chore(lint): suppress known gosec false positives
Add config-level exclusions for G117 (secret-named struct fields), G101 in test files, G702/G704 in magefile, and goheader in plugins. Add inline #nosec comments for specific G703/G704 false positives in export, dump/restore, migration, and avatar code.
This commit is contained in:
parent
595002bf96
commit
2053426062
|
|
@ -152,6 +152,20 @@ linters:
|
|||
- err113
|
||||
path: magefile.go
|
||||
text: 'do not define dynamic errors, use wrapped static errors instead:'
|
||||
- linters:
|
||||
- gosec
|
||||
text: 'G117:' # Struct fields named Password/Secret/AccessToken are intentional data model fields
|
||||
- linters:
|
||||
- gosec
|
||||
text: 'G101:'
|
||||
path: (pkg/webtests/|pkg/e2etests/|_test\.go) # Test fixtures with bcrypt hashes, not real credentials
|
||||
- linters:
|
||||
- gosec
|
||||
text: 'G70[24]:'
|
||||
path: magefile.go # Build tooling, not user-facing code
|
||||
- linters:
|
||||
- goheader
|
||||
path: plugins/
|
||||
paths:
|
||||
- third_party$
|
||||
- builtin$
|
||||
|
|
|
|||
|
|
@ -81,7 +81,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
|
|||
dumpWriter.Close()
|
||||
dumpFile.Close()
|
||||
|
||||
exported, err := os.Open(tmpFilename)
|
||||
exported, err := os.Open(tmpFilename) // #nosec G703 -- tmpFilename is generated internally, not from user input
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -107,7 +107,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
|
|||
}
|
||||
|
||||
// Remove the old file
|
||||
err = os.Remove(exported.Name())
|
||||
err = os.Remove(exported.Name()) // #nosec G703 -- path from internally created temp file
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -247,7 +247,7 @@ func restoreFile(id int64, zipFile *zip.File) error {
|
|||
}
|
||||
defer func() {
|
||||
_ = tmpFile.Close()
|
||||
_ = os.Remove(tmpFile.Name())
|
||||
_ = os.Remove(tmpFile.Name()) // #nosec G703 -- path from os.CreateTemp, not user input
|
||||
}()
|
||||
|
||||
// Limit copy size to prevent decompression bombs
|
||||
|
|
|
|||
|
|
@ -187,7 +187,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
|
|||
}
|
||||
req.Header.Set("Authorization", "Bearer "+token)
|
||||
|
||||
resp, err := (&http.Client{}).Do(req)
|
||||
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) {
|
|||
return nil, fmt.Errorf("failed to create HTTP request: %w", err)
|
||||
}
|
||||
|
||||
resp, err := (&http.Client{}).Do(req)
|
||||
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to download image: %w", err)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue