[release tool] security fixes (#9283)

* disable security check for ISS server

* remove using ssh.InsecureIgnoreHostKey

go.mod

@@ -69,6 +69,7 @@ require (
 	github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1
 	github.com/shirou/gopsutil v0.0.0-20190323131628-2cbc9195c892
 	github.com/sirupsen/logrus v1.9.3
+	github.com/skeema/knownhosts v1.3.0
 	github.com/slack-go/slack v0.14.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -685,6 +685,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
+github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/slack-go/slack v0.14.0 h1:6c0UTfbRnvRssZUsZ2qe0Iu07VAMPjRqOa6oX8ewF4k=
 github.com/slack-go/slack v0.14.0/go.mod h1:hlGi5oXA+Gt+yWTPP0plCdRKmjsDxecdHxYQdlMQKOw=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=

release/internal/command/ssh.go

@@ -3,11 +3,15 @@ package command
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"os"
+	"path/filepath"
 	"strings"
 
-	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
+
+	"github.com/sirupsen/logrus"
+	"github.com/skeema/knownhosts"
 )
 
 // SSHConfig holds the configuration for an SSH connection
@@ -59,7 +63,30 @@ func connect(sshConfig *SSHConfig) (*ssh.Session, error) {
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		// This callback mimics the behavior of ssh -o StrictHostKeyChecking=no
+		HostKeyCallback: ssh.HostKeyCallback(func(host string, remote net.Addr, pubKey ssh.PublicKey) error {
+			knownHostsFilePath := filepath.Join(os.Getenv("HOME"), ".ssh", "known_hosts")
+			k, err := knownhosts.NewDB(knownHostsFilePath)
+			if err != nil {
+				return err
+			}
+			err = k.HostKeyCallback()(host, remote, pubKey)
+			if knownhosts.IsHostKeyChanged(err) {
+				return fmt.Errorf("host key changed: %v", err)
+			} else if knownhosts.IsHostUnknown(err) {
+				f, err := os.OpenFile(knownHostsFilePath, os.O_APPEND|os.O_WRONLY, 0o600)
+				if err != nil {
+					return err
+				}
+				defer f.Close()
+				err = knownhosts.WriteKnownHost(f, host, remote, pubKey)
+				if err != nil {
+					return err
+				}
+				return nil
+			}
+			return err
+		}),
 	}
 	client, err := ssh.Dial("tcp", sshConfig.Address(), config)
 	if err != nil {

release/internal/imagescanner/scanner.go

@@ -2,6 +2,7 @@ package imagescanner
 
 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -83,7 +84,13 @@ func (i *Scanner) Scan(images []string, stream string, release bool, outputDir s
 		"scanner":     i.config.Scanner,
 		"version":     stream,
 	}).Debug("Sending image scan request")
-	resp, err := http.DefaultClient.Do(req)
+	// Create a httpClient to skip TLS verification since ISS is an internal service.
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+	resp, err := httpClient.Do(req)
 	if err != nil {
 		logrus.WithError(err).Error("Failed to send request to image scanner")
 		return err