Mounts {
+	for _, c := range hostConfig.Mounts {
+		cfg := c
 		if err := parser.ValidateMountConfig(&cfg); err != nil {
 			return err
 		}
diff --git a/distribution/push_v2.go b/distribution/push_v2.go
index 8934ac71a2..3d2c13bf25 100644
--- a/distribution/push_v2.go
+++ b/distribution/push_v2.go
@@ -326,7 +326,8 @@ func (pd *v2PushDescriptor) Upload(ctx context.Context, progressOutput progress.
 	// Attempt to find another repository in the same registry to mount the layer from to avoid an unnecessary upload
 	candidates := getRepositoryMountCandidates(pd.repoInfo, pd.hmacKey, maxMountAttempts, v2Metadata)
 	isUnauthorizedError := false
-	for _, mountCandidate := range candidates {
+	for _, mc := range candidates {
+		mountCandidate := mc
 		logrus.Debugf("attempting to mount layer %s (%s) from %s", diffID, mountCandidate.Digest, mountCandidate.SourceRepository)
 		createOpts := []distribution.BlobCreateOption{}
 
diff --git a/libcontainerd/remote/client.go b/libcontainerd/remote/client.go
index 7561706241..f82911884e 100644
--- a/libcontainerd/remote/client.go
+++ b/libcontainerd/remote/client.go
@@ -568,6 +568,7 @@ func (c *client) CreateCheckpoint(ctx context.Context, containerID, checkpointDi
 
 	var cpDesc *v1.Descriptor
 	for _, m := range index.Manifests {
+		m := m
 		if m.MediaType == images.MediaTypeContainerd1Checkpoint {
 			cpDesc = &m // nolint:gosec
 			break
diff --git a/plugin/v2/plugin.go b/plugin/v2/plugin.go
index 3e6e063f4a..d42e1bd0b9 100644
--- a/plugin/v2/plugin.go
+++ b/plugin/v2/plugin.go
@@ -126,7 +126,9 @@ func (p *Plugin) Set(args []string) error {
 	// TODO(vieux): lots of code duplication here, needs to be refactored.
 
 next:
-	for _, s := range sets {
+	for _, set := range sets {
+		s := set
+
 		// range over all the envs in the config
 		for _, env := range p.PluginObj.Config.Env {
 			// found the env in the config